SYSLOG is a standard for message logging; it allows for the separation of messages based on severity level. The following table represents the syslog message severity levels as used by the Cisco ASA.
The Cisco ASA supports logging to multiple locations, including:
- Internal log buffer
- External SYSLOG servers
- ASDM
- Console Port
- SSH Session (monitor)
- Email
This post covers configuration of logging on the Cisco ASA firewall, using internal buffer, ASDM and an external SYSLOG server.
By default logging is disabled and must be explicitly enabled.
logging enable
Configure logging timestamps to include date and time, to allow correlation of logging information.
logging timestamp
It is important that the Cisco ASA has the correct time, as this ensures the timestamps on log messages are correct and accurate throughout the network, which will aid troubleshooting.
Configure the NTP server(s).
ntp server 192.168.10.5 source INSIDE prefer
ntp server 192.168.10.4 source INSIDE
Buffered Logging
Logging to the buffer is recommended over logging to the console or monitor sessions. The default buffer size should be increased.
logging buffer-size 20000
logging buffered notifications
To view the log buffer run the command show logging. From the output below we can confirm syslog logging is enabled and the buffer is logging notification events. The buffer contains logs from severity level 1 – 5 (notification). Nothing above notification (5) will be logged in the buffer.
ASA-1# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level notifications, 61 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
Feb 09 2023 10:33:54: %ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
Feb 09 2023 10:33:54: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'clear logging buffer'
Feb 09 2023 10:34:13: %ASA-5-111001: Begin configuration: console writing to memory
Feb 09 2023 10:34:13: %ASA-5-111004: console end configuration: OK
Feb 09 2023 10:34:13: %ASA-5-111008: User 'enable_15' executed the 'write memory' command.
Feb 09 2023 10:34:13: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'write memory'
Feb 09 2023 10:34:54: %ASA-5-111008: User 'enable_15' executed the 'interface GigabitEthernet 0/3' command.
Feb 09 2023 10:34:54: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'interface GigabitEthernet 0/3'
Feb 09 2023 10:34:55: %ASA-5-111008: User 'enable_15' executed the 'shutdown' command.
Feb 09 2023 10:34:55: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'shutdown'
Feb 09 2023 10:34:55: %ASA-3-710003: TCP access denied by ACL from 119.203.11.243/52909 to OUTSIDE:192.168.178.254/22
Feb 09 2023 10:34:56: %ASA-4-411003: Interface GigabitEthernet0/3, changed state to administratively up
Feb 09 2023 10:34:56: %ASA-5-111008: User 'enable_15' executed the 'no shutdown' command.
Feb 09 2023 10:34:56: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'no shutdown'
Feb 09 2023 10:34:57: %ASA-4-411001: Line protocol on Interface GigabitEthernet0/3, changed state to up
External SYSLOG
The ASA logs can be sent to one or more external SYSLOG servers, using UDP or TCP (the default is UDP if the protocol is not specified).
Configure the SYSLOG server on the INSIDE interface using the TCP protocol on port 1514.
logging host INSIDE 192.168.10.15 tcp/1514
NOTE – When using TCP, if the SYSLOG server is down the ASA will, for security reasons, block new connections until the SYSLOG server is reachable again.
To enable connections whilst the TCP SYSLOG server is unavailable use the following command:
logging permit-hostdown
The command logging trap <level> defines which logging messages are sent to the external SYSLOG servers.
logging trap informational
Run the command show logging to confirm the settings. From the output below, we can confirm logging is being sent to the configured SYSLOG server and a connection has been established, having transmitted 19 packets. You can also determine that the permit-hostdown setting is enabled.
ASA-1# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level informational, facility 20, 878 messages logged
Logging to INSIDE 192.168.10.15 tcp/1514
Connected TX:19
TCP SYSLOG_PKT_LOSS:0
TCP [Channel Idx/Not Putable counts]: [0/0]
TCP [Channel Idx/Not Putable counts]: [1/0]
TCP [Channel Idx/Not Putable counts]: [2/0]
TCP [Channel Idx/Not Putable counts]: [3/0]
Global TCP syslog stats::
NOT_PUTABLE: 0, ALL_CHANNEL_DOWN: 192
CHANNEL_FLAP_CNT: 192, SYSLOG_PKT_LOSS: 0
PARTIAL_REWRITE_CNT: 0
Permit-hostdown logging: enabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
On the SYSLOG server itself we can confirm the messages are received.
Custom Event Lists
Sending all messages of a severity level might be excessive; with a Custom Event List you can specify the severity level and the individual message IDs to log. Multiple lists can be created to send different log messages or severity levels to different destinations.
Create a Custom Event List to log errors and selected message IDs (710003, 106023 and 106100).
logging list SEND-TO-SYSLOG level errors
logging list SEND-TO-SYSLOG message 710003
logging list SEND-TO-SYSLOG message 106023
logging list SEND-TO-SYSLOG message 106100
The list can then be enabled to send to the destination, in this instance the logs will be sent to the SYSLOG server.
logging trap SEND-TO-SYSLOG
On the SYSLOG server we can see that the server received log messages for the IDs specified in the custom event list.
ASDM Logging
Logs can also be sent to ASDM and viewed in the Real-Time Log Viewer. As with the other destinations, logs can be sent based on severity level or using a custom event list.
Create a custom event list to log Remote Access VPN login and logoff events.
logging list SEND-TO-ASDM message 113012-113019
logging list SEND-TO-ASDM message 737026
Enable the list to send the specified messages to ASDM.
logging asdm SEND-TO-ASDM
From the ASDM Real-Time Log Viewer we can confirm that only the log messages specified in the custom list are received in ASDM; in this instance the messages relate to RAVPN events.
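As an added example (not part of the original post), the following Python script reproduces the selection logic of the SEND-TO-SYSLOG and SEND-TO-ASDM event lists on the receiving side, so that what arrives at the SYSLOG server or ASDM can be checked against what the lists should admit. It parses the %ASA-<severity>-<message ID> tag from each line; the sample log lines, the 203.0.113.7 address and the message texts for 106023 and 113015 are constructed for the example.

```python
import re
from dataclasses import dataclass

# Cisco ASA severity keywords; the list index is the numeric level (0 = most severe).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# The ASA tag: "%ASA-<severity>-<6-digit message ID>: <text>", e.g. "%ASA-3-710003:".
ASA_TAG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)")

@dataclass
class AsaMessage:
    severity: int
    msgid: int
    text: str

def parse_asa_line(line: str):
    """Parse one syslog line received from the ASA; None if it carries no ASA tag."""
    m = ASA_TAG.search(line)
    if m is None:
        return None
    return AsaMessage(int(m.group("sev")), int(m.group("msgid")), m.group("text"))

def event_list(level=None, messages=()):
    """Predicate with the semantics of a 'logging list': 'level <keyword>' admits that
    severity and anything more severe; 'message <id>' or '<id>-<id>' admits those IDs
    regardless of severity. A message passes if any criterion matches."""
    threshold = SEVERITIES.index(level) if level else -1
    ids = set()
    for entry in messages:
        lo, _, hi = str(entry).partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return lambda msg: msg.severity <= threshold or msg.msgid in ids

def select_ids(lines, accept):
    """Message IDs of the lines the event list would have forwarded to its destination."""
    parsed = (parse_asa_line(line) for line in lines)
    return [m.msgid for m in parsed if m is not None and accept(m)]

# Constructed sample, modelled on the 'show logging' output in this post (not real traffic).
SAMPLE = [
    "Feb 09 2023 10:34:54: %ASA-5-111008: User 'enable_15' executed the 'shutdown' command.",
    "Feb 09 2023 10:34:55: %ASA-3-710003: TCP access denied by ACL from 203.0.113.7/52909 to OUTSIDE:192.168.178.254/22",
    "Feb 09 2023 10:34:56: %ASA-4-411003: Interface GigabitEthernet0/3, changed state to administratively up",
    "Feb 09 2023 10:35:01: %ASA-4-106023: Deny tcp src OUTSIDE:203.0.113.7/40000 dst INSIDE:192.168.10.15/1514 by access-group OUTSIDE-IN",
    "Feb 09 2023 10:35:30: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : user = constructed",
]

SEND_TO_SYSLOG = event_list(level="errors", messages=[710003, 106023, 106100])
SEND_TO_ASDM = event_list(messages=["113012-113019", 737026])
```

Calling select_ids(SAMPLE, SEND_TO_SYSLOG) yields [710003, 106023] (one by severity, one by explicit ID) and select_ids(SAMPLE, SEND_TO_ASDM) yields [113015] (inside the 113012-113019 range); anything else that shows up at a destination points to a list or trap level that does not match the intended configuration.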
Full Configuration
The commands below represent the full logging configuration covered in this post.
logging enable
logging timestamp
logging list SEND-TO-SYSLOG level errors
logging list SEND-TO-SYSLOG message 710003
logging list SEND-TO-SYSLOG message 106023
logging list SEND-TO-SYSLOG message 106100
logging list SEND-TO-ASDM message 113012-113019
logging list SEND-TO-ASDM message 737026
logging buffer-size 21000
logging trap SEND-TO-SYSLOG
logging asdm SEND-TO-ASDM
logging host INSIDE 192.168.10.15 6/1514
logging permit-hostdown
The following list represents Cisco best practices regarding logging on the ASA.
For best security, NTP authentication should be configured (if the NTP server supports authentication).
ntp authentication-key 1 md5 <Passphrase>
ntp server 192.168.10.5 key 1
ntp server 192.168.10.4 key 1
ntp authenticate
Disable logging to console sessions and terminal lines (SSH); this ensures the CPU of the ASA is not overloaded. If monitor or console logging is required, enable it only when troubleshooting and disable it once complete.
no logging monitor
no logging console
The table below lists other configurable logging options.
| Command | Description |
| --- | --- |
| no logging message <syslog-id> | Prevent logging of the specified syslog message ID. |
| no logging hide username | Show invalid usernames in syslog messages. |
| logging message <syslog-id> level <severity-level> | Change the severity level of a syslog message. |
| logging device-id {hostname \| context-name} | Include the ASA device ID in syslog messages. |
| logging rate-limit <rate-limit-number> <rate-limit-interval> {level \| message} <value> | Rate limit syslog message generation. |
Cisco ASA 9.17 configuration guide
https://www.cisco.com/c/en/us/td/docs/security/asa/asa917/configuration/general/asa-917-general-config/monitor-syslog.html
Cisco ASA SYSLOG Messages
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/about.html