ASA Logging (2024)

SYSLOG is a standard for message logging; it allows for separation of messages based on severity level. The following table represents the syslog message severity levels, related to the Cisco ASA.

ASA Logging (1)

The Cisco ASA supports logging to multiple locations, including:

  • Internal log buffer
  • External SYSLOG servers
  • ASDM
  • Console Port
  • SSH Session (monitor)
  • Email

This post covers configuration of logging on the Cisco ASA firewall, using internal buffer, ASDM and an external SYSLOG server.

By default, logging is disabled and must be explicitly enabled:

logging enable

Configure logging timestamps to include date and time, to allow correlation of logging information.

logging timestamp

It is important that the Cisco ASA has the correct time, as this ensures the timestamps on log messages are correct and accurate throughout the network, which will aid troubleshooting.

Configure the NTP server(s)

ntp server 192.168.10.5 source INSIDE prefer
ntp server 192.168.10.4 source INSIDE

Buffered Logging

Logging to the buffer is recommended over logging to the console or monitor sessions. The default buffer size would need to be increased.

logging buffer-size 20000
logging buffered notifications

To view the log buffer run the command show logging. From the output below we can confirm syslog logging is enabled and buffer logging for notification events. The buffer contains logs from severity level 1 – 5 (notification). Nothing above notification (5) will be logged in the buffer.

ASA-1# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level notifications, 61 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
Feb 09 2023 10:33:54: %ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
Feb 09 2023 10:33:54: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'clear logging buffer'
Feb 09 2023 10:34:13: %ASA-5-111001: Begin configuration: console writing to memory
Feb 09 2023 10:34:13: %ASA-5-111004: console end configuration: OK
Feb 09 2023 10:34:13: %ASA-5-111008: User 'enable_15' executed the 'write memory' command.
Feb 09 2023 10:34:13: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'write memory'
Feb 09 2023 10:34:54: %ASA-5-111008: User 'enable_15' executed the 'interface GigabitEthernet 0/3' command.
Feb 09 2023 10:34:54: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'interface GigabitEthernet 0/3'
Feb 09 2023 10:34:55: %ASA-5-111008: User 'enable_15' executed the 'shutdown' command.
Feb 09 2023 10:34:55: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'shutdown'
Feb 09 2023 10:34:55: %ASA-3-710003: TCP access denied by ACL from 119.203.11.243/52909 to OUTSIDE:192.168.178.254/22
Feb 09 2023 10:34:56: %ASA-4-411003: Interface GigabitEthernet0/3, changed state to administratively up
Feb 09 2023 10:34:56: %ASA-5-111008: User 'enable_15' executed the 'no shutdown' command.
Feb 09 2023 10:34:56: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'no shutdown'
Feb 09 2023 10:34:57: %ASA-4-411001: Line protocol on Interface GigabitEthernet0/3, changed state to up

External SYSLOG

The ASA logs can be sent to one or more external SYSLOG servers, using UDP or TCP (the default is UDP if the protocol is not specified).

Configure the SYSLOG server on the INSIDE interface using TCP protocol on port 1514

logging host INSIDE 192.168.10.15 tcp/1514

NOTE – When using TCP and if the SYSLOG server is down, for security reasons, the ASA will block new connections until the SYSLOG server is reachable again.

To enable connections whilst the TCP SYSLOG server is unavailable use the following command:

logging permit-hostdown

The command logging trap <level> defines which logging messages are sent to the external SYSLOG servers.

logging trap informational

Run the command show logging to confirm the settings. From the output below, we can confirm logging is being sent to the configured SYSLOG server and a connection is established, having transmitted 19 packets. You can also see that the permit-hostdown setting is enabled.

ASA-1# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level informational, facility 20, 878 messages logged
Logging to INSIDE 192.168.10.15 tcp/1514
Connected TX:19
TCP SYSLOG_PKT_LOSS:0
TCP [Channel Idx/Not Putable counts]: [0/0]
TCP [Channel Idx/Not Putable counts]: [1/0]
TCP [Channel Idx/Not Putable counts]: [2/0]
TCP [Channel Idx/Not Putable counts]: [3/0]
Global TCP syslog stats::
NOT_PUTABLE: 0, ALL_CHANNEL_DOWN: 192
CHANNEL_FLAP_CNT: 192, SYSLOG_PKT_LOSS: 0
PARTIAL_REWRITE_CNT: 0
Permit-hostdown logging: enabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled

On the SYSLOG server itself we can confirm the messages are received.

ASA Logging (2)

Custom Event Lists

Sending all messages of a severity level might be excessive. With a Custom Event List you can specify the level and message ID to log. Multiple lists can be created to send different log messages or severity levels to different destinations.

Create a Custom Event List to log errors and selected message IDs (710003, 106023 and 106100).

logging list SEND-TO-SYSLOG level errors
logging list SEND-TO-SYSLOG message 710003
logging list SEND-TO-SYSLOG message 106023
logging list SEND-TO-SYSLOG message 106100

The list can then be enabled to send to a destination. In this instance the logs will be sent to the SYSLOG server.

logging trap SEND-TO-SYSLOG

On the SYSLOG server we can determine the server received log messages for the IDs specified in the custom event list.

ASA Logging (3)

ASDM Logging

Logs can also be sent to ASDM and viewed in the Real-Time Log Viewer. As with the other destinations, logs can be sent based on severity level or using a custom event list.

Create a custom event list to log Remote Access VPN login and logoff events.

logging list SEND-TO-ASDM message 113012-113019
logging list SEND-TO-ASDM message 737026

Enable the list to send the specified messages to ASDM:

logging asdm SEND-TO-ASDM

From the ASDM Real-Time Log Viewer we can determine that only the log messages specified in the custom list are received in ASDM. In this instance the messages relate to RAVPN events.

ASA Logging (4)
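The selection logic of the two custom event lists above (SEND-TO-SYSLOG and SEND-TO-ASDM) can be reproduced offline to check which messages a list would forward. This is an added example, not code from the original post; it assumes a message is selected when it matches any criterion in the list (severity at or below the listed level, or a listed message ID), and the function names and the two log lines marked as constructed are illustrative.

```python
import re

# Severity keywords accepted by "logging list <name> level <level>".
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
MSG_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}):")

# The two event lists defined in this post.
CONFIG = """\
logging list SEND-TO-SYSLOG level errors
logging list SEND-TO-SYSLOG message 710003
logging list SEND-TO-SYSLOG message 106023
logging list SEND-TO-SYSLOG message 106100
logging list SEND-TO-ASDM message 113012-113019
logging list SEND-TO-ASDM message 737026
"""

# First three lines come from the buffer output in this post; the last two are constructed.
LOGS = [
    "Feb 09 2023 10:34:55: %ASA-5-111008: User 'enable_15' executed the 'shutdown' command.",
    "Feb 09 2023 10:34:55: %ASA-3-710003: TCP access denied by ACL from 119.203.11.243/52909 to OUTSIDE:192.168.178.254/22",
    "Feb 09 2023 10:34:56: %ASA-4-411003: Interface GigabitEthernet0/3, changed state to administratively up",
    "Feb 09 2023 10:35:10: %ASA-4-106023: Deny tcp src OUTSIDE:203.0.113.10/40000 dst INSIDE:192.168.10.20/23 (constructed)",
    "Feb 09 2023 10:35:12: %ASA-2-106001: Inbound TCP connection denied (constructed)",
]

def parse_event_list(config, name):
    """Return (highest severity number selected or None, set of message IDs)."""
    max_sev, ids = None, set()
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] != ["logging", "list", name] or len(parts) < 5:
            continue
        if parts[3] == "level":
            max_sev = LEVELS[parts[4]] if parts[4] in LEVELS else int(parts[4])
        elif parts[3] == "message":
            lo, _, hi = parts[4].partition("-")   # single ID or lo-hi range
            ids.update(range(int(lo), int(hi or lo) + 1))
    return max_sev, ids

def selected_ids(config, name, logs):
    """Message IDs of the log lines that the named event list would forward."""
    max_sev, ids = parse_event_list(config, name)
    out = []
    for m in filter(None, map(MSG_RE.search, logs)):
        sev, msg_id = int(m["sev"]), int(m["id"])
        if (max_sev is not None and sev <= max_sev) or msg_id in ids:
            out.append(msg_id)
    return out
```

With the sample lines, SEND-TO-SYSLOG forwards 710003 and 106001 by severity and 106023 by ID, while the severity 4 and 5 messages that are not listed are dropped.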

Full Configuration

The commands below represent the full logging configuration covered in this post.

logging enable
logging timestamp
logging list SEND-TO-SYSLOG level errors
logging list SEND-TO-SYSLOG message 710003
logging list SEND-TO-SYSLOG message 106023
logging list SEND-TO-SYSLOG message 106100
logging list SEND-TO-ASDM message 113012-113019
logging list SEND-TO-ASDM message 737026
logging buffer-size 21000
logging trap SEND-TO-SYSLOG
logging asdm SEND-TO-ASDM
logging host INSIDE 192.168.10.15 6/1514
logging permit-hostdown

The following list represents Cisco best practices regarding logging on the ASA.

For best security, NTP authentication should be configured (if the NTP server supports authentication).

ntp authentication-key 1 md5 <Passphrase>
ntp server 192.168.10.5 key 1
ntp server 192.168.10.4 key 1
ntp authenticate

Disable logging to console sessions and terminal lines (SSH); this ensures the CPU of the ASA is not overloaded. If monitor or console logging is required, enable it only when troubleshooting and disable it once complete.

no logging monitor
no logging console
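The practices covered in this post can be checked against a saved configuration before it is deployed. The audit below is an added example, not code from the original post or from Cisco; the function name and finding texts are illustrative, and the sample configuration is assembled from the commands shown on this page (the full logging configuration plus the unauthenticated NTP servers).

```python
import re

# Assembled from the commands in this post (logging section plus the first NTP example).
PAGE_CONFIG = """\
logging enable
logging timestamp
logging buffer-size 21000
logging trap SEND-TO-SYSLOG
logging asdm SEND-TO-ASDM
logging host INSIDE 192.168.10.15 6/1514
logging permit-hostdown
ntp server 192.168.10.5 source INSIDE prefer
ntp server 192.168.10.4 source INSIDE
"""

def audit_asa_logging(config):
    """Return a list of findings for the logging practices this post covers."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    has = lambda pattern: any(re.fullmatch(pattern, l) for l in lines)
    findings = []
    if not has(r"logging enable"):
        findings.append("logging is not enabled")
    if not has(r"logging timestamp"):
        findings.append("log messages carry no timestamp")
    for dest in ("console", "monitor"):
        if has(rf"logging {dest} \S+"):
            findings.append(f"logging to {dest} is enabled")
    # The post shows the same TCP host as tcp/1514 and as 6/1514.
    tcp_host = has(r"logging host \S+ \S+ (tcp|6)/\d+.*")
    if not has(r"logging host .+"):
        findings.append("no external syslog server configured")
    elif tcp_host and has(r"logging permit-hostdown"):
        findings.append("permit-hostdown: new connections are allowed "
                        "while the TCP syslog server is down")
    elif tcp_host:
        findings.append("no permit-hostdown: new connections are blocked "
                        "while the TCP syslog server is down")
    servers = [l for l in lines if l.startswith("ntp server ")]
    if not servers:
        findings.append("no NTP server configured")
    elif not has(r"ntp authenticate") or any(" key " not in s for s in servers):
        findings.append("NTP is not authenticated")
    return findings
```

Either permit-hostdown outcome is reported because it is a deliberate trade-off between availability and complete logging, not a misconfiguration.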

The table below lists additional configurable logging options.

Command                                                                               Description
no logging message syslog-id                                                          Prevent logging of the specified syslog message ID
no logging hide username                                                              Show invalid usernames in syslog messages
logging message syslog_id level severity_level                                        Change the severity of a syslog message
logging device-id hostname|context-name                                               Include the ASA device ID in syslog messages
logging rate-limit <rate limit number> <rate limit interval> level|message <value>    Rate limit syslog message generation

Cisco ASA 9.17 configuration guide
https://www.cisco.com/c/en/us/td/docs/security/asa/asa917/configuration/general/asa-917-general-config/monitor-syslog.html

Cisco ASA SYSLOG Messages
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/about.html

Author: Carlyn Walter
