To configure Cisco ASA or virtual context syslogs to be sent, configure either from the CLI or from ADSM according to the instructions below.
Syslog traffic must be configured to arrive to the TOS Aurora cluster that monitors the device at the Syslog VIP.
For more information see Sending Additional Information via Syslog.
Syslog proxy is supported for specific devices. For more information on syslog proxy support for supported devices, see Configuring Devices to Send Logs.
Only rules that are marked for logging in the device are included in the syslogs.
CLI Commands
| Configure the device to send syslog messages | logging enable |
| Set that the timestamp is included in the syslog message | logging timestamp |
| Set the level of events for which syslog messages are sent | logging facility 23 |
| Set the device-id that is included in the syslog message The Hostname for the device must be explicitly set via syslog for Real Time Monitoring to retrieve data. | logging device-id hostname |
| Set the device-id that is included in the syslog message with a virtual context | logging device-id context-name |
| Set to send events to SecureTrack for full accountability | logging list securetrack message 111008 |
| Set to send events for SecureTrack APG and SecureApp discovery | logging list securetrack message 106100 |
| Set to send events for SecureTrack APG and SecureApp discovery | logging list securetrack message 106023 |
| Set the level of severity of the messages that you want to receive | - logging message 111008 level notifications
- logging message 106100 level notifications
- logging message 106023 level notifications
|
| Set the trap message list name for the syslog messages | logging trap securetrack |
| Set the SecureTrack server to send the syslog messages to: - ip_address - The IP address of the SecureTrack server.
- interface_name - The interface that the SecureTrack server is behind.
| logging host <interface_name> <ip_address> |
ASDM Configuration
-
Log into the ASDM and enter the syslog configuration for the ASA device:
-
Log into the ASDM, and select the device from the Device List.
- Click Configuration.
- Click Device Management.
-
Enable logging on the ASA device:
-
Add the event IDs that you want to the ASA device to send:
- Select Event Lists, and click Add.
-
In the Add Event List window, type a Name, and under Message ID Filters, click Add.
-
Enter a syslog ID and click OK.
| Syslog ID | Purpose | Notes |
| 111008 | Full accountability | |
| 106023 106100 | SecureTrack APG and SecureApp connection discovery | - Syslog ID 106100 only sends syslogs for logged rules.
- For APG, you can use either of the syslog IDs or both IDs
- Click OK to close the Add Event List window.
|
-
Configure the logging filters to use the specified event IDs:
- Select Logging Filters, and double-click Syslog Servers.
- In the Edit Logging Filters window, select Use event list and select the event list configured above.
- Click OK.
-
Configure SecureTrack as a syslog server:
-
Select Syslog Servers, and click Add.
- In the Add Syslog Server window, select the interface used to access SecureTrack, and enter the syslog VIP of the cluster that is managing the device.
- Select UDP, Port:
514 , and clear Log messages in Cisco EMBLEM format. -
- Click OK.
-
Configure the format for the syslogs:
-
Select Syslog Setup.
-
Select Include timestamp in syslogs.
-
By Facility Code to Include in Syslogs, select LOCAL7(23).
To use a different facility, you must configure SecureTrack as described in this tech note: Configuring SecureTrack for Non-Default Syslogs
- Scroll down and double-click entry 111008. Set its Logging Level to Notifications, and click OK.
- Click Apply.
-
Still in the Syslog Setup page, click Advanced and select Enable syslog device ID.
If the device is not in context mode, you must enable the syslog device ID from the device's CLI with this command: logging device-id string <Enter the ID>
-
Configure a unique logging ID by selecting one of the following. No other device, including virtual contexts even on other devices, may have the same ID:
-
Hostname
The Hostname for the device must be explicitly set via syslog for Real Time Monitoring to retrieve data.
-
Context name (in a Virtual Context)
-
IP address (select an interface)
-
String (type the desired ID)
-
Click OK, and Apply.
For virtual contexts, configure a logging ID for each context.
FAQs
How to Configure Syslog on a Cisco Device
- Step 1: Enable logging on the Cisco device. ...
- Step 2: Modify the syslog config for facility codes. ...
- Step 3: Change the default logging levels. ...
- Step 4: Define destination port and IP address. ...
- Step 5: Define source IP address. ...
- Step 6: Securing syslog messages on a Cisco device (Optional)
- Log into the ASDM and enter the syslog configuration for the ASA device: ...
- Enable logging on the ASA device: ...
- Add the event IDs that you want to the ASA device to send: ...
- Configure the logging filters to use the specified event IDs: ...
- Configure SecureTrack as a syslog server: ...
- Configure the format for the syslogs:
Syslog servers can be defined in the Dashboard from Network-wide > Configure > General. Click the Add a syslog server link to define a new server. An IP address, UDP port number, and the roles to send to the server need to be defined.
What is the highest level of syslog messages that can be configured? ›
The highest level is level 0 (emergencies). The lowest level is level 7. To change the minimum severity level that is sent to syslog, use the logging trap level configuration command. If you specify a level, that level and all the higher levels will be displayed.
How do I send logs to syslog server? ›
Solution:
- Connect to a Controller VM (CVM) in the cluster using SSH.
- Enter the ncli command to log into the nCLI prompt. ...
- The remote syslog server is enabled by default. ...
- Add an rsyslog server using the following command, which adds it to the cluster.
To view the current syslog configuration, use the show running-config system settings logging command in global configuration mode.
What is the default syslog port in ASA? ›
IMPORTANT NOTE: ASA sends syslog on UDP port 514 by default but protocol and port can be chosen. If TCP is chosen as the logging protocol, this causes the ASA to send syslog messages via a TCP connection to the syslog server.
What is the standard for Cisco syslog? ›
The default protocol for sending syslogs is UDP with a default port of 514. For TCP, the default port is 601. By default, the logging severity of syslogs is informational which means all syslogs at informational severity and higher will be logged.
What is the command to show logs in ASA? ›
Checking Logs in Cisco ASA Firewall CLI
Use the command "show logging" to display the system logs. To view specific log messages, you can use filters with the "show logging" command.
Where is syslog configuration? ›
The syslog daemon (syslogd) processing is controlled by a configuration file called /etc/syslog. conf, in which you define logging rules and output destinations for error messages, authorization violation messages, and trace data. Logging rules are defined using a facility name and a priority code.
The /etc/syslog. conf file is the configuration file for the syslogd daemon. It consists of lines with two fields: Selector field.
How do I connect to syslog? ›
Navigate to Admin | Configuration and select the Foreign Systems tab. At the SysLog page, click Create. Select a template for the messages, provide a Name and the SysLog Server Address (either tcp or udp). The default is udp on port 514.
How often does syslog send messages? ›
Most Cisco products stream syslog messages in approximately real time as they happen, not batched up at particular intervals. The frequency is therefore driven by what's happening on your platform.
What are the limitations of syslog? ›
It does not include an authentication mechanism and is therefore weak on security. Additionally, it is possible to lose syslog messages because of its reliance on UDP transport.
Can you have multiple syslog servers? ›
Each Syslog server connection generates network traffic from the firewall to the servers. If there are multiple syslog servers configured, it can result in higher network utilization and increased bandwidth consumption.
Which default destination do Cisco routers and switches use to send syslog messages? ›
By default, these syslog messages are only outputted to the console. This is because the logging console command is enabled by default.
How to configure a custom syslog sender and test user mappings? ›
Configuration
- Go to Device > User Identification > User Mapping.
- Edit the "Palo Alto Networks User ID Agent Setup" section.
- Go to the Syslog Filter tab and add a new Syslog Parse Profile.
- Determine the type for the profile (Regex Identifier or Field Identifier) depending on the complexity of the logs.
Syslog Forwarding
- Description: Enter name of the syslog server.
- Address: Enter the IP address for the syslog server.
- Protocol: Select TCP or UDP. ...
- Port: Enter port number for the syslog server.
- TLS: Select Disabled or Enabled. ...
- Verify TLS: Select the check-box to ensure that the TLS peer's server certificate is valid.
From the ISE Administration Interface, select Administration > System > Logging > Remote Logging Targets. Click Add in the Remote Logging Targets page. Name: Enter the name of the new target. Target Type: By default it is set to Syslog.
