To configure Cisco ASA or virtual context syslogs to be sent, configure either from the CLI or from ADSM according to the instructions below.
Syslog traffic must be configured to arrive to the TOS Aurora cluster that monitors the device at the Syslog VIP. See Sending Additional Information via Syslog.
Syslog proxy is supported for specific devices. For more information on syslog proxy support for supported devices, see Configuring Devices to Send Logs.
Only rules that are marked for logging in the device are included in the syslogs.
CLI Commands
| Configure the device to send syslog messages | logging enable |
| Set that the timestamp is included in the syslog message | logging timestamp |
| Set the level of events for which syslog messages are sent | logging facility 23 |
| Set the device-id that is included in the syslog message The Hostname for the device must be explicitly set via syslog for Real Time Monitoring to retrieve data. | logging device-id hostname |
| Set the device-id that is included in the syslog message with a virtual context | logging device-id context-name |
| Set to send events to SecureTrack for full accountability | logging list securetrack message 111008 |
| Set to send events for SecureTrack APG and SecureApp discovery | logging list securetrack message 106100 |
| Set to send events for SecureTrack APG and SecureApp discovery | logging list securetrack message 106023 |
| Set the level of severity of the messages that you want to receive | - logging message 111008 level notifications
- logging message 106100 level notifications
- logging message 106023 level notifications
|
| Set the trap message list name for the syslog messages | logging trap securetrack |
| Set the SecureTrack server to send the syslog messages to: - ip_address - The IP address of the SecureTrack server.
- interface_name - The interface that the SecureTrack server is behind.
| logging host <interface_name> <ip_address> |
ASDM Configuration
-
Log into the ASDM and enter the syslog configuration for the ASA device:
-
Log into the ASDM, and select the device from the Device List.
- Click Configuration.
- Click Device Management.
-
Enable logging on the ASA device:
-
Add the event IDs that you want to the ASA device to send:
- Select Event Lists, and click Add.
-
In the Add Event List window, type a Name, and under Message ID Filters, click Add.
-
Enter a syslog ID and click OK.
| Syslog ID | Purpose | Notes |
| 111008 | Full accountability | |
| 106023 106100 | SecureTrack APG and SecureApp connection discovery | - Syslog ID 106100 only sends syslogs for logged rules.
- For APG, you can use either of the syslog IDs or both IDs
- Click OK to close the Add Event List window.
|
-
Configure the logging filters to use the specified event IDs:
- Select Logging Filters, and double-click Syslog Servers.
- In the Edit Logging Filters window, select Use event list and select the event list configured above.
- Click OK.
-
Configure SecureTrack as a syslog server:
-
Select Syslog Servers, and click Add.
- In the Add Syslog Server window, select the interface used to access SecureTrack, and enter the syslog VIP of the cluster that is managing the device.
- Select UDP, Port:
514 , and clear Log messages in Cisco EMBLEM format. -
- Click OK.
-
Configure the format for the syslogs:
-
Select Syslog Setup.
-
Select Include timestamp in syslogs.
-
By Facility Code to Include in Syslogs, select LOCAL7(23).
To use a different facility, you must configure SecureTrack as described in this tech note: Configuring SecureTrack for Non-Default Syslogs
- Scroll down and double-click entry 111008. Set its Logging Level to Notifications, and click OK.
- Click Apply.
-
Still in the Syslog Setup page, click Advanced and select Enable syslog device ID.
If the device is not in context mode, you must enable the syslog device ID from the device's CLI with this command: logging device-id string <Enter the ID>
-
Configure a unique logging ID by selecting one of the following. No other device, including virtual contexts even on other devices, may have the same ID:
-
Hostname
The Hostname for the device must be explicitly set via syslog for Real Time Monitoring to retrieve data.
-
Context name (in a Virtual Context)
-
IP address (select an interface)
-
String (type the desired ID)
-
Click OK, and Apply.
For virtual contexts, configure a logging ID for each context.
FAQs
- Log into the ASDM and enter the syslog configuration for the ASA device: ...
- Enable logging on the ASA device: ...
- Add the event IDs that you want to the ASA device to send: ...
- Configure the logging filters to use the specified event IDs: ...
- Configure SecureTrack as a syslog server: ...
- Configure the format for the syslogs:
Data can be sent to a syslog server under the UDP or TCP protocol. Some syslog servers have no TCP listener ports, however. The most common UDP listener port is 514, whereas under TCP the port varies from application to application.
How do I send a message to syslog server? ›
Enter the message of the event log entry. Select the priority from the dropdown menu that is appropriate for this message. Select the facility from the dropdown menu that is appropriate for this message.
How do I send application logs to syslog? ›
Sending Logs to Syslog
- Host: Enter the host.
- Port: Enter the port.
- Transport type: Click the Transport type drop-down menu to select either TCP or UDP.
- Date format: Click the Data format drop-down menu to select either CEF or JSON as the data format.
Syslog servers can be defined in the Dashboard from Network-wide > Configure > General. Click the Add a syslog server link to define a new server. An IP address, UDP port number, and the roles to send to the server need to be defined. Multiple syslog servers can be configured.
What is the default syslog port in ASA? ›
ASA sends syslog on UDP port 514 by default, but protocol and port can be chosen.
Can Windows server send syslog messages? ›
Windows OS does not have built-in syslog protocol support. It means that Windows can send system log messages to a syslog server using third-party utilities only. Here is a brief instruction on how to translate Windows event log records to syslog messages and send them to a syslog server, for example, Syslog Watcher.
How do I forward logs to a syslog server? ›
Select the Manage tab and then click Advanced Options. The Syslog Forwarding tile shows the status as Inactive if you haven't already configured syslog forwarding . On the Syslog Forwarding tile, click Add to specify a target server to forward the logs to.
How do I forward Windows events to syslog? ›
Forward system events to a syslog or SIEM server
- Go to Administration > System Settings > Event Forwarding.
- Select Forward System Events to a remote computer (via Syslog) in the SIEM section.
- Specify the following information and then click Save: Setting. Notes. Hostname or IP address to which events should be sent.
Syslog messages typically come in two main formats: the original BSD format (RFC3164) the “new” format (RFC5424)
Configuring a Syslog Server
- On the Navigation pane, click Log > Configuration > Syslog Server to visit the Syslog Server List page.
- Click New.
- In the Syslog Server Configuration dialog, type the IP address of the syslog server into the Host name box.
- Select a protocol type from the Protocol drop-down list.
You can use the pidof utility to check whether pretty much any program is running (if it gives out at least one pid, the program is running). If you are using syslog-ng, this would be pidof syslog-ng ; if you are using syslogd, it would be pidof syslogd .
Where is syslog configuration file? ›
The syslog daemon processing is controlled by a configuration file called /etc/syslog. conf in which you define logging rules and output destinations for error messages, authorization violation messages, and trace data.
What is the difference between application log and syslog? ›
Difference :Application logging records the progress of the execution of an application, whereas the system log record system events.
Does syslog use TCP or UDP? ›
Syslog runs on UDP, where syslog servers listen to UDP port 514 and clients (sending log messages) use a port above 1023. Note that a syslog server will not send a message back to the client, but the syslog log server can communicate, normally using port 514.
How do I show syslog configuration in Cisco? ›
To view the current syslog configuration, use the show running-config system settings logging command in global configuration mode. nfvis# show running-config system settings logging system settings logging host 192.0.2.3 transport tcp port 1635 ! system settings logging host 192.0. 2.34 transport udp port 163 !
How to configure syslog server in clearpass? ›
Add a Syslog Target
- Click Administration, and then External Servers.
- Click Syslog Targets. The Syslog Targets page opens.
- Click Add. The Add Syslog Target dialog opens.
- Specify the following Add Syslog Target parameters: Parameter. Description. Host Address. ...
- Click Save. The new Syslog Target is added to the list.
Enable Syslog in FMC (Accountability)
- In the FMC, navigate to the System > Configuration tab.
- Select Audit Log.
- Configure the following parameters: Set Send Audit Log to Syslog to Enabled. In the Host field, enter the IP address of the syslog VIP. Set Facility to LOCAL7. Set Severity to NOTICE. ...
- Click Save.
