- About This Guide
- Index
- Glossary
-
- Configuring IPSec and ISAKMP
- Configuring L2TP over IPSec
- Setting General VPN Parameters
- Configuring Tunnel Groups, Group Policies, and Users
- Configuring IP Addresses for VPN
- Configuring Remote Access VPNs
- Configuring Network Admission Control
- Configuring Easy VPN on the ASA 5505
- Configuring the PPPoE Client
- Configuring LAN-to-LAN VPNs
- Configuring Clientless SSL VPN
- Configuring AnyConnect VPN Client Connections
- Configuring AnyConnect Host Scan
- Information About Logging
- Licensing Requirements for Logging
- Prerequisites for Logging
- Guidelines and Limitations
- Configuring Logging
- Enabling Logging
- Configuring an Output Destination
- Sending Syslog Messages to an External Syslog Server
- Sending Syslog Messages to the Internal Log Buffer
- Sending Syslog Messages to an E-mail Address
- Sending Syslog Messages to ASDM
- Sending Syslog Messages to the Console Port
- Sending Syslog Messages to an SNMP Server
- Sending Syslog Messages to a Telnet or SSH Session
- Creating a Custom Event List
- Generating Syslog Messages in EMBLEM Format to a Syslog Server
- Generating Syslog Messages in EMBLEM Format to Other Output Destinations
- Changing the Amount of Internal Flash Memory Available for Logs
- Configuring the Logging Queue
- Sending All Syslog Messages in a Class to a Specified Output Destination
- Enabling Secure Logging
- Including the Device ID in Non-EMBLEM Format Syslog Messages
- Including the Date and Time in Syslog Messages
- Disabling a Syslog Message
- Changing the Severity Level of a Syslog Message
- Limiting the Rate of Syslog Message Generation
Configuring Logging
This chapter describes how to configure and manage logs for the ASA and includes the following sections:
Information About Logging
System logging is a method of collecting messages from devices to a server running a syslog daemon. Logging to a central syslog server helps in aggregation of logs and alerts. Cisco devices can send their log messages to a UNIX-style syslog service. A syslog service accepts messages and stores them in files, or prints them according to a simple configuration file. This form of logging provides protected long-term storage for logs. Logs are useful both in routine troubleshooting and in incident handling.
The ASA system logs provide you with information for monitoring and troubleshooting the ASA. With the logging feature, you can do the following:
- Specify which syslog messages should be logged.
- Disable or change the severity level of a syslog message.
- Specify one or more locations where syslog messages should be sent, including an internal buffer, one or more syslog servers, ASDM, an SNMP management station, specified e-mail addresses, or to Telnet and SSH sessions.
- Configure and manage syslog messages in groups, such as by severity level or class of message.
- Specify whether or not a rate-limit is applied to syslog generation.
- Specify what happens to the contents of the internal log buffer when it becomes full: overwrite the buffer, send the buffer contents to an FTP server, or save the contents to internal flash memory.
- Filter syslog messages by locations, severity level, class, or a custom message list.
This section includes the following topics:
- Logging in Multiple Context Mode
- Analyzing Syslog Messages
- Syslog Message Format
- Severity Levels
- Message Classes and Range of Syslog IDs
- Filtering Syslog Messages
- Using Custom Message Lists
Logging in Multiple Context Mode
Each security context includes its own logging configuration and generates its own messages. If you log in to the system or admin context, and then change to another context, messages you view in your session are only those messages that are related to the current context.
Syslog messages that are generated in the system execution space, including failover messages, are viewed in the admin context along with messages generated in the admin context. You cannot configure logging or view any logging information in the system execution space.
You can configure the ASA to include the context name with each message, which helps you differentiate context messages that are sent to a single syslog server. This feature also helps you to determine which messages are from the admin context and which are from the system; messages that originate in the system execution space use a device ID of system, and messages that originate in the admin context use the name of the admin context as the device ID.
Analyzing Syslog Messages
The following are some examples of the type of information you can obtain from a review of various syslog messages:
- Connections that are allowed by ASA security policies. These messages help you spot holes that remain open in your security policies.
- Connections that are denied by ASA security policies. These messages show what types of activity are being directed toward your secured inside network.
- Using the ACE deny rate logging feature shows attacks that are occurring on your ASA.
- IDS activity messages can show attacks that have occurred.
- User authentication and command usage provide an audit trail of security policy changes.
- Bandwidth usage messages show each connection that was built and torn down as well as the duration and traffic volume used.
- Protocol usage messages show the protocols and port numbers used for each connection.
- Address translation audit trail messages record NAT or PAT connections being built or torn down, which are useful if you receive a report of malicious activity coming from inside your network to the outside world.
Syslog Message Format
Syslog messages begin with a percent sign (%) and are structured as follows:
%ASA Level Message_number: Message_text
Field descriptions are as follows:
The syslog message facility code for messages that are generated by the ASA. This value is always ASA. |
|
1 through 7. The level reflects the severity of the condition described by the syslog message—the lower the number, the more severe the condition. See Table 77-1 for more information. |
|
A unique six-digit number that identifies the syslog message. |
|
A text string that describes the condition. This portion of the syslog message sometimes includes IP addresses, port numbers, or usernames. |
Severity Levels
Table 77-1 lists the syslog message severity levels. You can assign custom colors to each of the severity levels to make it easier to distinguish them in the ASDM log viewers. To configure syslog message color settings, either choose the Tools > Preferences > Syslog tab or, in the log viewer itself, click Color Settings on the toolbar.
|
|
|
---|---|---|
Note The ASA does not generate syslog messages with a severity level of zero (emergencies). This level is provided in the logging command for compatibility with the UNIX syslog feature but is not used by the ASA.
Message Classes and Range of Syslog IDs
For a list of syslog message classes and the ranges of syslog message IDs that are associated with each class, see the syslog message guide.
Filtering Syslog Messages
You can filter generated syslog messages so that only certain syslog messages are sent to a particular output destination. For example, you could configure the ASA to send all syslog messages to one output destination and to send a subset of those syslog messages to a different output destination.
Specifically, you can configure the ASA so that syslog messages are directed to an output destination according to the following criteria:
- Syslog message ID number
- Syslog message severity level
- Syslog message class (equivalent to a functional area of the ASA)
You customize these criteria by creating a message list that you can specify when you set the output destination. Alternatively, you can configure the ASA to send a particular message class to each type of output destination independently of the message list.
You can use syslog message classes in two ways:
- Specify an output location for an entire category of syslog messages using the logging class command.
- Create a message list that specifies the message class using the logging list command.
The syslog message class provides a method of categorizing syslog messages by type, equivalent to a feature or function of the ASA. For example, the vpnc class denotes the VPN client.
All syslog messages in a particular class share the same initial three digits in their syslog message ID numbers. For example, all syslog message IDs that begin with the digits 611 are associated with the vpnc (VPN client) class. Syslog messages associated with the VPN client feature range from 611101 to 611323.
In addition, most of the ISAKMP syslog messages have a common set of prepended objects to help identify the tunnel. These objects precede the descriptive text of a syslog message when available. If the object is not known at the time that the syslog message is generated, the specific heading = value combination does not appear.
The objects are prefixed as follows:
Group = groupname, Username = user, IP = IP_address
Where the group is the tunnel-group, the username is the username from the local database or AAA server, and the IP address is the public IP address of the remote access client or L2L peer.
Using Custom Message Lists
Creating a custom message list is a flexible way to exercise control over which syslog messages are sent to which output destination. In a custom syslog message list, you specify groups of syslog messages using any or all of the following criteria: severity level, message IDs, ranges of syslog message IDs, or message class.
For example, you can use message lists to do the following:
- Select syslog messages with the severity levels of 1 and 2 and send them to one or more e-mail addresses.
- Select all syslog messages associated with a message class (such as ha) and save them to the internal buffer.
A message list can include multiple criteria for selecting messages. However, you must add each message selection criterion with a new command entry. It is possible to create a message list that includes overlapping message selection criteria. If two criteria in a message list select the same message, the message is logged only once.
Licensing Requirements for Logging
The following table shows the licensing requirements for this feature:
|
|
---|---|
Prerequisites for Logging
Logging has the following prerequisites:
- The syslog server must run a server program called syslogd. Windows (except for Windows 95 and Windows 98) provides a syslog server as part of its operating system. For Windows 95 and Windows 98, you must obtain a syslogd server from another vendor.
- To view logs generated by the ASA, you must specify a logging output destination. If you enable logging without specifying a logging output destination, the ASA generates messages but does not save them to a location from which you can view them. You must specify each different logging output destination separately. For example, to designate more than one syslog server as an output destination, enter a new command for each syslog server.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Supported in single and multiple context modes.
Supported in routed and transparent firewall modes.
- Sending syslogs over TCP is not supported on a standby ASA.
- The ASA supports the configuration of 16 syslog servers with the logging host command in single context mode. In multiple context mode, the limitation is 4 servers per context.
- When you use a custom message list to match only access list hits, the access list logs are not generated for access lists that have had their logging severity level increased to debugging (level 7). The default logging severity level is set to 6 for the logging list command. This default behavior is by design. When you explicitly change the logging severity level of the access list configuration to debugging, you must also change the logging configuration itself.
The following is sample output from the show running-config logging command that will not include access list hits, because their logging severity level has been changed to debugging:
The following is sample output from the show running-config logging command that will include access list hits:
In this case, the access list configuration does not change and the number of access list hits appears, as shown in the following example:
Configuring Logging
This section describes how to configure logging and includes the following topics:
Note The minimum configuration depends on what you want to do and what your requirements are for handling syslog messages in the ASA.
Enabling Logging
To enable logging, enter the following command:
|
|
---|---|
|
Enables logging. To disable logging, enter the no logging enable command. |
What to Do Next
Configuring an Output Destination
To optimize syslog message usage for troubleshooting and performance monitoring, we recommend that you specify one or more locations where syslog messages should be sent, including an internal log buffer, one or more external syslog servers, ASDM, an SNMP management station, the console port, specified e-mail addresses, or Telnet and SSH sessions.
This section includes the following topics:
- Sending Syslog Messages to an External Syslog Server
- Sending Syslog Messages to the Internal Log Buffer
- Sending Syslog Messages to an E-mail Address
- Sending Syslog Messages to ASDM
- Sending Syslog Messages to the Console Port
- Sending Syslog Messages to an SNMP Server
- Sending Syslog Messages to a Telnet or SSH Session
- Creating a Custom Event List
- Generating Syslog Messages in EMBLEM Format to a Syslog Server
- Generating Syslog Messages in EMBLEM Format to Other Output Destinations
- Changing the Amount of Internal Flash Memory Available for Logs
- Configuring the Logging Queue
- Sending All Syslog Messages in a Class to a Specified Output Destination
- Enabling Secure Logging
- Including the Device ID in Non-EMBLEM Format Syslog Messages
- Including the Date and Time in Syslog Messages
- Disabling a Syslog Message
- Changing the Severity Level of a Syslog Message
- Limiting the Rate of Syslog Message Generation
Sending Syslog Messages to an External Syslog Server
You can archive messages according to the available disk space on the external syslog server, and manipulate logging data after it is saved. For example, you could specify actions to be executed when certain types of syslog messages are logged, extract data from the log and save the records to another file for reporting, or track statistics using a site-specific script.
To send syslog messages to an external syslog server, perform the following steps:
|
|
|
---|---|---|
hostname(config)# logging host dmz1 192.168.1.5 udp 1026 format emblem |
Configures the ASA to send messages to a syslog server. The format emblem keyword enables EMBLEM format logging for the syslog server with UDP only. The interface_name argument specifies the interface through which you access the syslog server. The syslog_ip argument specifies the IP address of the syslog server. The tcp[/ port ] or udp[/ port ] keyword and argument pair specify that the ASA and ASASM should use TCP or UDP to send syslog messages to the syslog server. You can configure the ASA to send data to a syslog server using either UDP or TCP, but not both. The default protocol is UDP if you do not specify a protocol. If you specify TCP, the ASA discover when the syslog server fails and as a security protection, new connections through the ASA are blocked. To allow new connections regardless of connectivity to a TCP syslog server, see Step 3. If you specify UDP, the ASA continue to allow new connections whether or not the syslog server is operational. Valid port values for either protocol are 1025 through 65535. The default UDP port is 514. The default TCP port is 1470. |
|
|
Specifies which syslog messages should be sent to the syslog server. You can specify the severity level number (1 through 7) or name. For example, if you set the severity level to 3, then the ASA send syslog messages for severity levels 3, 2, and 1. You can specify a custom message list that identifies the syslog messages to send to the syslog server. |
|
|
(Optional) Disables the feature to block new connections when a TCP-connected syslog server is down. If the ASA is configured to send syslog messages to a TCP-based syslog server, and if either the syslog server is down or the log queue is full, then new connections are blocked. New connections are allowed again after the syslog server is back up and the log queue is no longer full. For more information about the log queue, see the “Configuring the Logging Queue” section. |
|
|
(Optional) Sets the logging facility to a value other than 20, which is what most UNIX systems expect. |
Sending Syslog Messages to the Internal Log Buffer
To send syslog messages to the internal log buffer, perform the following steps:
Sending Syslog Messages to an E-mail Address
To send syslog messages to an e-mail address, perform the following steps:
Sending Syslog Messages to ASDM
To send syslog messages to ASDM, perform the following steps:
Sending Syslog Messages to the Console Port
To send syslog messages to the console port, enter the following command:
|
|
---|---|
|
Specifies which syslog messages should be sent to the console port. |
Sending Syslog Messages to an SNMP Server
To enable logging to an SNMP server, enter the following command:
Sending Syslog Messages to a Telnet or SSH Session
To send syslog messages to a Telnet or SSH session, perform the following steps:
Creating a Custom Event List
To create a custom event list, perform the following steps:
Generating Syslog Messages in EMBLEM Format to a Syslog Server
To generate syslog messages in EMBLEM format to a syslog server, enter the following command:
Generating Syslog Messages in EMBLEM Format to Other Output Destinations
To generate syslog messages in EMBLEM format to other output destinations, enter the following command:
|
|
---|---|
|
Sends syslog messages in EMBLEM format to output destinations other than a syslog server, such as Telnet or SSH sessions. |
Changing the Amount of Internal Flash Memory Available for Logs
To change the amount of internal flash memory available for logs, perform the following steps:
Configuring the Logging Queue
To configure the logging queue, enter the following command:
Sending All Syslog Messages in a Class to a Specified Output Destination
To send all syslog messages in a class to a specified output destination, enter the following command:
Enabling Secure Logging
To enable secure logging, enter the following command:
Including the Device ID in Non-EMBLEM Format Syslog Messages
To include the device ID in non-EMBLEM format syslog messages, enter the following command:
Including the Date and Time in Syslog Messages
To include the date and time in syslog messages, enter the following command:
Disabling a Syslog Message
To disable a specified syslog message, enter the following command:
Changing the Severity Level of a Syslog Message
To change the severity level of a syslog message, enter the following command:
Limiting the Rate of Syslog Message Generation
To limit the rate of syslog message generation, enter the following command:
Monitoring the Logs
To monitor the logs and assist in monitoring the system performance, enter one of the following commands:
|
|
---|---|
|
|
Shows a list of syslog messages with modified severity levels and disabled syslog messages. |
|
Examples
The following example shows the logging information that displays for the show logging command:
Configuration Examples for Logging
The following examples show how to control both whether a syslog message is enabled and the severity level of the specified syslog message:
Feature History for Logging
Table 77-2 lists each feature change and the platform release in which it was implemented.