ASA5520 - Syslog user login attempts

Good Evening,

I have found and read the ASA 7.2 command refence logging commands here:-

Cisco Security Appliance Command Reference, Version 7.2 - logging asdm through logout message Commands [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems

Does anyone know a way of syslogging user logging attempts, whether by console/terminal login?

These are the commands I am running on my ASA thus far:-

logging enable
logging timestamp
logging standby
logging monitor warnings
logging buffered warnings
logging trap debugging
logging asdm informational
logging facility xx
logging host xxxxxx xxx.xxx.xxx.xxx
logging host xxxxxx xxx.xxx.xxx.xxx

Please let me know if anyone has set this up before or if it is even possible because my searches have not returned any results yet.

Cheers,

Pash

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Ahriakin

I have a link to the complete Cisco syslog message list for the ASA/PIX at work, I'll post it up tomorrow. It shouldn't be hard to isolate the authentication messages and set them to a higher (well lower, you know what I mean) syslog level so they can stand out.
If you want a live feed you can also create a filtered view from the ASDM for the correct message types.

Edit found it.
http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html

There are a few different messages based on the authentication method so have a search through and take note of the numbers you think you'll need, then use 'logging message xxxxxx level yyyyyy' to raise it above the informational level noise, or filter your Syslog viewer for them (I highly recommend Splunk).

Pash

Thanks for the info dude, this is helping me. I will post back with my efforts.

Pash

Well I have had as much of a look at it as I can and seemingly its just not possible to do what our customer wants.

All of these messages are pumped to a IBM hosted syslog server (distributed logging and vulnerability service) but it just doesnt seem that we can log successful/failed login attempts.

Our cisco support vendor has said that we might need TACAS and maybe ACS to leave an audit trail.

Juniper firewalls will send all login attempts/failures to the syslog server (infact of several devices that I need to up the logging levels on the only device that doesnt need touching is an ssg140)

Quick Links

All Categories
Recent Posts
Activity
Unanswered
Groups
Best Of