ASA5520 - Syslog user login attempts
Pash
Member Posts: 1,600 ■■■■■□□□□□
Good Evening,
I have found and read the ASA 7.2 command refence logging commands here:-
Cisco Security Appliance Command Reference, Version 7.2 - logging asdm through logout message Commands [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems
Does anyone know a way of syslogging user logging attempts, whether by console/terminal login?
These are the commands I am running on my ASA thus far:-
logging enable
logging timestamp
logging standby
logging monitor warnings
logging buffered warnings
logging trap debugging
logging asdm informational
logging facility xx
logging host xxxxxx xxx.xxx.xxx.xxx
logging host xxxxxx xxx.xxx.xxx.xxx
Please let me know if anyone has set this up before or if it is even possible because my searches have not returned any results yet.
Cheers,
Pash
I have found and read the ASA 7.2 command refence logging commands here:-
Cisco Security Appliance Command Reference, Version 7.2 - logging asdm through logout message Commands [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems
Does anyone know a way of syslogging user logging attempts, whether by console/terminal login?
These are the commands I am running on my ASA thus far:-
logging enable
logging timestamp
logging standby
logging monitor warnings
logging buffered warnings
logging trap debugging
logging asdm informational
logging facility xx
logging host xxxxxx xxx.xxx.xxx.xxx
logging host xxxxxx xxx.xxx.xxx.xxx
Please let me know if anyone has set this up before or if it is even possible because my searches have not returned any results yet.
Cheers,
Pash
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
Comments
-
Ahriakin Member Posts: 1,799 ■■■■■■■■□□I have a link to the complete Cisco syslog message list for the ASA/PIX at work, I'll post it up tomorrow. It shouldn't be hard to isolate the authentication messages and set them to a higher (well lower, you know what I mean) syslog level so they can stand out.
If you want a live feed you can also create a filtered view from the ASDM for the correct message types.
Edit found it.
http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html
There are a few different messages based on the authentication method so have a search through and take note of the numbers you think you'll need, then use 'logging message xxxxxx level yyyyyy' to raise it above the informational level noise, or filter your Syslog viewer for them (I highly recommend Splunk).We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place? -
Pash Member Posts: 1,600 ■■■■■□□□□□Thanks for the info dude, this is helping me. I will post back with my efforts.DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
-
Pash Member Posts: 1,600 ■■■■■□□□□□Well I have had as much of a look at it as I can and seemingly its just not possible to do what our customer wants.
All of these messages are pumped to a IBM hosted syslog server (distributed logging and vulnerability service) but it just doesnt seem that we can log successful/failed login attempts.
Our cisco support vendor has said that we might need TACAS and maybe ACS to leave an audit trail.
Juniper firewalls will send all login attempts/failures to the syslog server (infact of several devices that I need to up the logging levels on the only device that doesnt need touching is an ssg140)DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.