Configuring a Cisco ASA to Send Syslogs

SecureChange Requester This topic is intended for TOS Administrators.

Overview

To configure Cisco ASA or virtual context syslogs to be sent, configure either from the CLI or from ADSM.

Syslog traffic must be configured to arrive to the TOS cluster that monitors the device - see Sending Additional Information via Syslog.

Syslog proxy is supported for specific devices. For more information on syslog proxy support for supported devices, see Configuring Devices to Send Logs.

Only rules that are marked for logging in the device are included in the syslogs.

Configuration Using CLI Commands

Configuration

CLI Command

Configure the device to send syslog messages

logging enable

Set that the timestamp is included in the syslog message

logging timestamp

Set the level of events for which syslog messages are sent

logging facility 23

Set the device-id that is included in the syslog message

The Hostname for the device must be explicitly set via syslog for Real Time Monitoring to retrieve data.

logging device-id hostname

Set the device-id that is included in the syslog message with a virtual context

logging device-id context-name

Set to send events to SecureTrack for full accountability

logging list securetrack message 111008

Set to send events for SecureTrack APG and SecureApp discovery

logging list securetrack message 106100

Set to send events for SecureTrack APG and SecureApp discovery

logging list securetrack message 106023

Set the level of severity of the messages that you want to receive
  • logging message 111008 level notifications
  • logging message 106100 level notifications
  • logging message 106023 level notifications

Set the trap message list name for the syslog messages

logging trap securetrack

Set the SecureTrack server to send the syslog messages to:

  • ip_address: IP address of the SecureTrack server.
  • interface_name: Interface that the SecureTrack server is behind.

logging host <interface_name> <ip_address>

Configure Using ASDM

  1. Log into the ASDM and enter the syslog configuration for the ASA device:

    1. Log into the ASDM, and select the device from the Device List.

      ASDM select device

    2. Click Configuration.

      ASDM Configuration

    3. Click Device Management.

      ASDM Device Mgmt

  2. Enable logging on the ASA device:

    • In Logging > Logging Setup, select Enable logging.

      ASDM enable logging

  3. Add the event IDs that you want to the ASA device to send:

    1. Select Event Lists, and click Add.

      ASDM Event Lists Add

    2. In the Add Event List window, type a Name, and under Message ID Filters, click Add.

      ASDM add event list

    3. Enter a syslog ID and click OK.

      Syslog ID

      Purpose

      Notes

      111008

      Full accountability

      106023

      106100

      SecureTrack APG and SecureApp connection discovery
      • Syslog ID 106100 only sends syslogs for logged rules.
      • For APG, you can use either of the syslog IDs or both IDs
        1. Click OK to close the Add Event List window.

  4. Configure the logging filters to use the specified event IDs:

    1. Select Logging Filters, and double-click Syslog Servers.

      ASDM syslog servers

    2. In the Edit Logging Filters window, select Use event list and select the event list configured above.

      ASDM edit logging filters

    3. Click OK.

  5. Configure SecureTrack as a syslog server:

    1. Select Syslog Servers, and click Add.

      ASDM add syslog server

    2. In the Add Syslog Server window, select the interface used to access SecureTrack, and enter the appropriate TOS destination described in Sending Additional Information via Syslog..
    3. Select UDP, Port: 514 , and clear Log messages in Cisco EMBLEM format.
    4. ASDM add syslog server settings
    5. Click OK.

  6. Configure the format for the syslogs:

    1. Select Syslog Setup.

      ASDM syslog setup

    2. Select Include timestamp in syslogs.

    3. By Facility Code to Include in Syslogs, select LOCAL7(23).

      To use a different facility, you must configure SecureTrack as described in this tech note: Configuring SecureTrack for Non-Default Syslogs

    4. Scroll down and double-click entry 111008. Set its Logging Level to Notifications, and click OK.
    5. Click Apply.

    6. Still in the Syslog Setup page, click Advanced and select Enable syslog device ID.

      If the device is not in context mode, you must enable the syslog device ID from the device's CLI with this command: logging device-id string <Enter the ID>

    7. Configure a unique logging ID by selecting one of the following. No other device, including virtual contexts even on other devices, may have the same ID:

      • Hostname

        The Hostname for the device must be explicitly set via syslog for Real Time Monitoring to retrieve data.

      • Context name (in a Virtual Context)

      • IP address (select an interface)

      • String (type the desired ID)

    8. Click OK, and Apply.

      For virtual contexts, configure a logging ID for each context.