Cisco ASA 5500 Series Configuration Guide using ASDM, 6.3
Configuring Logging
Downloads: This chapterpdf (PDF - 309.0KB) The complete bookPDF (PDF - 22.37MB) | Feedback

Configuring Logging

Table Of Contents

Configuring Logging

Information About Logging

Logging in Multiple Context Mode

Analyzing Syslog Messages

Syslog Message Format

Severity Levels

Message Classes and Range of Syslog IDs

Filtering Syslog Messages

Sorting in the Log Viewers

Using Custom Message Lists

Licensing Requirements for Logging

Prerequisites for Logging

Guidelines and Limitations

Configuring Logging

Enabling Logging

Configuring an Output Destination

Sending Syslog Messages to an External Syslog Server

Configuring FTP Settings

Configuring Logging Flash Usage

Configuring Syslog Messaging

Editing Syslog ID Settings

Including a Device ID in Non-EMBLEM Formatted Syslog Messages

Sending Syslog Messages to the Internal Log Buffer

Sending Syslog Messages to an E-mail Address

Adding or Editing E-Mail Recipients

Configuring the Remote SMTP Server

Applying Message Filters to a Logging Destination

Applying Logging Filters

Adding or Editing a Message Class and Severity Filter

Adding or Editing a Syslog Message ID Filter

Sending Syslog Messages to the Console Port

Sending Syslog Messages to a Telnet or SSH Session

Creating a Custom Event List

Generating Syslog Messages in EMBLEM Format to a Syslog Server

Adding or Editing Syslog Server Settings

Generating Syslog Messages in EMBLEM Format to Other Output Destinations

Changing the Amount of Internal Flash Memory Available for Logs

Configuring the Logging Queue

Sending All Syslog Messages in a Class to a Specified Output Destination

Enabling Secure Logging

Including the Device ID in Non-EMBLEM Format Syslog Messages

Including the Date and Time in Syslog Messages

Disabling a Syslog Message

Changing the Severity Level of a Syslog Message

Limiting the Rate of Syslog Message Generation

Assigning or Changing Rate Limits for Individual Syslog Messages

Adding or Editing the Rate Limit for a Syslog Message

Editing the Rate Limit for a Syslog Severity Level

Log Monitoring

Filtering Syslog Messages Through the Log Viewers

Editing Filtering Settings

Feature History for Logging


Configuring Logging


This chapter describes how to configure and manage logs for the adaptive security appliance and includes the following sections:

Information About Logging

Licensing Requirements for Logging

Prerequisites for Logging

Guidelines and Limitations

Configuring Logging

Log Monitoring

Feature History for Logging

Information About Logging

System logging is a method of collecting messages from devices to a server running a syslog daemon. Logging to a central syslog server helps in aggregation of logs and alerts. Cisco devices can send their log messages to a UNIX-style syslog service. A syslog service accepts messages and stores them in files, or prints them according to a simple configuration file. This form of logging is the best available for Cisco devices, because it can provide protected long-term storage for logs. Logs are useful both in routine troubleshooting and in incident handling.

The adaptive security appliance system logs provide you with information for monitoring and troubleshooting the adaptive security appliance. With the logging feature, you can do the following:

Specify which syslog messages should be logged.

Disable or change the severity level of a syslog message.

Specify one or more locations where syslog messages should be sent, including an internal buffer, one or more syslog servers, ASDM, an SNMP management station, specified e-mail addresses, or to Telnet and SSH sessions.

Configure and manage syslog messages in groups, such as by severity level or class of message.

Specify whether or not a rate-limit is applied to syslog generation.

Specify what happens to the contents of the internal log buffer when it becomes full: overwrite the buffer, send the buffer contents to an FTP server, or save the contents to internal flash memory.

Filter syslog messages by locations, severity level, class, or a custom message list.

This section includes the following topics:

Logging in Multiple Context Mode

Analyzing Syslog Messages

Syslog Message Format

Severity Levels

Filtering Syslog Messages

Sorting in the Log Viewers

Message Classes and Range of Syslog IDs

Using Custom Message Lists

Logging in Multiple Context Mode

Each security context includes its own logging configuration and generates its own messages. If you log in to the system or admin context, and then change to another context, messages you view in your session are only those messages that are related to the current context.

Syslog messages that are generated in the system execution space, including failover messages, are viewed in the admin context along with messages generated in the admin context. You cannot configure logging or view any logging information in the system execution space.

You can configure the adaptive security appliance to include the context name with each message, which helps you differentiate context messages that are sent to a single syslog server. This feature also helps you to determine which messages are from the admin context and which are from the system; messages that originate in the system execution space use a device ID of system, and messages that originate in the admin context use the name of the admin context as the device ID.

Analyzing Syslog Messages

The following are some examples of the type of information you can obtain from a review of various syslog messages:

Connections that are allowed by adaptive security appliance security policies. These messages help you spot holes that remain open in your security policies.

Connections that are denied by adaptive security appliance security policies. These messages show what types of activity are being directed toward your secured inside network.

Using the ACE deny rate logging feature shows attacks that are occurring against your adaptive security appliance.

IDS activity messages can show attacks that have occurred.

User authentication and command usage provide an audit trail of security policy changes.

Bandwidth usage messages show each connection that was built and torn down, as well as the duration and traffic volume used.

Protocol usage messages show the protocols and port numbers used for each connection.

Address translation audit trail messages record NAT or PAT connections being built or torn down, which are useful if you receive a report of malicious activity coming from inside your network to the outside world.

Syslog Message Format

Syslog messages begin with a percent sign (%) and are structured as follows:

%ASA Level Message_number: Message_text
 
   

Field descriptions are as follows:

ASA

The syslog message facility code for messages that are generated by the adaptive security appliance. This value is always ASA.

Level

1 through 7. The level reflects the severity of the condition described by the syslog message—the lower the number, the more severe the condition. See Table 72-1 for more information.

Message_number

A unique six-digit number that identifies the syslog message.

Message_text

A text string that describes the condition. This portion of the syslog message sometimes includes IP addresses, port numbers, or usernames.


Severity Levels

Table 72-1 lists the syslog message severity levels. You can assign custom colors to each of the severity levels to make it easier to distinguish them in the ASDM log viewers. To configure syslog message color settings, either choose the Tools > Preferences > Syslog tab or, in the log viewer itself, click Color Settings in the toolbar.

Table 72-1 Syslog Message Severity Levels

Level Number
Severity Level
Description

0

emergencies

System is unusable.

1

alert

Immediate action is needed.

2

critical

Critical conditions.

3

error

Error conditions.

4

warning

Warning conditions.

5

notification

Normal but significant conditions.

6

informational

Informational messages only.

7

debugging

Debugging messages only.



Note The adaptive security appliance does not generate syslog messages with a severity level of zero (emergencies). This level is provided in the logging command for compatibility with the UNIX syslog feature but is not used by the adaptive security appliance.


Message Classes and Range of Syslog IDs

For a list of syslog message classes and the ranges of syslog message IDs that are associated with each class, see the Cisco ASA 5500 Series System Log Messages.

Filtering Syslog Messages

You can filter generated syslog messages so that only certain syslog messages are sent to a particular output destination. For example, you could configure the adaptive security appliance to send all syslog messages to one output destination and to send a subset of those syslog messages to a different output destination.

Specifically, you can configure the adaptive security appliance so that syslog messages are directed to an output destination according to the following criteria:

Syslog message ID number

Syslog message severity level

Syslog message class (equivalent to a functional area of the adaptive security appliance)

You customize these criteria by creating a message list that you can specify when you set the output destination. Alternatively, you can configure the adaptive security appliance to send a particular message class to each type of output destination independently of the message list.

You can use syslog message classes in two ways:

Specify an output location for an entire category of syslog messages using the logging class command.

Create a message list that specifies the message class using the logging list command.

The syslog message class provides a method of categorizing syslog messages by type, equivalent to a feature or function of the adaptive security appliance. For example, the vpnc class denotes the VPN client.

All syslog messages in a particular class share the same initial three digits in their syslog message ID numbers. For example, all syslog message IDs that begin with the digits 611 are associated with the vpnc (VPN client) class. Syslog messages associated with the VPN client feature range from 611101 to 611323.

In addition, most of the ISAKMP syslog messages have a common set of prepended objects to help identify the tunnel. These objects precede the descriptive text of a syslog message when available. If the object is not known at the time the syslog message is generated, the specific heading = value combination is not displayed.

The objects are prefixed as follows:

Group = groupname, Username = user, IP = IP_address, ...

Where the group identifies the tunnel-group, the username is the username from the local database or AAA server, and the IP address is the public IP address of the remote access client or L2L peer.

Sorting in the Log Viewers

You can sort messages in all ASDM log viewers (that is, the Real-Time Log Viewer, the Log Buffer Viewer, and the Latest ASDM Syslog Events Viewer). To sort tables by multiple columns, click the header of the first column that you want to sort by, then press and hold down the Ctrl key and at the same time, click the headers of the other column(s) that you want to include in the sort order. To sort messages chronologically, select both the date and time columns; otherwise, the messages will be sorted only by date (regardless of the time) or only by time (regardless of the date).

When you sort messages in the Real-Time Log Viewer Viewer and in the Latest ASDM Syslog Events Viewer, the new messages that come in appear in the sorted order, instead of at the top, as they normally would be. That is, they are mixed in with the rest of the messages.

Using Custom Message Lists

Creating a custom message list is a flexible way to exercise control over which syslog messages are sent to which output destination. In a custom syslog message list, you specify groups of syslog messages using any or all of the following criteria: severity level, message IDs, ranges of syslog message IDs, or message class.

For example, you can use message lists to do the following:

Select syslog messages with severity levels of 1 and 2 and send them to one or more e-mail addresses.

Select all syslog messages associated with a message class (such as ha) and save them to the internal buffer.

A message list can include multiple criteria for selecting messages. However, you must add each message selection criterion with a new command entry. It is possible to create a message list that includes overlapping message selection criteria. If two criteria in a message list select the same message, the message is logged only once.

Licensing Requirements for Logging

The following table shows the licensing requirements for this feature:

Model
License Requirement

All models

Base License.


Prerequisites for Logging

Logging has the following prerequisites:

The syslog server must run a server program called syslogd. Windows (except for Windows 95 and Windows 98) provides a syslog server as part of its operating system. For Windows 95 and Windows 98, you must obtain a syslogd server from another vendor.

To view logs generated by the adaptive security appliance, you must specify a logging output destination. If you enable logging without specifying a logging output destination, the adaptive security appliance generates messages but does not save them to a location from which you can view them. You must specify each different logging output destination separately. For example, to designate more than one syslog server as an output destination, specify separate entries in the Syslog Server pane for each syslog server.

Guidelines and Limitations

Context Mode Guidelines

Supported in single and multiple context modes.

Firewall Mode Guidelines

Supported in routed and transparent firewall modes.

IPv6 Guidelines

Supports IPv6.

Additional Guidelines

Sending syslogs over TCP is not supported on a standby adaptive security appliance.

Configuring Logging

This section describes how to configure logging, and includes the following topics:

Enabling Logging

Configuring an Output Destination


Note The minimum configuration depends on what you want to do and what your requirements are for handling syslog messages in the adaptive security appliance.


Enabling Logging

To enable logging, perform the following steps:

Path
Purpose

Choose one of the following:

Home > Latest ASDM Syslog Messages > Enable Logging

Configuration > Device Management > Logging > Logging Setup

Monitoring > Real-Time Log Viewer > Enable Logging

Monitoring > Log Buffer > Enable Logging

Enables logging.


What to Do Next

See the "Configuring an Output Destination" section.

Configuring an Output Destination

To optimize syslog message usage for troubleshooting and performance monitoring, we recommend that you specify one or more locations where syslog messages should be sent, including an internal log buffer, one or more external syslog servers, ASDM, an SNMP management station, the console port, specified e-mail addresses, or Telnet and SSH sessions.

This section includes the following topics:

Sending Syslog Messages to an External Syslog Server

Sending Syslog Messages to the Internal Log Buffer

Sending Syslog Messages to an E-mail Address

Sending Syslog Messages to the Console Port

Sending Syslog Messages to a Telnet or SSH Session

Creating a Custom Event List

Generating Syslog Messages in EMBLEM Format to a Syslog Server

Generating Syslog Messages in EMBLEM Format to Other Output Destinations

Changing the Amount of Internal Flash Memory Available for Logs

Sending All Syslog Messages in a Class to a Specified Output Destination

Enabling Secure Logging

Including the Device ID in Non-EMBLEM Format Syslog Messages

Including the Date and Time in Syslog Messages

Disabling a Syslog Message

Changing the Severity Level of a Syslog Message

Limiting the Rate of Syslog Message Generation

Sending Syslog Messages to an External Syslog Server

You can archive messages according to the available disk space on the external syslog server, and manipulate logging data after it is saved. For example, you could specify actions to be executed when certain types of syslog messages are logged, extract data from the log and save the records to another file for reporting, or track statistics using a site-specific script.

To send syslog messages to an external syslog server, perform the following steps:


Step 1 Choose Configuration > Device Management > Logging > Logging Setup.

Step 2 Check the Enable logging check box to turn on logging for the main adaptive security appliance.

Step 3 Check the Enable logging on the failover standby unit check box to turn on logging for the standby adaptive security appliance, if available.

Step 4 Check the Send debug messages as syslogs check box to redirect all debugging trace output to system logs. The syslog message does not appear on the console if this option is enabled. Therefore, to view debugging messages, you must have logging enabled at the console and have it configured as the destination for the debugging syslog message number and severity level. The syslog message number to use is 711001. The default severity level for this syslog message is debugging.

Step 5 Check the Send syslogs in EMBLEM format check box to enable EMBLEM format so that it is used for all log destinations, except syslog servers.

Step 6 In the Buffer Size field, specify the size of the internal log buffer to which syslog messages are saved if the logging buffer is enabled. When the buffer fills up, messages will be overwritten unless you save the logs to an FTP server or to internal flash memory. The default buffer size is 4096 bytes. The range is 4096 to 1048576.

Step 7 To save the buffer content to the FTP server before it is overwritten, check the Save Buffer To FTP Server check box. To allow overwriting of the buffer content, uncheck this check box.

Step 8 Click Configure FTP Settings to identify the FTP server and configure the FTP parameters used to save the buffer content. For more information, see the "Configuring FTP Settings" section.

Step 9 To save the buffer content to internal flash memory before it is overwritten, check the Save Buffer To Flash check box.


Note This option is only available in routed or transparent single mode.


Step 10 Click Configure Flash Usage to specify the maximum space to be used in internal flash memory for logging and the minimum free space to be preserved (in KB). Enabling this option creates a directory called "syslog" on the device disk on which messages are stored. For more information, see the "Configuring Logging Flash Usage" section.


Note This option is only available in routed or transparent single mode.


Step 11 In the Queue Size field, specify the queue size for system logs that are to be viewed in the adaptive security appliance.


Configuring FTP Settings

To specify the configuration for the FTP server that is used to save the log buffer content, perform the following steps:


Step 1 Check the Enable FTP client check box to enable configuration of the FTP client.

Step 2 In the Server IP Address field, specify the IP address of the FTP server.

Step 3 In the Path field, specify the directory path on the FTP server to store the saved log buffer content.

Step 4 In the Username field, specify the username to log in to the FTP server.

Step 5 In the Password field, specify the password associated with the username to log in to the FTP server.

Step 6 In the Confirm Password field, reenter the password, and click OK.


Configuring Logging Flash Usage

To specify the limits for saving log buffer content to internal flash memory, perform the following steps:


Step 1 In the Maximum Flash to Be Used by Logging field, specify the maximum amount of internal flash memory that can be used for logging (in KB).

Step 2 In the Minimum Free Space to Be Preserved field, specify the amount of internal flash memory that is preserved (in KB). When the internal flash memory approaches that limit, new logs are no longer saved.

Step 3 Click OK to close this dialog box.


Configuring Syslog Messaging

To configure syslog messaging, perform the following steps:


Step 1 Choose Configuration > Device Management > Logging > Syslog Setup.

Step 2 From the Facility code to include in syslogs drop-down list, choose a system log facility for syslog servers to use as a basis to file messages. The default is LOCAL(4)20, which is what most UNIX systems expect. However, because your network devices share eight available facilities, you might need to change this value for system logs.

Step 3 To add the date and time in each syslog message sent, check the Include timestamp in syslogs check box.

Step 4 From the Show drop-down list, choose the information to be displayed in the Syslog ID table. Available options are as follows:

To specify that the Syslog ID table should display the entire list of syslog message IDs, choose Show all syslog IDs.

To specify that the Syslog ID table should display only those syslog message IDs that have been explicitly disabled, choose Show disabled syslog IDs.

To specify that the Syslog ID table should display only those syslog message IDs with severity levels that have changed from their default values, choose Show syslog IDs with changed logging.

To specify that the Syslog ID table should display only those syslog message IDs with severity levels that have been modified and the IDs of syslog messages that have been explicitly disabled, choose Show syslog IDs that are disabled or with a changed logging level.

Step 5 The Syslog ID Setup Table displays the list of syslog messages based on the setting in the Syslog ID Setup Table. Choose individual messages or ranges of message IDs that you want to modify. You can either disable the selected message IDs or modify their severity levels. To select more than one message ID in the list, click the first ID in the range and Shift-click the last ID in the range.

Step 6 To configure syslog messages to include a device ID, click Advanced. For more information, see the "Editing Syslog ID Settings" section and the "Including a Device ID in Non-EMBLEM Formatted Syslog Messages" section.


Editing Syslog ID Settings

To change syslog message settings, perform the following steps:


Note The Syslog ID(s) field is display-only. The values that appear in this area are determined by the entries you chose in the Syslog ID table, located in the Syslog Setup pane.



Step 1 Check the Disable Message(s) check box to disable messages for the syslog message ID(s) displayed in the Syslog ID(s) list.

Step 2 From the Logging Level drop-down list, choose the severity level of messages to be sent for the syslog message ID(s) displayed in the Syslog ID(s) list. Severity levels are defined as follows:

Emergency (level 0, system is unusable)

Alert (level 1, immediate action is needed)

Critical (level 2, critical conditions)

Error (level 3, error conditions)

Warning (level 4, warning conditions)

Notification (level 5, normal but significant conditions)

Informational (level 6, informational messages only)

Debugging (level 7, debugging messages only)


Note Using a severity level of zero is not recommended.


Step 3 Click OK to close this dialog box.


Including a Device ID in Non-EMBLEM Formatted Syslog Messages

To include a device ID in non-EMBLEM formatted syslog messages, perform the following steps:


Step 1 Check the Enable syslog device ID check box to specify that a device ID should be included in all non-EMBLEM formatted syslog messages.

Step 2 To specify which to use as the device ID, choose one of the following options:

Hostname of the adaptive security appliance

Interface IP address

Choose the interface name that corresponds to the specified IP address from the drop-down list.

String

In the User-Defined ID field, specify an alphanumeric, user-defined string.

Context

Step 3 Click OK to close this dialog box.


Sending Syslog Messages to the Internal Log Buffer

To send syslog messages to the internal log buffer, perform the following steps:

 
Path
Purpose

Step 1 

Choose one of the following:

Home > Latest ASDM Syslog Messages > Configure ASDM Syslog Filters

Configuration > Device Management > Logging > Logging Filters

Specifies which syslog messages should be sent to the internal log buffer, which serves as a temporary storage location. New messages are appended to the end of the list. When the buffer is full, that is, when the buffer wraps, old messages are overwritten as new messages are generated, unless you configure the adaptive security appliance to save the full buffer to another location. To empty the internal log buffer, choose Monitoring > Logging > Log Buffer > View. Then in the Log Buffer pane, choose File > Clear Internal Log Buffer.

Step 2 

Configuration > Device Management > Logging > Logging Setup

Changes the size of the internal log buffer. The buffer size is 4 KB.

Step 3 

Choose one of the following options:

 

Configuration > Device Management > Logging > Logging Setup > Configure Flash Usage

When saving the buffer content to another location, the adaptive security appliance creates log files with names that use the following time-stamp format:

LOG-YYYY-MM-DD-HHMMSS.TXT
 
        

where YYYY is the year, MM is the month, DD is the day of the month, and HHMMSS is the time in hours, minutes, and seconds.

The adaptive security appliance continues to save new messages to the internal log buffer and saves the full log buffer content to the internal flash memory.

 

Configuration > Device Management > Logging > Logging Setup > Configure FTP Settings

When saving the buffer content to another location, the adaptive security appliance creates log files with names that use the following time-stamp format:

LOG-YYYY-MM-DD-HHMMSS.TXT
 
        

where YYYY is the year, MM is the month, DD is the day of the month, and HHMMSS is the time in hours, minutes, and seconds.

The adaptive security appliance continues saving new messages to the internal log buffer and saves the full log buffer content to an FTP server.

 

Configuration > Device Management > Logging > Logging Setup > Configure FTP Settings

Identifies the FTP server on which you want to store log buffer content.

 

Configuration > Device Management > Logging > Logging Setup > Configure FTP Settings

Saves the current log buffer content to the internal flash memory.

Sending Syslog Messages to an E-mail Address

To send syslog messages to an e-mail address, perform the following steps:


Step 1 Choose Configuration > Device Management > Logging > E-Mail Setup.

Step 2 In the Source E-Mail Address field, specify the e-mail address that is used as the source address for syslog messages that are sent as e-mail messages.

Step 3 Click Add to enter a new e-mail address recipient of the specified syslog messages. For more information, see the "Adding or Editing E-Mail Recipients" section.

Step 4 Choose the severity level of the syslog messages that are sent to the recipient from the drop-down list. The syslog message severity filter used for the destination e-mail address causes messages of the specified severity level and higher to be sent. The global filter specified in the Logging Filters pane is also applied to each e-mail recipient. For more information, see the "Applying Logging Filters" section.

Step 5 Click Edit to modify an existing severity level of the syslog messages that are sent to this recipient. For more information, see the "Adding or Editing E-Mail Recipients" section.

Step 6 Click OK to close this dialog box.

Step 7 To continue, see the "Configuring the Remote SMTP Server" section.


Adding or Editing E-Mail Recipients

To add or edit e-mail recipients and severity levels, see the "Configuring Syslog Messaging" section.


Note The severity level used to filter messages for the destination e-mail address is the higher of the severity level specified in the Add/Edit E-Mail Recipient dialog box and the global filter set for all e-mail recipients in the Logging Filters pane.


Configuring the Remote SMTP Server

To configure the remote SMTP server to which e-mail alerts and notifications are sent in response to specific events, perform the following steps:


Step 1 Choose Configuration > Device Setup > Logging > SMTP.

Step 2 Enter the IP address of the primary SMTP server.

Step 3 (Optional) Enter the IP address of the standby SMTP server, and click Apply.


Applying Message Filters to a Logging Destination

To apply message filters to a logging destination, perform the following steps:


Step 1 Choose Configuration > Device Management > Logging > Logging Filters.

Step 2 Choose the name of the logging destination to which you want to apply a filter. Available logging destinations are as follows:

ASDM

Console port

E-Mail

Internal buffer

SNMP server

Syslog server

Telnet or SSH session

Included in this selection are the second column, Syslogs From All Event Classes, and the third column, Syslogs From Specific Event Classes. The second column lists the severity or the event class to use to filter messages for the logging destination, or whether logging is disabled for all event classes. The third column lists the event class to use to filter messages for that logging destination. For more information, see the "Adding or Editing a Message Class and Severity Filter" section and the "Adding or Editing a Syslog Message ID Filter" section.

Step 3 Click Edit to display the Edit Logging Filters dialog box. To apply, edit, or disable filters, see the "Applying Logging Filters" section.


Applying Logging Filters

To apply filters, perform the following steps:


Step 1 Choose the Filter on severity option to filter syslog messages according to their severity level.

Step 2 Choose the Use event list option to filter syslog messages according to an event list.

Step 3 Choose the Disable logging from all event classes option to disable all logging to the selected destination.

Step 4 Click New to add a new event list. To add a new event list, see the "Creating a Custom Event List" section.

Step 5 Choose the event class from the drop-down list. Available event classes change according to the device mode that you are using.

Step 6 Choose the level of logging messages from the drop-down list. Severity levels include the following:

Emergency (level 0, system is unusable)

Alert (level 1, immediate action is needed)

Critical (level 2, critical conditions)

Error (level 3, error conditions)

Warning (level 4, warning conditions)

Notification (level 5, normal but significant conditions)

Informational (level 6, informational messages only)

Debugging (level 7, debugging messages only)

Step 7 Click Add to add the event class and severity level, and then click OK.

The selected logging destination for a filter appears at the top.


Note Using a severity level of zero is not recommended.



Adding or Editing a Message Class and Severity Filter

To add or edit a message class and severity level for filtering messages, perform the following steps:


Step 1 Choose the event class from the drop-down list. Available event classes change according to the device mode that you are using.

Step 2 Choose the level of logging messages from the drop-down list. Severity levels include the following:

Emergency (level 0, system is unusable)

Alert (level 1, immediate action is needed)

Critical (level 2, critical conditions)

Error (level 3, error conditions)

Warning (level 4, warning conditions)

Notification (level 5, normal but significant conditions)

Informational (level 6, informational messages only)

Debugging (level 7, debugging messages only)

Step 3 Click OK when you are done making selections.


Note Using a severity level of zero is not recommended.



Adding or Editing a Syslog Message ID Filter

To add or edit a syslog message ID filter, see the "Adding or Editing a Syslog Message ID Filter" section.

Sending Syslog Messages to the Console Port

To send syslog messages to the console port, perform the following steps:

Path
Purpose

Choose one of the following:

Home > Latest ASDM Syslog Messages > Configure ASDM Syslog Filters

Configuration > Device Management > Logging > Logging Filters

Specifies which syslog messages should be sent to the console port.


Sending Syslog Messages to a Telnet or SSH Session

To send syslog messages to a Telnet or SSH session, perform the following steps:

 
Path
Purpose

Step 1 

Choose one of the following:

Home > Latest ASDM Syslog Messages > Configure ASDM Syslog Filters

Configuration > Device Management > Logging > Logging Filters

Specifies which syslog messages should be sent to a Telnet or SSH session.

Step 2 

Configuration > Device Management > Logging > Logging Setup

Enables logging to the current session only.

Creating a Custom Event List

You use the following three criteria to define an event list:

Event Class

Severity

Message ID

To create a custom list of events to send to a specific logging destination (for example, an SNMP server), perform the following steps:


Step 1 Choose Configuration > Device Management > Logging > Event Lists.

Step 2 Click Add to display the Add Event List dialog box.

Step 3 In the Name field, enter the name of the event list. No spaces are allowed.

Step 4 In the Event Class/Severity area, click Add to display the Add Class and Severity Filter dialog box

Step 5 Choose the event class from the drop-down list. Available event classes change according to the device mode that you are using.

Step 6 Choose the severity level from the drop-down list. Severity levels include the following:

Emergency (level 0, system is unusable)

Alert (level 1, immediate action is needed)

Critical (level 2, critical conditions)

Error (level 3, error conditions)

Warning (level 4, warning conditions)

Notification (level 5, normal but significant conditions)

Informational (level 6, informational messages only)

Debugging (level 7, debugging messages only)

Step 7 Click OK to close this dialog box.


Note Using a severity level of zero is not recommended.


Step 8 In the Message ID Filters area, click Add to display the Add Syslog Message ID Filter dialog box.

Step 9 In the Message IDs field, enter a syslog message ID or range of IDs (for example, 101001-199012) to include in the filter.

Step 10 Click OK to close this dialog box.

The event of interest appears in the list. To change this entry, click Edit.


Generating Syslog Messages in EMBLEM Format to a Syslog Server

To generate syslog messages in EMBLEM format to a syslog server, perform the following steps:


Step 1 Choose Configuration > Device Management > Logging > Syslog Server.

Step 2 To add a new syslog server, click Add to display the Add Syslog Server dialog box. To change an existing syslog server settings, click Edit to display the Edit Syslog Server dialog box.

Step 3 Specify the number of messages that are allowed to be queued on the adaptive security appliance when a syslog server is busy. A zero value means an unlimited number of messages may be queued.

Step 4 Check the Allow user traffic to pass when TCP syslog server is down check box to specify whether or not to restrict all traffic if any syslog server is down.

Step 5 To continue, see the "Adding or Editing Syslog Server Settings" section.


Note You can set up a maximum of four syslog servers per security context (up to a total of 16).



Adding or Editing Syslog Server Settings

To add or edit syslog server settings, perform the following steps:


Step 1 Choose the interface used to communicate with the syslog server from the drop-down list.

Step 2 Enter the IP address that is used to communicate with the syslog server.

Step 3 Choose the protocol (either TCP or UDP) that is used by the syslog server to communicate with the adaptive security appliance.

Step 4 Enter the port number used by the syslog server to communicate with the adaptive security appliance.

Step 5 Check the Log messages in Cisco EMBLEM format (UDP only) check box to specify whether to log messages in Cisco EMBLEM format (available only if UDP is selected as the protocol).

Step 6 Check the Enable secure logging using SSL/TLS (TCP only) check box to specify that the connection to the syslog server is secure through the use of SSL/TLS over TCP, and that the syslog message content is encrypted.

Step 7 Click OK to complete the configuration.


Generating Syslog Messages in EMBLEM Format to Other Output Destinations

To generate syslog messages in EMBLEM format to other output destinations, perform the following steps:

Path
Purpose

Configuration > Device Management > Logging > Logging Setup

Sends syslog messages in EMBLEM format to output destinations other than a syslog server, such as Telnet or SSH sessions.


Changing the Amount of Internal Flash Memory Available for Logs

To change the amount of internal flash memory available for logs, perform the following steps:

 
Path
Purpose

Step 1 

Configuration > Device Management > Logging > Logging Setup

Specifies the maximum amount of internal flash memory available for saving log files. By default, the adaptive security appliance can use up to 1 MB of internal flash memory for log data. The minimum amount of internal flash memory that must be free for the adaptive security appliance to save log data is 3 MB.

If a log file being saved to internal flash memory would cause the amount of free internal flash memory to fall below the configured minimum limit, the adaptive security appliance deletes the oldest log files to ensure that the minimum amount of memory remains free after saving the new log file. If there are no files to delete or if, after all old files have been deleted, free memory is still below the limit, the adaptive security appliance fails to save the new log file.

Step 2 

Configuration > Device Management > Logging > Logging Setup

Specifies the minimum amount of internal flash memory that must be free for the adaptive security appliance to save a log file.

Configuring the Logging Queue

To configure the logging queue, perform the following steps:

Path
Purpose

Configuration > Device Management > Logging > Logging Setup

Specifies the number of syslog messages that the adaptive security appliance can hold in its queue before sending them to the configured output destination. The adaptive security appliance has a fixed number of blocks in memory that can be allocated for buffering syslog messages while they are waiting to be sent to the configured output destination. The number of blocks required depends on the length of the syslog message queue and the number of syslog servers specified. The default queue size is 512 syslog messages. The queue size is limited only by block memory availability. Valid values are from 0 to 8192 messages, depending on the platform. If the logging queue is set to zero, the queue will be the maximum configurable size (8192 messages), depending on the platform. The maximum queue size by platform is as follows:

ASA-5505—1024

ASA-5510—2048

On all other platforms—8192


Sending All Syslog Messages in a Class to a Specified Output Destination

To send all syslog messages in a class to a specified output destination, perform the following steps:

Path
Purpose

Configuration > Device Management > Logging > Logging Filters

Overrides the configuration in the specified output destination command. For example, if you specify that messages at severity level 7 should go to the internal log buffer and that ha class messages at severity level 3 should go to the internal log buffer, then the latter configuration takes precedence. To specify that a class should go to more than one destination, choose a different filtering option for each output destination.


Enabling Secure Logging

To enable secure logging, perform the following steps:

Path
Purpose

Configuration > Device Management > Logging > Syslog Server

Enables secure logging.

 


Including the Device ID in Non-EMBLEM Format Syslog Messages

To include the device ID in non-EMBLEM format syslog messages, perform the following steps:

Path
Purpose

Configuration > Device Management > Logging > Syslog Setup > Advanced

Configures the adaptive security appliance to include a device ID in non-EMBLEM-format syslog messages. You can specify only one type of device ID for syslog messages. If you enable the logging device ID for the admin context in multiple context mode, messages that originate in the system execution space use a device ID of system, and messages that originate in the admin context use the name of the admin context as the device ID.

Note If enabled, the device ID does not appear in EMBLEM-formatted syslog messages nor in SNMP traps.


Including the Date and Time in Syslog Messages

To include the date and time in syslog messages, perform the following steps:

Path
Purpose

Configuration > Device Management > Logging > Syslog Setup

Specifies that syslog messages should include the date and time that they were generated.


Disabling a Syslog Message

To disable a specified syslog message, perform the following steps:

Path
Purpose

Configuration > Device Management > Logging > Syslog Setup

Prevents the adaptive security appliance from generating a particular syslog message.


Changing the Severity Level of a Syslog Message

To change the severity level of a syslog message, perform the following steps:

Path
Purpose

Configuration > Device Management > Logging > Syslog Setup

Specifies the severity level of a syslog message.


Limiting the Rate of Syslog Message Generation

To limit the rate of syslog message generation, perform the following steps:


Step 1 Choose Configuration > Device Management > Logging > Rate Limit.

Step 2 Choose the logging level (message severity level) to which you want to assign rate limits. Severity levels are defined as follows:

Description
Severity Level

Emergency

0—System is unusable

Alert

1—Immediate action is needed

Critical

2—Critical conditions

Error

3—Error conditions

Warning

4—Warning conditions

Notification

5—Normal but significant conditions

Informational

6—Informational messages only

Debugging

7—Debugging messages only


Step 3 The No of Messages field displays the number of messages sent. The Interval (Seconds) field displays the interval, in seconds, that is used to limit how many messages at this logging level can be sent. Choose a logging level from the table and click Edit to display the Edit Rate Limit for Syslog Logging Level dialog box. To continue, see the "Assigning or Changing Rate Limits for Individual Syslog Messages" section.


Assigning or Changing Rate Limits for Individual Syslog Messages

To assign or change rate limits to individual syslog messages, perform the following steps:


Step 1 To assign the rate limit of a specific syslog message, click Add to display the Add Rate Limit for Syslog Message dialog box. To continue, see the "Adding or Editing the Rate Limit for a Syslog Message" section.

Step 2 To change the rate limit of a specific syslog message, click Edit to display the Edit Rate Limit for Syslog Message dialog box. To continue, see the "Editing the Rate Limit for a Syslog Severity Level" section.


Adding or Editing the Rate Limit for a Syslog Message

To add or change the rate limit for a specific syslog message, perform the following steps:


Step 1 To add a rate limit to a specific syslog message, click Add to display the Add Rate Limit for Syslog Message dialog box. To change a rate limit for a syslog message, click Edit to display the Edit Rate Limit for Syslog Message dialog box.

Step 2 Enter the message ID of the syslog message that you want to limit.

Step 3 Enter the maximum number of messages that can be sent in the specified time interval.

Step 4 Enter the amount of time, in seconds, that is used to limit the rate of the specified message, and click OK.


Note To allow an unlimited number of messages, leave both the Number of Messages and Time Interval fields blank.



Editing the Rate Limit for a Syslog Severity Level

To change the rate limit of a specified syslog severity level, perform the following steps:


Step 1 Enter the maximum number of messages at this severity level that can be sent.

Step 2 Enter the amount of time, in seconds, that is used to limit the rate of messages at this severity level, and click OK.

The selected message severity level appears.


Note To allow an unlimited number of messages, leave both the Number of Messages and Time Interval fields blank.



Log Monitoring

This section includes the following topics:

Filtering Syslog Messages Through the Log Viewers

Editing Filtering Settings

To perform log monitoring in the log buffer or in real-time and assist in monitoring system performance, perform the following steps:

Path
Purpose

Choose one of the following:

Monitoring > Logging > Log Buffer > View

Monitoring > Logging > Real-Time Log Viewer > View

Shows syslog messages, including the severity level.

Note The maximum number of syslog messages that are available to view is 1000, which is the default setting. The maximum number of syslog messages that are available to view is 2000.

Displays the message explanations, additional details, and recommended actions to take, if necessary, to resolve an error in a separate window. Provides text search within messages and message filtering. Allows creation of a reverse access control rule that performs the opposite action of the access control rule that originally generated the syslog message. Reverse access control rules can be applied only to syslog messages 106100, 106023, 338001 through 338004, 338201, and 338202. Provides sorting of messages in each column shown. Allows detailed message filtering based on the syslog ID, date and time, severity level, source and destination IP addresses, source and destination ports, and description listed. Displays popup help in the Build Filter dialog box.


Filtering Syslog Messages Through the Log Viewers

You can filter syslog messages based on one or multiple values that correspond to any column of the Real-Time Log Viewer and the Log Buffer Viewer.

To filter syslog messages through one of the log viewers, perform the following steps:


Step 1 Choose one of the following:

Monitoring > Logging > Real-Time Log Viewer > View

Monitoring > Logging > Log Buffer > View

Step 2 In either the Real-Time Log Viewer or the Log Buffer Viewer dialog box, click Build Filter in the toolbar.

Step 3 In the Build Filter dialog box, specify the filtering criteria to apply to syslog messages:

a. In the Date and Time area, choose one of the following three options: real-time, a specific time, or a time range. If you chose a specific time, indicate the time by entering the number and choosing hours or minutes from the drop-down list. If you chose a time range, in the Start Time field, click the drop-down arrow to display a calendar. Choose a start date and a start time from the drop-down list, then click OK. In the End Time field, click the drop-down arrow to display a calendar. Choose an end date and an end time from the drop-down list, then click OK.

b. Enter a valid severity level in the Severity field. Alternatively, click the Edit icon on the right of the Severity field. In the Severity dialog box, click the severity levels in the list on which you want to filter. To include severity levels 1-7, click All. Click OK to display these settings in the Build Filter dialog box. For additional information about the correct input format to use, click the Info icon on the right of the Severity field.

c. Enter a valid syslog ID in the Syslog ID field. Alternatively, click the Edit icon on the right of the Syslog ID field. In the Syslog ID dialog box, choose a condition on which to filter from the drop-down list, then click Add. Click OK to display these settings in the Build Filter dialog box. Click Delete to remove these settings and enter new ones. For additional information about the correct input format to use, click the Info icon on the right of the Syslog ID field.

d. Enter a valid source IP address in the Source IP Address field, or click the Edit icon on the right of the Source IP Address field. In the Source IP Address dialog box, choose a single IP address or a specified range of IP addresses, then click Add. To exclude a specific IP address or range of IP addresses, check the Do not include (exclude) this address or range check box. Click OK to display these settings in the Build Filter dialog box. Click Delete to remove these settings and enter new ones. For additional information about the correct input format to use, click the Info icon on the right of the Source IP Address field.

e. Enter a valid source port in the Source Port field, or click the Edit icon on the right of the Source Port field. In the Source Port dialog box, choose a condition on which to filter from the drop-down list, then click Add. Click OK to display these settings in the Build Filter dialog box. Click Delete to remove these settings and enter new ones. For additional information about the correct input format to use, click the Info icon on the right of the Source Port field.

f. Enter a valid destination IP address in the Destination IP Address field, or click the Edit icon on the right of the Destination IP Address field. In the Destination IP Address dialog box, choose a single IP address or a specified range of IP addresses, then click Add. To exclude a specific IP address or range of IP addresses, check the Do not include (exclude) this address or range check box. Click OK to display these settings in the Build Filter dialog box. Click Delete to remove these settings and enter new ones. For additional information about the correct input format to use, click the Info icon on the right of the Destination IP Address field.

g. Enter a valid destination port in the Destination Port field, or click the Edit icon on the right of the Destination Port field. In the Destination Port dialog box, choose a condition on which to filter from the drop-down list, then click Add. Click OK to display these settings in the Build Filter dialog box. Click Delete to remove these settings and enter new ones. For additional information about the correct input format to use, click the Info icon on the right of the Destination Port field.

h. Enter filtering text for the Description field. The text may be any string of one or more characters, including a regular expression. However, semicolons are not valid characters, and this setting is case-sensitive. Multiple entries must be separated by commas.

i. Click OK to add the filter settings you have just specified to the Filter By drop-down list in the log viewers. The filter strings follow a specific format. The prefix FILTER: designates all custom filters that appear in the Filter By drop-down list. You may still type random text into this field.

The following table shows examples of the format used.

Build Filter Example
Filter String Format

Source IP = 192.168.1.1 or 0.0.0.0

Source Port = 67

FILTER: srcIP=192.168.1.1,0.0.0.0;srcPort=67;

Severity = Informational

Destination IP = 1.1.1.1 through 1.1.1.10

FILTER: sev=6;dstIP=1.1.1.1-1.1.1.10;

Syslog ID not in the range 725001 through 725003

FILTER: sysID=!725001-725003;

Source IP = 1.1.1.1

Description = Built outbound

FILTER: srcIP=1.1.1.1;descr=Built outbound

Step 4 To filter syslog messages, choose one of the settings in the Filter By drop-down list, then click Filter in the toolbar. This setting also applies to all future syslog messages. To clear all filters, click Show All in the toolbar.


Note You cannot save filters that you have specified with the Build Filter dialog box. These filters are valid only for the ASDM session during which they were created.



Editing Filtering Settings

To edit filtering settings that you created using the Build Filter dialog box, perform the following steps:

Choose one of the following:

Revise a filter directly by entering the changes in the Filter By drop-down list.

Choose a filter in the Filter By drop-down list, then click Build Filter to display the Build Filter dialog box. To remove the current filter settings and enter new ones, click Clear Filter. Otherwise, change the settings that appear, and click OK.


Note These filter settings apply only to those defined in the Build Filter dialog box.


To stop filtering and show all syslog messages, click Show All in the toolbar.


Feature History for Logging

Table 72-2 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 72-2 Feature History for Logging 

Feature Name
Platform Releases
Feature Information

Logging

7.0(1)

Provides adaptive security appliance network logging information through various output destinations, and includes the option to view and save log files.

The Configuration > Device Management > Logging > Logging Setup screen was introduced.

Rate limit

7.0(4)

Limits the rate at which syslog messages are generated.

The Configuration > Device Management > Logging > Rate Limit screen was modified.

Logging list

7.2(1)

Creates a logging list to use in other commands to specify messages by various criteria (logging level, event class, and message IDs).

The Configuration > Device Management > Logging > Event Lists screen was modified.

Secure logging

8.0(2)

Specifies that the connection to the remote logging host should use SSL/TLS. This option is valid only if the protocol selected is TCP.

The Configuration > Device Management > Logging > Syslog Server screen was modified.

Logging class

8.0(4), 8.1(1)

Added support for the ipaa event class of logging messages.

The Configuration > Device Management > Logging > Logging Filters screen was modified.

Logging class and saved logging buffers

8.2(1)

Added support for the dap event class of logging messages.

Added support to clear the saved logging buffers (ASDM, internal, FTP, and flash).

The Configuration > Device Management > Logging > Logging Setup screen was modified.

Password encryption

8.3(1)

Added support for password encryption.

 

Log viewers

8.3(1)

The source and destination IP addresses were added to the log viewers.

Syslog message filtering and sorting

8.3(2)

Support has been added for the following:

Syslog message filtering based on multiple text strings that correspond to various columns

Creation of custom filters

Column sorting of messages. For detailed information, see the Cisco ASA 5500 Series Configuration Guide using ASDM.

The following screens were modified:

Monitoring > Logging > Real-Time Log Viewer > View
Monitoring > Logging > Log Buffer Viewer > View

This feature interoperates with all ASA versions.

Enhanced logging and connection blocking

8.3(2)

When you configure a syslog server to use TCP, and the syslog server is unavailable, the adaptive security appliance blocks new connections that generate syslog messages until the server becomes available again (for example, VPN, firewall, and cut-through-proxy connections). This feature has been enhanced to also block new connections when the logging queue on the adaptive security appliance is full; connections resume when the logging queue is cleared.

This feature was added for compliance with Common Criteria EAL4+. Unless required, we recommended allowing connections when syslog messages cannot be sent or received. To allow connections, continue to check the Allow user traffic to pass when TCP syslog server is down check box on the Configuration > Device Management > Logging > Syslog Servers pane.

The following syslog messages were introduced: 414005, 414006, 414007, and 414008.

No ASDM screens were modified.