Configuring Logging Policies on Firewall Devices
The Logging feature lets you enable and manage NetFlow “collectors,” and enable system logging, set up logging parameters, configure event lists (syslog filters), apply the filters to a destination, set up syslog messages, configure syslog servers, and specify e-mail notification parameters.
After you enable logging and set up the logging parameters using the Logging Setup page, the Event Lists page lets you configure filters (sets of syslog messages) that can be sent to a logging destination. The Logging Filters page lets you specify the logging destination to which the filtered syslogs are sent. Finally, the Syslog and E-Mail pages configure syslog server and e-mail settings.
NetFlow Page
A device configured for NetFlow data export captures flow-based traffic statistics on the device. This information is periodically transmitted from the device to a NetFlow collection server, in the form of User Datagram Protocol (UDP) datagrams.
The NetFlow page lets you enable NetFlow export on the selected device, and define and manage NetFlow “collectors” to which collected flow information is transmitted.
- (Device view) Select Platform > Logging > NetFlow from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > NetFlow from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
- Interval (in minutes) between transmissions of flow information to the collectors. The value can be from one to 3600 minutes; the default is 30.
- For active connections, specifies the time interval between flow-update events in minutes. Valid values are from 1 to 60 minutes. The default value is 1 minute.
- Delays the sending of a flow-create event by the specified number of seconds. The value can be from one to 180 seconds. If no value is entered, there is no delay, and the flow-create event is exported as soon as the flow is created. If the flow is torn down before the configured delay, the flow-create event is not sent; an extended flow teardown event is sent instead.
- Lists the currently defined NetFlow collectors. Use the Add Row, Edit Row and Delete Row buttons below the table to manage these entries. The Add Row and Edit Row buttons open the Add and Edit Collector Dialog Boxes (NetFlow).
Add and Edit Collector Dialog Boxes (NetFlow)
Use the Add Collector and Edit Collector dialog boxes to define and edit NetFlow “collectors.” Except for the title, the two dialog boxes are identical; the following information applies to both.
You can open the Add and Edit Collector dialog boxes from the NetFlow Page.
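The flow-create delay and flow-update interval described above change which events a collector actually receives: a connection that ends before the delay expires never produces a flow-create event at all, only an extended teardown, so a pipeline that keys on flow-create will miss short-lived flows. The following Python simulation is an added example, not Security Manager or ASA code; the event names, the seconds-based parameters (the GUI takes the update interval in minutes) and the sample flows are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Flow:
    flow_id: str
    created_at: float                     # seconds since an arbitrary epoch
    torn_down_at: Optional[float] = None  # None while the flow is still active


def export_events(flows, delay_flow_create=0, flow_update_interval=60, now=None):
    """Return (time, event, flow_id) tuples in export order.

    Rules taken from the page: without a delay the flow-create event is
    exported as soon as the flow exists; with a delay it waits that many
    seconds, and if the flow is torn down first no flow-create event is
    sent, only an extended flow-teardown event.  Active flows emit a
    flow-update event every flow_update_interval seconds.  Event names
    are this example's own labels, not ASA/NetFlow record types."""
    events = []
    for f in flows:
        end = f.torn_down_at if f.torn_down_at is not None else now
        create_time = f.created_at + delay_flow_create
        if (f.torn_down_at is not None and delay_flow_create > 0
                and f.torn_down_at < create_time):
            # Torn down before the delay elapsed: only the extended teardown goes out.
            events.append((f.torn_down_at, "flow-teardown-extended", f.flow_id))
            continue
        if now is not None and create_time > now:
            continue  # delay has not elapsed yet; nothing exported so far
        events.append((create_time, "flow-create", f.flow_id))
        t = f.created_at + flow_update_interval
        while end is not None and t < end:
            events.append((t, "flow-update", f.flow_id))
            t += flow_update_interval
        if f.torn_down_at is not None:
            events.append((f.torn_down_at, "flow-teardown", f.flow_id))
    events.sort(key=lambda e: (e[0], e[2]))
    return events


def summarize(events):
    """Group the event names per flow, in time order."""
    per_flow = {}
    for _, name, flow_id in events:
        per_flow.setdefault(flow_id, []).append(name)
    return per_flow


# Constructed sample: A is a 2 s lookup, B a 200 s session, C is still open.
SAMPLE_FLOWS = [
    Flow("A", created_at=0, torn_down_at=2),
    Flow("B", created_at=0, torn_down_at=200),
    Flow("C", created_at=10),
]

if __name__ == "__main__":
    for delay in (0, 15):
        print(f"delay flow-create = {delay}s:",
              summarize(export_events(SAMPLE_FLOWS, delay, 60, now=300)))
```

With a 15-second delay, flow A is reported only as an extended teardown, while B and C each get a flow-create followed by periodic updates; with no delay, A produces the usual create/teardown pair.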
E-Mail Setup Page
The E-Mail Setup page (PIX 7.0/ASA Only) lets you set up a source e-mail address, as well as a list of recipients for specified syslog messages to be sent as e-mails. You can filter the syslog messages sent to a destination e-mail address by severity. The table shows which entries have been set up.
The syslog severity filter used for the destination e-mail address will be the higher of the severity selected in this section and the global filter set for all e-mail recipients in the Logging Filters page.
- (Device view) Select Platform > Logging > Syslog > E-Mail Setup from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > E-Mail Setup from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
- Enter the email address to be used as the source address when syslogs are sent as emails.
- Lists the currently defined email recipients of syslog messages. Use the Add Row, Edit Row and Delete Row buttons below the table to manage this list; the Add Row and Edit Row buttons open the Add/Edit Email Recipient Dialog Box.
Add/Edit Email Recipient Dialog Box
The Add/Edit Email Recipient dialog box lets you configure a destination address to be sent emails containing syslog messages; you can limit the messages sent according to severity.
The syslog severity filter used for the destination email address will be the higher of the severity selected in this section and the global filter set for all email recipients on the Logging Filters Page.
You can access the Add/Edit Email Recipient dialog box from the E-Mail Setup Page.
- Enter the recipient email address for the chosen type of syslog messages.
- Choose the severity of the syslogs to be emailed to this recipient; messages of the chosen severity and higher are sent. Message severity levels are described in Logging Levels.
Event Lists Page
The Event Lists page (PIX 7.0+/ASA only) lets you define a set of syslog message filters for logging. After you enable logging and set up global logging parameters on the Logging Setup page, use this page to configure event lists used to filter syslog messages sent to different logging destinations. (The Logging Filters Page lets you specify logging destinations for event lists.)
Use the Add Row, Edit Row and Delete Row buttons below the Event Lists table to manage the entries. Add Row and Edit Row open the Add/Edit Event List Dialog Box.
- (Device view) Select Platform > Logging > Syslog > Event Lists from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Event Lists from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
Message Classes and Associated Message ID Numbers
The following table lists the message classes and the range of message IDs in each class.
Add/Edit Event List Dialog Box
The Add/Edit Event List dialog box lets you create or edit an event list, and specify which syslog messages to include in the event list filter.
You can use the following criteria to define an event list:
- Class represents specific types of related syslog messages. For example, the class auth represents all syslog messages related to user authentication.
- Severity classifies syslogs based on the relative importance of the event in the normal functioning of the network. The highest severity is Emergency, which means the resource is no longer available. The lowest severity is Debugging, which provides detailed information about every network event.
- The message ID is a numeric value that uniquely identifies each individual message. You can specify a single message ID, or a range of IDs, in an event list.
You can access the Add/Edit Event List dialog box from the Event Lists Page.
- This table lists the event class and severity level filters defined for this event list. Use the Add Row, Edit Row and Delete Row buttons below this table to manage the entries. Add Row and Edit Row open the Add/Edit Syslog Class Dialog Box.
- This table lists the message ID filters defined for this event list. Use the Add Row, Edit Row and Delete Row buttons below this table to manage the entries. Add Row and Edit Row open the Add/Edit Syslog Message ID Filter Dialog Box.
Add/Edit Syslog Class Dialog Box
The Add/Edit Syslog Class dialog box lets you specify an event class and a related severity level as an event list filter.
Class represents specific types of related syslog messages, so you do not have to select the syslogs individually. For example, the class auth represents all syslog messages related to user authentication.
Severity classifies syslogs based on the relative importance of the event in the normal functioning of the network. The highest severity is Emergency, which means the resource is no longer available. The lowest severity is Debugging, which provides detailed information about every network event.
You access the Add/Edit Syslog Class dialog box from the Add/Edit Event List Dialog Box.
- Choose the desired event class. Event classes are described in Table 52-5.
- Choose the desired message severity level. Severity levels are described in Logging Levels.
Add/Edit Syslog Message ID Filter Dialog Box
The Add/Edit Syslog Message ID Filter dialog box lets you specify a syslog message ID, or a range of IDs, as the event list filter.
You can access the Add/Edit Syslog Message ID Filter dialog box from the Add/Edit Event List Dialog Box.
Message IDs – Enter a syslog message ID, or a range of IDs. Use a hyphen to specify a range; for example, 101001-101010. Message IDs must be between 100000 and 999999.
Message IDs and their corresponding messages are listed in the System Log Message guides for the appropriate product. You can access these guides from cisco.com.
Logging Filters Page
The Logging Filters page lets you configure a logging destination for event lists (syslog filters) that have been configured using the Event Lists page, or for only the syslog messages that you specify using the Edit Logging Filters page. Syslog messages from specific or all event classes can be selected using the Edit Logging Filters page.
- (Device view) Select Platform > Logging > Syslog > Logging Filters from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Logging Filters from the Policy Type selector. Right-click Logging Filters to create a policy, or select an existing policy from the Shared Policy selector.
- Lists the name of the logging destination to which messages matching this filter are sent. Logging destinations are as follows:
- Lists the severity on which to filter, the event list to use, or whether logging is disabled from all event classes. Event classes are described in Message Classes and Associated Message ID Numbers.
- Lists the event class and severity set up as the filter. Event classes are described in Message Classes and Associated Message ID Numbers. Severity levels are described in Logging Levels.
Edit Logging Filters Dialog Box
The Edit Logging Filters dialog box lets you edit filters for a logging destination. Syslogs can be configured from all or specific event classes, or disabled for a specific logging destination.
You can access the Edit Logging Filters dialog box from the Logging Filters page. For more information about the Logging Filters page, see Logging Filters Page.
- Specifies the logging destination for this filter:
- Specifies the event list to use. Event lists are defined on the Event Lists Page.
- Specifies the event class and severity. Event classes include one or all available items. Event classes are described in Table 52-5.
- Specifies the level of logging messages. Severity levels are described in Table 52-15.
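The E-Mail Setup, Event Lists and Logging Filters pages above all express one matching model: a message reaches a destination when its class and severity, or its message ID, satisfy the destination's filter, where "the chosen severity and higher" means a numeric level at or below the chosen one, and an e-mail recipient's effective filter is the stricter of its own level and the global e-mail filter. The Python model below is an added example (not Security Manager or ASA code) that applies those rules to constructed sample lines. The level numbers are the standard ASA values; the class-to-message-ID-prefix table is a small assumed subset that you should check against the Message Classes table for your software version; the message texts are modelled on ASA messages, not captured data.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Standard ASA severity levels; a lower number is a higher severity.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Message class -> three-digit message-ID prefixes.  Assumed subset for this
# example only; verify against the Message Classes table for your version.
CLASS_PREFIXES = {
    "auth": {109, 113},
    "session": {106, 302},
    "config": {111, 112},
    "ha": {101, 102, 103, 104, 105},
}

ASA_PREFIX = re.compile(r"%ASA-(\d)-(\d{6}):")


def parse_asa_syslog(line: str) -> tuple:
    """Return (severity, message_id) from the %ASA-<severity>-<id>: tag."""
    m = ASA_PREFIX.search(line)
    if not m:
        raise ValueError(f"not an ASA syslog line: {line!r}")
    return int(m.group(1)), int(m.group(2))


def class_matches(event_class: str, msg_id: int) -> bool:
    """'all' matches every message; otherwise compare the ID's class prefix."""
    return event_class == "all" or (msg_id // 1000) in CLASS_PREFIXES.get(event_class, set())


def valid_id_range(low: int, high: int) -> bool:
    """Message IDs must lie between 100000 and 999999 (page rule), with low <= high."""
    return 100000 <= low <= high <= 999999


@dataclass
class EventList:
    """An event list: class/severity filters plus message-ID ranges; either kind matches."""
    name: str
    class_filters: list = field(default_factory=list)  # (event_class, level)
    id_ranges: list = field(default_factory=list)      # (low, high), inclusive

    def __post_init__(self):
        for low, high in self.id_ranges:
            if not valid_id_range(low, high):
                raise ValueError(f"{self.name}: range {low}-{high} must lie within 100000-999999")

    def matches(self, level: int, msg_id: int) -> bool:
        # "chosen severity and higher" = numeric level at or below the chosen one
        if any(class_matches(c, msg_id) and level <= max_level
               for c, max_level in self.class_filters):
            return True
        return any(low <= msg_id <= high for low, high in self.id_ranges)


@dataclass
class LoggingFilter:
    """One row of the Logging Filters page: a destination fed by an event list,
    by a class/severity pair, or disabled."""
    destination: str
    event_list: Optional[EventList] = None
    event_class: str = "all"
    level: Optional[int] = None
    disabled: bool = False

    def accepts(self, level: int, msg_id: int) -> bool:
        if self.disabled:
            return False
        if self.event_list is not None:
            return self.event_list.matches(level, msg_id)
        return (self.level is not None and level <= self.level
                and class_matches(self.event_class, msg_id))


def route(lines, filters):
    """Return {destination: [message IDs delivered]} for the given syslog lines."""
    routed = {f.destination: [] for f in filters}
    for line in lines:
        level, msg_id = parse_asa_syslog(line)
        for f in filters:
            if f.accepts(level, msg_id):
                routed[f.destination].append(msg_id)
    return routed


def effective_email_level(global_level: int, recipient_level: int) -> int:
    """E-Mail Setup rule: the higher severity (lower number) of the recipient's
    level and the global e-mail filter is the one applied."""
    return min(global_level, recipient_level)


# Constructed sample lines (addresses from documentation ranges).
SAMPLE_SYSLOGS = [
    "%ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.10/443 to inside:192.0.2.5/51000",
    "%ASA-6-113004: AAA user authentication Successful : server = 192.0.2.20 : user = alice",
    "%ASA-3-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.0.2.20 : user = alice",
    "%ASA-5-111008: User 'admin' executed the 'logging enable' command.",
    "%ASA-1-105001: (Primary) Disabling failover.",
    "%ASA-7-609001: Built local-host inside:192.0.2.5",
]

SAMPLE_FILTERS = [
    LoggingFilter("Syslog Servers", event_list=EventList(
        "auth-and-conn", class_filters=[("auth", LEVELS["errors"])], id_ranges=[(302013, 302016)])),
    LoggingFilter("E-Mail", event_class="all", level=LEVELS["critical"]),
    LoggingFilter("Internal Buffer", event_class="ha", level=LEVELS["debugging"]),
    LoggingFilter("Console", disabled=True),
]

if __name__ == "__main__":
    for dest, ids in route(SAMPLE_SYSLOGS, SAMPLE_FILTERS).items():
        print(f"{dest:16} {ids}")
```

Note that the successful authentication (level 6) is dropped by the auth/errors class filter while the rejected one (level 3) passes, and the connection message reaches the syslog servers only because of the explicit ID range.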
Configuring Logging Setup
The Logging Setup page lets you enable system logging on the security appliance and configure other logging options. These options include enabling logging on the security appliance and its failover unit, specifying the base log format and detail, and writing the internal buffer to longer-term storage (an FTP server or Flash) before the buffer is purged.
Step 1 Select Platform > Logging > Syslog > Logging Setup to display the Logging Setup page.
Step 2 Select the check box that enables logging on the security appliance.
Step 3 To enable logging on the failover unit paired with this security appliance, select the Enable logging on the standby failover unit check box.
Step 4 To enable EMBLEM format, or to send debug messages as part of the syslog messages, select the corresponding check boxes.
If you enable EMBLEM, you must use the UDP protocol to publish syslog messages. It is not compatible with TCP.
Step 5 To write the internal buffer data to an FTP server for future processing prior to clearing the buffer, do the following:
a. Check FTP Server Buffer wrap.
b. Enter the IP address of the FTP server in the IP Address field.
c. Enter the user name of the account used to log into the FTP server in the User Name field.
d. Enter the path in the Path field, relative to the FTP root, where the file should be stored.
e. Enter and confirm the password used to authenticate the user name.
Step 6 To write the internal buffer data to Flash for future processing prior to clearing the buffer, do the following:
a. Select the check box that enables writing the buffer to Flash.
b. Specify the maximum amount of memory to allocate to the storage of internal buffer data.
c. Specify the minimum memory that should remain free on the Flash drive. If this minimum cannot be retained while writing out the data from the internal buffer, the messages are pruned to meet the space requirement.
Step 7 To specify the maximum queue size maintained on the appliance for viewing by an ASDM client, enter that value in the Message Queue Size (Messages) field.
Logging Setup Page
The Logging Setup page lets you enable system logging on the security appliance and configure other logging options.
- (Device view) Select Platform > Logging > Syslog > Logging Setup from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Logging Setup from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
Configuring Rate Limit Levels
The Rate Limit page lets you specify the maximum number of log messages of specific types (e.g., “alert” or “critical”), and messages with specific Syslog IDs, that can be generated within given periods of time. You can specify individual limits for each logging level, and each Syslog message ID. If the settings conflict, the Syslog message ID limits take precedence.
The Add/Edit Rate Limited Syslog Message Dialog Box is used to specify the maximum number of messages that can be generated for a particular Syslog message ID within a given period of time.
The Add/Edit Rate Limit for Syslog Logging Levels Dialog Box is used to specify the maximum number of messages that can be generated for a particular Syslog logging level within a given period of time.
Follow these steps to manage rate limits for message logging:
Step 1 Access the Rate Limit page by doing one of the following:
- (Device view) Select Platform > Logging > Syslog > Rate Limit from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Rate Limit from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new policy.
Step 2 Add, edit and delete rate limits for Syslog logging levels:
- To specify the maximum number of messages that can be generated within a given period of time for a particular logging level, click the Add Row button under the Rate Limits for Syslog Logging Levels table to open the Add/Edit Rate Limit for Syslog Logging Levels Dialog Box. Choose a logging level and define a rate limit.
- To edit the rate limit for a particular logging level, select the appropriate entry in the Rate Limits for Syslog Logging Levels table, and then click the Edit Row button under the table to open the Add/Edit Rate Limit for Syslog Logging Levels Dialog Box. Alter the rate limit as necessary.
- To delete a rate limit entry from the Rate Limits for Syslog Logging Levels table, select it and then click the Delete Row button under the table. A confirmation dialog box may be displayed; click OK to delete the entry.
Step 3 Add, edit and delete limits for log messages according to message IDs:
- To specify the maximum number of messages that can be generated within a given period of time for a particular message ID, click the Add Row button under the Individually Rate Limited Syslog Messages table to open the Add/Edit Rate Limited Syslog Message Dialog Box. Choose a Syslog message ID and define a rate limit.
- To edit the rate limit for a particular Syslog message ID, select the appropriate entry in the Individually Rate Limited Syslog Messages table, and then click the Edit Row button under the table to open the Add/Edit Rate Limited Syslog Message Dialog Box. Alter the rate limit as necessary.
- To delete a message limit entry from the Individually Rate Limited Syslog Messages table, select it and then click the Delete Row button under the table. A confirmation dialog box may be displayed; click OK to delete the entry.
Rate Limit Page
The Rate Limit page allows you to specify the maximum number of log messages of a particular type (for example, alert or critical) that should be generated within a given period of time. You can specify a limit for each logging level and Syslog message ID. If the settings differ, Syslog message ID limits take precedence.
- (Device view) Select Platform > Logging > Syslog > Rate Limit from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Rate Limit from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new policy.
- Chapter 52, “Configuring Logging Policies on Firewall Devices”
- Add/Edit Rate Limit for Syslog Logging Levels Dialog Box
- Add/Edit Rate Limited Syslog Message Dialog Box
Add/Edit Rate Limit for Syslog Logging Levels Dialog Box
Using the Add/Edit Rate Limit for Syslog Logging Levels dialog box, you can specify the maximum number of log messages for a particular log level that should be generated within a given period of time. You can specify a limit for each logging level or syslog message ID (see Add/Edit Rate Limited Syslog Message Dialog Box). If the settings differ, the rate limited syslog message-level settings override the rate limit logging level settings.
You can access the Add/Edit Rate Limit for Syslog Logging Levels dialog box from the Rate Limit page. For more information, see Rate Limit Page.
Add/Edit Rate Limited Syslog Message Dialog Box
Using the Add/Edit Rate Limited Syslog Message dialog box, you can specify the maximum number of log messages of a particular Syslog ID that can be generated within a given period of time. You can specify a limit for each syslog message ID or logging level (see Add/Edit Rate Limit for Syslog Logging Levels Dialog Box). If the settings differ, the rate limited syslog message-level settings override the rate limit logging level settings.
You can access the Add/Edit Rate Limited Syslog Message dialog box from the Rate Limit page. For more information, see Rate Limit Page.
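The rate-limit section states two kinds of limit, per logging level and per message ID, with the message-ID limit taking precedence when both apply. The following Python class is an added example (not Security Manager or ASA code) that makes that precedence rule concrete with a sliding-window counter; the windowing algorithm, the decision not to count an ID-limited message against its level's budget, and the sample event stream are assumptions of this example, not a description of the appliance's internals.

```python
from collections import defaultdict, deque


class SyslogRateLimiter:
    """Sliding-window limiter with per-level and per-message-ID limits.
    When both could apply to a message, the message-ID limit is the one
    enforced (the precedence rule stated on the Rate Limit page)."""

    def __init__(self):
        self.level_limits = {}             # level  -> (max_messages, interval_seconds)
        self.id_limits = {}                # msg_id -> (max_messages, interval_seconds)
        self._windows = defaultdict(deque)  # limit key -> timestamps of emitted messages
        self.dropped = 0

    def add_level_limit(self, level, max_messages, interval_seconds):
        self.level_limits[level] = (max_messages, interval_seconds)

    def add_message_limit(self, msg_id, max_messages, interval_seconds):
        self.id_limits[msg_id] = (max_messages, interval_seconds)

    def _applicable_limit(self, level, msg_id):
        # Message-ID limit first; fall back to the level limit; else unlimited.
        if msg_id in self.id_limits:
            return ("id", msg_id), self.id_limits[msg_id]
        if level in self.level_limits:
            return ("level", level), self.level_limits[level]
        return None, None

    def allow(self, now, level, msg_id):
        """Return True if the message may be generated at time `now` (seconds)."""
        key, limit = self._applicable_limit(level, msg_id)
        if key is None:
            return True
        max_messages, interval = limit
        window = self._windows[key]
        while window and now - window[0] >= interval:
            window.popleft()               # forget emissions outside the interval
        if len(window) >= max_messages:
            self.dropped += 1
            return False
        window.append(now)
        return True


def simulate(limiter, events):
    """events: (time, level, msg_id) tuples; returns the IDs actually generated."""
    return [msg_id for t, level, msg_id in events if limiter.allow(t, level, msg_id)]


def build_sample_limiter():
    rl = SyslogRateLimiter()
    rl.add_level_limit(6, 3, 10)          # at most 3 informational messages per 10 s
    rl.add_message_limit(302013, 1, 10)   # but only 1 'built connection' message per 10 s
    return rl


# Constructed burst: connection builds at t=0..5, an auth failure, then a late build.
SAMPLE_EVENTS = [
    (0, 6, 302013), (1, 6, 302013), (2, 6, 302014), (3, 6, 302014),
    (4, 6, 302014), (5, 6, 302014), (6, 3, 113005), (11, 6, 302013),
]

if __name__ == "__main__":
    rl = build_sample_limiter()
    print("generated:", simulate(rl, SAMPLE_EVENTS))
    print("dropped:", rl.dropped)
```

The second 302013 at t=1 is dropped by its own one-per-10-seconds limit even though the level-6 budget still has room, which is the precedence rule in action; the fourth 302014 is dropped by the level limit, and the error-level message is never limited.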
Configuring Syslog Server Setup
You can configure general syslog server settings to set the facility code to be included in syslog messages that are sent to syslog servers, specify whether a timestamp is included in each message, specify the device ID to include in messages, view and modify the severity levels for messages, and disable the generation of specific messages.
Step 1 Do one of the following:
- (Device view) Select Platform > Logging > Syslog > Server Setup to open the Server Setup Page.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Server Setup from the Policy Type selector. Select an existing policy or create a new one.
Step 2 Change the basic message configuration as required:
- If your syslog server expects a different facility than the default, select the required facility in the Facility list.
- If you want to include the date and time a message was generated in the message, select Enable Timestamp on Each Syslog Message.
- If you want to add a device identifier to syslog messages (which is placed at the beginning of the message), select Enable Syslog Device ID and then select the type of ID:
– Interface — To use the IP address of the specified interface, regardless of the interface through which the appliance sends the message. Click Select to select the interface or the interface role that identifies the interface. Interface roles must map to a single interface.
For ASA clusters, to specify that the interface IP address of the cluster Master should be used for all cluster devices, select the corresponding option under the Interface Name field.
– User Defined ID — To use a text string (up to 16 characters) of your choosing.
– Host Name — To use the hostname of the device.
– Cluster ID — To use the unique name in the boot configuration of an individual ASA unit in the cluster as the device ID.
Note For an ASA cluster, each unit in the cluster generates its own syslog messages. You can configure logging so that each unit uses either the same or a different device ID in the syslog message header field. For example, the hostname configuration is replicated and shared by all units in the cluster. If you configure logging to use the hostname as the device ID, syslog messages generated by all units look as if they come from a single unit. If you configure logging to use the local-unit name that is assigned in the cluster bootstrap configuration as the device ID (Cluster ID option), syslog messages look as if they come from different units. You can also specify whether or not the interface IP address of the cluster Master should be used for all cluster devices.
Step 3 Use the Syslog Message table to alter the default settings for specific syslog messages. You need to configure rules in this table only if you want to change the default settings. You can change the severity assigned to a message, or you can suppress (disable) the generation of a message.
- To add a rule, click the Add Row button and fill in the Add/Edit Syslog Message Dialog Box.
You select the message number whose configuration you want to change, and then select the new severity level, or select Suppressed to disable the generation of the message. Typically, you would not change the severity level and disable the message, but you can make changes to both fields if desired. Click OK to add the rule to the table.
For a description of message severity levels, see Logging Levels.
- To edit a rule, select it and click the Edit Row button, make the desired changes, and click OK.
- To delete a rule, select it and click the Delete Row button.
- If you are using NetFlow, you can easily disable the generation of syslog messages that have NetFlow equivalents by clicking the Disable NetFlow Equivalent Syslogs button. This adds the messages to the table as suppressed messages. Note that if any of these syslog equivalents are already in the table, your existing rules are not overwritten.
Server Setup Page
The Server Setup page allows you to set the facility code to be included in syslog messages that are sent to syslog servers, specify whether a timestamp is included in each message, specify the device ID to include in messages, view and modify the severity levels for messages, and disable the generation of specific messages.
- (Device view) Select Platform > Logging > Syslog > Server Setup from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Server Setup from the Policy Type selector. Select an existing policy or create a new one.
- Configuring Syslog Server Setup
- Defining Syslog Servers
- Chapter 52, “Configuring Logging Policies on Firewall Devices”
- Logging Levels
- The syslog facility code that the appliance includes in messages destined for syslog servers. The default is LOCAL4(20), which is what most UNIX systems expect. You can select a facility between LOCAL0(16) and LOCAL7(23). The syslog facility is useful when you have a central syslog monitoring system that needs to distinguish among the various network devices that generate syslog data streams. Because your network devices share the eight available facilities, you might need to change this value.
- Whether to include the date and time a message was generated in syslog messages. The default is to not include time stamps.
- Whether to configure a device ID in non-EMBLEM-format syslog messages. If you select this option, select one of the following to use as the device ID, which is placed at the start of all syslog messages. If you select an interface role, that role must map to a single interface on the device. For ASA clusters, to specify that the interface IP address of the cluster Master should be used for all cluster devices, select the corresponding option under the Interface Name field.
Note For an ASA cluster, each unit in the cluster generates its own syslog messages. You can configure logging so that each unit uses either the same or a different device ID in the syslog message header field. For example, the hostname configuration is replicated and shared by all units in the cluster. If you configure logging to use the hostname as the device ID, syslog messages generated by all units look as if they come from a single unit. If you configure logging to use the local-unit name that is assigned in the cluster bootstrap configuration as the device ID (Cluster ID option), syslog messages look as if they come from different units. You can also specify whether or not the interface IP address of the cluster Master should be used for all cluster devices.
- Use this table to enable or disable the generation of specific syslog messages, or to change the severity level of a message. If you do not want to restrict which message types are generated, or change any message severity levels, you do not need to configure anything in this table. The table shows the messages you have configured with the message level and whether generation is suppressed (“true” in the table).
- If you are using NetFlow logging, you might want to disable the generation of syslog messages that duplicate NetFlow messages. If you click the Disable button, these duplicate syslog messages are added to the Syslog Message table as suppressed messages, and the button is renamed Enable NetFlow Equivalent Syslogs. Clicking the Enable button removes the duplicate syslog messages from the table, meaning that they will no longer be suppressed, and the device will start sending them again. However, if you manually edited any message that was added to the list by the Disable button, the Enable button does not remove them.
Logging Levels
The following table describes logging levels.
Add/Edit Syslog Message Dialog Box
The Add/Edit Syslog Message dialog box lets you modify the logging level or suppression setting for a syslog message.
You can access the Add/Edit Syslog Message dialog box from the Server Setup Page.
- The message log ID of the message whose severity level or suppression setting you want to alter. These values and their corresponding messages are identified in the System Log Message guides for the appropriate product:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guides_list.html
http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html
http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home.html
- The logging level that you want to assign to the message. For logging levels and descriptions, see Logging Levels. Select (default) to use the default level assigned to the message.
- Whether to suppress the generation of the syslog message. Suppressing a message disables its generation, so you will not see it in syslogs.
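The Server Setup section above covers four settings that change what a syslog server actually receives: the facility code (carried in the PRI field as facility × 8 + severity, so a collector recovers the facility as PRI ÷ 8), the optional timestamp, the device ID placed at the start of the message, and the Syslog Message table that re-levels or suppresses individual messages. The Python below is an added example (not Security Manager or ASA code) that builds the wire form under those settings. The header layout `<PRI>[timestamp ][device-id : ]%ASA-<level>-<id>: text` is an assumption of this example, the PRI arithmetic is the standard RFC 3164 rule, and the short list of "NetFlow equivalent" IDs is an assumed subset used only to show that existing rules are not overwritten.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Facility names as shown on the Server Setup page -> syslog facility codes.
FACILITIES = {f"LOCAL{n}": 16 + n for n in range(8)}   # LOCAL0(16) ... LOCAL7(23)

# Assumed subset of message IDs that have NetFlow equivalents (example only).
NETFLOW_EQUIVALENT_SYSLOGS = [302013, 302014, 302015, 302016]


@dataclass
class ServerSetup:
    facility: str = "LOCAL4"           # page default, what most UNIX syslog daemons expect
    timestamp: bool = False            # page default: no timestamp
    device_id: Optional[str] = None    # None = Enable Syslog Device ID not selected
    overrides: dict = field(default_factory=dict)  # msg_id -> int level or "suppressed"


def device_id_for(option: str, **ctx) -> str:
    """Resolve the Device ID type chosen in the GUI to the string sent in the header."""
    if option == "hostname":
        return ctx["hostname"]
    if option == "interface":
        return ctx["interface_ip"]
    if option == "cluster-id":
        return ctx["cluster_unit"]
    if option == "user-defined":
        text = ctx["user_string"]
        if len(text) > 16:                      # limit stated on the page
            raise ValueError("user-defined device ID is limited to 16 characters")
        return text
    raise ValueError(f"unknown device ID option {option!r}")


def pri(facility_code: int, severity: int) -> int:
    """RFC 3164 PRI = facility * 8 + severity; this is how the facility reaches the collector."""
    return facility_code * 8 + severity


def split_pri(value: int) -> tuple:
    """Inverse of pri(): what a collector recovers from the '<PRI>' field."""
    return value // 8, value % 8


def format_message(setup, msg_id, default_level, text, when):
    """Apply the Syslog Message table, then build the line the server receives.
    Returns None when the message is suppressed."""
    rule = setup.overrides.get(msg_id)
    if rule == "suppressed":
        return None
    level = rule if isinstance(rule, int) else default_level
    header = f"<{pri(FACILITIES[setup.facility], level)}>"
    if setup.timestamp:
        header += when.strftime("%b %d %Y %H:%M:%S") + " "
    if setup.device_id:
        header += f"{setup.device_id} : "
    return f"{header}%ASA-{level}-{msg_id}: {text}"


def disable_netflow_equivalents(overrides, ids=NETFLOW_EQUIVALENT_SYSLOGS):
    """The Disable NetFlow Equivalent Syslogs button: add each ID as suppressed,
    leaving any rule that is already in the table untouched."""
    for msg_id in ids:
        overrides.setdefault(msg_id, "suppressed")
    return overrides


# Constructed sample: hostname device ID, timestamps on, auth failures raised to critical.
SAMPLE_SETUP = ServerSetup(facility="LOCAL4", timestamp=True,
                           device_id=device_id_for("hostname", hostname="asa-edge-1"),
                           overrides={113005: 2})
disable_netflow_equivalents(SAMPLE_SETUP.overrides)
SAMPLE_TIME = datetime(2024, 1, 15, 9, 30, 0)
SAMPLE_MESSAGES = [  # (msg_id, default level, text); texts modelled on ASA messages
    (302013, 6, "Built outbound TCP connection 1234 for outside:203.0.113.10/443 to inside:192.0.2.5/51000"),
    (113005, 3, "AAA user authentication Rejected : reason = AAA failure : user = alice"),
    (111008, 5, "User 'admin' executed the 'logging enable' command."),
]


def render_all(setup=SAMPLE_SETUP, messages=SAMPLE_MESSAGES, when=SAMPLE_TIME):
    """Lines that would actually leave the appliance (suppressed ones omitted)."""
    rendered = (format_message(setup, i, lvl, txt, when) for i, lvl, txt in messages)
    return [line for line in rendered if line is not None]


if __name__ == "__main__":
    for line in render_all():
        print(line)
```

Under these settings the connection message is suppressed entirely, the authentication failure leaves with PRI 162 (LOCAL4 = 20, times 8, plus the overridden level 2) and the audit message with PRI 165; a collector that reads PRI 162 gets facility 20 and severity 2 back, which is why a per-device facility lets a central server tell appliances apart.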
Defining Syslog Servers
The Syslog Servers page lets you specify the syslog servers to which the security appliance will send syslog messages. To make use of the syslog servers you define, you must enable logging using the Logging Setup page and set up the appropriate filters for destinations using the Logging Filters page.
Tip If you want to view events from an ASA device using Security Manager Event Viewer, ensure that you define the Security Manager server as a syslog server. Also, if you use CS-MARS or other applications to manage syslog events, include those servers in this policy.
By directing syslog records generated by a security appliance to a syslog server, you can process and study the records.
Enable logging. See Configuring Logging Setup.
Step 1 Select Platform > Logging > Syslog > Syslog Servers to display the Syslog Servers page.
Step 2 Do one of the following:
- To add a new syslog target, click the Add Row button.
- To edit an existing syslog target, select the check box for the row, then click the Edit Row button.
Step 3 Enter or select the interface name in the Interface field.
The list displays all interfaces defined at the current scope.
Step 4 Enter or select the IP address of the syslog server in the IP Address field.
Step 5 Determine whether to use UDP or TCP, then click the appropriate radio button under Protocol.
Step 6 Enter the port from which the security appliance sends either UDP or TCP syslog messages. The port must be the same port on which the syslog server listens.
Step 7 To generate syslog messages using the EMBLEM format, select the Log messages in Cisco EMBLEM format check box.
To enable this option, you must select UDP protocol to publish messages to this syslog server.
The definition appears in the Syslog Servers table.
Syslog Servers Page
The Syslog Servers page lets you specify the syslog servers to which the security appliance sends syslog messages. To make use of the syslog servers you define, you must enable logging using the Logging Setup page and set up the appropriate filters for destinations using the Logging Filters page.
Tip If you want to view events from an ASA device using Security Manager Event Viewer, ensure that you define the Security Manager server as a syslog server. Also, if you use CS-MARS or other applications to manage syslog events, include those servers in this policy.
- (Device view) Select Platform > Logging > Syslog > Syslog Servers from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Syslog Servers from the Policy Type selector. Select an existing policy or create a new one.
- The syslog servers to which this device sends syslog messages. The table shows the device interface that publishes messages to the server, the server’s IP address, syslog protocol and port number, and whether the messages are in Cisco EMBLEM syslog format. There is a limit of four syslog servers that can be set up per context.
- Specifies the size of the queue for storing syslog messages on the security appliance when the syslog server is busy. Minimum is 1 message. Default is 512. Specify 0 to allow an unlimited number of messages to be queued (subject to available block memory).
- Whether to restrict all traffic if any syslog server that is using the TCP protocol is down.
Add/Edit Syslog Server Dialog Box
The Add/Edit Syslog Servers dialog box lets you add or edit the syslog servers to which the security appliance will send syslog messages. To make use of the syslog servers you define, you must enable logging using the Logging Setup page and set up the appropriate filters for destinations using the Logging Filters page.
Note There is a limit of four syslog servers that can be set up per context.
You can access the Add Syslog Servers dialog box from the Syslog Servers page. For more information about the Syslog Servers page, see Syslog Servers Page.
- The interface used to communicate with the syslog server. Enter the name of the interface or interface role object, or click Select to select it from a list or to create a new object.
- The IP address of the syslog server. Enter the IP address or the name of the network/host policy object that defines the address, or click Select to select the network/host object.
- The protocol used by the syslog server, either TCP or UDP. UDP is the default. TCP ports work only with a security appliance syslog server.
Note You must select UDP if you intend to use the EMBLEM format.
- The TCP or UDP port from which the security appliance sends syslog messages and on which the syslog server receives them. The default ports for each protocol are:
Tip If you are defining the Security Manager server as a syslog server, you can find the port number on the Security Manager Administration Event Management Page.
Note During the installation or upgrade of Security Manager, the Common Services syslog service port is changed from 514 to 49514. Later, if Security Manager is uninstalled, the port is not reverted to 514.
- Whether to log messages in Cisco EMBLEM format. The syslog server must use UDP.
Note If the syslog server is a Cisco Security MARS appliance, do not select this option. Cisco Security MARS does not process the EMBLEM format.
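The Syslog Servers pages above state several constraints that are easy to get wrong in a shared policy and that only surface after deployment: at most four servers per context, EMBLEM only over UDP, no EMBLEM for a Cisco Security MARS collector, a queue size of 0 or at least 1, and the fact that restricting traffic when a TCP server is down trades a logging gap for an outage. The Python linter below is an added example (not Security Manager or ASA code) that checks a policy against those stated rules before it is deployed; the data classes, the `is_mars` flag and the sample policies are constructed for this example, and the 49514 port in the sample is the Security Manager syslog port the page mentions.

```python
from dataclasses import dataclass, field

MAX_SERVERS_PER_CONTEXT = 4   # limit stated on the Syslog Servers page


@dataclass
class SyslogServer:
    interface: str
    address: str
    protocol: str          # "udp" or "tcp"
    port: int
    emblem: bool = False   # Log messages in Cisco EMBLEM format
    is_mars: bool = False  # hypothetical marker: this collector is a Cisco Security MARS appliance


@dataclass
class SyslogServersPolicy:
    servers: list = field(default_factory=list)
    queue_size: int = 512                        # page default; 0 = unlimited
    restrict_traffic_on_tcp_server_down: bool = False


def validate(policy):
    """Return a list of 'error:', 'warning:' and 'note:' findings (empty = clean)."""
    findings = []
    if len(policy.servers) > MAX_SERVERS_PER_CONTEXT:
        findings.append(f"error: {len(policy.servers)} servers defined; "
                        f"limit is {MAX_SERVERS_PER_CONTEXT} per context")
    seen = set()
    for s in policy.servers:
        where = f"{s.address}:{s.port}/{s.protocol}"
        if s.protocol not in ("udp", "tcp"):
            findings.append(f"error: {where}: protocol must be udp or tcp")
        if not 1 <= s.port <= 65535:
            findings.append(f"error: {where}: port out of range")
        if s.emblem and s.protocol != "udp":
            findings.append(f"error: {where}: EMBLEM format requires UDP")
        if s.emblem and s.is_mars:
            findings.append(f"error: {where}: Cisco Security MARS does not process EMBLEM format")
        if s.protocol == "tcp" and policy.restrict_traffic_on_tcp_server_down:
            findings.append(f"note: {where}: traffic through the appliance is blocked "
                            "while this TCP syslog server is down")
        key = (s.address, s.protocol, s.port)
        if key in seen:
            findings.append(f"warning: {where}: duplicate server entry")
        seen.add(key)
    if policy.queue_size < 0:
        findings.append("error: queue size must be 0 (unlimited) or at least 1")
    return findings


# Constructed 'before' policy: every rule above is violated at least once.
WEAK_POLICY = SyslogServersPolicy(
    servers=[
        SyslogServer("inside", "10.0.0.5", "tcp", 1470, emblem=True),
        SyslogServer("inside", "10.0.0.6", "udp", 514, emblem=True, is_mars=True),
        SyslogServer("inside", "10.0.0.7", "udp", 49514),
        SyslogServer("inside", "10.0.0.7", "udp", 49514),
        SyslogServer("dmz", "10.0.1.5", "udp", 514),
    ],
    queue_size=-1,
    restrict_traffic_on_tcp_server_down=True,
)

# Constructed 'after' policy: Security Manager on 49514, a SIEM and MARS without EMBLEM.
HARDENED_POLICY = SyslogServersPolicy(
    servers=[
        SyslogServer("inside", "10.0.0.7", "udp", 49514),
        SyslogServer("inside", "10.0.0.5", "udp", 514, emblem=True),
        SyslogServer("inside", "10.0.0.6", "udp", 514, is_mars=True),
    ],
    queue_size=512,
)

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {len(validate(policy))} finding(s)")
        for line in validate(policy):
            print("  " + line)
```

Run as a pre-deployment check from a change pipeline, the errors block the change while the note about TCP servers documents the availability decision the Logging Filters and Syslog Servers pages leave to the operator.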