Configuring Logging Policies on Firewall Devices
The Logging feature lets you enable and manage NetFlow “collectors,” and enable system logging, set up logging parameters, configure event lists (syslog filters), apply the filters to a destination, set up syslog messages, configure syslog servers, and specify e-mail notification parameters.
After you enable logging and set up the logging parameters using the Logging Setup page, the Event Lists page lets you configure filters (for a set of syslogs) which can be sent to a logging destination. The Logging Filters page lets you specify a logging destination for the syslogs to be sent. Finally, the Syslog and E-Mail pages configure syslog and e-mail setup.
NetFlow Page
A device configured for NetFlow data export captures flow-based traffic statistics on the device. This information is periodically transmitted from the device to a NetFlow collection server, in the form of User Datagram Protocol (UDP) datagrams.
The NetFlow page lets you enable NetFlow export on the selected device, and define and manage NetFlow “collectors” to which collected flow information is transmitted.
- (Device view) Select Platform > Logging > NetFlow from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > NetFlow from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
- Interval (in minutes) between transmissions of flow information to the collectors. The value can be from one to 3600 minutes; the default is 30.
- For active connections, specifies the time interval between flow-update events in minutes. Valid values are from 1 to 60 minutes. The default value is 1 minute.
- Delays the sending of a flow-create event by the specified number of seconds. The value can be from one to 180 seconds. If no value is entered, there is no delay, and the flow-create event is exported as soon as the flow is created. If the flow is torn down before the configured delay, the flow-create event is not sent; an extended flow teardown event is sent instead.
- Lists the currently defined NetFlow collectors. Use the Add Row, Edit Row and Delete Row buttons below the table to manage these entries. The Add Row and Edit Row buttons open the Add and Edit Collector Dialog Boxes (NetFlow). Note: Cisco Security Manager does not allow duplicate NetFlow collectors for ASA 9.6(4) to 9.7.0, and 9.8(2) and above devices. Change the current configuration or remove the duplicate or overlapping configuration (Platform > Logging > NetFlow) for the device.
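The flow-create delay has a consequence for whoever consumes the export: a collector can receive an extended teardown for a flow it never saw created. The following Python, added here as an illustration and not part of Cisco Security Manager or the ASA, models which events a device exports for one flow under the rules above; the Flow fields, function names and timestamps are constructed for the example.

```python
"""Model of the NetFlow flow-create delay described on this page.

Added example, not Cisco Security Manager or ASA code. Given a flow's create
and teardown times and the configured flow-create delay (1-180 seconds, or
None for no delay), exported_events() lists the events the device would have
exported by a given moment. All timestamps are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FLOW_CREATE_DELAY_MIN, FLOW_CREATE_DELAY_MAX = 1, 180   # seconds, from the page


@dataclass
class Flow:
    created_at: float                # seconds on a constructed clock
    torn_down_at: Optional[float]    # None while the flow is still active


def validate_delay(delay: Optional[int]) -> Optional[int]:
    """Accept None (no delay) or a delay of 1..180 seconds."""
    if delay is None:
        return None
    if not FLOW_CREATE_DELAY_MIN <= delay <= FLOW_CREATE_DELAY_MAX:
        raise ValueError(
            f"delay flow-create must be {FLOW_CREATE_DELAY_MIN}-{FLOW_CREATE_DELAY_MAX} seconds, got {delay}")
    return delay


def exported_events(flow: Flow, delay: Optional[int], now: float) -> List[Tuple[str, float]]:
    """Return (event, export_time) pairs exported up to `now`, in export order.

    Rules from the page:
      - no delay: flow-create is exported as soon as the flow is created
      - delay d: flow-create is exported at created_at + d, unless the flow was
        torn down before that moment, in which case no flow-create is sent and
        an extended flow-teardown event is sent instead
    """
    delay = validate_delay(delay)
    events: List[Tuple[str, float]] = []
    create_export_at = flow.created_at + (delay or 0)
    torn_down = flow.torn_down_at is not None

    if torn_down and delay is not None and flow.torn_down_at < create_export_at:
        # Short-lived flow: the create event is suppressed and the teardown
        # carries the flow details instead.
        if flow.torn_down_at <= now:
            events.append(("flow-teardown-extended", flow.torn_down_at))
        return events

    if create_export_at <= now:
        events.append(("flow-create", create_export_at))
    if torn_down and flow.torn_down_at <= now:
        events.append(("flow-teardown", flow.torn_down_at))
    return events
```

A collector or detection rule keyed on flow-create events alone will miss short-lived flows whenever a delay is configured; the extended teardown is the only record of them.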
Add and Edit Collector Dialog Boxes (NetFlow)
Use the Add Collector and Edit Collector dialog boxes to define and edit NetFlow “collectors.” Except for the title, the two dialog boxes are identical; the following information applies to both.
You can open the Add and Edit Collector dialog boxes from the NetFlow Page.
Embedded Event Manager
The Embedded Event Manager (EEM) enables you to debug problems and provides general purpose logging for troubleshooting. There are two components: events to which the EEM responds or listens, and event manager applets that define actions as well as the events to which the EEM responds. You may configure multiple event manager applets to respond to different events and perform different actions.
Note
Embedded Event Manager is supported on ASA 9.2(1)+ only.
The EEM supports the following events:
- Syslog—The ASA uses syslog message IDs to identify syslog messages that trigger an event manager applet. You may configure multiple syslog events, but the syslog message IDs may not overlap within a single event manager applet.
- Timers—You may use timers to trigger events. You may configure each timer only once for each event manager applet. Each event manager applet may have up to three timers. The three types of timers are the following:
  – Watchdog (periodic) timers trigger an event manager applet after the specified time period following the completion of the applet’s actions and restart automatically.
  – Countdown (one-shot) timers trigger an event manager applet once after the specified time period and do not restart unless they are removed, then re-added.
  – Absolute (once-a-day) timers cause an event to occur once a day at a specified time, and restart automatically. The time-of-day format is hh:mm:ss.
You may configure only one timer event of each type for each event manager applet.
- None—The none event is triggered when you run an event manager applet manually.
- Crash—The crash event is triggered when the ASA crashes. Regardless of the value of the output command, the action commands are directed to the crashinfo file. The output is generated before the show tech command.
Note
Be careful when using a range of Syslog IDs and when using timers. Incorrect configuration can cause an ASA loop and prevent the applet from executing normally.
When an event manager applet is triggered, the actions on the event manager applet are performed. Each action has a number that is used to specify the sequence of the actions. The sequence number must be unique within an event manager applet. You may configure multiple actions for an event manager applet. The commands are typical CLI commands, such as show blocks.
Configuring Output Destinations
You may send the output of the action CLI commands to one of three locations:
- None, which is the default and discards the output
- Console, which sends the output to the ASA console
- File, which sends the output to a file. The following four file options are available:
  – new—creates a new, uniquely named file each time that an event manager applet is invoked.
  – overwrite—overwrites a specified file each time that an event manager applet is invoked.
  – append—appends to a specified file each time that an event manager applet is invoked. If the file does not yet exist, it is created.
  – rotate—creates a set of uniquely named files that are rotated each time that an event manager applet is invoked.
- Supported in single mode only. Not supported in multiple context mode.
- Supported in routed and transparent firewall modes.
- EEM will be enabled irrespective of whether logging functionality is enabled on the device or not.
- The EEM functionality on the ASA only contains a subset of the EEM functionality found on Cisco routers.
- During a crash, the state of the ASA is generally unknown. Some commands may not be safe to run during this condition.
- The name of an event manager applet may not contain spaces.
- You cannot modify the None event and Crashinfo event parameters.
- Performance may be affected because syslog messages are sent to the EEM for processing.
- The default output is none for each event manager applet. To change this setting, you must enter a different output value.
- You may have only one output option defined for each event manager applet.
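The restrictions above (an applet name without spaces, non-overlapping syslog ID ranges, at most one timer of each type, unique action sequence numbers, a single output option) are easy to violate in a hand-built policy, and the note about ASA loops is a reason to check them before deployment. The following Python validator, added here as an example and not Cisco Security Manager or ASA code, checks an applet description against the limits stated on this page; the dict layout, key names and the two sample applets are constructed for the example.

```python
"""Validator for the event-manager applet limits stated on this page.

Added example, not Cisco Security Manager or ASA code. The applet is a plain
dict (a constructed representation chosen for the example, not CSM's data
model). validate_applet() returns every violation it finds so a deployment
can be refused up front instead of failing on the device.
"""
import re
from typing import Dict, List, Tuple

TIMER_TYPES = {"watchdog", "countdown", "absolute"}
TIMER_SECONDS_MIN, TIMER_SECONDS_MAX = 1, 604800   # countdown/watchdog range
ROTATE_MIN, ROTATE_MAX = 2, 100                     # files kept by "rotate"
FILE_OPTIONS = {"new", "overwrite", "append", "rotate"}
OUTPUT_OPTIONS = {"none", "console", "file"}
_HHMMSS = re.compile(r"^([01]\d|2[0-3]):([0-5]\d):([0-5]\d)$")  # 00:00:00-23:59:59


def overlapping_ranges(ranges: List[Tuple[int, int]]) -> List[Tuple[Tuple[int, int], Tuple[int, int]]]:
    """Return neighbouring pairs of syslog ID ranges that share a message ID."""
    ordered = sorted(ranges)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b[0] <= a[1]]


def validate_applet(applet: Dict) -> List[str]:
    problems: List[str] = []

    name = applet.get("name", "")
    if not name or " " in name or len(name) >= 32:
        problems.append("name must be non-empty, contain no spaces and be under 32 characters")
    if len(applet.get("description", "")) > 256:
        problems.append("description exceeds 256 characters")

    # Syslog events: several are allowed, but their ID ranges may not overlap.
    ranges = [tuple(r) for r in applet.get("syslog_ids", [])]
    for lo, hi in ranges:
        if lo > hi:
            problems.append(f"syslog ID range {lo}-{hi} is reversed")
    for (alo, ahi), (blo, bhi) in overlapping_ranges(ranges):
        problems.append(f"syslog ID ranges {alo}-{ahi} and {blo}-{bhi} overlap")

    # Timers: at most three, only one of each type, values within the stated limits.
    timers = applet.get("timers", [])
    if len(timers) > 3:
        problems.append("an applet may have at most three timers")
    seen = set()
    for timer in timers:
        kind, value = timer.get("type"), timer.get("value")
        if kind not in TIMER_TYPES:
            problems.append(f"unknown timer type {kind!r}")
            continue
        if kind in seen:
            problems.append(f"more than one {kind} timer")
        seen.add(kind)
        if kind == "absolute":
            if not _HHMMSS.match(str(value)):
                problems.append(f"absolute timer {value!r} is not hh:mm:ss within 00:00:00-23:59:59")
        elif not (isinstance(value, int) and TIMER_SECONDS_MIN <= value <= TIMER_SECONDS_MAX):
            problems.append(f"{kind} timer must be {TIMER_SECONDS_MIN}-{TIMER_SECONDS_MAX} seconds, got {value!r}")

    # Actions: the sequence number must be unique within the applet.
    seqs = [action.get("seq") for action in applet.get("actions", [])]
    dupes = sorted({s for s in seqs if seqs.count(s) > 1})
    if dupes:
        problems.append(f"duplicate action sequence numbers: {dupes}")

    # Output: one destination only; "file" needs a file option, "rotate" a count of 2-100.
    output = applet.get("output", "none")      # none is the device default
    if output not in OUTPUT_OPTIONS:
        problems.append(f"output must be one of {sorted(OUTPUT_OPTIONS)}")
    elif output == "file":
        option = applet.get("file_option")
        if option not in FILE_OPTIONS:
            problems.append(f"file option must be one of {sorted(FILE_OPTIONS)}")
        elif option == "rotate":
            count = applet.get("rotate_count")
            if not (isinstance(count, int) and ROTATE_MIN <= count <= ROTATE_MAX):
                problems.append(f"rotate count must be {ROTATE_MIN}-{ROTATE_MAX}, got {count!r}")
    return problems


# Constructed sample applets: one that passes and one that breaks several rules.
GOOD_APPLET = {
    "name": "collect-blocks",
    "description": "Capture block usage when a sample syslog fires",
    "syslog_ids": [(106001, 106001), (302013, 302015)],
    "timers": [{"type": "watchdog", "value": 300}],
    "actions": [{"seq": 1, "cli": "show blocks"}, {"seq": 2, "cli": "show cpu"}],
    "output": "file", "file_option": "rotate", "rotate_count": 5,
}
BAD_APPLET = {
    "name": "bad applet",
    "syslog_ids": [(106001, 106010), (106005, 106020)],
    "timers": [{"type": "watchdog", "value": 60},
               {"type": "watchdog", "value": 0},
               {"type": "absolute", "value": "24:00:00"}],
    "actions": [{"seq": 1, "cli": "show blocks"}, {"seq": 1, "cli": "show cpu"}],
    "output": "file", "file_option": "rotate", "rotate_count": 1,
}
```

Running the validator against BAD_APPLET reports seven problems: the space in the name, the overlapping ID ranges, the second watchdog timer and its out-of-range value, the impossible absolute time, the duplicate sequence number and the rotate count below 2.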
The Embedded Event Manager table lists the currently defined event manager applets. Use the Add Row, Edit Row and Delete Row buttons below the table to manage these entries. The Add Row and Edit Row buttons open the Add and Edit Applet Dialog Boxes.
- (Device view) Select Platform > Logging > Embedded Event Manager from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > Embedded Event Manager from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
Add and Edit Applet Dialog Boxes
Use the Add Applet and Edit Applet dialog boxes to define and edit event manager applets. Except for the title, the two dialog boxes are identical; the following information applies to both.
You can open the Add and Edit Applet dialog boxes from the Embedded Event Manager.
- Enter a unique name for the event manager applet. The name cannot contain spaces and must be less than 32 characters.
- Enter a description for the event manager applet. The description may be up to 256 characters long.
- When selected, the event manager applet is triggered when the ASA crashes. Regardless of the value of the Output field, the action commands are directed to the crashinfo file. The output is generated before the show tech command. Note: The state of the ASA is generally unknown when it crashes. Some CLI commands may not be safe to run during this condition.
- When selected, you can trigger the event manager applet manually. Note: Manual triggering of the EEM applet is not supported in Cisco Security Manager. To manually trigger an applet, you must use a FlexConfig. See Chapter 7, “Managing FlexConfigs” for more information.
- The Syslog table lists the currently defined syslog message IDs for the selected applet. Use the Add Row, Edit Row and Delete Row buttons below the table to manage these entries. The Add Row and Edit Row buttons open the Add and Edit Syslog Configuration Dialog Boxes.
- Configures an absolute (once-a-day) timer event. Absolute timers cause an event to occur once a day at a specified time, and restart automatically. Use the fields provided to enter the time of day in hours, minutes, and seconds. The time range is from 00:00:00 (midnight) to 23:59:59.
- Configures a countdown (one-shot) timer event. Countdown timers trigger an event manager applet once after the specified time period and do not restart unless they are removed, then re-added. Enter the time period in seconds. The number of seconds may range from 1 to 604800.
- Configures a watchdog (periodic) timer event. Watchdog timers trigger an event manager applet after the specified time period following the completion of the applet’s actions and restart automatically. Enter the time period in seconds. The number of seconds may range from 1 to 604800.
- To configure specific destinations for sending output from an action, choose one of the available output destination options (None, Console, or File; see Configuring Output Destinations).
- The following four file options are available (new, overwrite, append, and rotate; see Configuring Output Destinations). For rotate: when a new file is to be written, the oldest file is deleted, and all subsequent files are renumbered before the first file is written. The newest file is indicated by 0, and the oldest file is indicated by the highest number. The filename format is eem-applet-x.log, in which applet is the name of the applet, and x is the file number.
- Specifies the location of the output file. The location may also use FTP, TFTP, and SMB targeted files.
- Specifies the number of files to be rotated when "rotate" is the selected Action. When a new file is to be written, the oldest file is deleted, and all subsequent files are renumbered before the first file is written. The newest file is indicated by 0, and the oldest file is indicated by the highest number. Valid values for the rotate value range from 2 to 100. The filename format is eem-applet-x.log, in which applet is the name of the applet, and x is the file number.
- The Action table lists the currently defined actions for the selected applet. Use the Add Row, Edit Row and Delete Row buttons below the table to manage these entries. The Add Row and Edit Row buttons open the Add and Edit Action Configuration Dialog Boxes.
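The rotate option's renumbering is easiest to see by running it. The following Python, an added example and not Cisco code, reproduces the naming rule (eem-applet-x.log, newest file 0, oldest the highest number) and the delete-then-renumber step on a temporary directory; the applet name, file contents and function names are constructed.

```python
"""Simulation of the EEM "rotate" file option described on this page.

Added example, not Cisco code. It reproduces on a local directory the rules
the page gives: the newest file is eem-<applet>-0.log, the oldest carries the
highest number, and when the set is full the oldest file is deleted before
the remaining files are renumbered. Applet name and contents are constructed.
"""
import os
import re
import tempfile
from typing import List

ROTATE_MIN, ROTATE_MAX = 2, 100   # valid rotate counts from the page


def log_name(applet: str, index: int) -> str:
    """eem-<applet>-<x>.log, where x = 0 is the newest file."""
    return f"eem-{applet}-{index}.log"


def rotate_and_write(directory: str, applet: str, rotate_count: int, content: str) -> List[str]:
    """Write one invocation's output after rotating the existing set.

    Returns the names of the files present for this applet afterwards, newest first.
    """
    if not ROTATE_MIN <= rotate_count <= ROTATE_MAX:
        raise ValueError(f"rotate count must be {ROTATE_MIN}-{ROTATE_MAX}")
    pattern = re.compile(rf"^eem-{re.escape(applet)}-(\d+)\.log$")

    # Existing file numbers for this applet, highest (oldest) first.
    existing: List[int] = []
    for name in os.listdir(directory):
        match = pattern.match(name)
        if match:
            existing.append(int(match.group(1)))
    existing.sort(reverse=True)

    # Set full: delete the oldest file(s) so renumbering stays within 0..rotate_count-1.
    for idx in [i for i in existing if i >= rotate_count - 1]:
        os.remove(os.path.join(directory, log_name(applet, idx)))
    existing = [i for i in existing if i < rotate_count - 1]

    # Renumber from the highest down so no rename overwrites a file not yet moved.
    for idx in existing:
        os.rename(os.path.join(directory, log_name(applet, idx)),
                  os.path.join(directory, log_name(applet, idx + 1)))

    # The new output becomes file 0.
    with open(os.path.join(directory, log_name(applet, 0)), "w") as fh:
        fh.write(content)
    return [log_name(applet, i) for i in range(rotate_count)
            if os.path.exists(os.path.join(directory, log_name(applet, i)))]


def demo(invocations: int = 5, rotate_count: int = 3) -> List[str]:
    """Invoke the applet `invocations` times; return the surviving contents, newest first."""
    with tempfile.TemporaryDirectory() as directory:
        names: List[str] = []
        for n in range(1, invocations + 1):
            names = rotate_and_write(directory, "collect-blocks", rotate_count, f"run {n}\n")
        contents = []
        for name in names:
            with open(os.path.join(directory, name)) as fh:
                contents.append(fh.read().strip())
        return contents
```

With a rotate count of 3 and five invocations, only the output of runs 3, 4 and 5 survives, in files 2, 1 and 0 respectively; when collecting evidence from a device, copy the rotated set off before the next trigger renumbers it.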
Add and Edit Syslog Configuration Dialog Boxes
Use the Add Syslog Configuration and Edit Syslog Configuration dialog boxes to configure the syslog message IDs for an event manager applet. Except for the title, the two dialog boxes are identical; the following information applies to both.
You can open the Add and Edit Syslog Configuration dialog boxes from the Add and Edit Applet Dialog Boxes.
Add and Edit Action Configuration Dialog Boxes
Use the Add Action Configuration and Edit Action Configuration dialog boxes to configure the actions for an event manager applet. Except for the title, the two dialog boxes are identical; the following information applies to both.
You can open the Add and Edit Action Configuration dialog boxes from the Add and Edit Applet Dialog Boxes.
E-Mail Setup Page
The E-Mail Setup page (PIX 7.0/ASA Only) lets you set up a source e-mail address, as well as a list of recipients for specified syslog messages to be sent as e-mails. You can filter the syslog messages sent to a destination e-mail address by severity. The table shows which entries have been set up.
The syslog severity filter used for the destination e-mail address will be the higher of the severity selected in this section and the global filter set for all e-mail recipients in the Logging Filters page.
- (Device view) Select Platform > Logging > Syslog > E-Mail Setup from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > E-Mail Setup from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
- Enter the email address to be used as the source address when syslogs are sent as emails.
- Lists the currently defined email recipients of syslog messages. Use the Add Row, Edit Row and Delete Row buttons below the table to manage this list; the Add Row and Edit Row buttons open the Add/Edit Email Recipient Dialog Box.
Add/Edit Email Recipient Dialog Box
The Add/Edit Email Recipient dialog box lets you configure a destination address to be sent emails containing syslog messages; you can limit the messages sent according to severity.
The syslog severity filter used for the destination email address will be the higher of the severity selected in this section and the global filter set for all email recipients on the Logging Filters Page.
You can access the Add/Edit Email Recipient dialog box from the E-Mail Setup Page.
- Enter the recipient email address for the chosen type of syslog messages.
- Choose the severity of the syslogs to be emailed to this recipient; messages of the chosen severity and higher are sent. Message severity levels are described in Logging Levels.
Event Lists Page
The Event Lists page (PIX 7.0+/ASA only) lets you define a set of syslog message filters for logging. After you enable logging and set up global logging parameters on the Logging Setup page, use this page to configure event lists used to filter syslog messages sent to different logging destinations. (The Logging Filters Page lets you specify logging destinations for event lists.)
Use the Add Row, Edit Row and Delete Row buttons below the Event Lists table to manage the entries. Add Row and Edit Row open the Add/Edit Event List Dialog Box.
- (Device view) Select Platform > Logging > Syslog > Event Lists from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Event Lists from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
Message Classes and Associated Message ID Numbers
The following table lists the message classes and the range of message IDs in each class.
Add/Edit Event List Dialog Box
The Add/Edit Event List dialog box lets you create or edit an event list, and specify which syslog messages to include in the event list filter.
You can use the following criteria to define an event list:
Class represents specific types of related syslog messages. For example, the class auth represents all syslog messages related to user authentication.
Severity classifies syslogs based on the relative importance of the event in the normal functioning of the network. The highest severity is Emergency, which means the resource is no longer available. The lowest severity is Debugging, which provides detailed information about every network event.
The message ID is a numeric value that uniquely identifies each individual message. You can specify a single message ID, or a range of IDs, in an event list.
You can access the Add/Edit Event List dialog box from the Event Lists Page.
- This table lists the event class and severity level filters defined for this event list. Use the Add Row, Edit Row and Delete Row buttons below this table to manage the entries. Add Row and Edit Row open the Add/Edit Syslog Class Dialog Box.
- This table lists the message ID filters defined for this event list. Use the Add Row, Edit Row and Delete Row buttons below this table to manage the entries. Add Row and Edit Row open the Add/Edit Syslog Message ID Filter Dialog Box.
Add/Edit Syslog Class Dialog Box
The Add/Edit Syslog Class dialog box lets you specify an event class and a related severity level as an event list filter.
Class represents specific types of related syslog messages, so you do not have to select the syslogs individually. For example, the class auth represents all syslog messages related to user authentication.
Severity classifies syslogs based on the relative importance of the event in the normal functioning of the network. The highest severity is Emergency, which means the resource is no longer available. The lowest severity is Debugging, which provides detailed information about every network event.
You access the Add/Edit Syslog Class dialog box from the Add/Edit Event List Dialog Box.
- Choose the desired event class. Event classes are described in Table 54-8.
- Choose the desired message severity level. Severity levels are described in Logging Levels.
Add/Edit Syslog Message ID Filter Dialog Box
The Add/Edit Syslog Message ID Filter dialog box lets you specify a syslog message ID, or a range of IDs, as an event list filter.
You can access the Add/Edit Syslog Message ID Filter dialog box from the Add/Edit Event List Dialog Box.
Message IDs – Enter a syslog message ID, or a range of IDs. Use a hyphen to specify a range; for example, 101001-101010. Message IDs must be between 100000 and 999999.
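To show how the three event list criteria combine, the following Python, an added example that is not Cisco Security Manager or ASA code, parses the %ASA-level-id prefix of sample syslog lines and applies an event list built from class-plus-severity filters and a message ID range in the notation above; it also applies the rule from the E-Mail Setup page that a recipient's effective filter is the higher (more severe) of the recipient and global settings. The class-to-ID map, the sample lines and all function names are constructed; the real class table (Table 54-8) is not reproduced.

```python
"""Event-list filtering as described on this page, run over sample syslog lines.

Added example, not Cisco Security Manager or ASA code. parse_line() reads the
"%ASA-<level>-<id>:" prefix of an ASA syslog message; EventList applies the
criteria the page names (class plus severity, and message ID or ID range).
SAMPLE_CLASSES and SAMPLE_LINES are constructed placeholders for this example.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Syslog severity levels, most severe first (Emergency is the highest severity).
LEVELS: Dict[str, int] = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
MSG_ID_MIN, MSG_ID_MAX = 100000, 999999          # valid message IDs from the page
_PREFIX = re.compile(r"%ASA-(\d)-(\d{6}):")

# Constructed placeholder classes; not the device's real class table.
SAMPLE_CLASSES: Dict[str, List[Tuple[int, int]]] = {
    "auth_demo": [(109000, 109999)],
    "session_demo": [(302000, 302999)],
}


def parse_id_spec(spec: str) -> Tuple[int, int]:
    """'101001' or '101001-101010' -> inclusive (low, high) within 100000-999999."""
    parts = spec.split("-")
    if len(parts) not in (1, 2) or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad message ID specification {spec!r}")
    low, high = int(parts[0]), int(parts[-1])
    if low > high or low < MSG_ID_MIN or high > MSG_ID_MAX:
        raise ValueError(f"message IDs must lie in {MSG_ID_MIN}-{MSG_ID_MAX}, low first: {spec!r}")
    return low, high


def parse_line(line: str) -> Optional[Tuple[int, int]]:
    """Return (level, message_id) from the %ASA prefix, or None if there is none."""
    m = _PREFIX.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


class EventList:
    def __init__(self, class_filters: Iterable[Tuple[str, str]] = (),
                 id_specs: Iterable[str] = (), classes=SAMPLE_CLASSES):
        # (class, severity): every message of that class at that severity or higher.
        self.class_filters = [(classes[c], LEVELS[s]) for c, s in class_filters]
        self.id_ranges = [parse_id_spec(s) for s in id_specs]

    def matches(self, level: int, msg_id: int) -> bool:
        for ranges, max_level in self.class_filters:
            # "Higher severity" is the numerically lower level.
            if level <= max_level and any(lo <= msg_id <= hi for lo, hi in ranges):
                return True
        return any(lo <= msg_id <= hi for lo, hi in self.id_ranges)


def filter_lines(lines: Iterable[str], event_list: EventList) -> List[str]:
    """Keep the lines the event list would forward to its logging destination."""
    kept = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and event_list.matches(*parsed):
            kept.append(line)
    return kept


def effective_email_level(recipient_level: str, global_level: str) -> str:
    """The stricter of the two e-mail severity filters (the higher severity wins)."""
    winner = min(LEVELS[recipient_level], LEVELS[global_level])
    return next(name for name, value in LEVELS.items() if value == winner)


# Constructed sample lines; the message texts are invented for the example.
SAMPLE_LINES = [
    "%ASA-6-302013: constructed session-class message at informational",
    "%ASA-3-109001: constructed auth-class message at errors",
    "%ASA-7-109999: constructed auth-class message at debugging",
    "%ASA-2-101001: constructed message inside an explicit ID range",
    "%ASA-5-400001: constructed message matching no filter",
    "plain text with no syslog prefix",
]
DEMO_LIST = EventList(class_filters=[("auth_demo", "errors"), ("session_demo", "informational")],
                      id_specs=["101001-101010"])
```

Running filter_lines(SAMPLE_LINES, DEMO_LIST) keeps the first, second and fourth lines: the debugging-level auth message is below the class filter's severity, and the last two lines match nothing.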
Message IDs and their corresponding messages are listed in the System Log Message guides for the appropriate product. You can access these guides from cisco.com:
Logging Filters Page
The Logging Filters page lets you configure a logging destination for event lists (syslog filters) that have been configured using the Event Lists page, or for only the syslog messages that you specify using the Edit Logging Filters page. Syslog messages from specific or all event classes can be selected using the Edit Logging Filters page.
- (Device view) Select Platform > Logging > Syslog > Logging Filters from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Logging Filters from the Policy Type selector. Right-click Logging Filters to create a policy, or select an existing policy from the Shared Policy selector.
- Lists the name of the logging destination to which messages matching this filter are sent. Logging destinations are as follows:
- Lists the severity on which to filter, the event list to use, or whether logging is disabled from all event classes. Event classes are described in Message Classes and Associated Message ID Numbers.
- Lists event class and severity set up as the filter. Event classes are described in Message Classes and Associated Message ID Numbers. Severity levels are described in Logging Levels.
Edit Logging Filters Dialog Box
The Edit Logging Filters dialog box lets you edit filters for a logging destination. Syslogs can be configured from all or specific event classes, or disabled for a specific logging destination.
You can access the Edit Logging Filters dialog box from the Logging Filters page. For more information about the Logging Filters page, see Logging Filters Page.
- Specifies the logging destination for this filter:
- Specifies the event list to use. Event lists are defined on the Event Lists Page.
- Specifies the event class and severity. Event classes include one or all available items. Event classes are described in Table 54-8.
- Specifies the level of logging messages. Severity levels are described in Table 54-18.
Configuring Logging Setup
The Logging Setup page lets you enable system logging on the security appliance and configure other logging options. These options include enabling logging on the security appliance and failover unit, specifying the base log format and detail, and logging to longer-term storage devices, FTP server or Flash, before purging the internal buffer.
Step 1
Select Platform > Logging > Syslog > Logging Setup to display the Logging Setup page.
This option enables logging on the security appliance.
Step 3
To enable logging on the failover unit paired with this security appliance, select the Enable logging on the standby failover unit check box.
Step 4
To enable EMBLEM format, or to send debug messages as part of the syslog messages, select the corresponding check boxes.
If you enable EMBLEM, you must use the UDP protocol to publish syslog messages. It is not compatible with TCP.
Step 5
To write the internal buffer data to an FTP server for future processing prior to clearing the buffer, do the following:
a. Check FTP Server Buffer wrap.
b. Enter the IP address of the FTP server in the IP Address field.
c. Enter the user name of the account used to log into the FTP server in the User Name field.
d. Enter the path in the Path field, relative to the FTP root, where the file should be stored.
e. Enter and confirm the password used to authenticate the user name.
Step 6
To write the internal buffer data to Flash for future processing prior to clearing the buffer, do the following:
b. Specify the maximum amount of memory to allocate to the storage of internal buffer data.
c. Specify the minimum memory that should remain free on the Flash drive. If this minimum value cannot be retained while writing out the data from the internal buffer, the messages will be pruned to meet the space requirements.
Step 7
To specify the maximum queue size maintained on the appliance for viewing by an ASDM client, enter that value in the Message Queue Size (Messages) field.
Logging Setup Page
The Logging Setup page lets you enable system logging on the security appliance and configure other logging options.
- (Device view) Select Platform > Logging > Syslog > Logging Setup from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Logging Setup from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
Configuring Rate Limit Levels
The Rate Limit page lets you specify the maximum number of log messages of specific types (e.g., “alert” or “critical”), and messages with specific Syslog IDs, that can be generated within given periods of time. You can specify individual limits for each logging level, and each Syslog message ID. If the settings conflict, the Syslog message ID limits take precedence.
The Add/Edit Rate Limited Syslog Message Dialog Box is used to specify the maximum number of messages that can be generated for a particular Syslog message ID within a given period of time.
The Add/Edit Rate Limit for Syslog Logging Levels Dialog Box is used to specify the maximum number of messages that can be generated for a particular Syslog logging level within a given period of time.
Follow these steps to manage rate limits for message logging:
Step 1
Access the Rate Limit page by doing one of the following:
- (Device view) Select Platform > Logging > Syslog > Rate Limit from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Rate Limit from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new policy.
Step 2
Add, edit and delete rate limits for Syslog logging levels:
- To specify the maximum number of messages that can be generated within a given period of time for a particular logging level, click the Add Row button under the Rate Limits for Syslog Logging Levels table to open the Add/Edit Rate Limit for Syslog Logging Levels Dialog Box. Choose a logging level and define a rate limit.
- To edit the rate limit for a particular logging level, select the appropriate entry in the Rate Limits for Syslog Logging Levels table, and then click the Edit Row button under the table to open the Add/Edit Rate Limit for Syslog Logging Levels Dialog Box. Alter the rate limit as necessary.
- To delete a rate limit entry from the Rate Limits for Syslog Logging Levels table, select it and then click the Delete Row button under the table. A confirmation dialog box may be displayed; click OK to delete the entry.
Step 3
Add, edit and delete limits for log messages according to message IDs:
- To specify the maximum number of messages that can be generated within a given period of time for a particular message ID, click the Add Row button under the Individually Rate Limited Syslog Messages table to open the Add/Edit Rate Limited Syslog Message Dialog Box. Choose a Syslog message ID and define a rate limit.
- To edit the rate limit for a particular Syslog message ID, select the appropriate entry in the Individually Rate Limited Syslog Messages table, and then click the Edit Row button under the table to open the Add/Edit Rate Limited Syslog Message Dialog Box. Alter the rate limit as necessary.
- To delete a message limit entry from the Individually Rate Limited Syslog Messages table, select it and then click the Delete Row button under the table. A confirmation dialog box may be displayed; click OK to delete the entry.
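The precedence rule (message ID limits over logging level limits) decides which counter a message is charged against. The following Python, an added example and not Cisco Security Manager or ASA code, implements both kinds of limit over a constructed message stream; the sliding-window counting and the decision to count an ID-limited message only under its own limit are this example's assumptions, since the page does not describe how the device counts.

```python
"""Syslog rate limiting with the precedence rule stated on this page.

Added example, not Cisco Security Manager or ASA code. SyslogRateLimiter
holds per-logging-level limits and per-message-ID limits, each meaning
"at most N messages in T seconds", and applies the message-ID limit in
preference to the level limit when both cover the same message. The
sliding-window algorithm is an assumption of this example. The stream and
limits below are constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

Limit = Tuple[int, int]   # (max_messages, interval_seconds)


class SyslogRateLimiter:
    def __init__(self, level_limits: Dict[int, Limit], id_limits: Dict[int, Limit]):
        self.level_limits = level_limits
        self.id_limits = id_limits
        self._level_hits: Dict[int, Deque[float]] = defaultdict(deque)
        self._id_hits: Dict[int, Deque[float]] = defaultdict(deque)

    @staticmethod
    def _admit(hits: Deque[float], limit: Limit, now: float) -> bool:
        max_messages, interval = limit
        # Drop timestamps that have left the window.
        while hits and now - hits[0] >= interval:
            hits.popleft()
        if len(hits) >= max_messages:
            return False
        hits.append(now)
        return True

    def allow(self, level: int, msg_id: int, now: float) -> bool:
        """True if the message may be generated; False if a rate limit suppresses it."""
        if msg_id in self.id_limits:
            # A message-ID limit takes precedence over the limit for the message's level
            # (assumption: the message is then not counted against the level limit).
            return self._admit(self._id_hits[msg_id], self.id_limits[msg_id], now)
        if level in self.level_limits:
            return self._admit(self._level_hits[level], self.level_limits[level], now)
        return True


def run_stream(limiter: SyslogRateLimiter, stream: List[Tuple[int, int, float]]) -> List[bool]:
    """Apply the limiter to (level, msg_id, timestamp) tuples in order."""
    return [limiter.allow(level, msg_id, ts) for level, msg_id, ts in stream]


# Constructed configuration: informational (level 6) limited to 3 per 10 s,
# message ID 302013 limited to 1 per 10 s.
DEMO_LEVEL_LIMITS: Dict[int, Limit] = {6: (3, 10)}
DEMO_ID_LIMITS: Dict[int, Limit] = {302013: (1, 10)}

# Constructed stream: (level, message ID, seconds since start).
DEMO_STREAM: List[Tuple[int, int, float]] = [
    (6, 302013, 0.0),   # ID limit: first in its window, allowed
    (6, 302013, 1.0),   # ID limit: suppressed
    (6, 302014, 2.0),   # level limit: 1 of 3
    (6, 302014, 3.0),   # level limit: 2 of 3
    (6, 302015, 4.0),   # level limit: 3 of 3
    (6, 302015, 5.0),   # level limit: suppressed
    (4, 106023, 6.0),   # no limit configured for level 4 or this ID
    (6, 302013, 10.0),  # the ID window opened at t=0 has expired, allowed again
    (6, 302014, 12.0),  # t=2 has left the level window, allowed
]


def demo() -> List[bool]:
    return run_stream(SyslogRateLimiter(DEMO_LEVEL_LIMITS, DEMO_ID_LIMITS), DEMO_STREAM)
```

A suppressed message is lost to every logging destination, so a tight limit on a message ID that a detection rule depends on can hide the burst that rule was written to catch; size ID limits against the expected rate of the message rather than as low as possible.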
Rate Limit Page
The Rate Limit page allows you to specify the maximum number of log messages of a particular type (for example, alert or critical) that should be generated within a given period of time. You can specify a limit for each logging level and Syslog message ID. If the settings differ, Syslog message ID limits take precedence.
- (Device view) Select Platform > Logging > Syslog > Rate Limit from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Rate Limit from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new policy.
- Chapter 54, “Configuring Logging Policies on Firewall Devices”
- Add/Edit Rate Limit for Syslog Logging Levels Dialog Box
- Add/Edit Rate Limited Syslog Message Dialog Box
Add/Edit Rate Limit for Syslog Logging Levels Dialog Box
Using the Add/Edit Rate Limit for Syslog Logging Levels dialog box, you can specify the maximum number of log messages for a particular log level that should be generated within a given period of time. You can specify a limit for each logging level or syslog message ID (see Add/Edit Rate Limited Syslog Message Dialog Box). If the settings differ, the rate limited syslog message-level settings override rate limit logging level settings.
You can access the Add/Edit Rate Limit for Syslog Logging Levels dialog box from the Rate Limit page. For more information, see Rate Limit Page.
- Chapter 54, “Configuring Logging Policies on Firewall Devices”
- Rate Limit Page
- Add/Edit Rate Limited Syslog Message Dialog Box
Add/Edit Rate Limited Syslog Message Dialog Box
Using the Add/Edit Rate Limited Syslog Message dialog box you can specify the maximum number of log messages of a particular Syslog ID that can be generated within a given period of time. You can specify a limit for each syslog message ID or logging level (see Add/Edit Rate Limit for Syslog Logging Levels Dialog Box). If the settings differ, the rate limited syslog message-level settings override rate limit logging level settings.
You can access the Add/Edit Rate Limited Syslog Message dialog box from the Rate Limit page. For more information, see Rate Limit Page.
- Chapter 54, “Configuring Logging Policies on Firewall Devices”
- Rate Limit Page
- Add/Edit Rate Limit for Syslog Logging Levels Dialog Box
- Identification number of the syslog message for which you are specifying a rate limit.
- Maximum number of messages with the specified ID allowed in the specified time period.
Configuring Syslog Server Setup
You can configure general syslog server settings to set the facility code to be included in syslog messages that are sent to syslog servers, specify whether a timestamp is included in each message, specify the device ID to include in messages, view and modify the severity levels for messages, and disable the generation of specific messages.
Step 1
Do one of the following:
- (Device view) Select Platform > Logging > Syslog > Server Setup to open the Server Setup Page.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Server Setup from the Policy Type selector. Select an existing policy or create a new one.
Step 2
Change the basic message configuration as required:
- If your syslog server expects a different facility than the default, select the required facility in the Facility list.
- If you want to include the date and time a message was generated in the message, select Enable Timestamp on Each Syslog Message.
  – If you want the logging timestamp in the RFC 5424 format, select Enable Timestamp Format(rfc5424). This option applies to ASA 9.12.1 and later devices. Example output of the timestamp:
- If you want to add a device identifier to syslog messages (which is placed at the beginning of the message), select Enable Syslog Device ID and then select the type of ID:
Note: For an ASA cluster, each unit in the cluster generates its own syslog messages. You can configure logging so that each unit uses either the same or a different device ID in the syslog message header field. For example, the hostname configuration is replicated and shared by all units in the cluster. If you configure logging to use the hostname as the device ID, syslog messages generated by all units look as if they come from a single unit. If you configure logging to use the local-unit name that is assigned in the cluster bootstrap configuration as the device ID (Cluster ID option), syslog messages look as if they come from different units. You can also specify whether or not the interface IP address of the cluster Control unit should be used for all cluster devices.
  – Interface—To use the IP address of the specified interface, regardless of the interface through which the appliance sends the message. Click Select to select the interface or the interface role that identifies the interface. Interface roles must map to a single interface.
    For ASA clusters, to specify that the interface IP address of the Control unit should be used for all cluster devices, select the corresponding option under the Interface Name field.
  – User Defined ID—To use a text string (up to 16 characters) of your choosing.
  – Host Name—To use the hostname of the device.
  – Cluster ID—To use the unique name in the boot configuration of an individual ASA unit in the cluster as the device ID.
Step 3
Use the Syslog Message table to alter the default settings for specific syslog messages. You need to configure rules in this table only if you want to change the default settings. You can change the severity assigned to a message, or you can suppress (disable) the generation of a message.
- To add a rule, click the Add Row button and fill in the Add/Edit Syslog Message Dialog Box.
You select the message number whose configuration you want to change, and then select the new severity level, or select Suppressed to disable the generation of the message. Typically, you would not both change the severity level and suppress the message, but you can change both fields if desired. Click OK to add the rule to the table.
For a description of message severity levels, see Logging Levels.
- To edit a rule, select it and click the Edit Row button, make the desired changes, and click OK.
- To delete a rule, select it and click the Delete Row button.
- If you are using NetFlow, you can easily disable the generation of syslog messages that have NetFlow equivalents by clicking the Disable NetFlow Equivalent Syslogs button. This adds the messages to the table as suppressed messages. Note that if any of these syslog equivalents are already in the table, your existing rules are not overwritten.
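As an added illustration (not Security Manager or ASA code), the following Python models the settings on this page and checks received messages against them: the selected facility becomes the PRI value, the device ID and timestamp are prepended to the header, and a Syslog Message table entry either re-levels or suppresses a message. The header layout `<PRI>[timestamp: ][device-id: ]%ASA-<severity>-<message-id>: text`, the class and field names, and the sample message texts are assumptions of this example, not taken from the page.

```python
"""Model of the ASA syslog Server Setup policy: facility, timestamp,
device ID, and the per-message severity/suppression table.

Added example, not Security Manager or ASA code. The header layout
'<PRI>[timestamp: ][device-id: ]%ASA-<sev>-<id>: text' is assumed from
the page's description of these settings; all sample messages are
constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FACILITY = {f"LOCAL{i}": 16 + i for i in range(8)}        # LOCAL0(16) .. LOCAL7(23)
LEVEL_NAME = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]


@dataclass(frozen=True)
class MessageRule:
    """One row of the Syslog Message table."""
    level: Optional[int] = None   # new severity 0-7, or None to keep the default
    suppressed: bool = False      # True disables generation of the message


@dataclass
class ServerSetup:
    facility: str = "LOCAL4"                 # page default, what most UNIX syslogds expect
    timestamp: bool = False                  # page default: no timestamp
    device_id: Optional[str] = None          # hostname, user string, or interface IP
    rules: Dict[int, MessageRule] = field(default_factory=dict)


def render(setup: ServerSetup, msg_id: int, default_level: int, text: str,
           ts: str = "Jun 10 2024 12:00:01") -> Optional[str]:
    """Line the appliance would send for message msg_id, or None when the
    Syslog Message table suppresses it."""
    rule = setup.rules.get(msg_id, MessageRule())
    if rule.suppressed:
        return None
    level = default_level if rule.level is None else rule.level
    pri = FACILITY[setup.facility] * 8 + level          # RFC 3164 PRI value
    head = f"<{pri}>"
    if setup.timestamp:
        head += f"{ts}: "
    if setup.device_id:
        head += f"{setup.device_id}: "
    return f"{head}%ASA-{level}-{msg_id:06d}: {text}"


_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): )?"
    r"(?:(?P<devid>[^%:\s]+) ?: )?"
    r"%(?:ASA|PIX|FWSM)-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$")


def parse(line: str) -> dict:
    """Split a received line into its fields. facility/pri_severity are
    None when the line carries no <PRI>."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError(f"not an ASA-format syslog line: {line!r}")
    fac = pri_sev = None
    if m.group("pri") is not None:
        pri = int(m.group("pri"))
        if pri > 191:                                    # 23 * 8 + 7
            raise ValueError(f"PRI {pri} out of range")
        fac, pri_sev = divmod(pri, 8)
    sev = int(m.group("sev"))
    return {"facility": fac, "pri_severity": pri_sev, "timestamp": m.group("ts"),
            "device_id": m.group("devid"), "severity": sev,
            "level_name": LEVEL_NAME[sev], "msg_id": int(m.group("msgid")),
            "text": m.group("text")}


def audit(line: str, setup: ServerSetup) -> List[str]:
    """Collector-side check: what in a received line departs from the
    intended Server Setup policy (wrong facility, missing device ID, a
    message that should have been suppressed or re-levelled)."""
    p = parse(line)
    findings = []
    want = FACILITY[setup.facility]
    if p["facility"] is not None and p["facility"] != want:
        findings.append(f"facility {p['facility']} != expected {want}")
    if p["pri_severity"] is not None and p["pri_severity"] != p["severity"]:
        findings.append("PRI severity disagrees with %ASA header")
    if setup.timestamp and p["timestamp"] is None:
        findings.append("timestamp missing")
    if setup.device_id and p["device_id"] != setup.device_id:
        findings.append(f"device id {p['device_id']!r} != {setup.device_id!r}")
    rule = setup.rules.get(p["msg_id"])
    if rule and rule.suppressed:
        findings.append(f"message {p['msg_id']} should be suppressed")
    elif rule and rule.level is not None and p["severity"] != rule.level:
        findings.append(f"message {p['msg_id']} at level {p['severity']}, policy says {rule.level}")
    return findings


if __name__ == "__main__":
    policy = ServerSetup(timestamp=True, device_id="fw-edge01",
                         rules={302013: MessageRule(suppressed=True),
                                106023: MessageRule(level=2)})
    sent = render(policy, 106023, 3, "Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.7/22")
    stray = "<134>%ASA-6-302014: Teardown TCP connection 1 for outside:203.0.113.5/443 to inside:10.0.0.7/51234"
    for line in (sent, stray):
        print(line, audit(line, policy))
```

Running the audit over a collector's feed is a quick way to confirm that a deployed policy took effect: a line arriving with facility 16 instead of 20, without the device ID, or at the message's default level instead of the overridden one points at a unit (or cluster member) that is not running the policy you think it is.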
Syslog Relay Configuration
In addition to events being received by the Cisco Security Manager server, they can be forwarded to a maximum of two external/remote collectors (syslog hosts). Syslog relay forwards the received messages to another syslog host using the UDP syslog protocol.
If you want the syslog messages forwarded by the Cisco Security Manager server to carry the Cisco Security Manager server's IP address as the source IP address of the syslog message, you must enable this in the relay properties file:
1. Navigate to CSCOpx\MDC\logrelay and open the logrelay.properties file.
2. Set the values of ext1 and ext2 to false like this:
Note
By default the value is true for all collectors. Setting ext1 and ext2 to false makes Cisco Security Manager send the syslog messages with the Cisco Security Manager IP address as the source. This change can be made only for the remote collectors (ext1 and ext2), not for the local collector (ext0).
Server Setup Page
The Server Setup page allows you to set the facility code to be included in syslog messages that are sent to syslog servers, specify whether a timestamp is included in each message, specify the device ID to include in messages, view and modify the severity levels for messages, and disable the generation of specific messages.
- (Device view) Select Platform > Logging > Syslog > Server Setup from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Server Setup from the Policy Type selector. Select an existing policy or create a new one.
- Configuring Syslog Server Setup
- Defining Syslog Servers
- Chapter 54, “Configuring Logging Policies on Firewall Devices”
- Logging Levels
| Element | Description |
|---|---|
| Facility | The syslog facility code that the appliance includes in messages destined for syslog servers. The default is LOCAL4(20), which is what most UNIX systems expect. You can select a facility between LOCAL0(16) and LOCAL7(23). The facility is useful when you have a central syslog monitoring system that needs to distinguish among the various network devices that generate syslog data streams. Because your network devices share the eight available facilities, you might need to change this value. |
| Enable Timestamp on Each Syslog Message | Whether to include the date and time a message was generated in syslog messages. The default is to not include time stamps. |
| Enable Syslog Device ID | Whether to configure a device ID in non-EMBLEM-format syslog messages. If you select this option, select one of the following to use as the device ID, which is placed at the start of all syslog messages: Interface, User Defined ID, Host Name, or Cluster ID (see Configuring Syslog Server Setup). If you select an interface role, that role must map to a single interface on the device. For ASA clusters, to specify that the interface IP address of the Control unit should be used for all cluster devices, select the corresponding option under the Interface Name field. Note: For an ASA cluster, each unit in the cluster generates its own syslog messages. You can configure logging so that each unit uses either the same or a different device ID in the syslog message header field. For example, the hostname configuration is replicated and shared by all units in the cluster. If you configure logging to use the hostname as the device ID, syslog messages generated by all units look as if they come from a single unit. If you configure logging to use the local-unit name that is assigned in the cluster bootstrap configuration as the device ID (Cluster ID option), syslog messages look as if they come from different units. You can also specify whether or not the interface IP address of the Control unit should be used for all cluster devices. |
| Syslog Message table | Use this table to enable or disable the generation of specific syslog messages, or to change the severity level of a message. If you do not want to restrict which message types are generated, or change any message severity levels, you do not need to configure anything in this table. The table shows the messages you have configured with the message level and whether generation is suppressed ("true" in the table). |
| Disable NetFlow Equivalent Syslogs button | If you are using NetFlow logging, you might want to disable the generation of syslog messages that duplicate NetFlow messages. If you click the Disable button, these duplicate syslog messages are added to the Syslog Message table as suppressed messages, and the button is renamed Enable NetFlow Equivalent Syslogs. Clicking the Enable button removes the duplicate syslog messages from the table, meaning that they will no longer be suppressed, and the device will start sending them again. However, if you manually edited any message that was added to the list by the Disable button, the Enable button does not remove it. |
Logging Levels
The following table describes logging levels.
Add/Edit Syslog Message Dialog Box
The Add/Edit Syslog Message dialog box lets you modify the logging level or suppression setting for a syslog message.
You can access the Add/Edit Syslog Message dialog box from the Server Setup Page.
| Element | Description |
|---|---|
| Syslog ID | The message log ID of the message whose severity level or suppression setting you want to alter. These values and their corresponding messages are identified in the System Log Message guides for the appropriate product: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guides_list.html ; http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html ; http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home.html . Note: Starting from Cisco Security Manager 4.10, you can enter a syslog message in the Syslog ID field. Make sure that you enter a valid syslog ID corresponding to the device; otherwise the deployment may fail. |
| Level | The logging level that you want to assign to the message. For logging levels and descriptions, see Logging Levels. Select (default) to use the default level assigned to the message. |
| Suppressed | Whether to suppress the generation of the syslog message. Suppressing a message disables its generation, so you will not see it in syslogs. |
| Standby blocking | Whether to block specific syslog messages from being generated on standby ASA devices. This feature is available from ASA version 9.4(1), and Security Manager supports it starting from version 4.9. |
Defining Syslog Servers
The Syslog Servers page lets you specify the syslog servers to which the security appliance will send syslog messages. To make use of the syslog servers you define, you must enable logging using the Logging Setup page and set up the appropriate filters for destinations using the Logging Filters page.
Tip
If you want to view events from an ASA device using Security Manager Event Viewer, ensure that you define the Security Manager server as a syslog server. Also, if you use CS-MARS or other applications to manage syslog events, include those servers in this policy.
By directing syslog records generated by a security appliance to a syslog server, you can process and study the records.
Before you begin, enable logging. See Configuring Logging Setup.
Step 1
Select Platform > Logging > Syslog > Syslog Servers to display the Syslog Servers page.
Step 2
Do one of the following:
- To add a new syslog target, click the Add Row button.
- To edit an existing syslog target, select the check box for the row, then click the Edit Row button.
Step 3
Enter or select the interface name in the Interface field.
The list displays all interfaces defined at the current scope.
Step 4
Enter or select the IP address of the syslog server in the IP Address field.
Step 5
Determine whether to use UDP or TCP, then click the appropriate radio button under Protocol.
Step 6
Enter the port from which the security appliance sends either UDP or TCP syslog messages. The port must be the same port on which the syslog server listens.
Step 7
To generate syslog messages using the EMBLEM format, select the Log messages in Cisco EMBLEM format check box.
To enable this option, you must select the UDP protocol for publishing messages to this syslog server.
The definition appears in the Syslog Servers table.
Syslog Servers Page
The Syslog Servers page lets you specify the syslog servers to which the security appliance sends syslog messages. To make use of the syslog servers you define, you must enable logging using the Logging Setup page and set up the appropriate filters for destinations using the Logging Filters page.
Tip
If you want to view events from an ASA device using Security Manager Event Viewer, ensure that you define the Security Manager server as a syslog server. Also, if you use CS-MARS or other applications to manage syslog events, include those servers in this policy.
- (Device view) Select Platform > Logging > Syslog > Syslog Servers from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Syslog Servers from the Policy Type selector. Select an existing policy or create a new one.
| Element | Description |
|---|---|
| Syslog Servers table | The syslog servers to which this device sends syslog messages. The table shows the device interface that publishes messages to the server, the server's IP address, the syslog protocol and port number, and whether the messages are in Cisco EMBLEM syslog format. There is a limit of four syslog servers that can be set up per context. |
| Queue size | The size of the queue for storing syslog messages on the security appliance when the syslog server is busy. The minimum is 1 message; the default is 512. Specify 0 to allow an unlimited number of messages to be queued (subject to available block memory). |
| Restrict traffic when a TCP syslog server is down | Whether to restrict all traffic if any syslog server that is using the TCP protocol is down. |
Add/Edit Syslog Server Dialog Box
The Add/Edit Syslog Servers dialog box lets you add or edit the syslog servers to which the security appliance will send syslog messages. To make use of the syslog servers you define, you must enable logging using the Logging Setup page and set up the appropriate filters for destinations using the Logging Filters page.
Note
There is a limit of four syslog servers that can be set up per context.
You can access the Add Syslog Servers dialog box from the Syslog Servers page. For more information about the Syslog Servers page, see Syslog Servers Page.
| Element | Description |
|---|---|
| Interface | The interface used to communicate with the syslog server. Enter the name of the interface or interface role object, or click Select to select it from a list or to create a new object. |
| IP Address | The IP address of the syslog server. Enter the IP address or the name of the network/host policy object that defines the address, or click Select to select the network/host object. Note: Starting with Cisco Security Manager 4.13, IPv6 addresses are supported for the syslog server. |
| Protocol | The protocol used to send messages to the syslog server, either TCP or UDP. UDP is the default. TCP ports work only with a security appliance syslog server. Note: You must select UDP if you intend to use the EMBLEM format. |
| Port | The TCP or UDP port from which the security appliance sends syslog messages and on which the syslog server receives them. The default ports for each protocol are: Note: During the installation or upgrade of Security Manager, the Common Services syslog service port is changed from 514 to 49514. Later, if Security Manager is uninstalled, the port is not reverted to 514. |
| Log messages in Cisco EMBLEM format | Whether to log messages in Cisco EMBLEM format. The syslog server must use UDP. Note: If the syslog server is a Cisco Security MARS appliance, do not select this option. Cisco Security MARS does not process the EMBLEM format. |
| Reference Identity | Beginning with version 4.12, Security Manager enables you to select a Reference Identity policy object name from the Policy Objects Selector. Reference Identity is enabled only if the protocol is TCP and is disabled if the protocol is UDP. For more information, see Reference Identities. |
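The following Python, added here and not part of Security Manager, encodes the constraints these pages state for a syslog server definition (at most four servers per context, EMBLEM only over UDP, Reference Identity only for TCP, queue size 0 or at least 1) as a check you can run over a policy before deploying it, and adds the two review notes a practitioner wants: a TCP server without a Reference Identity object has no identity validation, and the restrict-traffic option turns a collector outage into a traffic outage. The class names, the fail_closed field name and the sample policies are this example's own.

```python
"""Sanity checks on a Syslog Servers policy for one ASA context, encoding
the constraints stated on the Syslog Servers and Add/Edit Syslog Server
pages plus two risk notes a reviewer would add.

Added example, not Security Manager code. The classes, the 'fail_closed'
name (the page's 'restrict all traffic if any TCP syslog server is down'
option) and the sample policies are this example's own."""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_SERVERS_PER_CONTEXT = 4


@dataclass(frozen=True)
class SyslogServer:
    interface: str
    address: str
    port: int                                  # port the server listens on
    protocol: str = "udp"                      # page default
    emblem: bool = False                       # Cisco EMBLEM format, UDP only
    reference_identity: Optional[str] = None   # Reference Identity object, TCP only


@dataclass
class SyslogServersPolicy:
    servers: List[SyslogServer] = field(default_factory=list)
    queue_size: int = 512        # 0 = unlimited, subject to block memory
    fail_closed: bool = False    # restrict all traffic if a TCP syslog server is down


def check_policy(policy: SyslogServersPolicy) -> List[str]:
    """Return findings; an empty list means the policy is consistent with
    the page's rules and carries no reviewer warnings."""
    findings = []
    if len(policy.servers) > MAX_SERVERS_PER_CONTEXT:
        findings.append(f"{len(policy.servers)} servers defined; limit is "
                        f"{MAX_SERVERS_PER_CONTEXT} per context")
    if policy.queue_size < 0:
        findings.append("queue size must be 0 (unlimited) or at least 1")
    seen = set()
    tcp_servers = 0
    for s in policy.servers:
        proto = s.protocol.lower()
        tag = f"{s.interface}/{s.address}"
        if proto not in ("tcp", "udp"):
            findings.append(f"{tag}: protocol must be tcp or udp, got {s.protocol!r}")
            continue
        if not 1 <= s.port <= 65535:
            findings.append(f"{tag}: port {s.port} out of range")
        key = (s.address, proto, s.port)
        if key in seen:
            findings.append(f"{tag}: duplicate {proto}/{s.port} entry")
        seen.add(key)
        if s.emblem and proto != "udp":
            findings.append(f"{tag}: EMBLEM format requires UDP")
        if s.reference_identity and proto != "tcp":
            findings.append(f"{tag}: Reference Identity applies only to TCP servers")
        if proto == "tcp":
            tcp_servers += 1
            if not s.reference_identity:
                findings.append(f"{tag}: TCP syslog without a Reference Identity; "
                                "the collector's identity is not validated")
    if policy.fail_closed:
        if tcp_servers == 0:
            findings.append("restrict-traffic-when-down has no effect without a TCP syslog server")
        else:
            findings.append("restrict-traffic-when-down is set: loss of any TCP syslog "
                            "server restricts all traffic through the appliance")
    return findings


if __name__ == "__main__":
    # Constructed policies: one that violates several rules, one that is clean.
    weak = SyslogServersPolicy(
        servers=[SyslogServer("inside", "10.1.1.10", 1470, "tcp", emblem=True),
                 SyslogServer("inside", "10.1.1.11", 514, "udp", reference_identity="siem-id"),
                 SyslogServer("inside", "10.1.1.11", 514, "udp"),
                 SyslogServer("inside", "10.1.1.12", 514),
                 SyslogServer("inside", "10.1.1.13", 514)],
        queue_size=-1, fail_closed=True)
    clean = SyslogServersPolicy(
        servers=[SyslogServer("inside", "10.1.1.10", 1470, "tcp", reference_identity="siem-id"),
                 SyslogServer("inside", "10.1.1.11", 514, "udp", emblem=True)])
    for name, pol in (("weak", weak), ("clean", clean)):
        print(name, check_policy(pol))
```

The last finding is deliberately a warning rather than an error: restricting traffic when the TCP collector is down is the right choice where a logging gap is worse than an outage (for example, a compliance-driven segment), and the wrong one where the firewall's availability matters more than complete logs; the check only makes the trade-off visible.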