How do I configure the ASA to show "Accessed URL" messages to my syslog server

I have a PIX 6.x firewall which is configured as "trap logging: informational" and it shows the following URL messages in the syslog:
 Feb  6 15:11:05 fw05Feb 06 2008 15:11:05: %PIX-5-304001: 7.1.1.155 Accessed URL 209.85.143.99:/__utm.gif?

I have an ASA 5510 which I've configured as "trap logging: level informational" and it does not show any URL messages on the syslog server.  I've even tried to set the logging level to debug and it still doesn't show the URL Accessed messages.  (Oh... I am getting tons of other informational messages on the syslog from the ASA 5510 device, just not the Accessed URL messages.)

What do I need to do to have the Accessed URL messages show up in the syslog server?
Asked by: Surefoot3
Surefoot3 (Author) Commented:
Ok.. got the answer.

For the ASA, you must have inspect http in one of your configured policy maps.  For me, I had to add it to the default global policy map.  Additionally, I only need to have the trap level configured informational.

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect icmp
  inspect http
!
service-policy global_policy global
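An added example, not part of the original thread: a Python check of a saved ASA running-config against the conditions the answer above names (`inspect http` inside a policy-map that a `service-policy` applies, plus a trap level that passes severity 5, the `-5-` in the quoted `%PIX-5-304001` line). The function name and both sample configs are constructed for illustration.

```python
import re

# ASA syslog severity keywords and their numeric values.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
URL_MSG_SEVERITY = 5  # the "-5-" in the %PIX-5-304001 line quoted in the question


def audit_url_logging(config):
    """Return a list of reasons why 'Accessed URL' messages would not reach syslog."""
    http_maps, applied, trap, current_map = set(), set(), None, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():
            current_map = None               # any top-level command closes the policy-map
        if m := re.fullmatch(r"policy-map (\S+)", line):
            current_map = m.group(1)
        elif current_map and re.match(r"inspect http(\s|$)", line):
            http_maps.add(current_map)
        elif m := re.match(r"service-policy (\S+) (global|interface \S+)", line):
            applied.add(m.group(1))
        elif m := re.fullmatch(r"logging trap (\S+)", line):
            level = m.group(1)
            trap = int(level) if level.isdigit() else LEVELS.get(level)
    problems = []
    if not http_maps:
        problems.append("no policy-map contains 'inspect http'")
    elif not http_maps & applied:
        problems.append("'inspect http' is only in policy-maps with no service-policy")
    if trap is None:
        problems.append("'logging trap' has no recognised severity level")
    elif trap < URL_MSG_SEVERITY:
        problems.append("'logging trap' level is below notifications (5)")
    return problems


# Constructed sample configs: the first lacks 'inspect http', the second has it.
BEFORE = """logging trap informational
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
service-policy global_policy global
"""
AFTER = BEFORE.replace("  inspect icmp\n", "  inspect icmp\n  inspect http\n")

if __name__ == "__main__":
    print("before:", audit_url_logging(BEFORE))
    print("after: ", audit_url_logging(AFTER))
```
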
 
batry_boy Commented:
I know you mentioned this, but can you confirm that you do have "logging trap debugging" in your ASA config?  If you look at the following link, it mentions that you need debug level output for WWW URL's...

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/l2_72.html#wp1690864
 
Surefoot3 (Author) Commented:
Hi Batry Boy,
Yes, I saw the same manual and I did set the level to debugging, which when I did the syslog messages really started flying but, still no URL messages.  I tested it by browsing the web with one of the computers behind the firewall and nothing.

I just don't get it... maybe it's supposed to be a combination of settings on the ASA, not just the trap level debug setting.
 
batry_boy Commented:
Could be a bug if you're using an early version of the 7.x code...what version are you using?
 
Surefoot3 (Author) Commented:
Yep... I just upgraded to 8.0.3 and still don't get the Accessed URL messages.  I've seen other folks talk about getting them on the ASA doing google searches.... so ugh.  Not sure what to do next.
 
batry_boy Commented:
If you set your ASDM logging to "debugging", do you see the URL messages in the Real Time Log Viewer?
 
Surefoot3 (Author) Commented:
Sorry for the delay... nope... I don't see them in the buffer log or the ASDM log.

I'm doing a sh log | inc URL command.. and get nothing but I can tell lots of folks are accessing IP's on port 80 and 443 from the log.  It just doesn't show the URL they accessed.  argh...

Both my PIX 6.3x firewalls actually have the trap and buffer level set to info and they both show URL messages on the syslog server.
 
batry_boy Commented:
Thanks for the info!  I've learned something new...glad you got your problem fixed...