cpatte7372 asked:

Cisco ASA Logging Facility Question

Hello Experts,

I'm trying to configure Cisco ASA  to send on syslog messages which are emergencies.

The command is as follows:
hostname(config)# logging facility 16
 hostname(config)# show logging
 Syslog logging: enabled
     Facility: 16
     Timestamp logging: disabled
     Standby logging: disabled
     Deny Conn when Queue Full: disabled
     Console logging: disabled
     Monitor logging: disabled
     Buffer logging: disabled
     Trap logging: level errors, facility 16, 3607 messages logged
         Logging to infrastructure 10.1.2.3
     History logging: disabled
     Device ID: 'inside' interface IP address "10.1.1.1"
     Mail logging: disabled
     ASDM logging: disabled

However, I'm still getting syslog messages from the ASA that are informational, warning, notice etc...

Is there an overall command that will get the ASA to send only emergencies for all message levels?

Cheers
Jan Bacher

What do you have for "logging buffered"?

ASKER

Hi Jesper,

Syslog logging: enabled
    Facility: 16
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level notifications, 17994758 messages logged
    Trap logging: level notifications, class auth session vpn vpnc webvpn, facility 16, 18139157 messages logged
    Permit-hostdown logging: enabled
    History logging: level notifications, 17994758 messages logged
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 31756398 messages logged
ASKER CERTIFIED SOLUTION
Steven Carnahan

Hi Pony,

I'm sending them to a syslog server. I don't seem to have the option to only send Critical conditions to a syslog server. However, I'm sure it's possible...
logging buffered critical

or

logging buffered emergencies
Jesper, thanks again for responding. However, I want to send the message to a syslog server, not to buffer....
Try this:

logging buffered critical

or

logging buffered 2

We send Warning and below to our syslog server with this command so Jesper is correct.
Yes, try "logging trap" and set the level.
Guys,

I don't understand.

Are you suggesting that by applying the command:

logging buffered critical

or

logging buffered 2

I will only send critical syslog messages to the syslog server?

Cheers
logging buffered ?

will show you your options. They should be debug, info, emer, etc.
Chaps,

I believe the following is the way to achieve what I'm after:


The following example shows how to use the logging list command:
hostname(config)# logging list my-list 100100-100110
hostname(config)# logging list my-list level critical
hostname(config)# logging list my-list level warning class vpn
hostname(config)# logging host inside xx.xx.xx.xx (I'm not given option to specify 'my-list' here)
Keep in mind that "critical" will log message levels 0, 1 and 2.

Allowable entries include:

• 0—emergencies (System unusable messages)
• 1—alerts (Take immediate action)
• 2—critical (Critical condition)
• 3—errors (Error message)
• 4—warnings (Warning message)
• 5—notifications (Normal but significant condition)
• 6—informational (Information message)
• 7—debugging (Debug messages)
Hi Pony,

Did you see my response above?
This is taken directly from our ASA:  

112  logging enable
113  logging buffered warnings
114  logging asdm informational
115  logging host inside xxx.xxx.xxx.xxx

As stated, we are logging for warnings and below.  (0-4)

We also log to the asdm log as well as the syslog server (lines 114 and 115 respectively)
Pony, are you therefore saying that your suggestion above will only send 'warnings' to the host xx.xx.xx.xx ?

Cheers
No - Your original statement was:  "I'm trying to configure Cisco ASA  to send on syslog messages which are emergencies."

Then you say:  "I don't seem to have the option to only send Critical conditions to a syslog server."

So:

0 - emergencies
2 - critical

So which do you actually want?

This will give you emergency, Alert and Critical based on what you have provided:

logging list notif-list 104024-105999
Pony,

Sorry for the confusion.

I just want to send 'emergencies' to a syslog server....
Hi Pony,

As mentioned, I just want to send 'emergencies' to a host/syslog server
Taken from the site I mentioned:

Note The ASA does not send severity 0, emergency messages to the syslog server. These are analogous to a UNIX panic message, and denote an unstable system.
OK, what about just 'critical' messages to the syslog server?
So if you populate your "my-list" above with the message numbers from the section "Critical Messages, Severity 2" on the site you should be able to log just the Critical messages.
Pony,

"my-list" above with the message numbers from the section "Critical Messages, Severity 2" on the site you should be able to log just the Critical messages.

Correct, but I can't find an option to send just critical to the host/syslog server - it will only send the critical messages to the logging buffer - Just to reiterate, I just want critical messages sent to the server...
Okay, I think we are both dancing around the same hat.  :)

The commands below:

hostname(config)# logging list my-list 100100-100110
hostname(config)# logging host inside xx.xx.xx.xx

Should log all messages in the range 100100-100110 to the syslog server xx.xx.xx.xx and nothing else.

The "my-list" is the name given to the list containing messages 100100-100110 by whoever. You can have multiple lists so you can pick out the messages you want.
Hi Pony,

Sorry for delayed response.

I'm going to try your suggestion now.

Cheers
Hi Pony,

I applied the commands as you suggested but I'm still getting messages other than critical (see image).

logging list solarwinds level critical
logging list solarwinds message 101001-199021
logging host inside xx.xx.xx.xx

Regards
asalogg.PNG
Try leaving out this line:

logging list solarwinds level critical

That should limit the logging to the errors you have selected (101001-199021)
Cheers
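
A receiver-side check for the problem discussed in this thread, added here as an example (not code from any poster or from Cisco): it decodes the syslog PRI value and the `%ASA-severity-id` tag of each line the syslog server receives and lists the messages that are less severe than the intended threshold. The sample lines and function names are constructed for illustration; the PRI formula is the standard syslog one (facility × 8 + severity), which is why `logging facility 16` on its own does not filter anything.

```python
import re
from collections import Counter

# Severity names as listed in the thread (0 = emergencies ... 7 = debugging).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# <PRI> prefix, optional timestamp/device id, then %ASA-<severity>-<message id>.
LINE_RE = re.compile(r"^<(\d{1,3})>.*?%ASA-([0-7])-(\d{6}):")


def parse(line):
    """Return (facility, pri_severity, asa_severity, msg_id) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    # Syslog PRI = facility * 8 + severity; the facility carries no severity.
    return pri // 8, pri % 8, int(m.group(2)), int(m.group(3))


def audit(lines, max_level):
    """Count messages per severity and collect those above max_level.

    A threshold of N means severities 0..N are expected (lower = more severe).
    """
    counts, unexpected = Counter(), []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue  # not an ASA syslog line
        facility, _pri_sev, asa_sev, msg_id = parsed
        counts[SEVERITIES[asa_sev]] += 1
        if asa_sev > max_level:
            unexpected.append((msg_id, SEVERITIES[asa_sev], facility))
    return counts, unexpected


# Constructed sample lines (not captured from a real device), facility 16,
# timestamp logging disabled as in the asker's "show logging" output.
SAMPLE = [
    "<130>%ASA-2-106001: constructed critical message",
    "<132>%ASA-4-106023: constructed warning message",
    "<134>%ASA-6-302013: constructed informational message",
    "<131>%ASA-3-313001: constructed error message",
]

if __name__ == "__main__":
    counts, unexpected = audit(SAMPLE, SEVERITIES.index("critical"))
    print(dict(counts))
    for msg_id, name, facility in unexpected:
        print(f"above threshold: {msg_id} ({name}), facility {facility}")
```

Running it against the server's received log with the threshold set to `critical` shows exactly which message IDs and severities are still arriving, which can then be compared with the `Trap logging:` line of `show logging`.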