Cisco ASA Logging Facility Question

Hello Experts,

I'm trying to configure Cisco ASA  to send on syslog messages which are emergencies.

The command is as follows:
hostname(config)# logging facility 16
 hostname(config)# show logging
 Syslog logging: enabled
     Facility: 16
     Timestamp logging: disabled
     Standby logging: disabled
     Deny Conn when Queue Full: disabled
     Console logging: disabled
     Monitor logging: disabled
     Buffer logging: disabled
     Trap logging: level errors, facility 16, 3607 messages logged
         Logging to infrastructure 10.1.2.3
     History logging: disabled
     Device ID: 'inside' interface IP address "10.1.1.1"
     Mail logging: disabled
     ASDM logging: disabled

However, I'm still getting syslog messages from the ASA that are informational, warning, notice etc...

Is there an overall command that will get the ASA to send only emergencies for all message levels?

Cheers
cpatte7372 Asked:

Jan Springer Commented:
What do you have for "logging buffered"?

cpatte7372 (Author) Commented:
Hi Jesper,

Syslog logging: enabled
    Facility: 16
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level notifications, 17994758 messages logged
    Trap logging: level notifications, class auth session vpn vpnc webvpn, facility 16, 18139157 messages logged
    Permit-hostdown logging: enabled
    History logging: level notifications, 17994758 messages logged
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 31756398 messages logged

Steven Carnahan (Network Manager) Commented:
Where are you sending these messages? To the buffer? To a syslog server? To SNMP?

SNMP you need:

logging history 3

That will log 0-3 severity

–0—emergencies (System unusable messages)
–1—alerts (Take immediate action)
–2—critical (Critical condition)
–3—errors (Error message)

*****************
If you are logging to buffer then:

logging buffered 3

(as mentioned by jesper)

cpatte7372 (Author) Commented:
Hi Pony,

I'm sending them to a syslog server. I don't seem to have the option to only send Critical conditions to a syslog server. However, I'm sure it's possible...

Jan Springer Commented:
logging buffered critical

or

logging buffered emergencies

cpatte7372 (Author) Commented:
Jesper, thanks again for responding. However, I want to send the message to a syslog server, not to buffer....

Steven Carnahan (Network Manager) Commented:
Try this:

logging buffered critical

or

logging buffered 2

We send Warning and below to our syslog server with this command so Jesper is correct.

Jan Springer Commented:
Yes, try "logging trap" and set the level.

cpatte7372 (Author) Commented:
Guys,

I don't understand.

Are you suggesting that by applying the command:

logging buffered critical

or

logging buffered 2

I will only send critical syslog messages to the syslog server?

Cheers

Jan Springer Commented:
logging buffered ?

will show you your options. They should be debug, info, emer, etc.

cpatte7372 (Author) Commented:
Chaps,

I believe the following is the way to achieve what I'm after:


The following example shows how to use the logging list command:
hostname(config)# logging list my-list 100100-100110
hostname(config)# logging list my-list level critical
hostname(config)# logging list my-list level warning class vpn
hostname(config)# logging host inside xx.xx.xx.xx (I'm not given option to specify 'my-list' here)

Steven Carnahan (Network Manager) Commented:
Keep in mind that "critical" will log message levels 0, 1 and 2.

Allowable entries include:

•0—emergencies (System unusable messages)
•1—alerts (Take immediate action)
•2—critical (Critical condition)
•3—errors (Error message)
•4—warnings (Warning message)
•5—notifications (Normal but significant condition)
•6—informational (Information message)
•7—debugging (Debug messages)

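The severity list above read as a threshold, as an added example that is not part of any post in this thread: a destination set to level N receives severities 0 through N, and in "show logging" the syslog server is the destination reported on the "Trap logging" line. The Python below (function and variable names are this example's own) parses the two outputs posted earlier and reports which severities the server receives beyond critical.

```python
import re

# ASA severity keywords in numeric order (index == severity number, 0 is most severe).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
# Output destinations that appear as "<Name> logging:" lines in "show logging".
DESTINATIONS = {"console", "monitor", "buffer", "trap", "history", "mail", "asdm"}
LINE_RE = re.compile(r"^\s*([A-Za-z-]+) logging:\s*(.+)$")

def parse_show_logging(text):
    """Map each destination to its level and class filter; None when no level is shown."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1).lower() not in DESTINATIONS:
            continue  # skips "Syslog logging: enabled", "Timestamp logging: ...", etc.
        dest, rest = m.group(1).lower(), m.group(2)
        level = re.search(r"\blevel (\w+)", rest)
        classes = re.search(r"\bclass ([a-z ]+)", rest)
        out[dest] = None if level is None else {
            "level": SEVERITIES.index(level.group(1)),
            "classes": classes.group(1).split() if classes else [],
        }
    return out

def severities_sent(dest_cfg):
    """A threshold of N forwards every severity from 0 up to and including N."""
    return [] if dest_cfg is None else SEVERITIES[: dest_cfg["level"] + 1]

def excess_for_server(text, wanted="critical"):
    """Severities the syslog server (trap destination) receives beyond `wanted`."""
    sent = severities_sent(parse_show_logging(text).get("trap"))
    return sent[SEVERITIES.index(wanted) + 1:]

# The two outputs posted in the thread, abridged to a few of their lines.
FIRST = """Syslog logging: enabled
    Facility: 16
    Buffer logging: disabled
    Trap logging: level errors, facility 16, 3607 messages logged
    ASDM logging: disabled"""
SECOND = """Syslog logging: enabled
    Buffer logging: level notifications, 17994758 messages logged
    Trap logging: level notifications, class auth session vpn vpnc webvpn, facility 16, 18139157 messages logged
    ASDM logging: level informational, 31756398 messages logged"""

if __name__ == "__main__":
    for name, text in (("first", FIRST), ("second", SECOND)):
        print(name, parse_show_logging(text)["trap"], excess_for_server(text))
```
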
cpatte7372 (Author) Commented:
Hi Pony,

Did you see my response above?

Steven Carnahan (Network Manager) Commented:
This is taken directly from our ASA:  

112  logging enable
113  logging buffered warnings
114  logging asdm informational
115  logging host inside xxx.xxx.xxx.xxx

As stated, we are logging for warnings and below.  (0-4)

We also log to the asdm log as well as the syslog server (lines 114 and 115 respectively)

cpatte7372 (Author) Commented:
Pony, are you therefore saying that your suggestion above will only send 'warnings' to the host xx.xx.xx.xx ?

Cheers

Steven Carnahan (Network Manager) Commented:
No - Your original statement was:  "I'm trying to configure Cisco ASA  to send on syslog messages which are emergencies."

Then you say:  "I don't seem to have the option to only send Critical conditions to a syslog server."

So:

0 - emergencies
2 - critical

So which do you actually want?

This will give you emergency, Alert and Critical based on what you have provided:

logging list notif-list 104024-105999

Steven Carnahan (Network Manager) Commented:

cpatte7372 (Author) Commented:
Pony,

Sorry for the confusion.

I just want to send 'emergencies' to a syslog server....

cpatte7372 (Author) Commented:
Hi Pony,

As mentioned, I just want to send 'emergencies' to a host/syslog server

Steven Carnahan (Network Manager) Commented:
Taken from the site I mentioned:

Note The ASA does not send severity 0, emergency messages to the syslog server. These are analogous to a UNIX panic message, and denote an unstable system.

cpatte7372 (Author) Commented:
OK, what about just 'critical' messages to the syslog server?

Steven Carnahan (Network Manager) Commented:
So if you populate your "my-list" above with the message numbers from the section "Critical Messages, Severity 2" on the site you should be able to log just the Critical messages.

cpatte7372 (Author) Commented:
Pony,

"my-list" above with the message numbers from the section "Critical Messages, Severity 2" on the site you should be able to log just the Critical messages.

Correct, but I can't find an option to send just critical to the host/syslog server - it will only send the critical messages to the logging buffer - Just to reiterate, I just want critical messages sent to the server...

Steven Carnahan (Network Manager) Commented:
Okay, I think we are both dancing around the same hat.  :)

The commands below:

hostname(config)# logging list my-list 100100-100110
hostname(config)# logging host inside xx.xx.xx.xx

Should log all messages in the range 100100-100110 to the syslog server xx.xx.xx.xx and nothing else.

The "my-list" is the name given to the list containing messages 100100-100110 by whoever. You can have multiple lists so you can pick out the messages you want.

cpatte7372 (Author) Commented:
Hi Pony,

Sorry for delayed response.

I'm going to try your suggestion now.

Cheers

cpatte7372 (Author) Commented:
Hi Pony,

I applied the commands as you suggested, but I'm still getting messages other than critical; see image.

logging list solarwinds level critical
logging list solarwinds message 101001-199021
logging host inside xx.xx.xx.xx

Regards
asalogg.PNG

Steven Carnahan (Network Manager) Commented:
Try leaving out this line:

logging list solarwinds level critical

That should limit the logging to the errors you have selected (101001-199021)

cpatte7372 (Author) Commented:
Cheers
Question has a verified solution.