Solved

Cisco ASA Logging Facility Question

Posted on 2014-10-02
Last Modified: 2014-10-18
Hello Experts,

I'm trying to configure Cisco ASA  to send on syslog messages which are emergencies.

The command is as follows:
hostname(config)# logging facility 16
hostname(config)# show logging
Syslog logging: enabled
    Facility: 16
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level errors, facility 16, 3607 messages logged
        Logging to infrastructure 10.1.2.3
    History logging: disabled
    Device ID: 'inside' interface IP address "10.1.1.1"
    Mail logging: disabled
    ASDM logging: disabled

However, I'm still getting syslog messages from the ASA that are informational, warning, notice etc...

Is there an overall command that will get the ASA to send only emergencies for all message levels?

Cheers
Question by:cpatte7372
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40357215
What do you have for "logging buffered"?
0
 

Author Comment

by:cpatte7372
ID: 40357286
Hi Jesper,

Syslog logging: enabled
    Facility: 16
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level notifications, 17994758 messages logged
    Trap logging: level notifications, class auth session vpn vpnc webvpn, facility 16, 18139157 messages logged
    Permit-hostdown logging: enabled
    History logging: level notifications, 17994758 messages logged
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 31756398 messages logged
0
 
LVL 26

Accepted Solution

by:
pony10us earned 500 total points
ID: 40357293
Where are you sending these messages? To the buffer? To a syslog server? To SNMP?

SNMP you need:

logging history 3

That will log 0-3 severity

•0—emergencies (System unusable messages)

•1—alerts (Take immediate action)

•2—critical (Critical condition)

•3—errors (Error message)

*****************
If you are logging to buffer then:

logging buffered 3

(as mentioned by jesper)
0
 

Author Comment

by:cpatte7372
ID: 40357299
Hi Pony,

I'm sending them to a syslog server. I don't seem to have the option to only send Critical conditions to a syslog server. However, I'm sure it's possible...
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40357305
logging buffered critical

or

logging buffered emergencies
0
 

Author Comment

by:cpatte7372
ID: 40357316
Jesper, thanks again for responding. However, I want to send the message to a syslog server, not to buffer....
0
 
LVL 26

Expert Comment

by:pony10us
ID: 40357329
Try this:

logging buffered critical

or

logging buffered 2

We send Warning and below to our syslog server with this command so Jesper is correct.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40357340
Yes, try "logging trap" and set the level.
0
 

Author Comment

by:cpatte7372
ID: 40357367
Guys,

I don't understand.

Are you suggesting that by applying the command:

logging buffered critical

or

logging buffered 2

I will only send critical syslog messages to the syslog server?

Cheers
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40357375
logging buffered ?

will show you your options. They should be debug, info, emer, etc.
0
 

Author Comment

by:cpatte7372
ID: 40357392
Chaps,

I believe the following is the way to achieve what I'm after:


The following example shows how to use the logging list command:
hostname(config)# logging list my-list 100100-100110
hostname(config)# logging list my-list level critical
hostname(config)# logging list my-list level warning class vpn
hostname(config)# logging host inside xx.xx.xx.xx (I'm not given option to specify 'my-list' here)
0
 
LVL 26

Expert Comment

by:pony10us
ID: 40357401
Keep in mind that "critical" will log message levels 0, 1 and 2.

Allowable entries include:
 
•0—emergencies (System unusable messages)
 
•1—alerts (Take immediate action)
 
•2—critical (Critical condition)
 
•3—errors (Error message)
 
•4—warnings (Warning message)
 
•5—notifications (Normal but significant condition)
 
•6—informational (Information message)
 
•7—debugging (Debug messages)
0
 

Author Comment

by:cpatte7372
ID: 40357403
Hi Pony,

Did you see my response above?
0
 
LVL 26

Expert Comment

by:pony10us
ID: 40357408
This is taken directly from our ASA:  

112  logging enable
113  logging buffered warnings
114  logging asdm informational
115  logging host inside xxx.xxx.xxx.xxx

As stated, we are logging for warnings and below.  (0-4)

We also log to the asdm log as well as the syslog server (lines 114 and 115 respectively)
0

 

Author Comment

by:cpatte7372
ID: 40357425
Pony, are you therefore saying that your suggestion above will only send 'warnings' to the host xx.xx.xx.xx ?

Cheers
0
 
LVL 26

Expert Comment

by:pony10us
ID: 40357454
No - Your original statement was:  "I'm trying to configure Cisco ASA  to send on syslog messages which are emergencies."

Then you say:  "I don't seem to have the option to only send Critical conditions to a syslog server."

So:

0 - emergencies
2 - critical

So which do you actually want?

This will give you emergency, Alert and Critical based on what you have provided:

logging list notif-list 104024-105999
0
 
LVL 26

Expert Comment

by:pony10us
ID: 40357470
0
 

Author Comment

by:cpatte7372
ID: 40357471
Pony,

Sorry for the confusion.

I just want to send 'emergencies' to a syslog server....
0
 

Author Comment

by:cpatte7372
ID: 40357476
Hi Pony,

As mentioned, I just want to send 'emergencies' to a host/syslog server
0
 
LVL 26

Expert Comment

by:pony10us
ID: 40357494
Taken from the site I mentioned:

Note The ASA does not send severity 0, emergency messages to the syslog server. These are analogous to a UNIX panic message, and denote an unstable system.
0
 

Author Comment

by:cpatte7372
ID: 40357512
OK, what about just 'critical' messages to the syslog server?
0
 
LVL 26

Expert Comment

by:pony10us
ID: 40357536
So if you populate your "my-list" above with the message numbers from the section "Critical Messages, Severity 2" on the site you should be able to log just the Critical messages.
0
 

Author Comment

by:cpatte7372
ID: 40357557
Pony,

"my-list" above with the message numbers from the section "Critical Messages, Severity 2" on the site you should be able to log just the Critical messages.

Correct, but I can't find an option to send just critical to the host/syslog server - it will only send the critical messages to the logging buffer - Just to reiterate, I just want critical messages sent to the server...
0
 
LVL 26

Expert Comment

by:pony10us
ID: 40357746
Okay, I think we are both dancing around the same hat.  :)

The commands below:

hostname(config)# logging list my-list 100100-100110
hostname(config)# logging host inside xx.xx.xx.xx

Should log all messages in the range 100100-100110 to the syslog server xx.xx.xx.xx and nothing else.

The "my-list" is the name given to the list containing messages 100100-100110 by whoever. You can have multiple lists so you can pick out the messages you want.
0
 

Author Comment

by:cpatte7372
ID: 40358921
Hi Pony,

Sorry for delayed response.

I'm going to try your suggestion now.

Cheers
0
 

Author Comment

by:cpatte7372
ID: 40359037
Hi Pony,

I applied the commands as you suggested, but I'm still getting messages other than critical (see image).

logging list solarwinds level critical
logging list solarwinds message 101001-199021
logging host inside xx.xx.xx.xx

Regards
asalogg.PNG
0
 
LVL 26

Expert Comment

by:pony10us
ID: 40359567
Try leaving out this line:

logging list solarwinds level critical

That should limit the logging to the errors you have selected (101001-199021)
0
 

Author Closing Comment

by:cpatte7372
ID: 40388618
Cheers
0
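
Added example, not part of the thread or any poster's configuration: a small Python model of how a logging list selects messages, assuming (as Cisco describes for logging list) that a message is selected when it meets any one criterion in the list. It runs the solarwinds list criteria from the thread over constructed sample lines; the function names and sample messages are illustrative.

```python
import re

# Severity names and numbers as listed in the thread (0 is the most severe).
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
ASA_TAG = re.compile(r"%ASA-(\d)-(\d{6}):")  # %ASA-<severity>-<message id>:

def parse(line):
    """Return (severity, message_id), or None if the line has no ASA tag."""
    m = ASA_TAG.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None

def selected(criteria, severity, msg_id):
    """True if the message meets ANY one criterion of the list (logical OR)."""
    for kind, *args in criteria:
        if kind == "level" and severity <= SEVERITY[args[0]]:
            return True  # "level critical" means severities 0, 1 and 2
        if kind == "message" and args[0] <= msg_id <= args[1]:
            return True  # an ID range selects the message whatever its severity
    return False

def forwarded(criteria, lines):
    """Parsed (severity, id) pairs of the lines the list would let through."""
    parsed = [p for p in map(parse, lines) if p]
    return [p for p in parsed if selected(criteria, *p)]

# The three list variants discussed in the thread. A list only filters a
# destination it is attached to (for syslog hosts: logging trap <list-name>).
BOTH = [("level", "critical"), ("message", 101001, 199021)]
RANGE_ONLY = [("message", 101001, 199021)]
LEVEL_ONLY = [("level", "critical")]

# Constructed sample lines as a collector might store them (not real logs).
SAMPLE = [
    "%ASA-2-106001: Inbound TCP connection denied (constructed)",
    "%ASA-4-106023: Deny tcp src outside (constructed)",
    "%ASA-6-106015: Deny TCP (no connection) (constructed)",
    "%ASA-6-302013: Built outbound TCP connection (constructed)",
    "%ASA-1-105005: Lost Failover communications (constructed)",
    "%ASA-5-111008: User executed a command (constructed)",
    "collector restarted",
]

if __name__ == "__main__":
    for name, crit in (("both", BOTH), ("range", RANGE_ONLY), ("level", LEVEL_ONLY)):
        print(name, forwarded(crit, SAMPLE))
```

Running the same function over lines saved from the syslog server shows whether what arrives matches the list that was intended.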
