The Cisco ASA firewall generates syslog messages for many different events, for example interfaces going up or down, security alerts, debug information and more. We can configure how much logging information the ASA produces and where it is stored.
Before you configure logging, make sure your clock has been configured.
Let’s take a look at our configuration options.
First, make sure logging is enabled:
ASA1(config)# logging enable
Logging to SSH or Telnet
We’ll start by looking at logging on SSH or telnet sessions. Let’s see what level of logging options we have:
ASA1(config)# logging monitor ?

configure mode commands/options:
  <0-7>          Enter syslog level (0 - 7)
  WORD           Specify the name of logging list
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
The logging monitor command configures the level of logging that we want to use. Selecting a level also includes every lower-numbered level: when you select debugging (level 7), all levels from 0 to 7 are logged. If you select “errors” then it will only log levels 3, 2, 1 and 0. We will select debugging so that we can see debug messages on our telnet or SSH session:
ASA1(config)# logging monitor debugging
The logging level has been configured but we still need to enable logging on our session. Here’s how:
ASA1(config)# terminal monitor
This enables logging up to the debug level on your telnet or SSH session. Let’s continue with another example…
Logging to Internal Buffer
The ASA has an internal buffer that we can use for syslog messages. By default it’s disabled, so let’s enable it:
ASA1(config)# logging buffered warnings
This will log all syslog messages with level “warnings” or lower to the internal buffer. We can also configure the size of the internal buffer:
ASA1(config)# logging buffer-size 8192
By default it’s only 4KB; I changed it to 8KB with the logging buffer-size command. Let’s see if we can find some syslog information in our internal buffer. Here’s an example of how we can test it:
ASA1(config)# interface E0/0
ASA1(config-if)# shutdown
ASA1(config-if)# no shutdown
Shutting an interface is something that will be logged. Now use the show logging command to view the log:
ASA1# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: level debugging, 32 messages logged
    Buffer logging: level warnings, 3 messages logged
    Trap logging: disabled
    Permit-hostdown logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled
%ASA-4-411003: Interface Ethernet0/1, changed state to administratively down
%ASA-4-411001: Line protocol on Interface Ethernet0/1, changed state to up
You can see the logging settings but also two entries at the bottom…the interface going down and up. Let’s try something else now…
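When several firewalls have to be checked, this output is easier to review programmatically. The Python example below is added here and is not part of the original lesson; it parses the show logging output shown above, lists the active destinations and notes two settings worth reviewing. The function names are assumptions chosen for this example.

```python
import re

# Status header and buffered messages from the "show logging" output in this lesson.
SHOW_LOGGING = """\
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: level debugging, 32 messages logged
    Buffer logging: level warnings, 3 messages logged
    Trap logging: disabled
    Permit-hostdown logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled
%ASA-4-411003: Interface Ethernet0/1, changed state to administratively down
%ASA-4-411001: Line protocol on Interface Ethernet0/1, changed state to up
"""

LEVEL_RE = re.compile(r"level (\w+), (\d+) messages logged")

def parse_show_logging(text):
    """Return ({field: value} from the status header, [buffered %ASA- lines])."""
    status, messages = {}, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("%ASA-"):
            messages.append(line)
        elif ": " in line:
            field, value = line.split(": ", 1)
            status[field] = value
    return status, messages

def active_destinations(status):
    """{destination: (level, messages logged)} for fields that report a level."""
    matches = ((f, LEVEL_RE.fullmatch(v)) for f, v in status.items())
    return {f.replace(" logging", ""): (m[1], int(m[2])) for f, m in matches if m}

def findings(status):
    """Points worth reviewing, derived only from fields present in the output."""
    notes = []
    if status.get("Timestamp logging") == "disabled":
        notes.append("messages are logged without a timestamp")
    if status.get("Trap logging") == "disabled":
        notes.append("no messages are sent to a syslog server")
    return notes
```

For the output above, only the monitor and buffer destinations are active, so every message still lives only on the firewall itself.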
Logging to console
We can log syslog messages to the console like this:
ASA1(config)# logging console warnings
This will log all syslog messages with level "warnings" or lower to the console. Keep in mind that the console is only running at 9600 bps so it's easy to overburden it with logging messages. If there are too many logging messages then they will be rate-limited and even dropped if the console can't handle them.
Logging to e-mail
We can also send syslog messages directly to e-mail, here's an example:
ASA1(config)# logging mail alerts
ASA1(config)# logging from-address email@example.com
ASA1(config)# logging recipient-address firstname.lastname@example.org
ASA1(config)# smtp-server 192.168.1.1
This will send all syslog messages with level "alerts" or lower to an e-mail address. Don't forget to configure an SMTP server.
Logging to ASDM
We can also log to ASDM where you can see the syslog messages in the dashboard. Here's how to enable it:
ASA1(config)# logging asdm debugging
This is how we can send all syslog messages to ASDM. Once you log in, you can see the syslog messages at the bottom:
Above you can see the syslog messages in ASDM.
Logging to Syslog Server
A good choice is to send syslog messages to a syslog server. Here's how to do it:
ASA1(config)# logging host INSIDE 192.168.1.3
ASA1(config)# logging trap alerts
You need to configure the host and the level of syslog messages. Here's what it looks like on a syslog server:
Above you see some incoming messages on my syslog server.
Logging to SNMP server
Last but not least, we can send syslog messages as SNMP traps to an SNMP server. Here's how:
ASA1(config)# snmp-server host INSIDE 192.168.1.1 trap community MY_COMMUNITY
ASA1(config)# snmp-server enable traps syslog
ASA1(config)# logging history notifications
First we configure the SNMP server and the community and then we tell the ASA to send syslog messages using SNMP traps. The logging history command sets the syslog level.
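To see which of the destinations configured in this lesson would actually receive a given message, the following Python example applies the severity rule to the levels used above. It is an added example, not code from the original lesson; the function names and the constructed sample messages (message ID 000000) are assumptions made for illustration.

```python
import re

# Severity keywords from the "logging monitor ?" help output; index = level number.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Thresholds configured in this lesson, keyed by destination.
THRESHOLDS = {
    "monitor": "debugging",      # logging monitor debugging
    "buffer": "warnings",        # logging buffered warnings
    "console": "warnings",       # logging console warnings
    "mail": "alerts",            # logging mail alerts
    "asdm": "debugging",         # logging asdm debugging
    "trap": "alerts",            # logging trap alerts (syslog server)
    "history": "notifications",  # logging history notifications (SNMP traps)
}

# Message format as shown in the buffer: %ASA-<severity>-<message id>: <text>
MSG_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d+): (?P<text>.*)")

def parse(line):
    """Return (severity, message_id, text), or None if the line is not an ASA message."""
    m = MSG_RE.search(line)
    return (int(m["sev"]), m["id"], m["text"]) if m else None

def receivers(severity, thresholds=THRESHOLDS):
    """A destination receives a message when severity <= its configured level."""
    return sorted(d for d, level in thresholds.items()
                  if severity <= SEVERITIES.index(level))

def route(lines):
    """Return (message_id, severity, destinations) for each parsable line."""
    routed = []
    for line in lines:
        parsed = parse(line)
        if parsed is not None:
            routed.append((parsed[1], parsed[0], receivers(parsed[0])))
    return routed

SAMPLE = [
    # First line is from the "show logging" output above; the rest are constructed.
    "%ASA-4-411003: Interface Ethernet0/1, changed state to administratively down",
    "%ASA-1-000000: constructed alert-level message",
    "%ASA-7-000000: constructed debug-level message",
    "not an ASA message",
]

if __name__ == "__main__":
    for msg_id, sev, dests in route(SAMPLE):
        print(f"{msg_id} severity {sev} ({SEVERITIES[sev]}): {', '.join(dests)}")
```

With logging trap alerts, the severity 4 interface message from the buffer example never reaches the syslog server; only levels 0 and 1 do.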
That's all there is, I hope this lesson has been useful!