ASA send syslog messages for configuration changes

On a router you can send configuration changes to the syslog server by doing:

conf t
archive
 log config
  logging enable
  notify syslog

Then the router will send something like:

.Aug  3 13:12:00.776 PACIFIC: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no interface Loopback76

if I had typed "no int lo76" at the command line.

How do you do this on the ASA?

Goal: I want to know when anybody does any kind of config on my ASA.

Correct Answer by Jennifer Halim on Aug 8, 2012 11:24 AM

Syslog numbers 111008 and 111010 will log the command that is entered by the user.

111010 is for configuration changes.

Here is the syslog for your information:

111008:
http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logmsgs.html#wp4769400

111010:
http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logmsgs.html#wp4769410

You need to enable syslog and severity level 5, and if you don't want to see any other logging, you can log only the above 2 syslog numbers.

Original source: <https://supportforums.cisco.com/thread/2164290>


Mnemonic  Severity  Description
4000nn    4         IPS:number string from IP_address to IP_address on interface interface_name
                    ("nn" indicates multiple messages, currently 400000 - 400050)
106001    2         Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name
106002    2         protocol Connection denied by outbound list acl_ID src inside_address dest outside_address
106006    2         Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name
106007    2         Deny inbound UDP from outside_address/outside_port to inside_address/inside_port due to DNS {Response|Query}
106010    3         Deny inbound protocol src interface_name:dest_address/dest_port dst
106012    3         Deny IP from IP_address to IP_address, IP options hex
106013    3         Dropping echo request from IP_address to PAT address IP_address
106014    3         Deny inbound icmp src interface_name: IP_address dst interface_name: IP_address (type dec, code dec)
106015    6         Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name
106016    2         Deny IP spoof from (IP_address) to IP_address on interface interface_name.
106017    2         Deny IP due to Land Attack from IP_address to IP_address
106018    2         ICMP packet type ICMP_type denied by outbound list acl_ID src inside_address dest outside_address
106020    2         Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_address
106021    1         Deny protocol reverse path check from source_address to dest_address on interface interface_name
106022    1         Deny protocol connection spoof from source_address to dest_address on interface interface_name
106023    4         Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_ID
106100    4         access-list acl_ID {permitted | denied | est-allowed} protocol interface_name/source_address(source_port) -> interface_name/dest_address(dest_port) hit-cnt number ({first hit | number-second interval})
710003    3         {TCP|UDP} access denied by ACL from source_IP/source_port to interface_name:dest_IP/service


logging enable
! Enable logging
logging timestamp
! Include a timestamp in logging messages
logging list notif-cfg-changes level errors
logging list notif-cfg-changes message 111008-111010
! Custom (user-defined) logging message list
! Only messages at or above a specific criterion level
logging buffer-size 300000
! Change the buffer size for locally logged messages
logging buffered notif-cfg-changes
! Security level of locally logged (buffered) messages
logging host outside 118.223.125.100
logging trap warnings
! Interface and IP where the syslog server is located
! Level of logging messages sent to the syslog server
logging history warnings
! Security level of messages sent to the SNMP server
logging asdm informational
logging device-id ipaddress outside
! Show device information (IP address) in logging messages
logging class auth history warnings trap warnings
logging class config history warnings trap warnings
no logging message 313005
! Disable a specific logging message
logging message 113008 level warnings
logging message 113012 level warnings
logging message 605005 level warnings
logging message 502103 level warnings
logging message 111008 level warnings
logging message 302013 level warnings
logging message 111001 level warnings
logging message 111004 level warnings
logging message 610002 level warnings
logging message 610001 level warnings
! Change the security level of specific logging messages
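As an added illustration (not part of the forum thread or of the REDDUCK configuration), the Python below parses the two message formats Jennifer Halim points to (111008 and 111010) and reproduces the selection rule of the notif-cfg-changes list above; the sample lines, user name and IP addresses are constructed.

```python
import re
from typing import Optional

# Constructed sample lines modelled on the documented 111008/111010 formats
# (not taken from the forum thread or from the REDDUCK configuration).
SAMPLE_LOG = """\
%ASA-5-111010: User 'admin', running 'CLI' from IP '10.0.0.5', executed 'configure terminal'
%ASA-5-111008: User 'admin' executed the 'no logging host outside 118.223.125.100' command.
%ASA-6-302013: Built inbound TCP connection 12 for outside:10.0.0.5/50000 (10.0.0.5/50000) to inside:10.0.0.9/22 (10.0.0.9/22)
%ASA-3-313001: Denied ICMP type=8, code=0 from 10.0.0.7 on interface outside
"""

# search() rather than match(): with "logging timestamp" / "logging device-id" a
# timestamp and hostname precede the %ASA-<severity>-<id> tag.
HEADER = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")
FMT_111008 = re.compile(r"User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command\.$")
FMT_111010 = re.compile(r"User '(?P<user>[^']*)', running '(?P<app>[^']*)' "
                        r"from IP '(?P<ip>[^']*)', executed '(?P<cmd>.*)'$")

# Same selection rule as:  logging list notif-cfg-changes level errors
#                          logging list notif-cfg-changes message 111008-111010
# ASA severities: 0 emergencies .. 3 errors, 4 warnings, 5 notifications, 6 informational.
LIST_LEVEL = 3
LIST_RANGE = (111008, 111010)

def matches_list(sev: int, msg_id: int) -> bool:
    """Selected if at the list's level or more severe, OR if the ID falls in the range."""
    return sev <= LIST_LEVEL or LIST_RANGE[0] <= msg_id <= LIST_RANGE[1]

def parse_line(line: str) -> Optional[dict]:
    """Split an ASA syslog line into severity, message ID and text; None for non-ASA lines."""
    m = HEADER.search(line.strip())
    return None if m is None else {"sev": int(m["sev"]), "id": int(m["id"]), "text": m["text"]}

def config_changes(log_text: str) -> list:
    """One record per 111008/111010 line: who ran which command (and from where, for 111010)."""
    found = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["id"] not in (111008, 111010):
            continue
        body = (FMT_111008 if rec["id"] == 111008 else FMT_111010).match(rec["text"])
        if body is None:
            continue  # wording differs from the documented format: skip rather than misreport
        d = body.groupdict()
        found.append({"id": rec["id"], "user": d["user"], "cmd": d["cmd"],
                      "src_ip": d.get("ip"), "app": d.get("app")})
    return found
```

Note that the list also admits every message at severity errors or above (here the 313001 line), so a collector fed by `logging trap notif-cfg-changes` still has to pick out the 111008/111010 records by ID.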

 

As applied on the REDDUCK ASA:

REDDUCK-ASA-HQ# sh run logging
logging enable
logging timestamp
logging list notif-cfg-changes level errors
logging list notif-cfg-changes message 111008-111010
logging buffer-size 300000
logging buffered notif-cfg-changes
logging trap notif-cfg-changes
logging history notif-cfg-changes
logging asdm informational
logging device-id ipaddress outside
logging host outside SKB_SNMP
logging class auth history warnings trap warnings
logging class config history warnings trap warnings
no logging message 313005
logging message 113008 level warnings
logging message 113012 level warnings
logging message 605005 level warnings
logging message 502103 level warnings
logging message 111008 level warnings
logging message 302013 level warnings
logging message 111001 level warnings
logging message 111004 level warnings
logging message 610002 level warnings
logging message 610001 level warnings


http://www.security-solutions.co.za/CISCO-ASA-5520-configuration-example.html

Posted by it-infra