Friday 1 December 2017

Set up syslog on a Cisco ASA

Syslog is UDP traffic on port 514.
The ASA sends from its own IP address with source port 514 to the syslog server's IP on destination port 514, as seen in a capture:
192.168.1.254.514 > 192.168.1.100.514:  udp 201

Usual config to enable logging:
logging enable
logging timestamp
logging trap debugging
logging facility 23
logging device-id ipaddress inside system
logging host INSIDE x.x.x.x
no logging hide username

Syslog over S2S VPN
First make sure the VPN is up and working.

logging enable
logging timestamp
logging trap debugging
logging asdm debugging

logging device-id ipaddress inside
logging device-id ipaddress inside system (the system keyword specifies to use the cluster system IP address of the interface, to present an integrated view for all units)

Logging host interface can differ, not sure why.
logging host inside 10.36.0.200
logging host outside 10.36.0.200 (in some cases I had to use outside, on ASA v8.2)

You will get a warning (because the route is via outside) but it will work:
WARNING:  configured logging host interface conflicts with route table entry

You also need management access configured like so:
management-access inside

Set the route to the syslog server:
route outside 10.36.0.200 255.255.255.255 100.100.200.200 1

It is a good idea to allow SSH on both the outside (public IP) and inside (LAN IP) interfaces so you can SSH in and check or change settings:
ssh 180.100.100.100 255.255.255.255 outside
ssh 192.168.200.200 255.255.255.255 inside

Permit host down (keep passing traffic if the syslog server is unreachable):
logging permit-hostdown

More detail on the individual commands
Example:
logging host dmz1 192.168.1.5 udp 1026 format emblem

The format emblem keyword enables EMBLEM format logging for the syslog server (UDP only). The interface_name argument specifies the interface through which you reach the syslog server. The syslog_ip argument specifies the IP address of the syslog server. The tcp[/port] or udp[/port] keyword and argument pair specify whether the ASA and ASASM should use TCP or UDP to send syslog messages to the syslog server.

You can configure the ASA to send data to a syslog server using either UDP or TCP, but not both. The default protocol is UDP if you do not specify a protocol.

If you specify TCP, the ASA detects when the syslog server fails and, as a security protection, blocks new connections through the ASA. To allow new connections regardless of connectivity to a TCP syslog server, see logging permit-hostdown below. If you specify UDP, the ASA continues to allow new connections whether or not the syslog server is operational. Valid port values for either protocol are 1025 through 65535. The default UDP port is 514. The default TCP port is 1470.


logging trap debugging

Specifies which syslog messages should be sent to the syslog server. You can specify the severity level number (1 through 7) or name. For example, if you set the severity level to 3, the ASA sends syslog messages for severity levels 3, 2, and 1. You can instead specify a custom message list that identifies exactly which syslog messages to send to the syslog server.
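The collector side of the above is worth checking too: that datagrams really arrive from source port 514, carry the facility set with logging facility 23, include the timestamp and device-id fields, and that the severity in the PRI value agrees with the %ASA-n header. The following is an added example (Python, not from the original post or from Cisco) that parses ASA syslog lines and validates them against that expected configuration; it also encodes the severity-threshold rule of logging trap. The sample messages and the device-id 192.168.1.254 are constructed, and the field layout assumed is PRI, then the timestamp, then the device-id followed by " : ", then the %ASA header.

```python
"""Collector-side check of Cisco ASA syslog datagrams.

Added example (not from the original post or from Cisco). It assumes the ASA is
set up as in the config above: 'logging timestamp', 'logging device-id ipaddress
inside' and 'logging facility 23', sending UDP from source port 514. The sample
messages below are constructed, not captured from a real device.
"""
import re
import socket
from dataclasses import dataclass
from typing import List, Optional

# Severity numbers and the keywords accepted by 'logging trap <level>'.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# <PRI>, optional 'logging timestamp' field, optional device-id followed by " : ",
# then the fixed %ASA-<severity>-<message id>: header (layout assumed, see above).
ASA_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) )?"
    r"(?:(?P<devid>\S+) : )?"
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)


@dataclass
class AsaSyslog:
    facility: int            # from PRI: pri >> 3
    pri_severity: int        # from PRI: pri & 7
    timestamp: Optional[str]
    device_id: Optional[str]
    severity: int            # the digit in %ASA-<n>-...
    message_id: str
    text: str


def parse_asa_syslog(line: str) -> AsaSyslog:
    """Split one ASA syslog line into its fields; raises ValueError on anything else."""
    m = ASA_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an ASA syslog line: {line!r}")
    pri = int(m["pri"])
    return AsaSyslog(pri >> 3, pri & 7, m["ts"], m["devid"],
                     int(m["sev"]), m["msgid"], m["text"])


def validate(msg: AsaSyslog, src_port: int, expected_facility: int = 23,
             expected_device: Optional[str] = None) -> List[str]:
    """Return the ways a datagram disagrees with the expected ASA config (empty = ok)."""
    problems = []
    if src_port != 514:
        problems.append(f"source port {src_port}, ASA sends from 514")
    if msg.facility != expected_facility:
        problems.append(f"facility {msg.facility}, expected {expected_facility}")
    if msg.pri_severity != msg.severity:
        problems.append("PRI severity does not match %ASA-n header")
    if msg.timestamp is None:
        problems.append("no timestamp: 'logging timestamp' not configured")
    if expected_device and msg.device_id != expected_device:
        problems.append(f"device-id {msg.device_id!r}, expected {expected_device!r}")
    return problems


def would_be_sent(msg_severity: int, trap_level: int) -> bool:
    """'logging trap N' forwards every message whose severity number is <= N."""
    return msg_severity <= trap_level


# Constructed samples. With facility 23 (local7) the PRI value is 23*8 + severity.
SAMPLES = [
    "<190>Dec 01 2017 10:15:32 192.168.1.254 : %ASA-6-302013: Built outbound TCP "
    "connection 12345 for outside:203.0.113.10/443 (203.0.113.10/443) to "
    "inside:192.168.1.20/51000 (198.51.100.2/51000)",
    # PRI 166 = facility 20 (local4): device still on the default facility
    "<166>Dec 01 2017 10:15:33 192.168.1.254 : %ASA-6-302014: Teardown TCP connection 12345",
    # no timestamp field: 'logging timestamp' missing on the device
    "<188>192.168.1.254 : %ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 "
    "dst inside:192.168.1.20/22 by access-group \"outside_in\"",
]


def check_samples(expected_device: str = "192.168.1.254") -> List[List[str]]:
    """Run validate() over SAMPLES as if each arrived from UDP source port 514."""
    return [validate(parse_asa_syslog(s), 514, 23, expected_device) for s in SAMPLES]


def listen(bind_ip: str = "0.0.0.0", port: int = 514) -> None:
    """Live receiver (binding 514 needs privileges). Expects the device-id to equal
    the sender's IP, which holds for 'logging device-id ipaddress inside' when the
    logging host is reached via the inside interface."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, (src_ip, src_port) = sock.recvfrom(4096)
        try:
            msg = parse_asa_syslog(data.decode("utf-8", "replace"))
        except ValueError as e:
            print(f"{src_ip}: {e}")
            continue
        issues = validate(msg, src_port, 23, src_ip) or ["ok"]
        print(f"{src_ip} {msg.message_id} {SEVERITY_NAMES[msg.severity]}: {'; '.join(issues)}")


if __name__ == "__main__":
    for sample, issues in zip(SAMPLES, check_samples()):
        print(sample[:40], "->", issues or "ok")
```

Running the file offline prints the verdict for each constructed sample: the first is clean, the second reports facility 20 where 23 was expected, the third reports the missing timestamp. Run listen() on the collector host to apply the same checks to live datagrams.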


logging permit-hostdown

(Optional) If you negate this command and the syslog server goes down, traffic stops flowing (this applies to TCP syslog; see the TCP/UDP note above).


logging facility 23

(Optional) Sets the logging facility to a value other than 20, which is what most UNIX systems expect.


logging buffered

Specifies which syslog messages should be sent to the internal log buffer, which serves as a temporary storage location. New messages are appended to the end of the list. When the buffer is full, that is, when the buffer wraps, old messages are overwritten as new messages are generated, unless you configure the ASA to save the full buffer to another location. To empty the internal log buffer, enter the clear logging buffer command.


logging buffer-size 16384

Changes the size of the internal log buffer. The default buffer size is 4 KB.


logging savelog latest-logfile.txt

Saves the current log buffer content to the internal flash memory.


logging asdm debugging

Specifies which syslog messages should be sent to ASDM.

logging console debugging

Specifies which syslog messages should be sent to the console port.


logging monitor debugging

Specifies which syslog messages should be sent to a Telnet or SSH session.


terminal monitor

Enables logging to the current session only. If you log out and then log in again, you need to reenter this command. To disable logging to the current session, enter the terminal no monitor command.


logging standby

Sends syslog messages from the standby unit of a failover pair as well.


logging list

Defines a named message list (by severity level, message class, or message ID) that commands such as logging trap and logging buffered can reference instead of a plain severity level.

More here:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/monitor_syslog.html

