Configure Firewall Logging

Configuring firewall logging consists of three steps:

  1. Enter configuration mode (from privileged mode).
  2. Enable logging.
  3. Enable and configure the syslog output.

Additionally, you can configure other settings, such as filtering conditions, custom message lists or the syslog facility. These additional settings are not required for using the Cisco PIX/ASA Security ThinAgent.

Entering Privileged Mode

To enter the privileged mode, run the enable command as per the following example:

firewall> enable
 
Password: *******
 
firewall#

After running the command, the command prompt will change from > to #.

Entering Configuration Mode

To enter the configuration mode you must already be in privileged mode and run the configure terminal command:

firewall# configure terminal

After running this command, the command prompt will change from # to (config)#:

firewall(config)#

Enabling Logging

To enable logging on the Cisco firewall, run the logging enable command in configuration mode:

firewall(config)# logging enable

To disable logging run the no logging enable command:

firewall(config)# no logging enable

Configuring Syslog Logging Output

To enable logging output to syslog the following actions have to be performed:

  1. Set the logging level by running the logging trap command (trap is the keyword that enables the syslog output):

firewall(config)# logging trap informational

NOTE: Available levels for syslog logging output are as follows:

0 - emergencies - System is unusable
1 - alerts - Immediate action is needed
2 - critical - Critical conditions exist
3 - errors - Error conditions exist
4 - warnings - Warning conditions exist
5 - notifications - Normal, but significant, conditions exist
6 - informational - Informational messages
7 - debugging - Debugging messages

Setting a level includes every message at that severity or more severe (that is, with a numerically lower level). So if you set the level in step one to informational, levels 0-5 are also included and only debugging (level 7) messages are left out. Level 7 produces a very high message volume and should not be sent to the syslog server permanently.

  2. Configure the host to which messages will be sent:

firewall(config)# logging host inside 10.1.1.2

By default, messages are sent over UDP to port 514 on the syslog server. The protocol and port can be changed using this syntax:

logging host interface_name ip_address [tcp[/port] | udp[/port]]

UDP is unacknowledged, so the firewall cannot know whether a message arrived. TCP is reliable, but if a TCP syslog server becomes unreachable the security appliance by default blocks new connections through the firewall until the server is back; if that is not acceptable, configure logging permit-hostdown so that traffic keeps flowing while the syslog server is down.

  3. Set the facility number for syslog messages. This step is optional:

firewall(config)# logging facility 16

The default facility is 20 (local4); valid values are 16 to 23 (local0 to local7).

To disable the syslog logging output, run:

firewall(config)# no logging trap

Adding Timestamp to Messages

Adding a timestamp to messages lets you know the exact moment an event occurred on the firewall device. Although this is an optional step, it is highly recommended. The timestamp is taken from the appliance's own clock, so set the time zone and, preferably, an NTP server first (the clock timezone and ntp server commands); otherwise the firewall timestamps will not line up with those of the syslog server and of other devices.

To add the timestamp to messages run the following command:

firewall(config)# logging timestamp

Adding Device ID to Messages

If you are monitoring several devices it is useful to add the device ID to messages. This identifies the firewall by host name in every message. Although this is an optional step, it is highly recommended.

To add the device id to messages run the following command:

firewall(config)# logging device-id hostname

You can also use another kind of device ID instead of the host name, for example the IP address of an interface (logging device-id ipaddress interface_name) or an arbitrary string:

firewall(config)# logging device-id string MyPIXFirewall

The example above defines MyPIXFirewall as the device ID. Whichever form you choose, keep it unique across all firewalls reporting to the same syslog server, since it is the only identification of the sender carried inside the message itself.
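What the syslog server actually receives once the trap level, logging host, timestamp and device ID above are configured is a line with an optional timestamp and device ID in front of the %ASA (or %PIX) header. The parser below is an added example, not code from the original page or from the ThinAgent: it splits such lines into fields, derives the facility and severity from the syslog PRI value, and flags messages whose PRI no longer agrees with the severity in the header (which happens when a relay rewrites it). The header layout is reconstructed from the Cisco message format, and the sample lines, host names and addresses are constructed for the example; the optional UDP listener is a convenience and is not needed to run the parser.

```python
import re
import socket
from typing import Optional

# Severity names as the chapter lists them (0 = most severe).
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notification", 6: "informational", 7: "debugging"}

# Header layout assumed here (reconstructed from the Cisco message format):
#   <PRI> [timestamp] [device-id :] %ASA-<sev>-<msgid>: <text>
# PRI = facility * 8 + severity; with the default facility 20 (local4) an
# informational message carries <166>. Timestamp and device-id are only
# present if "logging timestamp" and "logging device-id" are configured.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} +\d{4} +\d{2}:\d{2}:\d{2})\s*:?\s*)?"
    r"(?:(?P<devid>[^%:\s]+)\s*:\s*)?"
    r"%(?P<platform>ASA|PIX|FWSM)-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)


def parse(line: str) -> Optional[dict]:
    """Split one syslog line into its fields; None if it is not a PIX/ASA message."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    sev = int(m.group("sev"))
    rec = {
        "platform": m.group("platform"),
        "severity": sev,
        "severity_name": SEVERITY[sev],
        "msgid": m.group("msgid"),
        "timestamp": m.group("ts"),
        "device_id": m.group("devid"),
        "text": m.group("text"),
        "facility": None,
        "pri_severity": None,
    }
    if m.group("pri") is not None:
        pri = int(m.group("pri"))
        rec["facility"], rec["pri_severity"] = pri >> 3, pri & 7
    # A relay that rewrites PRI leaves the %ASA-n header untouched, so a
    # mismatch means the PRI no longer reflects the original severity.
    rec["pri_matches_header"] = rec["pri_severity"] in (None, sev)
    return rec


def listen(bind: str = "0.0.0.0", port: int = 514) -> None:
    """Minimal UDP collector. Port 514 needs root; or use "logging host ... udp/5514"."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (src, _) = sock.recvfrom(4096)
            rec = parse(data.decode("utf-8", "replace"))
            # Without a device ID, the source address is the only sender identification.
            print(src, rec["device_id"] if rec else None, rec)


# Constructed sample lines (hypothetical addresses and host names).
SAMPLES = [
    "<166>%ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.5/443 "
    "(203.0.113.5/443) to inside:10.1.1.20/51000 (192.0.2.10/51000)",
    "<166>Jan 12 2024 10:11:12: %ASA-6-302014: Teardown TCP connection 1234 for "
    "outside:203.0.113.5/443 to inside:10.1.1.20/51000 duration 0:00:02 bytes 4321 TCP FINs",
    "<164>Jan 12 2024 10:11:13 firewall : %ASA-4-106023: Deny tcp src "
    "outside:198.51.100.7/4444 dst inside:10.1.1.2/22 by access-group \"outside_in\"",
    "<162>MyPIXFirewall : %PIX-2-106001: Inbound TCP connection denied from "
    "198.51.100.7/4444 to 10.1.1.2/22 flags SYN on interface outside",
    # PRI says informational but the header says warning: rewritten in transit.
    "<166>Jan 12 2024 10:11:14 firewall : %ASA-4-106023: Deny tcp src "
    "outside:198.51.100.7/4445 dst inside:10.1.1.2/22 by access-group \"outside_in\"",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse(sample))
```

The first sample shows the bare format you get with neither timestamp nor device ID: the collector then has to rely on the packet's source address and its own receive time, which is why both settings are recommended above.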

Viewing Logging Configuration

To see the whole logging configuration you can run the show logging command:

firewall(config)# show logging

An example output can be seen below:

Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level informational, facility 20, 96 messages logged
Logging to inside 10.1.1.2 errors: 2 dropped: 5
History logging: disabled
Device ID: hostname "firewall"
Mail logging: disabled
ASDM logging: level informational, 96 messages logged

As you can see, the output gives you all the details about each logging configuration.

Logging Queue

Another important parameter is the logging queue, the buffer in which messages wait until they have been sent to the syslog server. Although adjusting it is optional, it is highly recommended. The default queue size is 512 messages.

The queue size can be checked by running the show logging queue command:

firewall# show logging queue

An example output can be seen below:

Logging Queue length limit : 512 msg(s)
0 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 0 msg on queue, 23 msgs most on queue

In this example the queue never held more than 23 messages at a time (the "msgs most on queue" high-water mark) and nothing was discarded, so the messages are being sent without problems. If the "msgs most on queue" value reaches the queue limit (here 512), or the "discarded due to queue overflow" counter is greater than zero, the firewall has dropped messages.

You can adjust the queue size manually by running the following command:

firewall(config)# logging queue 1024

The queue size can range from 0 to 8192 messages. Setting this parameter to 0 means the queue size has no limit (up to available memory).

WARNING: If messages are generated faster than they can be sent to the syslog server, the queue fills up and the firewall starts dropping messages. Raising the logging queue absorbs bursts; if the sustained rate is too high, a larger queue only delays the drops, so also reduce the volume by raising the trap level or by filtering unneeded message IDs and classes as described below.
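The two show commands above are what you would check on every firewall after configuring it, and the check is easy to script. The following is an added example, not code from the original page or from the ThinAgent: it parses the show logging and show logging queue output (the samples from this chapter are embedded as constructed input, with the hypothetical device "firewall" and collector 10.1.1.2) and reports what a collector operator would want fixed: logging or timestamps disabled, no host, a trap level more restrictive than required, send errors or drops towards a host, and queue overflow.

```python
import re

# Severity keywords in ASA order (0 = most severe), as used by "logging trap".
LEVELS = ["emergencies", "alerts", "critical", "errors", "warnings",
          "notifications", "informational", "debugging"]

# Constructed input: the "show logging" and "show logging queue" output from
# the examples in this chapter (hypothetical device "firewall").
SHOW_LOGGING = """\
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level informational, facility 20, 96 messages logged
Logging to inside 10.1.1.2 errors: 2 dropped: 5
History logging: disabled
Device ID: hostname "firewall"
Mail logging: disabled
ASDM logging: level informational, 96 messages logged
"""

SHOW_LOGGING_QUEUE = """\
Logging Queue length limit : 512 msg(s)
0 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 0 msg on queue, 23 msgs most on queue
"""

RE_ENABLED = re.compile(r"^(Syslog|Timestamp) logging: (enabled|disabled)$", re.M)
RE_TRAP = re.compile(r"^Trap logging: level (\w+), facility (\d+), (\d+) messages logged$", re.M)
RE_HOST = re.compile(r"^Logging to (\S+) (\S+)(?: errors: (\d+) dropped: (\d+))?$", re.M)
RE_DEVID = re.compile(r"^Device ID: (.+)$", re.M)
RE_QUEUE = {
    "limit": re.compile(r"^Logging Queue length limit : (\d+) msg\(s\)$", re.M),
    "overflow": re.compile(r"^(\d+) msg\(s\) discarded due to queue overflow$", re.M),
    "mem_fail": re.compile(r"^(\d+) msg\(s\) discarded due to memory allocation failure$", re.M),
}
RE_QCUR = re.compile(r"^Current (\d+) msg on queue, (\d+) msgs most on queue$", re.M)


def level_index(name: str) -> int:
    """Map a level keyword (accepting abbreviations such as "notification") to 0-7."""
    name = name.lower()
    for i, level in enumerate(LEVELS):
        if level.startswith(name) or name.startswith(level):
            return i
    raise ValueError(f"unknown logging level: {name}")


def parse_show_logging(text: str) -> dict:
    state = {"syslog": False, "timestamp": False, "trap_level": None,
             "facility": None, "hosts": [], "device_id": None}
    for m in RE_ENABLED.finditer(text):
        state[m.group(1).lower()] = (m.group(2) == "enabled")
    m = RE_TRAP.search(text)
    if m:
        state["trap_level"], state["facility"] = m.group(1), int(m.group(2))
    for m in RE_HOST.finditer(text):
        state["hosts"].append({"interface": m.group(1), "address": m.group(2),
                               "errors": int(m.group(3) or 0),
                               "dropped": int(m.group(4) or 0)})
    m = RE_DEVID.search(text)
    if m:
        state["device_id"] = m.group(1)
    return state


def parse_show_logging_queue(text: str) -> dict:
    queue = {}
    for key, rx in RE_QUEUE.items():
        m = rx.search(text)
        queue[key] = int(m.group(1)) if m else None
    m = RE_QCUR.search(text)
    queue["current"], queue["peak"] = (int(m.group(1)), int(m.group(2))) if m else (None, None)
    return queue


def audit(state: dict, queue: dict, required_level: str = "informational") -> list:
    """Return the problems a collector operator would want fixed, in display order."""
    findings = []
    if not state["syslog"]:
        findings.append("syslog logging is disabled: run 'logging enable'")
    if not state["hosts"]:
        findings.append("no syslog host: run 'logging host <interface> <ip>'")
    if state["trap_level"] is None:
        findings.append("no trap level: run 'logging trap <level>'")
    elif level_index(state["trap_level"]) < level_index(required_level):
        findings.append(f"trap level {state['trap_level']} filters out messages "
                        f"below {required_level}")
    if not state["timestamp"]:
        findings.append("timestamps are disabled: run 'logging timestamp'")
    if not state["device_id"]:
        findings.append("no device ID: run 'logging device-id hostname'")
    for h in state["hosts"]:
        if h["errors"] or h["dropped"]:
            findings.append(f"host {h['interface']} {h['address']}: {h['errors']} send "
                            f"errors, {h['dropped']} messages dropped")
    if queue.get("overflow"):
        findings.append(f"{queue['overflow']} messages discarded by queue overflow: "
                        f"raise 'logging queue' or reduce the volume sent")
    if queue.get("mem_fail"):
        findings.append(f"{queue['mem_fail']} messages discarded for lack of memory")
    # A limit of 0 means unlimited, so only compare against a non-zero limit.
    if queue.get("limit") and queue.get("peak") is not None and queue["peak"] >= queue["limit"]:
        findings.append(f"queue peak {queue['peak']} reached the limit {queue['limit']}")
    return findings


if __name__ == "__main__":
    for problem in audit(parse_show_logging(SHOW_LOGGING),
                         parse_show_logging_queue(SHOW_LOGGING_QUEUE)):
        print("WARN:", problem)
```

On the chapter's sample output the audit reports exactly two things: timestamps are disabled, and the host 10.1.1.2 shows 2 send errors and 5 dropped messages. The queue itself is healthy (peak 23 of 512, nothing discarded), so the drops are between the firewall and the collector rather than inside the queue.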

Filtering Messages Using Message ID

This is an optional configuration for when you know which messages you want to exclude from syslog logging.

The ThinAgent has its own filtering configuration, but filtering on the firewall device itself means the messages never appear in the syslog at all. Using this feature can substantially reduce syslog traffic and ThinAgent resource usage.

To stop a specific message from being logged, run the no logging message msg_number command:

firewall(config)# no logging message msg_number

To re-enable it later, run logging message msg_number. To check whether a specific message is being logged you can run the following command:

firewall(config)# show logging message msg_number

NOTE: This filtering configuration excludes the message from all logging outputs, not just the syslog output. If you want to filter a particular message from the syslog output but still log it to another output, you will have to use the Cisco Security Package filter options.

Filtering Messages Using Message Class

Besides filtering by message ID number, you can use the message classes as filters. Message classes group several ID numbers together, so if you exclude a class you’ll be excluding all message IDs in it. Successfully implementing this filtering method can substantially reduce syslog traffic resulting in better ThinAgent performance and resource usage. The classes are all defined in Cisco’s documentation. This step is not required for the general configuration.

For example, classes for software version 8.1 are:

Class     Definition                     Message IDs (starting with these digits)
auth      User Authentication            109, 113
bridge    Transparent Firewall           110, 220
ca        PKI Certification Authority    717
config    Command Interface              111, 112, 208, 308
dap       Dynamic Access Policies        734
e-mail    E-mail Proxy                   719
ha        High Availability (Failover)   101, 102, 103, 104, 210, 211, 709
ip        IP Stack                       209, 215, 313, 317, 408
ips       Intrusion Protection Service   400, 401, 415
np        Network Processor              319
npssl     NP SSL                         725
ospf      OSPF Routing                   318, 409, 503, 613
rip       RIP Routing                    107, 312
rm        Resource Manager               321
session   User Session                   106, 108, 201, 202, 204, 302, 303, 304, 305, 314, 405, 406, 407, 500, 502, 607, 608, 609, 616, 620, 703, 710
snmp      SNMP                           212
sys       System                         199, 211, 214, 216, 306, 307, 315, 414, 604, 605, 606, 610, 612, 614, 615, 701, 711
vpdn      PPTP and L2TP Sessions         213, 403, 603
vpn       IKE and IPSEC                  316, 320, 402, 404, 501, 602, 702, 713, 714, 715
vpnc      VPN Client                     611
vpnfo     VPN Failover                   720
vpnlb     VPN Load Balancing             718
webvpn    Web-based VPN                  716

Please review the Cisco documentation for your particular software version, since some classes may be different between software versions.

To filter a particular message class run the following command:

firewall(config)# no logging class msg_class

If you only want to restrict a class for one output rather than for all of them, use the per-destination form logging class msg_class destination level (for example, logging class vpn trap errors sends only VPN messages of severity errors or more severe to the syslog server, while other outputs are unaffected).

Defining Custom Messages List

To define a list that, for example, includes all messages of severity 3 (errors) and also messages 611101 to 611323, run the following commands:

firewall(config)# logging list my_message_list level 3
 
firewall(config)# logging list my_message_list message 611101-611323

To send your custom list to the syslog output, use the list name in place of the severity level in the logging trap command:

firewall(config)# logging trap my_message_list

This step is not required for the general configuration.

NOTE: The logging list command is only available in software versions 7.2 and later.
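Because the trap level, no logging message, class filtering and a logging list all decide what reaches the syslog server, it helps to model them together and see what each one does to a real message stream. The following is an added example, not code from the original page or from the ThinAgent: it encodes the 8.1 class table above, the three filter mechanisms and the list from the example (level 3 plus the range 611101-611323), and runs them over a few constructed messages. The list level is modelled as a threshold (that severity and more severe), like logging trap, which you should confirm against the command reference for your software version; the message texts, host names and addresses are made up for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Message-ID prefix -> class, transcribed from the 8.1 class table above.
CLASS_PREFIXES = {
    "auth": {"109", "113"},
    "bridge": {"110", "220"},
    "ca": {"717"},
    "config": {"111", "112", "208", "308"},
    "dap": {"734"},
    "e-mail": {"719"},
    "ha": {"101", "102", "103", "104", "210", "211", "709"},
    "ip": {"209", "215", "313", "317", "408"},
    "ips": {"400", "401", "415"},
    "np": {"319"},
    "npssl": {"725"},
    "ospf": {"318", "409", "503", "613"},
    "rip": {"107", "312"},
    "rm": {"321"},
    "session": {"106", "108", "201", "202", "204", "302", "303", "304", "305", "314",
                "405", "406", "407", "500", "502", "607", "608", "609", "616", "620",
                "703", "710"},
    "snmp": {"212"},
    "sys": {"199", "211", "214", "216", "306", "307", "315", "414", "604", "605", "606",
            "610", "612", "614", "615", "701", "711"},
    "vpdn": {"213", "403", "603"},
    "vpn": {"316", "320", "402", "404", "501", "602", "702", "713", "714", "715"},
    "vpnc": {"611"},
    "vpnfo": {"720"},
    "vpnlb": {"718"},
    "webvpn": {"716"},
}

MSG_RE = re.compile(r"%(?:ASA|PIX|FWSM)-(\d)-(\d{6}):")


def classes_of(msgid: str) -> Set[str]:
    """Classes whose prefixes match; 211 is listed under both ha and sys in the table."""
    return {cls for cls, prefixes in CLASS_PREFIXES.items() if msgid[:3] in prefixes}


@dataclass
class EventList:
    """logging list <name> level <L> / message <A>[-<B>]; the level is modelled as
    a threshold (L and more severe), like logging trap (assumption, see lead-in)."""
    level: Optional[int] = None
    ranges: List[Tuple[int, int]] = field(default_factory=list)

    def matches(self, sev: int, msgid: str) -> bool:
        if self.level is not None and sev <= self.level:
            return True
        return any(lo <= int(msgid) <= hi for lo, hi in self.ranges)


@dataclass
class TrapPolicy:
    level: int = 6                                           # logging trap informational
    event_list: Optional[EventList] = None                   # logging trap <list_name>
    disabled_ids: Set[str] = field(default_factory=set)      # no logging message <id>
    disabled_classes: Set[str] = field(default_factory=set)  # no logging class <class>

    def reaches_syslog(self, sev: int, msgid: str) -> Tuple[bool, str]:
        if msgid in self.disabled_ids:
            return False, "no logging message"
        if classes_of(msgid) & self.disabled_classes:
            return False, "no logging class"
        if self.event_list is not None:
            return self.event_list.matches(sev, msgid), "logging list"
        return sev <= self.level, "trap level"


def filter_lines(lines, policy: TrapPolicy):
    """Split syslog lines into (sent, dropped) lists of (msgid, deciding rule)."""
    sent, dropped = [], []
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue                                  # not a security-appliance message
        sev, msgid = int(m.group(1)), m.group(2)
        ok, why = policy.reaches_syslog(sev, msgid)
        (sent if ok else dropped).append((msgid, why))
    return sent, dropped


# Constructed sample messages (hypothetical host, users and addresses).
SAMPLE_LINES = [
    "Jan 12 2024 10:11:12 firewall : %ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.1.20/51000 (192.0.2.10/51000)",
    "Jan 12 2024 10:11:13 firewall : %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.1.1.2/22 by access-group \"outside_in\"",
    "Jan 12 2024 10:11:13 firewall : %ASA-7-609001: Built local-host inside:10.1.1.20",
    "Jan 12 2024 10:11:14 firewall : %ASA-5-111008: User 'admin' executed the 'logging enable' command.",
    "Jan 12 2024 10:11:15 firewall : %ASA-6-611101: User authentication succeeded: Uname: jdoe",
    "Jan 12 2024 10:11:16 firewall : %ASA-1-104001: (Primary) Switching to ACTIVE - mate failed",
    "Jan 12 2024 10:11:17 firewall : %ASA-3-713902: Group = vpnusers, IP = 198.51.100.7, Removing peer from correlator table failed, no match!",
]

if __name__ == "__main__":
    policies = {
        "logging trap informational": TrapPolicy(),
        "+ no logging message 302013, no logging class vpn":
            TrapPolicy(disabled_ids={"302013"}, disabled_classes={"vpn"}),
        "logging trap my_message_list (level 3, 611101-611323)":
            TrapPolicy(event_list=EventList(level=3, ranges=[(611101, 611323)])),
    }
    for name, policy in policies.items():
        sent, dropped = filter_lines(SAMPLE_LINES, policy)
        print(f"{name}: sent {[m for m, _ in sent]}, dropped {dropped}")
```

Note the order of the checks: a message disabled with no logging message or through its class is gone before the trap level or list is even consulted, which is the behaviour the NOTE above describes (those two filters affect every output). The third policy shows how a list changes the picture completely: the session messages that make up most of the volume are dropped, while the VPN client message 611101 is sent despite its informational severity because it falls in the listed range.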

Further Information

This chapter is not intended to be a full firewall logging configuration guide.

For further information about logging configuration please consult the Cisco documentation for your particular device or software version:

  • Cisco Security Appliance System Log Messages, Version 7.0 - Configuring Logging on the Security Appliance:
  • Cisco Security Appliance System Log Messages, Version 7.1 - Configuring Logging on the Security Appliance:
  • Cisco Security Appliance System Log Messages, Version 7.2 - Configuring Logging and SNMP:
  • Cisco Security Appliance Command Line Configuration Guide, Version 8.0 - Monitoring the Security Appliance:
  • Cisco Security Appliance Command Line Configuration Guide, Version 8.1 - Monitoring the Security Appliance:
  • PIX/ASA 7.x and later with Syslog Configuration Example (Cisco Document ID: 63884):