How do I configure remote syslog logging for a Cisco ASA Firewall - Connect IT Community | Kaseya
<main> <article class="userContent"> <h2 data-id="this-article-will-walk-through-the-steps-to-configure-cisco-asa-firewalls-to-send-syslog-messages-to-the-rocketagent-syslog-server">This article will walk through the steps to configure Cisco ASA firewalls to send Syslog messages to the RocketAgent Syslog Server</h2> <h3 data-id="configure-basic-syslog-with-asdm">Configure Basic Syslog with ASDM</h3> <p>This procedure demonstrates the ASDM configuration for all available Syslog destinations.</p> <ol><li>In order to enable logging on the ASA, first configure the basic logging parameters. Choose <strong>Configuration > Features > Properties > Logging > Logging Setup</strong>. Check the <strong>Enable logging</strong> check box in order to enable Syslog. <p><img src="https://us.v-cdn.net/6032361/uploads/migrated/CEG5UWB7W514/screen-shot-2021-02-24-at-8-15-38-pm.png" alt="Screen_Shot_2021-02-24_at_8.15.38_PM.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>In order to configure an external server as the destination for Syslogs, choose <strong>Syslog Servers</strong> in Logging and click <strong>Add</strong> in order to add a Syslog server. <p><img src="https://us.v-cdn.net/6032361/uploads/migrated/809FULR3TGAV/screen-shot-2021-02-24-at-8-15-44-pm.png" alt="Screen_Shot_2021-02-24_at_8.15.44_PM.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Choose the appropriate interface to send Syslog messages from.</li> <li>In the <strong>IP Address</strong> field, enter the IP address of the <strong>RocketAgent</strong> Syslog Server.</li> <li>Click <strong>UDP</strong>.</li> <li>Enter <strong>514</strong> in the <strong>Port</strong> field.</li> <li>Click <strong>OK</strong>.</li> <li>In order to enable logs to be sent to the RocketAgent Syslog Server, choose <strong>Logging Filters</strong> in the logging section. This presents you with each possible logging destination and the current level of logs that are sent to those destinations. 
Choose the Logging Destination for the RocketAgent Syslog Server (Syslog Servers) and click <strong>Edit</strong>. <p><img src="https://us.v-cdn.net/6032361/uploads/migrated/9DV9KAD1DP7U/screen-shot-2021-02-24-at-8-15-49-pm.png" alt="Screen_Shot_2021-02-24_at_8.15.49_PM.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Choose <strong>Informational</strong> from the <strong>Filter on severity</strong> drop-down list. Click <strong>OK</strong> when you are done. <p><img src="https://us.v-cdn.net/6032361/uploads/migrated/VQHWGIKRQZ09/screen-shot-2021-02-24-at-8-15-55-pm.png" alt="Screen_Shot_2021-02-24_at_8.15.55_PM.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Click <strong>Apply</strong> after you return to the Logging Filters window. <img src="https://us.v-cdn.net/6032361/uploads/migrated/FAOPS3XDASJY/screen-shot-2021-02-24-at-8-16-01-pm.png" alt="Screen_Shot_2021-02-24_at_8.16.01_PM.png" class="embedImage-img importedEmbed-img"></img></li> </ol> <p>Ensure that the following event IDs are enabled on the firewall in non-EMBLEM logging format.
</p>
<table>
<thead><tr><th>Cisco ASA event ID</th><th>Description</th></tr></thead>
<tbody>
<tr><td>%ASA-4-400007</td><td>IP Fragment Attack</td></tr>
<tr><td>%ASA-4-400008</td><td>IP Impossible Packet Attack</td></tr>
<tr><td>%ASA-4-400023</td><td>Fragmented ICMP Traffic Attack</td></tr>
<tr><td>%ASA-4-400024</td><td>Large ICMP Traffic Attack</td></tr>
<tr><td>%ASA-4-400025</td><td>Ping of Death Attack</td></tr>
<tr><td>%ASA-4-400027</td><td>TCP SYN+FIN flag Attack</td></tr>
<tr><td>%ASA-4-400028</td><td>TCP FIN only flags Attack</td></tr>
<tr><td>%ASA-4-400041</td><td>Proxied RPC Request</td></tr>
<tr><td>%ASA-4-400030</td><td>FTP Improper Port Specified</td></tr>
<tr><td>%ASA-4-400031</td><td>UDP Bomb attack</td></tr>
<tr><td>%ASA-4-400032</td><td>UDP Snork attack</td></tr>
<tr><td>%ASA-4-400033</td><td>UDP Chargen DoS attack</td></tr>
<tr><td>%ASA-6-302013</td><td>Reputation lookup on connecting IPs</td></tr>
<tr><td>%ASA-4-400026</td><td>TCP NULL flags Attack</td></tr>
<tr><td>%ASA-6-605005</td><td>Successful User login</td></tr>
<tr><td>%ASA-6-605004</td><td>Failed User login</td></tr>
</tbody>
</table>
</article> </main>
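<p>An added example, not part of the original article or of RocketAgent: a Python check to run over lines captured on the syslog server. It reports which of the listed event IDs have arrived with the %ASA-severity-ID tag in the form shown above, and which of them a given <strong>Filter on severity</strong> setting would keep the ASA from forwarding. The function names, sample lines and addresses are constructed for illustration.</p>

```python
import re

# Event IDs from the article's list, mapped to the severity digit in each
# %ASA-<severity>-<id> tag shown there.
REQUIRED = {mid: 4 for mid in (
    "400007 400008 400023 400024 400025 400026 400027 400028 "
    "400030 400031 400032 400033 400041").split()}
REQUIRED.update({"302013": 6, "605004": 6, "605005": 6})

# Syslog severity names and numbers (lower number = more severe).
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Tag as written in the article's list: %ASA-<severity>-<6-digit id>
TAG = re.compile(r"%ASA-(\d)-(\d{6})\b")

def dropped_by_filter(filter_name):
    """Required IDs whose severity number is above the filter's limit."""
    limit = LEVELS[filter_name.lower()]
    return sorted(mid for mid, sev in REQUIRED.items() if sev > limit)

def coverage(lines):
    """Return (required IDs seen, required IDs missing, lines with no tag)."""
    seen, untagged = set(), []
    for line in lines:
        m = TAG.search(line)
        if m is None:
            untagged.append(line)
        elif m.group(2) in REQUIRED:
            seen.add(m.group(2))
    return sorted(seen), sorted(set(REQUIRED) - seen), untagged

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '<166>Feb 24 2021 20:16:01: %ASA-6-605005: Login permitted from '
    '192.0.2.20/51234 to inside:192.0.2.1/ssh for user "admin"',
    "<166>Feb 24 2021 20:16:02: %ASA-6-302013: Built outbound TCP connection "
    "1001 for outside:198.51.100.7/443 (198.51.100.7/443) to "
    "inside:192.0.2.20/51240 (203.0.113.5/51240)",
    "<164>Feb 24 2021 20:16:03: %ASA-4-400025: IDS:2154 ICMP ping of death "
    "from 198.51.100.7 to 192.0.2.20 on interface outside",
    "<166>Feb 24 2021 20:16:04: line without an ASA tag",
]

if __name__ == "__main__":
    seen, missing, untagged = coverage(SAMPLE)
    print("seen:", seen)
    print("not yet seen:", missing)
    print("untagged lines:", len(untagged))
    print("dropped at Warnings:", dropped_by_filter("Warnings"))
```

<p>With the filter set to Informational, none of the listed IDs is dropped; at Warnings, the three severity-6 messages (302013, 605004, 605005) would not reach the server.</p>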