How do I configure remote syslog logging for a Cisco ASA Firewall

This article will walk through the steps to configure Cisco ASA firewalls to send Syslog messages to the RocketAgent Syslog Server

Configure Basic Syslog with ASDM 

This procedure demonstrates the ASDM configuration for all available Syslog destinations.

  1. In order to enable logging on the ASA, first, configure the basic logging parameters. Choose Configuration > Features > Properties > Logging > Logging Setup. Check the Enable logging check box in order to enable Syslog.

    Screen_Shot_2021-02-24_at_8.15.38_PM.png

  2. In order to configure an external server as the destination for Syslogs, choose Syslog Servers in Logging and click Add in order to add a Syslog server.

    Screen_Shot_2021-02-24_at_8.15.44_PM.png

  3. Choose the Appropriate Interface to send Syslog messages from.
  4. In the IP Address field, enter the IP address of the RocketAgent Syslog Server.
  5. Click on UDP
  6. Enter 514 in the Port field.
  7. Click Ok
  8. In order to enable logs to be sent to the RocketAgent Syslog Server, choose Logging Filters in the logging section. This presents you with each possible logging destination and the current level of logs that are sent to those destinations. Choose the Logging Destination for the RocketAgent Syslog Server (Syslog Servers) and click Edit

    Screen_Shot_2021-02-24_at_8.15.49_PM.png

  9. Choose  Informational, from the Filter on severity drop-down list. Click OK when you are done.

    Screen_Shot_2021-02-24_at_8.15.55_PM.png

  10. Click Apply after you return to the Logging Filters window.Screen_Shot_2021-02-24_at_8.16.01_PM.png

 

*Ensure these event IDs are enabled in the firewall in Non-Emblem logging format. 

Cisco ASA event ID            Description 
%ASA-4-400007                IP Fragment Attack 
%ASA-4-400008                IP Impossible Packet Attack 
%ASA-4-400023                Fragmented ICMP Traffic Attack 
%ASA-4-400024                Large ICMP Traffic Attack 
%ASA-4-400025                Ping of Death Attack Attack 
%ASA-4-400027                TCP SYN+FIN flag Attack 
%ASA-4-400028                TCP FIN only flags Attack 
%ASA-4-400041                Proxied RPC Request 
%ASA-4-400030                FTP Improper Port Specified 
%ASA-4-400031                UDP Bomb attack 
%ASA-4-400032                UDP Snork attack 
%ASA-4-400033                UDP Chargen DoS attack 
%ASA-6-302013                Reputation lookup on connecting IPs 
%ASA-4-400026                TCP NULL flags Attack 
%ASA-6-605005                Successful User login 
%ASA-6-605004                Failed User login 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us