Recording ASA Activity


  • System Time: local && NTP
  • Managing Event and Session Logging
  • Configuring Event and Session Logging
  • Verifying Event and Session Logging
  • Troubleshooting Event and Session Logging


Effective troubleshooting of network or device activity, from the perspective of the security appliance, requires accurate information. Many times, the best source of accurate and complete information will be various logs, if logging is properly configured to capture the necessary information.


Part 1: System Time

1. Locally

The default ASA time is set to UTC (Coordinated Universal Time)


The configured time is retained in memory when the power is off, by a battery on the security appliance motherboard.


2. NTP


or You can use CLI:

clock set 21:24:37 NOV 1 2015
clock timezone CST +8 0
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 60
ntp server key 1 source inside prefer
ntp server source outside
ntp authenticate
ntp authentication-key 1 md5 UEB34mid@#9C
ntp trusted-key 1



When setting from the CLI, the date can be specified as MONTH DAY YEAR or DAY MONTH YEAR, whichever you prefer.

Note: The security appliance can act only as an NTP client, not as an NTP server.


3. Verifying System Time Settings

FIREWALL# show clock
10:09:16.309 CDT Tue Nov 2 2010
FIREWALL# show clock detail
10:03:55.129 CDT Tue Nov 2 2010
Time source is NTP
Summer time starts 02:00:00 CST Sun Mar 14 2010
Summer time ends 02:00:00 CDT Sun Nov 7 2010



FIREWALL# show ntp associations
address ref clock st when poll reach delay offset disp
*~ 3 87 1024 377 2.5 -0.23 1.8
-~ .ACTS. 1 147 1024 377 41.5 -1.08 16.5
* master (synced), # master (unsynced), + selected, - candidate, ~ configured




Part 2: Managing Event and Session Logging

The Cisco Adaptive Security Appliance supports a full audit trail of system log messages that describe its activities and security events. The two major classifications of events are system events, such as resource depletion, and network events, such as denied sessions or packets.



The security appliance supports sending log messages to the following destinations:

  1. Console: The security appliance console, a low-bandwidth serial connection to which messages can be sent for display on a console CLI session. This mode is useful for limited debugging, or in production environments with limited traffic or a lack of centralized management tools.
  2. ASDM: The ASDM graphical user interface, which provides a powerful real-time event viewer useful for troubleshooting issues or monitoring network activity.
  3. Monitor: Telnet or SSH administrative sessions. This mode is useful to receive realtime debugging information when troubleshooting.
  4. Buffered: The internal in-memory buffer on the security appliance. Although useful for storage and analysis of recent activity, the internal buffer is limited in size, and it is not persistent, by default, across appliance reboots. The buffer can optionally be archived to an external FTP server or to the security appliance’s internal flash memory.
  5. Host: Remote syslog servers, using the standard syslog protocol. Use the logging host command in conjunction with the logging trap command to define both a destination server and a logging level.
  6. SNMP: Remote network management servers, using the standard Simple Network Management Protocol (SNMP) Trap to send event messages. This mode is configured with the snmp-server enable traps syslog command, rather than directly with a logging destination command.
  7. Mail: Remote email systems, using the standard Simple Mail Transfer Protocol (SMTP) to send event messages to a defined SMTP server, or set of SMTP servers.
  8. Flow-export-syslogs: Remote NetFlow collectors, using the standard NetFlow v9 protocol to send event messages to the defined collector.


1. NetFlow Support

Cisco NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, denialof-service monitoring capabilities, and network monitoring.


For a detailed discussion on Cisco ASA NetFlow event generation, consult the “Cisco ASA 5500 Series Implementation Note for NetFlow Collectors, 8.2,” at


2. Logging Message Format

Jan 5 2011 09:27:16 FIREWALL : %ASA-6-725002: Device completed SSL handshake with client management:



This message consists of the following:

  • An optional timestamp (disabled by default)
  • An optional device-id (disabled by default), which can include the interface name, IP address, hostname, context name, or a custom string up to 16 characters, if configured
  • A message identifier (%ASA-6-725002 in the example), which identifies the device type (ASA), the message severity level (6, Informational), and the event message number (725002)
  • The message text (Device completed SSL handshake...)

Additional data may be added to the message, depending on its destination. For example, a time stamp and hostname may be added for the syslog destination.


3. Message Severity

Numeric Equivalent String Definition
0 Emergencies Extremely critical “system unusable” messages
1 Alerts Messages that require immediate administrator action
2 Critical A critical condition
3 Errors An error message (also the level of many access list deny
4 Warnings A warning message (also the level of many other access list
deny messages)
5 Notifications A normal but significant condition (such as an interface coming
6 Informational An informational message (such as a session being created or
torn down)
7 Debugging A debug message or very detailed accounting message


Part 3: Configuring Event and Session Logging

Configuring event and session logging consists of some or all of the following tasks:

  • Globally enabling system logging and configuring global logging properties
  • Optionally, disabling logging of specific messages
  • Optionally, changing the level of specific messages
  • Optionally, configuring message event filters that will govern which system messages to send to particular destinations
  • Configuring event destinations and specifying message filters that apply to each of those destinations


1. Configuring Global Logging Properties


The CLI commands generated by the changes made are as follows:

logging enable
logging ftp-bufferwrap
logging ftp-server 



2. Altering Settings of Specific Messages


  • 某公司使用一台ASA5520作为内外网安全设备及互联网出口,现网还有一台ASA5520放置于出口,但两台设备没有形成HA,并没有配置failover.出于提升网络安全性和冗余的考虑,现对设备进行failover配置.整个配置过程内容如下: 前提条件 要实现failover,两台设备需要满足以下的一些 ...
  • Xperf Basics: Recording a Trace (the easy way)(轉)   Some time ago I wrote a long and detailed post about how ...
  • Android學習筆記_22_服務Service應用之—與Activity進行相互通信的本地服務
    一.启动服务的两种方法方法: 第一种:  startService()和stopService()启动关闭服务.适用于服务和Activity之间没有调用交互的情况.如果相互之间需要方法调用或者传递参数,需要使用bindService()和unbindService()方法启动关闭服务.     第二
  • 安卓開發筆記——深入Activity
    在上一篇文章<安卓开发笔记——重识Activity >中,我们了解了Activity生命周期的执行顺序和一些基本的数据保存操作,但如果只知道这些是对于我们的开发需求来说是远远不够的,今天我们继续探索Activity,来了解下关于Activity任务栈和Activity四种启动模式的区别. ...
  • Android學習筆記(九)一個例子弄清Service與Activity通信
    上一篇博文主要整理了Service的创建.綁定过程,本篇主要整理一下Service与Activity的通信方式.包括在启动一个Service时向它传递数据.怎样改变运行中的Service中得数据和侦听Service内数据的改变. 本篇将写一个demo来说明以下三个问题: 1.怎样在启动一个Servi ...

    		    使用Windows2008 NPS做爲Radius伺服器實現ASA的VPN用戶撥入
    用户需求: 1. 用户需要对ASA上的用户进行radius认证,基于组用户授权不同的group-policy和download ACL.但用户预算有限,又不想再买一台ACS服务器,希望利用现在的Windows 2008(AD服务器)通过设置实现通过域账号来登录VPN. 实现功能: 1. 在AD上基于
  • 1. 不带数据 @Override protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); s
  • 安卓開發_深入理解Activity和Fragment的關系
    Fragment(碎片)是必须嵌入在 Activity(活动) 中使用的.Fragment的生命周期随着Activity的生命周期的变化而变化 一.首先让我们看下Activity和Fragment的生命周期对比 二.通过代码来看一下 1 package com.xqx_life; 2 3 impor