- System Time: local && NTP
- Managing Event and Session Logging
- Configuring Event and Session Logging
- Verifying Event and Session Logging
- Troubleshooting Event and Session Logging
Effective troubleshooting of network or device activity, from the perspective of the security appliance, requires accurate information. Many times, the best source of accurate and complete information will be various logs, if logging is properly configured to capture the necessary information.
Part 1: System Time
The default ASA time is set to UTC (Coordinated Universal Time).
The configured time is retained in memory when the power is off, by a battery on the security appliance motherboard.
Alternatively, you can use the CLI:

```
clock set 21:24:37 NOV 1 2015
clock timezone CST +8 0
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 60
ntp server 10.0.0.5 key 1 source inside prefer
ntp server 22.214.171.124 source outside
ntp authenticate
ntp authentication-key 1 md5 UEB34mid@#9C
ntp trusted-key 1
```
When setting from the CLI, the date can be specified as MONTH DAY YEAR or DAY MONTH YEAR, whichever you prefer.
Note: The security appliance can act only as an NTP client, not as an NTP server.
3. Verifying System Time Settings
```
FIREWALL# show clock
10:09:16.309 CDT Tue Nov 2 2010
FIREWALL# show clock detail
10:03:55.129 CDT Tue Nov 2 2010
Time source is NTP
Summer time starts 02:00:00 CST Sun Mar 14 2010
Summer time ends 02:00:00 CDT Sun Nov 7 2010
```

```
FIREWALL# show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~10.0.0.5         127.0.0.1         3    87  1024   377     2.5   -0.23     1.8
-~126.96.36.199    .ACTS.            1   147  1024   377    41.5   -1.08    16.5
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
```
Part 2: Managing Event and Session Logging
The Cisco Adaptive Security Appliance supports a full audit trail of system log messages that describe its activities and security events. The two major classifications of events are system events, such as resource depletion, and network events, such as denied sessions or packets.
The security appliance supports sending log messages to the following destinations:
- Console: The security appliance console, a low-bandwidth serial connection to which messages can be sent for display on a console CLI session. This mode is useful for limited debugging, or in production environments with limited traffic or a lack of centralized management tools.
- ASDM: The ASDM graphical user interface, which provides a powerful real-time event viewer useful for troubleshooting issues or monitoring network activity.
- Monitor: Telnet or SSH administrative sessions. This mode is useful for receiving real-time debugging information when troubleshooting.
- Buffered: The internal in-memory buffer on the security appliance. Although useful for storage and analysis of recent activity, the internal buffer is limited in size, and it is not persistent, by default, across appliance reboots. The buffer can optionally be archived to an external FTP server or to the security appliance’s internal flash memory.
- Host: Remote syslog servers, using the standard syslog protocol. Use the logging host command in conjunction with the logging trap command to define both a destination server and a logging level.
- SNMP: Remote network management servers, using the standard Simple Network Management Protocol (SNMP) Trap to send event messages. This mode is configured with the snmp-server enable traps syslog command, rather than directly with a logging destination command.
- Mail: Remote email systems, using the standard Simple Mail Transfer Protocol (SMTP) to send event messages to a defined SMTP server, or set of SMTP servers.
- Flow-export-syslogs: Remote NetFlow collectors, using the standard NetFlow v9 protocol to send event messages to the defined collector.
1. NetFlow Support
Cisco NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, denial-of-service monitoring capabilities, and network monitoring.
For a detailed discussion on Cisco ASA NetFlow event generation, consult the “Cisco ASA 5500 Series Implementation Note for NetFlow Collectors, 8.2,” at
2. Logging Message Format
```
Jan 5 2011 09:27:16 FIREWALL : %ASA-6-725002: Device completed SSL handshake with client management:192.168.1.8/49287
```
This message consists of the following:
- An optional timestamp (disabled by default)
- An optional device-id (disabled by default), which can include the interface name, IP address, hostname, context name, or a custom string up to 16 characters, if configured
- A message identifier (%ASA-6-725002 in the example), which identifies the device type (ASA), the message severity level (6, Informational), and the event message number (725002)
- The message text (Device completed SSL handshake...)
Additional data may be added to the message, depending on its destination. For example, a time stamp and hostname may be added for the syslog destination.
3. Message Severity
| Level | Name | Description |
|---|---|---|
| 0 | Emergencies | Extremely critical “system unusable” messages |
| 1 | Alerts | Messages that require immediate administrator action |
| 2 | Critical | A critical condition |
| 3 | Errors | An error message (also the level of many access list deny |
| 4 | Warnings | A warning message (also the level of many other access list |
| 5 | Notifications | A normal but significant condition (such as an interface coming |
| 6 | Informational | An informational message (such as a session being created or |
| 7 | Debugging | A debug message or very detailed accounting message |
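The message layout and severity table above can be exercised with a small parser. The following is an added example, not code from the original notes or from Cisco: it splits an ASA log line into the optional timestamp, optional device-id, message identifier and text, maps the severity digit to its name, and then applies a destination logging level the way the appliance does (a message is sent when its severity is at the configured level or more severe, i.e. a lower number). The sample lines are constructed in ASA format; the first is the page's own example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ASA severity levels as in the table above: a lower number is more severe.
SEVERITY_NAMES = {0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",
                  4: "Warnings", 5: "Notifications", 6: "Informational", 7: "Debugging"}

# Optional timestamp and device-id (both off by default), then %ASA-<sev>-<id>: and text.
MSG_RE = re.compile(
    r"^(?:(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} +\d{4} +\d{2}:\d{2}:\d{2}) *)?"
    r"(?:(?P<device_id>[^\s:]+) +)?"
    r":? *%(?P<device>[A-Z]+)-(?P<severity>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$")

@dataclass
class AsaMessage:
    timestamp: Optional[str]
    device_id: Optional[str]
    device: str
    severity: int
    msgid: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

def parse_asa_message(line: str) -> Optional[AsaMessage]:
    """Split one ASA log line into its fields; None if the line is not an ASA message."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    return AsaMessage(m.group("timestamp"), m.group("device_id"), m.group("device"),
                      int(m.group("severity")), m.group("msgid"), m.group("text"))

def select_for_level(lines: List[str], level: int) -> List[AsaMessage]:
    """Keep messages at the given severity or more severe (lower number), as a logging level does."""
    msgs = (parse_asa_message(line) for line in lines)
    return [m for m in msgs if m is not None and m.severity <= level]

# Constructed sample lines in ASA message format; the first is the page's own example.
SAMPLE_LINES = [
    "Jan 5 2011 09:27:16 FIREWALL : %ASA-6-725002: Device completed SSL handshake "
    "with client management:192.168.1.8/49287",
    '%ASA-4-106023: Deny tcp src outside:203.0.113.7/51234 dst inside:10.0.0.5/22 '
    'by access-group "OUTSIDE_IN"',
    "Jan 5 2011 09:28:02: %ASA-6-302013: Built inbound TCP connection 41 for "
    "outside:203.0.113.9/44010 (203.0.113.9/44010) to inside:10.0.0.8/443 (10.0.0.8/443)",
    "not an ASA message at all"]
```

Calling `select_for_level(SAMPLE_LINES, 4)` returns only the level-4 deny message, which is what a syslog host configured with `logging trap warnings` would receive from these lines.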
Part 3: Configuring Event and Session Logging
Configuring event and session logging consists of some or all of the following tasks:
- Globally enabling system logging and configuring global logging properties
- Optionally, disabling logging of specific messages
- Optionally, changing the level of specific messages
- Optionally, configuring message event filters that will govern which system messages to send to particular destinations
- Configuring event destinations and specifying message filters that apply to each of those destinations
1. Configuring Global Logging Properties
The CLI commands generated by the changes made are as follows:
```
logging enable
logging ftp-bufferwrap
logging ftp-server 192.168.1.15
```
2. Altering Settings of Specific Messages