Recording ASA Activity

Overview:

  • System Time: local && NTP
  • Managing Event and Session Logging
  • Configuring Event and Session Logging
  • Verifying Event and Session Logging
  • Troubleshooting Event and Session Logging

Effective troubleshooting of network or device activity, from the perspective of the security appliance, requires accurate information. Many times, the best source of accurate and complete information will be various logs, if logging is properly configured to capture the necessary information.

Part 1: System Time

1. Locally

The default ASA time is set to UTC (Coordinated Universal Time).

The configured time is retained in memory when the power is off, by a battery on the security appliance motherboard.

2. NTP

The clock, time zone, summer time, and NTP servers can also be configured from the CLI:

clock set 21:24:37 NOV 1 2015
clock timezone CST +8 0
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 60
ntp server 10.0.0.5 key 1 source inside prefer
ntp server 192.43.244.18 source outside
ntp authenticate
ntp authentication-key 1 md5 UEB34mid@#9C
ntp trusted-key 1

When setting from the CLI, the date can be specified as MONTH DAY YEAR or DAY MONTH YEAR, whichever you prefer.

Note: The security appliance can act only as an NTP client, not as an NTP server.

3. Verifying System Time Settings

FIREWALL# show clock
10:09:16.309 CDT Tue Nov 2 2010
FIREWALL# show clock detail
10:03:55.129 CDT Tue Nov 2 2010
Time source is NTP
Summer time starts 02:00:00 CST Sun Mar 14 2010
Summer time ends 02:00:00 CDT Sun Nov 7 2010

FIREWALL# show ntp associations
address ref clock st when poll reach delay offset disp
*~10.0.0.5 127.0.0.1 3 87 1024 377 2.5 -0.23 1.8
-~192.43.244.18 .ACTS. 1 147 1024 377 41.5 -1.08 16.5
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
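The association table above is what tells you whether the timestamps on your logs can be trusted. The following Python script is an added example, not code from the original page: it parses that show ntp associations output (embedded below as a constructed sample) and reports a time source that is not synced, a peer that has missed recent polls (the reach column is an octal shift register of the last eight polls, so 377 means all eight were answered), or an offset beyond a threshold. The 100 ms offset threshold and the function names are my own assumptions.

```python
import re

# Constructed sample: the "show ntp associations" output shown on the page,
# embedded here so the check runs offline.
SAMPLE_ASSOCIATIONS = """\
address ref clock st when poll reach delay offset disp
*~10.0.0.5 127.0.0.1 3 87 1024 377 2.5 -0.23 1.8
-~192.43.244.18 .ACTS. 1 147 1024 377 41.5 -1.08 16.5
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

# Meaning of the status characters in the first column (from the legend line).
STATUS_FLAGS = {
    "*": "master (synced)",
    "#": "master (unsynced)",
    "+": "selected",
    "-": "candidate",
}

# Assumed threshold (milliseconds) beyond which a peer's offset is reported; not from the page.
MAX_OFFSET_MS = 100.0


def parse_associations(text):
    """Parse 'show ntp associations' output into one dict per peer."""
    peers = []
    for line in text.splitlines():
        line = line.strip()
        # Skip the column header and the legend line.
        if not line or line.startswith("address") or line.startswith("* master"):
            continue
        # Leading status characters are glued to the address with no separator.
        i = 0
        while i < len(line) and line[i] in "*#+-~":
            i += 1
        flags, fields = line[:i], line[i:].split()
        if len(fields) != 9:
            continue
        address, refclock, st, when, poll, reach, delay, offset, disp = fields
        peers.append({
            "address": address,
            "refclock": refclock,
            "stratum": int(st),
            "when": int(when),
            "poll": int(poll),
            # reach is an octal shift register of the last 8 polls: 377 = all answered.
            "reach": int(reach, 8),
            "delay": float(delay),
            "offset": float(offset),
            "dispersion": float(disp),
            "configured": "~" in flags,
            "status": next((STATUS_FLAGS[c] for c in flags if c in STATUS_FLAGS), "none"),
        })
    return peers


def time_source_check(peers):
    """Return (ok, findings). ok is True only when a synced master exists, every
    peer answered all of its last 8 polls, and no offset exceeds the threshold."""
    findings = []
    if not any(p["status"] == "master (synced)" for p in peers):
        findings.append("no synced NTP master: log timestamps cannot be trusted")
    for p in peers:
        if p["reach"] != 0o377:
            findings.append(f"{p['address']}: reach {p['reach']:o} (missed polls)")
        if abs(p["offset"]) > MAX_OFFSET_MS:
            findings.append(f"{p['address']}: offset {p['offset']} ms exceeds {MAX_OFFSET_MS} ms")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = time_source_check(parse_associations(SAMPLE_ASSOCIATIONS))
    print("time source OK" if ok else "\n".join(findings))
```

Run against the page's output the check passes: 10.0.0.5 is the synced master, both peers show reach 377, and both offsets are well under the threshold. Feeding it the same table with a degraded reach value makes the peer show up in the findings.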

Part 2: Managing Event and Session Logging

The Cisco Adaptive Security Appliance supports a full audit trail of system log messages that describe its activities and security events. The two major classifications of events are system events, such as resource depletion, and network events, such as denied sessions or packets.

The security appliance supports sending log messages to the following destinations:

  1. Console: The security appliance console, a low-bandwidth serial connection to which messages can be sent for display on a console CLI session. This mode is useful for limited debugging, or in production environments with limited traffic or a lack of centralized management tools.
  2. ASDM: The ASDM graphical user interface, which provides a powerful real-time event viewer useful for troubleshooting issues or monitoring network activity.
  3. Monitor: Telnet or SSH administrative sessions. This mode is useful for receiving real-time debugging information when troubleshooting.
  4. Buffered: The internal in-memory buffer on the security appliance. Although useful for storage and analysis of recent activity, the internal buffer is limited in size, and it is not persistent, by default, across appliance reboots. The buffer can optionally be archived to an external FTP server or to the security appliance’s internal flash memory.
  5. Host: Remote syslog servers, using the standard syslog protocol. Use the logging host command in conjunction with the logging trap command to define both a destination server and a logging level.
  6. SNMP: Remote network management servers, using the standard Simple Network Management Protocol (SNMP) Trap to send event messages. This mode is configured with the snmp-server enable traps syslog command, rather than directly with a logging destination command.
  7. Mail: Remote email systems, using the standard Simple Mail Transfer Protocol (SMTP) to send event messages to a defined SMTP server, or set of SMTP servers.
  8. Flow-export-syslogs: Remote NetFlow collectors, using the standard NetFlow v9 protocol to send event messages to the defined collector.

1. NetFlow Support

Cisco NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, denial-of-service monitoring capabilities, and network monitoring.

For a detailed discussion of Cisco ASA NetFlow event generation, consult the “Cisco ASA 5500 Series Implementation Note for NetFlow Collectors, 8.2,” at www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html.

2. Logging Message Format

Jan 5 2011 09:27:16 FIREWALL : %ASA-6-725002: Device completed SSL handshake with client management:192.168.1.8/49287

This message consists of the following:

  • An optional timestamp (disabled by default)
  • An optional device-id (disabled by default), which can include the interface name, IP address, hostname, context name, or a custom string up to 16 characters, if configured
  • A message identifier (%ASA-6-725002 in the example), which identifies the device type (ASA), the message severity level (6, Informational), and the event message number (725002)
  • The message text (Device completed SSL handshake...)

Additional data may be added to the message, depending on its destination. For example, a time stamp and hostname may be added for the syslog destination.

3. Message Severity

Numeric equivalent   String          Definition
0                    Emergencies     Extremely critical “system unusable” messages
1                    Alerts          Messages that require immediate administrator action
2                    Critical        A critical condition
3                    Errors          An error message (also the level of many access list deny messages)
4                    Warnings        A warning message (also the level of many other access list deny messages)
5                    Notifications   A normal but significant condition (such as an interface coming online)
6                    Informational   An informational message (such as a session being created or torn down)
7                    Debugging       A debug message or very detailed accounting message
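The message format and the severity table above can be put to work directly. The following Python parser is an added example, not code from the original page or from Cisco: it splits an ASA log line into its optional timestamp, optional device-id, message identifier (device type, severity, message number) and message text, maps the severity number to its name from the table, and filters a list of parsed messages the way a destination level such as logging trap does (a level keeps messages of that severity and everything more severe). The first sample line is the page's own example message; the remaining sample lines are constructed for this example, and the function names are my own.

```python
import re
from datetime import datetime

# Severity levels from the table above: number -> string.
SEVERITY = {
    0: "Emergencies",
    1: "Alerts",
    2: "Critical",
    3: "Errors",
    4: "Warnings",
    5: "Notifications",
    6: "Informational",
    7: "Debugging",
}

# Constructed sample log. The first line is the page's own example; the other
# lines are made up for this example (the message text is illustrative).
SAMPLE_LOG = """\
Jan 5 2011 09:27:16 FIREWALL : %ASA-6-725002: Device completed SSL handshake with client management:192.168.1.8/49287
%ASA-4-106023: Deny tcp src outside:203.0.113.7/4431 dst inside:192.168.1.20/22 by access-group "OUTSIDE_IN"
Jan 5 2011 09:28:01 %ASA-5-111008: User 'admin' executed the 'logging enable' command.
this line is not a syslog message
"""

# %<device>-<severity>-<message number>: <text>; everything before the
# identifier is the optional timestamp and/or device-id.
MSG_RE = re.compile(
    r"^(?P<prefix>.*?)%(?P<device>[A-Z]+)-(?P<sev>[0-7])-(?P<num>\d{6}):\s*(?P<text>.*)$"
)
# ASA timestamp format, e.g. "Jan 5 2011 09:27:16".
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2})\s*")


def parse_asa_message(line):
    """Split one log line into its parts, or return None if it is not an ASA message."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    prefix = m.group("prefix")
    timestamp = None
    t = TS_RE.match(prefix)
    if t:
        timestamp = datetime.strptime(" ".join(t.group("ts").split()), "%b %d %Y %H:%M:%S")
        prefix = prefix[t.end():]
    # Whatever remains before the identifier is the device-id ("FIREWALL :" in the example).
    device_id = prefix.strip().rstrip(":").strip() or None
    sev = int(m.group("sev"))
    return {
        "timestamp": timestamp,
        "device_id": device_id,
        "device_type": m.group("device"),
        "severity": sev,
        "severity_name": SEVERITY[sev],
        "message_id": int(m.group("num")),
        "text": m.group("text"),
    }


def parse_log(text):
    """Parse every line of a log, dropping lines that are not ASA messages."""
    return [p for p in (parse_asa_message(ln) for ln in text.splitlines()) if p]


def filter_by_level(messages, level):
    """Mimic a destination level such as 'logging trap warnings' (4): the level
    keeps messages of that severity and every more severe (lower-numbered) one."""
    return [m for m in messages if m["severity"] <= level]


if __name__ == "__main__":
    for msg in filter_by_level(parse_log(SAMPLE_LOG), 5):
        print(msg["severity_name"], msg["message_id"], msg["text"])
```

Because the timestamp and device-id are both optional and disabled by default, the parser anchors on the %ASA identifier rather than on the prefix; that is also why a collector that relies on the appliance's own timestamp must have logging timestamp enabled and the clock synchronized as described in Part 1.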

Part 3: Configuring Event and Session Logging

Configuring event and session logging consists of some or all of the following tasks:

  • Globally enabling system logging and configuring global logging properties
  • Optionally, disabling logging of specific messages
  • Optionally, changing the level of specific messages
  • Optionally, configuring message event filters that will govern which system messages to send to particular destinations
  • Configuring event destinations and specifying message filters that apply to each of those destinations

1. Configuring Global Logging Properties

The CLI commands that correspond to these global logging settings are as follows:

logging enable
logging ftp-bufferwrap
logging ftp-server 192.168.1.15

2. Altering Settings of Specific Messages