Logging in multiple context mode, Analyzing syslog messages – Cisco ASA 5505 User Manual

Page 1744

Advertising
background image

77-2

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 77 Configuring Logging

Information About Logging

This section includes the following topics:

Logging in Multiple Context Mode, page 77-2

Analyzing Syslog Messages, page 77-2

Syslog Message Format, page 77-3

Severity Levels, page 77-3

Message Classes and Range of Syslog IDs, page 77-4

Filtering Syslog Messages, page 77-4

Using Custom Message Lists, page 77-4

Logging in Multiple Context Mode

Each security context includes its own logging configuration and generates its own messages. If you log
in to the system or admin context, and then change to another context, messages you view in your session
are only those messages that are related to the current context.

Syslog messages that are generated in the system execution space, including failover messages, are
viewed in the admin context along with messages generated in the admin context. You cannot configure
logging or view any logging information in the system execution space.

You can configure the ASA to include the context name with each message, which helps you differentiate
context messages that are sent to a single syslog server. This feature also helps you to determine which
messages are from the admin context and which are from the system; messages that originate in the
system execution space use a device ID of system, and messages that originate in the admin context use
the name of the admin context as the device ID.

Analyzing Syslog Messages

The following are some examples of the type of information you can obtain from a review of various
syslog messages:

Connections that are allowed by ASA security policies. These messages help you spot holes that
remain open in your security policies.

Connections that are denied by ASA security policies. These messages show what types of activity
are being directed toward your secured inside network.

Using the ACE deny rate logging feature shows attacks that are occurring on your ASA.

IDS activity messages can show attacks that have occurred.

User authentication and command usage provide an audit trail of security policy changes.

Bandwidth usage messages show each connection that was built and torn down as well as the
duration and traffic volume used.

Protocol usage messages show the protocols and port numbers used for each connection.

Address translation audit trail messages record NAT or PAT connections being built or torn down,
which are useful if you receive a report of malicious activity coming from inside your network to
the outside world.

Advertising
This manual is related to the following products:

ASA 5585-X, ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5515-X, ASA 5512-X, ASA 5580, ASA 5550, ASA 5540, ASA 5520, ASA 5510, ASA 5500 Series

Popular Brands
Popular manuals