Configuring a Cisco ASA to Send Syslogs (2024)

To configure a Cisco ASA or virtual context to send syslogs, use either the CLI or ASDM, following the instructions below.

Syslog traffic must be configured to arrive at the Syslog VIP of the TOS Aurora cluster that monitors the device.

For more information see Sending Additional Information via Syslog.

Syslog proxy is supported for specific devices. For more information on syslog proxy support for supported devices, see Configuring Devices to Send Logs.

Only rules that are marked for logging in the device are included in the syslogs.

CLI Commands

Configure the device to send syslog messages

logging enable

Set that the timestamp is included in the syslog message

logging timestamp

Set the syslog facility code that is included in the syslog messages (23 is LOCAL7)

logging facility 23

Set the device-id that is included in the syslog message

The Hostname for the device must be explicitly set via syslog for Real Time Monitoring to retrieve data.

logging device-id hostname

Set the device-id that is included in the syslog message with a virtual context

logging device-id context-name

Set to send events to SecureTrack for full accountability

logging list securetrack message 111008

Set to send events for SecureTrack APG and SecureApp discovery

logging list securetrack message 106100

Set to send events for SecureTrack APG and SecureApp discovery

logging list securetrack message 106023

Set the level of severity of the messages that you want to receive

  • logging message 111008 level notifications
  • logging message 106100 level notifications
  • logging message 106023 level notifications

Set the trap message list name for the syslog messages

logging trap securetrack

Set the SecureTrack server to send the syslog messages to:

  • ip_address - The IP address of the SecureTrack server.
  • interface_name - The interface that the SecureTrack server is behind.

logging host <interface_name> <ip_address>
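
As an added example (not part of the original page and not vendor tooling), the following Python script checks a command script against the CLI lines listed above and reports which required settings are missing. The function name, setting labels and sample text are constructed for illustration; it assumes the event list is named securetrack, as on this page.

```python
import re

# Required lines, from the CLI commands on this page (event list "securetrack").
REQUIRED = {
    "logging enabled": r"logging enable",
    "timestamp": r"logging timestamp",
    "facility LOCAL7": r"logging facility 23",
    "device-id": r"logging device-id \S.*",
    "trap list": r"logging trap securetrack",
    "syslog host": r"logging host \S+ \d{1,3}(\.\d{1,3}){3}",
}
for _id in ("111008", "106100", "106023"):
    REQUIRED[f"event list {_id}"] = rf"logging list securetrack message {_id}"
    REQUIRED[f"level {_id}"] = rf"logging message {_id} level notifications"


def audit_logging(script_text):
    """Return sorted labels of required settings absent from script_text."""
    # Whole-line match: "no logging enable" does not satisfy "logging enable".
    lines = [ln.strip() for ln in script_text.splitlines()]
    return sorted(label for label, pattern in REQUIRED.items()
                  if not any(re.fullmatch(pattern, ln) for ln in lines))


# Constructed sample: a command script that follows the page. 192.0.2.10
# (documentation range) and "inside" are placeholders for the Syslog VIP/interface.
SAMPLE_OK = """\
logging enable
logging timestamp
logging facility 23
logging device-id hostname
logging list securetrack message 111008
logging list securetrack message 106100
logging list securetrack message 106023
logging message 111008 level notifications
logging message 106100 level notifications
logging message 106023 level notifications
logging trap securetrack
logging host inside 192.0.2.10
"""

# Constructed faulty variant: wrong facility and one event ID left out.
SAMPLE_BAD = SAMPLE_OK.replace("facility 23", "facility 20").replace(
    "logging list securetrack message 106023\n", "")

if __name__ == "__main__":
    print("complete:", audit_logging(SAMPLE_OK))
    print("faulty:  ", audit_logging(SAMPLE_BAD))
```
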

ASDM Configuration

  1. Log into the ASDM and enter the syslog configuration for the ASA device:

    1. Log into the ASDM, and select the device from the Device List.


    2. Click Configuration.


    3. Click Device Management.


  2. Enable logging on the ASA device:

    • In Logging > Logging Setup, select Enable logging.


  3. Add the event IDs that you want the ASA device to send:

    1. Select Event Lists, and click Add.


    2. In the Add Event List window, type a Name, and under Message ID Filters, click Add.


    3. Enter a syslog ID and click OK.

      Syslog ID      | Purpose                                            | Notes
      111008         | Full accountability                                |
      106023, 106100 | SecureTrack APG and SecureApp connection discovery | Syslog ID 106100 only sends syslogs for logged rules. For APG, you can use either of the syslog IDs or both IDs.

    4. Click OK to close the Add Event List window.
  4. Configure the logging filters to use the specified event IDs:

    1. Select Logging Filters, and double-click Syslog Servers.


    2. In the Edit Logging Filters window, select Use event list and select the event list configured above.


    3. Click OK.
  5. Configure SecureTrack as a syslog server:

    1. Select Syslog Servers, and click Add.


    2. In the Add Syslog Server window, select the interface used to access SecureTrack, and enter the syslog VIP of the cluster that is managing the device.
    3. Select UDP, Port: 514, and clear Log messages in Cisco EMBLEM format.
    4. Click OK.
  6. Configure the format for the syslogs:

    1. Select Syslog Setup.


    2. Select Include timestamp in syslogs.

    3. By Facility Code to Include in Syslogs, select LOCAL7(23).

      To use a different facility, you must configure SecureTrack as described in this tech note: Configuring SecureTrack for Non-Default Syslogs

    4. Scroll down and double-click entry 111008. Set its Logging Level to Notifications, and click OK.
    5. Click Apply.
    6. Still in the Syslog Setup page, click Advanced and select Enable syslog device ID.

      If the device is not in context mode, you must enable the syslog device ID from the device's CLI with this command: logging device-id string <Enter the ID>

    7. Configure a unique logging ID by selecting one of the following. No other device, including virtual contexts even on other devices, may have the same ID:

      • Hostname

        The Hostname for the device must be explicitly set via syslog for Real Time Monitoring to retrieve data.

      • Context name (in a Virtual Context)

      • IP address (select an interface)

      • String (type the desired ID)

    8. Click OK, and Apply.

      For virtual contexts, configure a logging ID for each context.

Article information

Author: Arielle Torp
