ASA Recording/Log events

Get the top talkers on an ASA

Connect to the ASA with PuTTY and capture the output of “show conn” to a CSV file.
Then edit the file with Notepad++ and replace “bytes” with “”.
Save the file, then open it in Excel and sort by size.
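
The same top-talkers sort done directly on the captured text, as an added example that is not part of the original post. It assumes the saved "show conn" lines have the layout "PROTO iface addr:port iface addr:port, idle ..., bytes N, flags ..."; the sample lines and addresses are constructed, and it goes one step further than the Excel sort by also totalling bytes per inside host.

```python
import re
from collections import Counter

# Constructed sample of saved "show conn" output (documentation-range addresses).
SAMPLE = """\
4 in use, 48 most used
TCP outside 198.51.100.7:443 inside 192.168.1.10:51512, idle 0:00:03, bytes 1834220, flags UIO
TCP outside 203.0.113.20:80 inside 192.168.1.11:49822, idle 0:01:10, bytes 5120, flags UIO
UDP outside 198.51.100.53:53 inside 192.168.1.10:60001, idle 0:00:01, bytes 212, flags -
TCP outside 203.0.113.20:443 inside 192.168.1.12:50210, idle 0:00:00, bytes 99000412, flags UIO
"""

# Assumed layout: PROTO iface addr:port iface addr:port ... bytes N
CONN_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<if1>\S+)\s+(?P<h1>\S+):(?P<p1>\d+)\s+"
    r"(?P<if2>\S+)\s+(?P<h2>\S+):(?P<p2>\d+).*?\bbytes\s+(?P<bytes>\d+)"
)

def parse_conns(text):
    """Return one dict per connection line; summary and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conn = m.groupdict()
            conn["bytes"] = int(conn["bytes"])
            conns.append(conn)
    return conns

def top_connections(conns, n=10):
    """Largest individual connections, the equivalent of the Excel sort."""
    return sorted(conns, key=lambda c: c["bytes"], reverse=True)[:n]

def top_talkers(conns, iface="inside", n=10):
    """Sum bytes per host seen on the given interface name."""
    totals = Counter()
    for c in conns:
        for name, host in ((c["if1"], c["h1"]), (c["if2"], c["h2"])):
            if name == iface:
                totals[host] += c["bytes"]
    return totals.most_common(n)

if __name__ == "__main__":
    for host, total in top_talkers(parse_conns(SAMPLE)):
        print(f"{host:<16} {total:>12}")
```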

Set the local clock and configure the ASA as an NTP client

ciscoasa(config)#clock set 21:24:37 NOV 1 2010
ciscoasa(config)#clock timezone gmt 0
ciscoasa(config)#clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
ciscoasa(config)#ntp server key 1 source inside prefer                !prefer internal ntp server
ciscoasa(config)#ntp server source outside                    !as fallback use external
ciscoasa(config)#ntp authenticate
ciscoasa(config)#ntp authentication-key 1 md5 UEB34mid@#9C
ciscoasa(config)#ntp trusted-key 1
ciscoasa(config)#show clock detail
ciscoasa(config)#show ntp associations

Login events

The two major classifications of events:
1] System events (CPU, memory, etc.)
2] Network events (DoS attack, packet drop, etc.)

Configuring Event and Session Logging

!save log contents to ftp server
!IP address:
!dir: /ASALogs
!username: foo
!Password: fooSecurity

ciscoasa(config)#logging enable
ciscoasa(config)#logging ftp-bufferwrap
ciscoasa(config)#logging ftp-server /ASALogs foo fooSecurity

Configuration > Device Management > Logging > Logging Filters
Double click ASDM
Click “Filter on Severity” and select “Informational”
You can now use the ASDM real-time monitor to debug issues and view real-time data.
Monitoring > Logging > Real-Time Log Viewer !note right click on messages to see options

Or from the CLI:
ciscoasa(config)#logging asdm Informational

Syslog Server(s)

IP address,
Standard UDP-based syslog transport to port 514 (the default UDP port)
Default TCP port is 1470
Out the management interface

ciscoasa(config)#logging trap Warnings
ciscoasa(config)#logging host management


2 SMTP email servers and
Uses the event list ALERT_ADMIN_BY_EMAIL. Only the highest warnings (1) are emailed.

ciscoasa(config)#logging list ALERT_ADMIN_BY_EMAIL level Alerts
ciscoasa(config)#logging mail ALERT_ADMIN_BY_EMAIL
ciscoasa(config)#logging from-address
ciscoasa(config)#logging recipient-address level Alerts


NetFlow export destination
IP address
Default NetFlow port of UDP 2055
Delay Transmission of Flow Creation Events for Short-Lived Flows has been enabled, and the delay set to 10 seconds

ciscoasa(config)#flow-export delay flow-create 10
ciscoasa(config)#flow-export destination management 2055

About Alexis Katsavras

Working as Freelance Cisco Unified Communications Consultant in the UK.