ASA Recording/Log events

Get the top talkers on an ASA

Connect to the ASA with PuTTY and capture the output of “show conn” to a CSV file.
Then edit the file with Notepad++ and replace “bytes” with “” (an empty string) so the byte count becomes a plain number.
Save the file, then open it in Excel and sort by size.
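The same top-talkers result can be produced without the Notepad++/Excel round trip. The script below is an added example, not code from the original post: it parses captured “show conn” text, sums bytes per host and renders the sorted connection table as CSV. The sample output is constructed rather than a real capture, and the pattern assumes the IPv4 “proto if addr:port if addr:port, idle …, bytes N” layout shown (it skips summary lines and would not match IPv6 connections).

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of ASA "show conn" output; not a real capture.
# Some ASA releases print the fields without commas, so the pattern
# below treats the commas as optional.
SAMPLE_SHOW_CONN = """\
5 in use, 12 most used
TCP outside 203.0.113.10:443 inside 192.168.10.21:51234, idle 0:00:02, bytes 184320, flags UIO
UDP outside 203.0.113.53:53 inside 192.168.10.21:61002, idle 0:00:10, bytes 512, flags -
TCP outside 198.51.100.7:80 inside 192.168.10.45:49152, idle 0:01:12, bytes 9812034, flags UIO
TCP outside 203.0.113.10:443 inside 192.168.10.45:49160 idle 0:00:00 bytes 40960 flags UIO
ICMP outside 203.0.113.1:0 inside 192.168.10.99:0, idle 0:00:01, bytes 1200
"""

# Side "a" is the first interface/address printed (outside in the sample),
# side "b" the second (inside in the sample). IPv4 only.
CONN_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+"
    r"(?P<if_a>\S+)\s+(?P<addr_a>[^\s:]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<addr_b>[^\s:]+):(?P<port_b>\d+),?\s+"
    r"idle\s+[\d:]+,?\s+bytes\s+(?P<bytes>\d+)"
)

FIELDS = ["proto", "if_a", "addr_a", "port_a", "if_b", "addr_b", "port_b", "bytes"]


def parse_show_conn(text):
    """Parse each connection line into a dict; header/summary lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # e.g. "5 in use, 12 most used"
        rec = m.groupdict()
        for key in ("port_a", "port_b", "bytes"):
            rec[key] = int(rec[key])
        conns.append(rec)
    return conns


def top_connections(text, n=10):
    """Individual connections, largest byte count first."""
    conns = parse_show_conn(text)
    return sorted(conns, key=lambda c: c["bytes"], reverse=True)[:n]


def top_talkers(text, n=10, side="b"):
    """Sum bytes per address on one side of the connection and return the
    n biggest as (address, bytes) tuples, largest first."""
    totals = defaultdict(int)
    for c in parse_show_conn(text):
        totals[c["addr_" + side]] += c["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def to_csv(text):
    """Render the parsed connections as CSV sorted by bytes descending, which
    is what the Notepad++/Excel steps produce by hand."""
    conns = parse_show_conn(text)
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(FIELDS)
    for c in top_connections(text, n=len(conns)):
        writer.writerow([c[k] for k in FIELDS])
    return buf.getvalue()


if __name__ == "__main__":
    for addr, total in top_talkers(SAMPLE_SHOW_CONN, n=5):
        print(f"{addr:<16} {total:>12} bytes")
    print(to_csv(SAMPLE_SHOW_CONN))
```

Feed it a saved capture with `top_talkers(open("conn.txt").read())`; pass `side="a"` to rank the first address printed (the outside peers in the sample) instead of the inside hosts.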

Set the local clock and configure the ASA as an NTP client

ciscoasa(config)#clock set 21:24:37 NOV 1 2010
ciscoasa(config)#clock timezone gmt 0
ciscoasa(config)#clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
ciscoasa(config)#ntp server 10.0.0.5 key 1 source inside prefer    !prefer the internal ntp server
ciscoasa(config)#ntp server 192.43.244.18 source outside           !use an external server as fallback
ciscoasa(config)#ntp authenticate
ciscoasa(config)#ntp authentication-key 1 md5 UEB34mid@#9C
ciscoasa(config)#ntp trusted-key 1
ciscoasa(config)#show clock detail
ciscoasa(config)#show ntp associations

Logging events

The two major classifications of events:
1] system events (CPU, memory, etc.)
2] network events (DoS attack, packet drop, etc.)

Configuring Event and Session Logging

!save log contents to an ftp server
!IP address: 192.168.1.15
!dir: /ASALogs
!username: foo
!password: fooSecurity

ciscoasa(config)#logging enable
ciscoasa(config)#logging ftp-bufferwrap
ciscoasa(config)#logging ftp-server 192.168.1.15 /ASALogs foo fooSecurity

Configuration > Device Management > Logging > Logging Filters
Double-click ASDM
Click “Filter on Severity” and select “Informational”
You can now use the ASDM real-time monitor to debug issues and view real-time data.
Monitoring > Logging > Real-Time Log Viewer    !note: right-click a message to see its options

Or from the CLI:
ciscoasa(config)#logging asdm Informational

Syslog Server(s)

IP address 192.168.1.7
Standard UDP-based syslog transport to port 514 (the default UDP port)
The default TCP port is 1470
Sent out the management interface

ciscoasa(config)#logging trap Warnings
ciscoasa(config)#logging host management 192.168.1.7

Email

Two SMTP email servers, 172.16.0.5 and 172.16.0.6
Uses the event list ALERT_ADMIN_BY_EMAIL. Only the highest-severity messages (Alerts, level 1) get emailed.

ciscoasa(config)#logging list ALERT_ADMIN_BY_EMAIL level Alerts
ciscoasa(config)#logging mail ALERT_ADMIN_BY_EMAIL
ciscoasa(config)#smtp-server 172.16.0.5 172.16.0.6
ciscoasa(config)#logging from-address asa@foo.foo
ciscoasa(config)#logging recipient-address Admin@foo.foo level Alerts
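The “logging trap Warnings”, “logging asdm Informational” and “logging list … level Alerts” settings above all use the same severity scale, and the severity of every ASA message is visible in its %ASA-<severity>-<id> tag. The following Python script is an added example, not code from the original post: it parses syslog lines as the collector on 192.168.1.7 would store them, and replays the per-destination level filtering so you can check which messages a given level would forward or email. The sample lines are constructed (the message IDs are real ASA IDs, the hosts and addresses are made up), and the <PRI> handling assumes the ASA default facility of local4 (20).

```python
import re

# Severity names as accepted by "logging trap", "logging asdm", "logging list
# ... level" and "logging recipient-address ... level". Lower number = more severe.
SEVERITY_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed sample lines. The <PRI> prefix is facility * 8 + severity;
# the ASA defaults to facility local4 (20), so <164> is severity 4.
SAMPLE_SYSLOG = [
    '<164>Nov 01 21:30:12 ciscoasa %ASA-4-106023: Deny tcp src outside:203.0.113.9/4455 '
    'dst inside:192.168.1.20/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '<166>Nov 01 21:30:13 ciscoasa %ASA-6-302013: Built outbound TCP connection 12345 '
    'for outside:198.51.100.7/80 (198.51.100.7/80) to inside:192.168.10.45/49152 (203.0.113.2/49152)',
    '<161>Nov 01 21:30:15 ciscoasa %ASA-1-105003: (Primary) Monitoring on interface inside waiting',
    '<163>Nov 01 21:31:00 ciscoasa %ASA-3-305006: portmap translation creation failed '
    'for udp src inside:192.168.10.21/61002 dst outside:203.0.113.53/53',
    'this line is not an ASA message and is skipped',
]

MSG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                      # optional syslog PRI
    r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) "        # collector timestamp
    r"(?P<host>\S+) "                                # sending host
    r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)


def parse_asa_message(line):
    """Return a dict for an ASA syslog line, or None if it is not one.
    When a <PRI> is present, also check that its severity bits agree with
    the %ASA-<severity> tag (a mismatch usually means a relay rewrote it)."""
    m = MSG_RE.match(line)
    if not m:
        return None
    sev = int(m.group("sev"))
    rec = {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "severity": sev,
        "msgid": m.group("msgid"),
        "text": m.group("text"),
        "facility": None,
        "pri_consistent": True,
    }
    if m.group("pri") is not None:
        pri = int(m.group("pri"))
        rec["facility"] = pri // 8
        rec["pri_consistent"] = (pri % 8) == sev
    return rec


def messages_at_level(lines, level_name):
    """Messages an ASA logging destination set to level_name would receive:
    that level and everything more severe (a lower severity number)."""
    threshold = SEVERITY_LEVELS[level_name.lower()]
    out = []
    for line in lines:
        rec = parse_asa_message(line)
        if rec is not None and rec["severity"] <= threshold:
            out.append(rec)
    return out


def count_by_severity(lines):
    """Histogram of severities, useful for sizing a trap level before
    pointing the ASA at a collector."""
    counts = {}
    for line in lines:
        rec = parse_asa_message(line)
        if rec is not None:
            counts[rec["severity"]] = counts.get(rec["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for level in ("Alerts", "Warnings", "Informational"):
        ids = [r["msgid"] for r in messages_at_level(SAMPLE_SYSLOG, level)]
        print(f"{level:<14} -> {ids}")
```

With the configuration on this page, “Warnings” is the syslog server’s view (three of the four sample messages), “Alerts” is what ALERT_ADMIN_BY_EMAIL would mail (only the severity-1 failover message), and “Informational” is what ASDM shows.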

NetFlow

NetFlow export destination
IP address 192.168.1.13
Default NetFlow port of UDP 2055
“Delay Transmission of Flow Creation Events for Short-Lived Flows” is enabled, with the delay set to 10 seconds

ciscoasa(config)#flow-export delay flow-create 10
ciscoasa(config)#flow-export destination management 192.168.1.13 2055


About Alexis Katsavras

Working as a freelance Cisco Unified Communications consultant in the UK. www.NetPacket.co.uk