Cisco ASA Series Cli Configuration Manual page 1968

Information About Logging
This section includes the following topics:
•
•
•
•
•
•
•
•
Logging in Multiple Context Mode
Each security context includes its own logging configuration and generates its own messages. If you log
in to the system or admin context, and then change to another context, messages you view in your session
are only those messages that are related to the current context.
Syslog messages that are generated in the system execution space, including failover messages, are
viewed in the admin context along with messages generated in the admin context. You cannot configure
logging or view any logging information in the system execution space.
You can configure the ASA and ASASM to include the context name with each message, which helps
you differentiate context messages that are sent to a single syslog server. This feature also helps you to
determine which messages are from the admin context and which are from the system; messages that
originate in the system execution space use a device ID of system, and messages that originate in the
admin context use the name of the admin context as the device ID.
Analyzing Syslog Messages
The following are some examples of the type of information you can obtain from a review of various
syslog messages:
•
•
•
•
•
•
•
•
Cisco ASA Series CLI Configuration Guide
1-2
Logging in Multiple Context Mode, page 1-2
Analyzing Syslog Messages, page 1-2
Syslog Message Format, page 1-3
Severity Levels, page 1-3
Message Classes and Range of Syslog IDs, page 1-4
Filtering Syslog Messages, page 1-4
Using Custom Message Lists, page 1-4
Using Clustering, page 1-5
Connections that are allowed by ASA and ASASM security policies. These messages help you spot
holes that remain open in your security policies.
Connections that are denied by ASA and ASASM security policies. These messages show what
types of activity are being directed toward your secured inside network.
Using the ACE deny rate logging feature shows attacks that are occurring on your ASA or
ASA Services Module.
IDS activity messages can show attacks that have occurred.
User authentication and command usage provide an audit trail of security policy changes.
Bandwidth usage messages show each connection that was built and torn down as well as the
duration and traffic volume used.
Protocol usage messages show the protocols and port numbers used for each connection.
Address translation audit trail messages record NAT or PAT connections being built or torn down,
which are useful if you receive a report of malicious activity coming from inside your network to
the outside world.
Chapter 1 Configuring Logging