Cisco ASA 5505 Configuration Manual page 1610

Information About Logging
This section includes the following topics:
•
•
•
•
•
•
•
•
Logging in Multiple Context Mode
Each security context includes its own logging configuration and generates its own messages. If you log
in to the system or admin context, and then change to another context, messages you view in your session
are only those messages that are related to the current context.
Syslog messages that are generated in the system execution space, including failover messages, are
viewed in the admin context along with messages generated in the admin context. You cannot configure
logging or view any logging information in the system execution space.
You can configure the adaptive security appliance to include the context name with each message, which
helps you differentiate context messages that are sent to a single syslog server. This feature also helps
you to determine which messages are from the admin context and which are from the system; messages
that originate in the system execution space use a device ID of system, and messages that originate in
the admin context use the name of the admin context as the device ID.
Analyzing Syslog Messages
The following are some examples of the type of information you can obtain from a review of various
syslog messages:
•
•
•
•
•
•
•
•
Cisco ASA 5500 Series Configuration Guide using ASDM
71-2
Logging in Multiple Context Mode, page 71-2
Analyzing Syslog Messages, page 71-2
Syslog Message Format, page 71-3
Severity Levels, page 71-3
Filtering Syslog Messages, page 71-4
Sorting in the Log Viewers, page 71-4
Message Classes and Range of Syslog IDs, page 71-4
Using Custom Message Lists, page 71-5
Connections that are allowed by adaptive security appliance security policies. These messages help
you spot holes that remain open in your security policies.
Connections that are denied by adaptive security appliance security policies. These messages show
what types of activity are being directed toward your secured inside network.
Using the ACE deny rate logging feature shows attacks that are occurring against your adaptive
security appliance.
IDS activity messages can show attacks that have occurred.
User authentication and command usage provide an audit trail of security policy changes.
Bandwidth usage messages show each connection that was built and torn down, as well as the
duration and traffic volume used.
Protocol usage messages show the protocols and port numbers used for each connection.
Address translation audit trail messages record NAT or PAT connections being built or torn down,
which are useful if you receive a report of malicious activity coming from inside your network to
the outside world.
Chapter 71 Configuring Logging
OL-20339-01