Step-by-Step Guide for Achieving our Standard Syslog Configuration

This document describes our basic standard for syslog configuration on ASA firewalls.

Setup NTP:

First, let me say you should never trust another device’s time. Always use local time stamps for anything received when you setup a syslog server. That being said, the first thing you should do when configuring a device to send syslog, is to make sure the time is properly configured and NTP is setup. This is not to be friendly to the syslog server (which should be using local time for all received messages), but to make the logs useful when accessed locally for troubleshooting.

• Login to the ASA and run the following command in config mode to set the NTP server. In terms of picking NTP servers grab something near the bottom of the list provided by NIST:

ASA(config)# ntp server 128.138.140.44

• Wait a couple minutes and check the status

ASA(config)# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is dd108a3a.a67f3cc0 (11:44:58.650 GMT Wed Jul 12 2017)
clock offset is 28960349.9706 msec, root delay is 35.39 mse
root dispersion is 28976241.07 msec, peer dispersion is 16000.00 msec

• You only care about the first line of output. If time is completely un-synchronized, the server will show up as ‘Stratum 16’, if you are synchronized with a good clock it will show ‘Stratum 2’ like the following:

ASA(config)# show ntp status
Clock is synchronized, stratum 2, reference is 128.138.140.44
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is dd10fb9a.ffde64f0 (19:48:42.999 GMT Wed Jul 12 2017)
clock offset is 11.0599 msec, root delay is 35.11 msec
root dispersion is 15902.16 msec, peer dispersion is 15890.63 msec

• Check out
• Set the local timezone for the device. You must specify a short name (set to timezone name) for the timezone and offset from UTC:

ASA(config)# clock timezone MST -6

Configure Local Syslog:

• First turn on timestamps for all syslog messages

ASA(config)# logging timestamp

• Turn up debug level logging for the local buffer. It’s a circular log, so we don’t care much about the space.

ASA(config)# logging buffered debugging

• Speaking of space, set the local logging buffer to something generous:

ASA(config)# logging buffer-size 409600

• Now check the local buffer to make sure timestamps and all that good stuff are working

ASA(config)# show log
Jul 12 2017 14:14:19: %ASA-7-609002: Teardown local-host outside:xxxxx duration 0:12:34
Jul 12 2017 14:14:19: %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:xxxxx dst inside:xxxx (type 3, code 3) on outside interface.  Original IP payload: udp src xxxx/53 dst xxxx/xxxx.
Jul 12 2017 14:14:19: %ASA-4-106023: Deny icmp src outside:xxxx dst inside:xxxx (type 3, code 1) by access-group “outside_access_in” [0x0, 0x0]
Jul 12 2017 14:14:20: %ASA-6-106015: Deny TCP (no connection) from xxxx/xxxx to xxxxx/xxxx flags FIN ACK  on interface inside
Jul 12 2017 14:14:20: %ASA-4-313005: No matching connection for ICMP error message: icmp src inside:xxxxx dst outside:xxxxx (type 3, code 10) on inside interface.  Original IP payload: tcp src xxxxx/xxxx dst xxxxx/xxxxx.

Filter Syslog Connection Setup and Teardown Messages:

By default the ASA will log all connection setup and teardown, which creates quite a bit of noise in the logs. It is now time to whittle that down. Here are the messages that we will be excluding as identified by Cisco in this handy-dandy document.

• %ASA-6-305012: Teardown {dynamic|static} {TCP|UDP|ICMP} translation from interface_name [(acl-name)]:real_address/{real_port|real_ICMP_ID} [(idfw_user)] to interface_name:mapped_address/{mapped_port|mapped_ICMP_ID} duration time
• %ASA-6-305011: Built {dynamic|static} {TCP|UDP|ICMP} translation from interface_name:real_address/real_port [(idfw_user)] to interface_name:mapped_address/mapped_port
• %ASA-6-302015: Built {inbound|outbound} UDP connection number for interface_name:real_address/real_port (mapped_address/mapped_port) [(idfw_user)] to interface_name:real_address/real_port (mapped_address/mapped_port) [(idfw_user)] [(user)]
• %ASA-6-302014: Teardown TCP connection id for interface:real-address/real-port [(idfw_user)] to interface:real-address/real-port [(idfw_user)] duration hh:mm:ss bytes bytes [reason] [(user)]
• %ASA-6-302013: Built {inbound|outbound} TCP connection_id for interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] to interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] [(user)]
• %ASA-6-302016: Teardown UDP connection number for interface:real-address/real-port [(idfw_user)] to interface:real-address/real-port [(idfw_user)] duration hh:mm:ss bytes bytes [(user)]
• %ASA-6-302021: Teardown ICMP connection connection_id from interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] to interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] [(user)]
• %ASA-6-302020: Built ICMP connection connection_id from interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] to interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] [(user)]

From config mode turn off all of the setup and tear messages

ASA(config)# no logging message 305012
ASA(config)# no logging message 305011
ASA(config)# no logging message 302015
ASA(config)# no logging message 302014
ASA(config)# no logging message 302013
ASA(config)# no logging message 302016
ASA(config)# no logging message 302021
ASA(config)# no logging message 302020

Add Syslog Messaging for Configuration Changes

Now we need to add logging for all configuration changes, for this we only really care about about the last message in this list:

• %ASA-5-111008: User user executed the command string
• %ASA-5-111009: User user executed cmd: cmd
• %ASA-5-111010: User username, running application-name from IP ip addr, executed cmd

• Create logging list for config changes and set the level to informational.

ASA(config)# logging list CONFIG_CHANGES message 111010
ASA(config)# logging list CONFIG_CHANGES level informational

• Issue a ‘write mem’ and check logs for the message

ASA(config)# sh log | i 111010
Jul 12 2017 14:55:20: %ASA-5-111010: User ‘peiadmin’, running ‘CLI’ from IP x,x,x,x, executed ‘write memory'</P

Turn off Weird Syslog TCP Behavior

If the syslog server is down, and you are configured to send syslog over TCP, by default the ASA will deny all traffic and you will basically brick your ASA until you can console into it. To prevent this behavior, we go ahead and run the following command:

ASA(config)# logging permit-hostdown

Configure Syslog Destination

Pretty simple, just point at an IP and interface to send the traffic out of. Of course, one should never stream syslog over the internet, so assume you will always log to the inside interface.

ASA(config)# logging host inside 10.222.2.202

Max Fuller, PEI