77-2
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter77 Configuring Logging
Information About Logging
This section includes the following topics:
Logging in Multiple Context Mode, page 77-2
Analyzing Syslog Messages, page77-2
Syslog Message Format, page77-3
Severity Levels, page77-3
Message Classes and Range of Syslog IDs, page 77-4
Filtering Syslog Messages, page77-4
Using Custom Message Lists, page 77-4
Logging in Multiple Context Mode
Each security context includes its own logging configuration and generates its own messages. If you log
in to the system or admin context, and then change to another context, messages you view in your session
are only those messages that are related to the current context.
Syslog messages that are generated in the system execution space, including failover messages, are
viewed in the admin context along with messages generated in the admin context. You cannot configure
logging or view any logging information in the system execution space.
You can configure the ASA to include the context name with each message, which helps you differentiate
context messages that are sent to a single syslog server. This feature also helps you to determine which
messages are from the admin context and which are from the system; messages that originate in the
system execution space use a device ID of system, and messages that originate in the admin context use
the name of the admin context as the device ID.
Analyzing Syslog Messages
The following are some examples of the type of information you can obtain from a review of various
syslog messages:
Connections that are allowed by ASA security policies. These messages help you spot holes that
remain open in your security policies.
Connections that are denied by ASA security policies. These messages show what types of activity
are being directed toward your secured inside network.
Using the ACE deny rate logging feature shows attacks that are occurring on your ASA.
IDS activity messages can show attacks that have occurred.
User authentication and command usage provide an audit trail of security policy changes.
Bandwidth usage messages show each connection that was built and torn down as well as the
duration and traffic volume used.
Protocol usage messages show the protocols and port numbers used for each connection.
Address translation audit trail messages record NAT or PAT connections being built or torn down,
which are useful if you receive a report of malicious activity coming from inside your network to
the outside world.