Recording ASA Activity

Source: Internet
Author: User
Tags: snmp

Overview:
    • System time: local and NTP
    • Managing Event and Session Logging
    • Configuring Event and Session Logging
    • Verifying Event and Session Logging
    • Troubleshooting Event and Session Logging

Effective troubleshooting of network or device activity, from the perspective of the security appliance, requires accurate information. Many times, the best source of accurate and complete information will be the various logs, if logging is properly configured to capture the necessary information.

Part 1: System time

1. Locally

The default ASA time is set to UTC (Coordinated Universal Time).

The configured time is retained in memory when the power is off, by a battery on the security appliance motherboard.

2. NTP

Or you can use the CLI:

    clock set <hh:mm:ss> NOV 1 <year>
    clock timezone CST +8 0
    clock summer-time CDT recurring 2 Sun Mar 2:xx 1 Sun Nov 2:xx
    ntp server 10.0.0.5 key 1 source inside prefer
    ntp server 192.43.244.18 source outside
    ntp authenticate
    ntp authentication-key 1 md5 ueb34mid@#9C
    ntp trusted-key 1

When setting the clock from the CLI, the date can be specified as month day year or day month, whichever you prefer.

Note: the security appliance can act only as an NTP client, not as an NTP server.

3. Verifying system time settings

    firewall# show clock
    …:…:16.309 CDT Tue Nov 2 …
    firewall# show clock detail
    …:…:55.129 CDT Tue Nov 2 …
    Time source is NTP
    Summer time starts …:xx:xx CST Sun Mar …
    Summer time ends …:xx:xx CDT Sun Nov 7 …

    firewall# show ntp associations
          address         ref clock     st  when  poll reach  delay  offset    disp
    *~10.0.0.5         127.0.0.1         3     …  1024  377     2.5   -0.23     1.8
    -~192.43.244.18    .ACTS.            1   147  1024  377    41.5   -1.08    16.5
     * master (synced), # master (unsynced), + selected, - candidate, ~ configured
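An added example, not part of the original article: a Python parser for the `show ntp associations` output above that reports conditions under which the appliance's log timestamps should not be trusted. The sample outputs are constructed, and the function names and the offset threshold are assumptions.

```python
import re

# Peer flag legend, as printed in the footer of the ASA output.
FLAGS = {"*": "master (synced)", "#": "master (unsynced)", "+": "selected",
         "-": "candidate", "~": "configured"}

# One peer row: flags glued to the address, then the nine header columns.
ROW = re.compile(
    r"^\s*(?P<flags>[*#+\-~]+)(?P<address>\d+(?:\.\d+){3})\s+(?P<ref>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>[-\d.]+)\s+(?P<offset>[-\d.]+)\s+(?P<disp>[-\d.]+)\s*$")

def parse_associations(text):
    """Return one dict per peer row; header and legend lines do not match ROW."""
    peers = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        peers.append({"address": m["address"], "stratum": int(m["st"]),
                      "flags": [FLAGS[c] for c in m["flags"]],
                      "reach": int(m["reach"], 8),  # octal: last 8 polls
                      "offset": float(m["offset"])})
    return peers

def findings(peers, max_offset=100.0):
    """Reasons log timestamps may be unreliable (max_offset: assumed threshold)."""
    out = []
    if not any("master (synced)" in p["flags"] for p in peers):
        out.append("no synced master")
    for p in peers:
        if p["stratum"] >= 16:
            out.append(f"{p['address']}: stratum {p['stratum']} (unsynchronized)")
        if p["reach"] != 0o377:
            out.append(f"{p['address']}: reach {p['reach']:o}, polls were missed")
        if abs(p["offset"]) > max_offset:
            out.append(f"{p['address']}: offset {p['offset']} exceeds {max_offset}")
    return out

# Constructed sample output (the "when" value 29 is made up for the example).
HEALTHY = """\
      address         ref clock     st  when  poll reach  delay  offset    disp
*~10.0.0.5         127.0.0.1         3    29  1024  377     2.5   -0.23     1.8
-~192.43.244.18    .ACTS.            1   147  1024  377    41.5   -1.08    16.5
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""
# Constructed sample of a degraded state.
DEGRADED = """\
 ~10.0.0.5         .INIT.           16     -    64    0     0.0    0.00  16000.
+~192.43.244.18    .ACTS.            1   147  1024  177    41.5  250.40    16.5
"""
print(findings(parse_associations(DEGRADED)))
```

Running such a check before correlating ASA logs with other sources shows whether the timestamps being compared were NTP-disciplined at collection time.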

Part 2: Managing Event and Session Logging

The Cisco Adaptive Security Appliance supports a full audit trail of system log messages that describe its activities and security events. The major classifications include events such as resource depletion, and network events, such as denied sessions or packets.

The security appliance supports sending log messages to the following destinations:

    1. console: the security appliance console, a low-bandwidth serial connection to which messages can be sent for display on a console CLI session. This mode is useful for limited debugging, or in production environments with limited traffic or a lack of centralized management tools.
    2. asdm: the ASDM graphical user interface, which provides a powerful real-time Event Viewer useful for troubleshooting issues or monitoring network activity.
    3. monitor: Telnet or SSH administrative sessions. This mode is useful to receive real-time debugging information when troubleshooting.
    4. buffered: the internal in-memory buffer on the security appliance. Although useful for storage and analysis of recent activity, the internal buffer is limited in size, and it is not persistent, by default, across appliance reboots. The buffer can optionally be archived to an external FTP server or to the security appliance's internal flash memory.
    5. host: remote syslog servers, using the standard syslog protocol. Use the logging host command in conjunction with the logging trap command to define both a destination server and a logging level.
    6. snmp: remote network management servers, using the standard Simple Network Management Protocol (SNMP) trap to send event messages. This mode is configured with the snmp-server enable traps syslog command, rather than directly with a logging destination command.
    7. mail: remote email systems, using the standard Simple Mail Transfer Protocol (SMTP) to send event messages to a defined SMTP server, or set of SMTP servers.
    8. flow-export-syslogs: remote NetFlow collectors, using the standard NetFlow v9 protocol to send event messages to the defined collector.
