Cisco ASA, Email Alerts

This little used feature (at least in my experience) is actually quite useful and works with all ASA versions.

The Cisco ASA 55xx Firewalls are actually able to send you an email based on *any* syslog’s that may be generated. This is very useful when you don’t run a syslog server, or just want some basic alerting instead of setting up a full syslog and alert system.

Any change on the device can be identified, its just a case of finding the correct Message ID’s.
Here are some to get you started, but you can see the full list on Cisco’s Website: ASA System Log Messages.

605005 – SSH Successful login
Example Output: 203.0.113.68 39744 203.0.113.1 ssh Login permitted from 203.0.113.68/39744 to outside:203.0.113.1/ssh for user "steveh"

104001 – ASA Switching to ACTIVE
Example Output: (Primary) Switching to ACTIVE (cause: string)

104002 – ASA Switching to STANDBY
Example Output: (Primary) Switching to STNDBY (cause: string)

113004 – AAA user success
Example Output: AAA user authentication Successful : server = 10.0.0.1 : user = steveh

113005 – AAA user Failure
Example Output: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.1 : user = l33t-Hack0r

722051 – Anyconnect SSL VPN connection [User Connect]
Example Output: Apr 13 2014 21:31:08: %ASA-4-722051: Group User IP Address assigned to session

113019 – Anyconnect SSL VPN connection [User Disconnect]
Example Output: Apr 13 2014 21:36:08: %ASA-4-113019: Group = vpn-users, Username = steveh, IP = 203.0.113.68, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:04m:59s, Bytes xmt: 163904, Bytes rcv: 328460, Reason: User Requested

Onto the configuration;

First, we need to set our SMTP servers, these could be internal, or a mail server that permits you to relay out. If you have multiple mail servers, you can add a maximum of 2, separated by just a space.

smtp-server 10.0.0.3 10.0.0.4

Next we specify the from address. This should identify the specific firewall as if you have more than 1 you may have difficulty working out which firewall sent the alert.

logging from-address my-firewall@my-company.net

Next we add the message ID’s we want, to a ‘logging list’. if you do not do this, you will only be able to chose a wide category of alerts and will overwhelm your inbox.

logging list Email-Events message 722051
logging list Email-Events message 113019

Next, we set our logging destination for email with the logging list we have just created above.

logging mail Email-Events

Finally, we set the email address you want to send the alerts to, along with a severity level. The severity level is important as if take for example an AnyConnect login, which is in the ‘informational’ severity class, and we set the email receipt level too high, maybe Warnings/Errors/Critical then the message will never be forwarded.

My advice is to set it here to debugging to ensure we capture all possible message ID’s you might need, and we use the logging list to ensure we don’t get all ‘debugging’ information which would be even worse!

logging recipient-address my-email-address@my-company.net level Debugging

Leave a Reply

Your email address will not be published. Required fields are marked *