This little used feature (at least in my experience) is actually quite useful and works with all ASA versions.
The Cisco ASA 55xx Firewalls are actually able to send you an email based on *any* syslog’s that may be generated. This is very useful when you don’t run a syslog server, or just want some basic alerting instead of setting up a full syslog and alert system.
Any change on the device can be identified, its just a case of finding the correct Message ID’s.
Here are some to get you started, but you can see the full list on Cisco’s Website: ASA System Log Messages.
605005 – SSH Successful login
203.0.113.68 39744 203.0.113.1 ssh Login permitted from 203.0.113.68/39744 to outside:203.0.113.1/ssh for user "steveh"
104001 – ASA Switching to ACTIVE
(Primary) Switching to ACTIVE (cause: string)
104002 – ASA Switching to STANDBY
(Primary) Switching to STNDBY (cause: string)
113004 – AAA user success
AAA user authentication Successful : server = 10.0.0.1 : user = steveh
113005 – AAA user Failure
AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.1 : user = l33t-Hack0r
722051 – Anyconnect SSL VPN connection [User Connect]
Apr 13 2014 21:31:08: %ASA-4-722051: Group User IP Address assigned to session
113019 – Anyconnect SSL VPN connection [User Disconnect]
Apr 13 2014 21:36:08: %ASA-4-113019: Group = vpn-users, Username = steveh, IP = 203.0.113.68, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:04m:59s, Bytes xmt: 163904, Bytes rcv: 328460, Reason: User Requested
Onto the configuration;
First, we need to set our SMTP servers, these could be internal, or a mail server that permits you to relay out. If you have multiple mail servers, you can add a maximum of 2, separated by just a space.
smtp-server 10.0.0.3 10.0.0.4
Next we specify the from address. This should identify the specific firewall as if you have more than 1 you may have difficulty working out which firewall sent the alert.
logging from-address firstname.lastname@example.org
Next we add the message ID’s we want, to a ‘logging list’. if you do not do this, you will only be able to chose a wide category of alerts and will overwhelm your inbox.
logging list Email-Events message 722051
logging list Email-Events message 113019
Next, we set our logging destination for email with the logging list we have just created above.
logging mail Email-Events
Finally, we set the email address you want to send the alerts to, along with a severity level. The severity level is important as if take for example an AnyConnect login, which is in the ‘informational’ severity class, and we set the email receipt level too high, maybe Warnings/Errors/Critical then the message will never be forwarded.
My advice is to set it here to debugging to ensure we capture all possible message ID’s you might need, and we use the logging list to ensure we don’t get all ‘debugging’ information which would be even worse!
logging recipient-address email@example.com level Debugging