designetwork(EN)

IT technical memo of networking

Cisco ASA FW log (syslog) with Papertrail


Papertrail is a cloud log management service. Its basic features are available for free, which makes it well suited to managing FW logs and the like in a home lab. Because you do not need to build a syslog server, it is also very effective in verification environments.

This post sends the FW log of a Cisco ASA used in a home lab to Papertrail.

Device used

Cisco ASA 5505: ASA9.3(2) No additional license

Setting up Papertrail

Papertrail does not require any special configuration to receive syslog. You can start using it as soon as you register a user account.

Papertrail - cloud-hosted log management, live in seconds

After logging in, click Add your first system.


The syslog destination is displayed. In my case, logs5.papertrailapp.com:18xxx was specified as the destination. (The port is masked for security.)


Cisco ASA FW syslog settings

The setup page gives procedures for operating systems such as Linux and Windows. Cisco is not among them, so search from the "Not shown here?" link. The page it leads to describes the log configuration procedure for various network devices.


The explanation is very simple: it describes how to set the FW log (syslog) destination.


logging enable
logging host outside <host>.papertrailapp.com udp/11111
logging trap informational
logging severity 5

As a caution, a setting that sends a large number of logs, such as logging trap notification, is discouraged. It is recommended to change to informational or similar after verifying the logs.

If logging rate limiting is supported, using it is recommended.

logging rate-limit 10 30 level debugging

Adding the settings to the home ASA

I added the settings to my home ASA (FW) by referring to the above. Basically, you can add the syslog settings as described. In my environment, trying to register the destination by host name resulted in an error.

ASA5505(config)# logging host outside ?

configure mode commands/options:
  Hostname or A.B.C.D  Specify the IP address or name of the syslog server.
ASA5505(config)# logging host outside logs5.papertrailapp.com ?
ERROR: % Unrecognized command

For this reason, look up the IP address that the DNS name resolves to and specify the destination by IP address. Even if the protocol is specified as udp, it is shown as protocol number 17 in running-config.

logging host outside 169.46.82.181 17/18xxx
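
Because the destination is pinned by IP address, the ASA keeps sending to that address even if the Papertrail host name later resolves somewhere else. The following is an added example (not from the original post or from Papertrail) that parses logging host lines in the running-config form shown above and reports entries whose IP address the host name no longer resolves to; the function names and the sample port are assumptions.

```python
import re
import socket

# IP protocol numbers as stored in running-config (the post shows udp stored as 17).
PROTOCOLS = {"17": "udp", "6": "tcp"}

LOGGING_HOST = re.compile(
    r"^logging host (?P<ifname>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?: (?P<proto>\d+)/(?P<port>\d+))?"
)


def parse_logging_hosts(running_config):
    """Return one dict per 'logging host' line found in the config text."""
    hosts = []
    for line in running_config.splitlines():
        m = LOGGING_HOST.match(line.strip())
        if not m:
            continue
        hosts.append({
            "interface": m["ifname"],
            "ip": m["ip"],
            # With no proto/port suffix the destination is the syslog default, UDP 514.
            "protocol": PROTOCOLS.get(m["proto"] or "17", m["proto"]),
            "port": int(m["port"] or 514),
        })
    return hosts


def resolve_ipv4(hostname):
    """Current IPv4 addresses for hostname (needs working DNS)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_DGRAM)
    return {info[4][0] for info in infos}


def stale_destinations(running_config, hostname, resolver=resolve_ipv4):
    """'logging host' entries whose pinned IP is no longer served by hostname."""
    current = resolver(hostname)
    return [h for h in parse_logging_hosts(running_config) if h["ip"] not in current]


# Constructed sample: the address is the one from the post, the port is made up.
SAMPLE_CONFIG = """\
logging enable
logging trap informational
logging host outside 169.46.82.181 17/12345
"""

if __name__ == "__main__":
    for h in stale_destinations(SAMPLE_CONFIG, "logs5.papertrailapp.com"):
        print("stale syslog destination:", h)
```

Run it against a saved copy of the running-config from a machine with working DNS; any entry it prints should be re-pointed with a new logging host line.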

Checking the log

A new host is displayed in the Dashboard. Click its IP address to check the log.


The Cisco ASA FW log (syslog) is displayed in Event. You can also search the logs.


Available capacity

You can check the remaining capacity available under Papertrail's free plan from Settings. Logs can be searched for six days, and the past seven days can be retrieved from the archive.


Conclusion - Cisco ASA FW log (syslog) with Papertrail

I started managing the Cisco ASA FW log (syslog) with Papertrail. Since Papertrail can be used for free, it is considered useful in home lab test environments.


This blog is the English version of my Japanese blog.

Sorry if my English sentences are incorrect.
