Recording ASA Activity

标签：

Overview:

• System Time: local && NTP
• Managing Event and Session Logging
• Configuring Event and Session Logging
• Verifying Event and Session Logging
• Troubleshooting Event and Session Logging

Effective troubleshooting of network or device activity, from the perspective of the security appliance, requires accurate information. Many times, the best source of accurate and complete information will be various logs, if logging is properly configured to capture the necessary information.

Part 1: System Time

1. Locally

The default ASA time is set to UTC (Coordinated Universal Time)

The configured time is retained in memory when the power is off, by a battery on the security appliance motherboard.

2. NTP

or You can use CLI:

clock set 21:24:37 NOV 1 2015
clock timezone CST +8 0
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 60
ntp server 10.0.0.5 key 1 source inside prefer
ntp server 192.43.244.18 source outside
ntp authenticate
ntp authentication-key 1 md5 UEB34mid@#9C
ntp trusted-key 1

When setting from the CLI, the date can be specified as MONTH DAY YEAR or DAY MONTH YEAR, whichever you prefer.

Note: The security appliance can act only as an NTP client, not as an NTP server.

3. Verifying System Time Settings

FIREWALL# show clock
10:09:16.309 CDT Tue Nov 2 2010
FIREWALL# show clock detail
10:03:55.129 CDT Tue Nov 2 2010
Time source is NTP
Summer time starts 02:00:00 CST Sun Mar 14 2010
Summer time ends 02:00:00 CDT Sun Nov 7 2010

FIREWALL# show ntp associations
address ref clock st when poll reach delay offset disp
*~10.0.0.5 127.0.0.1 3 87 1024 377 2.5 -0.23 1.8
-~192.43.244.18 .ACTS. 1 147 1024 377 41.5 -1.08 16.5
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

Part 2: Managing Event and Session Logging

The Cisco Adaptive Security Appliance supports a full audit trail of system log messages that describe its activities and security events. The two major classifications of events are system events, such as resource depletion, and network events, such as denied sessions or packets.

The security appliance supports sending log messages to the following destinations:

1. Console: The security appliance console, a low-bandwidth serial connection to which messages can be sent for display on a console CLI session. This mode is useful for limited debugging, or in production environments with limited traffic or a lack of centralized management tools.
2. ASDM: The ASDM graphical user interface, which provides a powerful real-time event viewer useful for troubleshooting issues or monitoring network activity.
3. Monitor: Telnet or SSH administrative sessions. This mode is useful to receive realtime debugging information when troubleshooting.
4. Buffered: The internal in-memory buffer on the security appliance. Although useful for storage and analysis of recent activity, the internal buffer is limited in size, and it is not persistent, by default, across appliance reboots. The buffer can optionally be archived to an external FTP server or to the security appliance’s internal flash memory.

■ Host: Remote syslog servers, using the standard syslog protocol. Use the logging
host command in conjunction with the logging trap command to define both a destination
server and a logging level.
■ SNMP: Remote network management servers, using the standard Simple Network
Management Protocol (SNMP) Trap to send event messages. This mode is configured
with the snmp-server enable traps syslog command, rather than directly with a
logging destination command.
■ Mail: Remote email systems, using the standard Simple Mail Transfer Protocol
(SMTP) to send event messages to a defined SMTP server, or set of SMTP servers.
■ Flow-export-syslogs: Remote NetFlow collectors, using the standard NetFlow v9
protocol to send event messages to the defined collector.

Recording ASA Activity

标签：

原文地址：http://www.cnblogs.com/elewei/p/4877996.html