Welcome, Guest

TOPIC: How to audit cisco ASA administrator login

How to audit cisco ASA administrator login 2 years 6 months ago #38605

azh
Offline
New Member
Posts: 1
Karma: 0

Hi

We need to audit administrators' login to cisco asa firewall(to monitor how many times the admin login to firewall in a month). Firewall is sending syslog level 6(info) to syslog server which is including syslog id 605004 and 605005.

We've managed to extract the access log but the firewall log a lot of log for each single login attempt.

I would like to know how many lines the ASA log for each login and is there any tools/software to audit the login attempt? Thank you....

34588: 3/3/2015 14:05:04 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55791 to MGMT:10.27.1.12/https for user "admin"
37192: 3/3/2015 14:05:27 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55792 to MGMT:10.27.1.12/https for user "admin"
38441: 3/3/2015 14:05:36 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55793 to MGMT:10.27.1.12/https for user "admin"
39639: 3/3/2015 14:05:45 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55794 to MGMT:10.27.1.12/https for user "admin"
41364: 3/3/2015 14:06:02 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55795 to MGMT:10.27.1.12/https for user "admin"
42527: 3/3/2015 14:06:16 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55796 to MGMT:10.27.1.12/https for user "admin"
43654: 3/3/2015 14:06:33 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55797 to MGMT:10.27.1.12/https for user "admin"
44140: 3/3/2015 14:06:40 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55798 to MGMT:10.27.1.12/https for user "admin"
45132: 3/3/2015 14:06:51 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55799 to MGMT:10.27.1.12/https for user "admin"
46429: 3/3/2015 14:07:05 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55800 to MGMT:10.27.1.12/https for user "admin"
47072: 3/3/2015 14:07:10 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55801 to MGMT:10.27.1.12/https for user "admin"
48745: 3/3/2015 14:07:28 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55802 to MGMT:10.27.1.12/https for user "admin"
49666: 3/3/2015 14:07:39 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55803 to MGMT:10.27.1.12/https for user "admin"
51012: 3/3/2015 14:07:48 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55804 to MGMT:10.27.1.12/https for user "admin"
53178: 3/3/2015 14:08:03 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55805 to MGMT:10.27.1.12/https for user "admin"
55247: 3/3/2015 14:08:17 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55806 to MGMT:10.27.1.12/https for user "admin"
55931: 3/3/2015 14:08:22 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55807 to MGMT:10.27.1.12/https for user "admin"
57705: 3/3/2015 14:08:34 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55808 to MGMT:10.27.1.12/https for user "admin"
58013: 3/3/2015 14:08:36 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55809 to MGMT:10.27.1.12/https for user "admin"
58023: 3/3/2015 14:08:36 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55810 to MGMT:10.27.1.12/https for user "admin"
58356: 3/3/2015 14:08:39 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55811 to MGMT:10.27.1.12/https for user "admin"
58368: 3/3/2015 14:08:39 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55812 to MGMT:10.27.1.12/https for user "admin"
59747: 3/3/2015 14:08:54 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55813 to MGMT:10.27.1.12/https for user "admin"