|
Welcome,
Guest
|
TOPIC: How to audit cisco ASA administrator login
How to audit cisco ASA administrator login 4 years 10 months ago #38605
|
Hi
We need to audit administrators' login to cisco asa firewall(to monitor how many times the admin login to firewall in a month). Firewall is sending syslog level 6(info) to syslog server which is including syslog id 605004 and 605005. We've managed to extract the access log but the firewall log a lot of log for each single login attempt. I would like to know how many lines the ASA log for each login and is there any tools/software to audit the login attempt? Thank you.... 34588: 3/3/2015 14:05:04 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55791 to MGMT:10.27.1.12/https for user "admin" 37192: 3/3/2015 14:05:27 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55792 to MGMT:10.27.1.12/https for user "admin" 38441: 3/3/2015 14:05:36 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55793 to MGMT:10.27.1.12/https for user "admin" 39639: 3/3/2015 14:05:45 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55794 to MGMT:10.27.1.12/https for user "admin" 41364: 3/3/2015 14:06:02 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55795 to MGMT:10.27.1.12/https for user "admin" 42527: 3/3/2015 14:06:16 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55796 to MGMT:10.27.1.12/https for user "admin" 43654: 3/3/2015 14:06:33 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55797 to MGMT:10.27.1.12/https for user "admin" 44140: 3/3/2015 14:06:40 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55798 to MGMT:10.27.1.12/https for user "admin" 45132: 3/3/2015 14:06:51 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55799 to MGMT:10.27.1.12/https for user "admin" 46429: 3/3/2015 14:07:05 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55800 to MGMT:10.27.1.12/https for user "admin" 47072: 3/3/2015 14:07:10 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55801 to MGMT:10.27.1.12/https for user "admin" 48745: 3/3/2015 14:07:28 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55802 to MGMT:10.27.1.12/https for user "admin" 49666: 3/3/2015 14:07:39 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55803 to MGMT:10.27.1.12/https for user "admin" 51012: 3/3/2015 14:07:48 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55804 to MGMT:10.27.1.12/https for user "admin" 53178: 3/3/2015 14:08:03 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55805 to MGMT:10.27.1.12/https for user "admin" 55247: 3/3/2015 14:08:17 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55806 to MGMT:10.27.1.12/https for user "admin" 55931: 3/3/2015 14:08:22 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55807 to MGMT:10.27.1.12/https for user "admin" 57705: 3/3/2015 14:08:34 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55808 to MGMT:10.27.1.12/https for user "admin" 58013: 3/3/2015 14:08:36 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55809 to MGMT:10.27.1.12/https for user "admin" 58023: 3/3/2015 14:08:36 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55810 to MGMT:10.27.1.12/https for user "admin" 58356: 3/3/2015 14:08:39 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55811 to MGMT:10.27.1.12/https for user "admin" 58368: 3/3/2015 14:08:39 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55812 to MGMT:10.27.1.12/https for user "admin" 59747: 3/3/2015 14:08:54 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55813 to MGMT:10.27.1.12/https for user "admin"  |
|
Time to create page: 0.098 seconds