TOPIC: How to audit cisco ASA administrator login

How to audit cisco ASA administrator login 1 year 8 months ago #38605

  • azh
Hi

We need to audit administrators' logins to a Cisco ASA firewall (to monitor how many times the admin logs in to the firewall in a month). The firewall is sending syslog level 6 (info) to a syslog server, which includes syslog IDs 605004 and 605005.

We've managed to extract the access log, but the firewall logs a lot of lines for each single login attempt.

I would like to know how many lines the ASA logs for each login, and are there any tools/software to audit the login attempts? Thank you....


34588: 3/3/2015 14:05:04 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55791 to MGMT:10.27.1.12/https for user "admin"
37192: 3/3/2015 14:05:27 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55792 to MGMT:10.27.1.12/https for user "admin"
38441: 3/3/2015 14:05:36 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55793 to MGMT:10.27.1.12/https for user "admin"
39639: 3/3/2015 14:05:45 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55794 to MGMT:10.27.1.12/https for user "admin"
41364: 3/3/2015 14:06:02 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55795 to MGMT:10.27.1.12/https for user "admin"
42527: 3/3/2015 14:06:16 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55796 to MGMT:10.27.1.12/https for user "admin"
43654: 3/3/2015 14:06:33 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55797 to MGMT:10.27.1.12/https for user "admin"
44140: 3/3/2015 14:06:40 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55798 to MGMT:10.27.1.12/https for user "admin"
45132: 3/3/2015 14:06:51 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55799 to MGMT:10.27.1.12/https for user "admin"
46429: 3/3/2015 14:07:05 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55800 to MGMT:10.27.1.12/https for user "admin"
47072: 3/3/2015 14:07:10 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55801 to MGMT:10.27.1.12/https for user "admin"
48745: 3/3/2015 14:07:28 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55802 to MGMT:10.27.1.12/https for user "admin"
49666: 3/3/2015 14:07:39 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55803 to MGMT:10.27.1.12/https for user "admin"
51012: 3/3/2015 14:07:48 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55804 to MGMT:10.27.1.12/https for user "admin"
53178: 3/3/2015 14:08:03 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55805 to MGMT:10.27.1.12/https for user "admin"
55247: 3/3/2015 14:08:17 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55806 to MGMT:10.27.1.12/https for user "admin"
55931: 3/3/2015 14:08:22 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55807 to MGMT:10.27.1.12/https for user "admin"
57705: 3/3/2015 14:08:34 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55808 to MGMT:10.27.1.12/https for user "admin"
58013: 3/3/2015 14:08:36 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55809 to MGMT:10.27.1.12/https for user "admin"
58023: 3/3/2015 14:08:36 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55810 to MGMT:10.27.1.12/https for user "admin"
58356: 3/3/2015 14:08:39 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55811 to MGMT:10.27.1.12/https for user "admin"
58368: 3/3/2015 14:08:39 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55812 to MGMT:10.27.1.12/https for user "admin"
59747: 3/3/2015 14:08:54 Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from 10.27.108.4/55813 to MGMT:10.27.1.12/https for user "admin"
:)
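Added example, not part of the original post: one way to turn the per-connection 605005 lines above into a login count is to group events by user, source IP and service, and treat a burst of events as a single session. The 10-minute idle gap, the day-first date format and the sample lines are assumptions made for this sketch.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

TS_FORMAT = "%d/%m/%Y %H:%M:%S"   # assumption: day-first dates; adjust if month-first
IDLE_GAP = timedelta(minutes=10)  # assumption: a longer silence starts a new session
LINE_RE = re.compile(
    r'(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}) .*?'
    r'%ASA-6-605005: Login permitted from (?P<src>[^/\s]+)/\d+ '
    r'to [^:\s]+:[^/\s]+/(?P<svc>\S+) for user "(?P<user>[^"]*)"')

# Constructed sample lines in the format shown in the post (not real data).
_P = "Local7.Info 10.27.1.1 %ASA-6-605005: Login permitted from"
SAMPLE = [
    f'1: 3/3/2015 14:05:04 {_P} 10.27.108.4/55791 to MGMT:10.27.1.12/https for user "admin"',
    f'2: 3/3/2015 14:05:27 {_P} 10.27.108.4/55792 to MGMT:10.27.1.12/https for user "admin"',
    f'3: 3/3/2015 17:30:00 {_P} 10.27.108.4/56010 to MGMT:10.27.1.12/https for user "admin"',
    f'4: 4/3/2015 09:00:00 {_P} 10.27.108.9/40000 to MGMT:10.27.1.12/ssh for user "ops"',
]

def parse(lines):
    """Yield (timestamp, user, source IP, service) for each 605005 line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FORMAT), m["user"], m["src"], m["svc"]

def sessions(lines, idle_gap=IDLE_GAP):
    """Collapse bursts of 605005 events into sessions (list of dicts)."""
    latest = {}   # (user, src, svc) -> most recent session for that key
    result = []
    for ts, user, src, svc in sorted(parse(lines)):
        key = (user, src, svc)
        cur = latest.get(key)
        if cur and ts - cur["end"] <= idle_gap:
            cur["end"] = ts          # same burst: extend the session
            cur["events"] += 1
        else:
            cur = {"user": user, "src": src, "svc": svc,
                   "start": ts, "end": ts, "events": 1}
            latest[key] = cur
            result.append(cur)
    return result

def monthly_counts(lines):
    # Sessions per (YYYY-MM, user), keyed on the session start time.
    return Counter((s["start"].strftime("%Y-%m"), s["user"]) for s in sessions(lines))

if __name__ == "__main__":
    print(monthly_counts(SAMPLE))
```

The idle gap decides what counts as one login, so record the value used alongside any monthly figure reported from this.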