How to audit Configuration Change Events on your ASAs

Document created by rkent on Jul 22, 2015

Wrote up the following response below and thought I'd share it as a KB article of sorts. Still some cleanup/editing to do, so bear with me.


---


If your Cisco ASAs are not connected to an ACS server, then you'll want to look at event codes 111008 and 111010 directly from the ASA firewall; the 'File Name' field will contain the command that was run.


Here's the link to examine those specific events and Cisco's official description:


Cisco ASA Series Syslog Messages - Syslog Messages 101001-520025 [Cisco ASA 5500-X Series Next-Generation Firewalls] - C…

    111008

Error Message %ASA-5-111008: User user executed the command string

Explanation: The user entered any command, with the exception of a show command.

Recommended Action: None required.

    111010

Error Message %ASA-5-111010: User username, running application-name from IP ip addr, executed cmd

Explanation: A user made a configuration change.

  • username — The user making the configuration change
  • application-name — The application that the user is running
  • ip addr — The IP address of the management station
  • cmd — The command that the user has executed

Recommended Action: None required.

In a nutshell, you get a 111008 event for every command executed and a 111010 for those that modify configuration. For the 111008 event, the command executed is stored in the field 'fileName'; for 111010, it's in 'destinationProcessName'.

You'll also notice that both events start with %ASA-5-*, meaning they are logged at level 5 (Notifications). If your current trap logging level is set to 1-4, then you need to configure the ASA to send these events even though they don't meet the logging threshold (see: ASA send syslog messages for configuration changes):

    logging list notif-cfg-changes message 111008-111010
    logging list notif-cfg-changes level errors
    logging trap notif-cfg-changes

Without such a list, to have these messages sent by your ASA you will need your logging level set to Notifications, Informational or Debugging, e.g.:

    hostname(config)# logging trap info
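As an added example (not part of the original article), here is a small Python audit script that applies the two points above to raw syslog lines: it pulls user, management-station IP and command out of 111008/111010 events, keeps only the configuration changes, and checks whether a given trap level or 'logging list' would have forwarded a line at all. The exact quoting of user and command in the message body is assumed from common ASA output, and the sample lines are constructed, not real captures.

```python
import re
from dataclasses import dataclass

# Patterns follow the usual ASA wording for 111008/111010 message bodies;
# the quoting of user/command is an assumption, so adjust to your own logs.
RE_111008 = re.compile(
    r"%ASA-(?P<sev>\d)-111008: User '(?P<user>[^']*)' executed the "
    r"'(?P<cmd>.*)' command\.?\s*$")
RE_111010 = re.compile(
    r"%ASA-(?P<sev>\d)-111010: User '(?P<user>[^']*)', running '(?P<app>[^']*)' "
    r"from IP (?P<ip>[0-9A-Fa-f.:]+), executed '(?P<cmd>.*)'\s*$")

@dataclass
class CommandEvent:
    msg_id: str
    severity: int            # the digit after %ASA-; 5 = Notifications
    user: str
    command: str
    config_change: bool      # True only for 111010
    app: str = ""            # 111010 only (e.g. CLI, ASDM)
    src_ip: str = ""         # 111010 only: management station address

def parse_command_event(line):
    """Return a CommandEvent for a 111008/111010 line, or None for anything else."""
    m = RE_111010.search(line)
    if m:
        return CommandEvent("111010", int(m["sev"]), m["user"], m["cmd"],
                            True, m["app"], m["ip"])
    m = RE_111008.search(line)
    if m:
        return CommandEvent("111008", int(m["sev"]), m["user"], m["cmd"], False)
    return None

def config_changes(lines):
    """Keep only the events that actually modified configuration (111010)."""
    events = (parse_command_event(l) for l in lines)
    return [e for e in events if e is not None and e.config_change]

def forwarded_by_trap(line, trap_level, listed_ids=()):
    """True if the ASA would send the line: severity <= trap level (0 is most
    severe) or its message id is on a 'logging list' bound with 'logging trap'."""
    m = re.search(r"%ASA-(\d)-(\d{6}):", line)
    return bool(m) and (int(m[1]) <= trap_level or m[2] in listed_ids)

# Constructed sample lines (not real captures) in the format quoted above.
SAMPLE_LOG = [
    "<189>Jul 22 2015 10:15:01 fw01 %ASA-5-111008: User 'admin' executed the 'configure terminal' command.",
    "<189>Jul 22 2015 10:15:03 fw01 %ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.5, executed 'no logging buffered debugging'",
    "<189>Jul 22 2015 10:15:03 fw01 %ASA-5-111008: User 'admin' executed the 'no logging buffered debugging' command.",
    "<190>Jul 22 2015 10:15:09 fw01 %ASA-6-302013: Built outbound TCP connection 12345 for outside:10.1.1.1/443 (10.1.1.1/443) to inside:10.0.0.7/51000 (10.0.0.7/51000)",
]
```

Running `config_changes(SAMPLE_LOG)` yields the single 111010 event, while `forwarded_by_trap(SAMPLE_LOG[1], 3)` is False until the 111008-111010 list is supplied, which is exactly the gap the 'logging list' commands close.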

If using Cisco ASDM, use the following guide to ensure you get the events: ASA 8.2: Configure Syslog using ASDM - Cisco
