Anyconnect authentication syslog messages:
1. Failure with an invalid or non-existent username
<164>%FTD-4-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.2.100 : user = ***** : user IP = 203.0.113.138
2. Failure with a valid username
<164>%FTD-4-722041: TunnelGroup <SSLVPN-AD> GroupPolicy <SSLVPN-GP> User <vpnuser1> IP <203.0.113.138> No IPv6 address available for SVC connection
3. Successful login
<164>%FTD-4-722051: Group <SSLVPN-GP> User <vpnuser1> IP <203.0.113.138> IPv4 Address <192.168.100.100> IPv6 address <::> assigned to session
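As an added example (not part of the original post), the following Python script parses the three AnyConnect message IDs shown above (113005, 722041, 722051) and counts AAA rejections per source IP so that repeated failures from one address stand out. The sample lines are constructed from the post's own messages (including the collector-prefixed form used later on this page) with documentation IP addresses; the failure threshold of 3 and the event labels are assumptions made for the example, following the post's own description of each message.

```python
import re
from collections import Counter

# Constructed sample lines in the two formats shown on this page: the raw "<PRI>%FTD-..."
# form and the collector-prefixed form ("02-04-2022 13:38:47 Local4.Info 172.16.1.19 %FTD-...").
SAMPLE_LOGS = """\
<164>%FTD-4-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.2.100 : user = ***** : user IP = 203.0.113.138
<164>%FTD-4-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.2.100 : user = ***** : user IP = 203.0.113.138
<164>%FTD-4-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.2.100 : user = ***** : user IP = 203.0.113.138
<164>%FTD-4-722041: TunnelGroup <SSLVPN-AD> GroupPolicy <SSLVPN-GP> User <vpnuser1> IP <203.0.113.138> No IPv6 address available for SVC connection
<164>%FTD-4-722051: Group <SSLVPN-GP> User <vpnuser1> IP <203.0.113.138> IPv4 Address <192.168.100.100> IPv6 address <::> assigned to session
02-04-2022 13:38:47 Local4.Info 172.16.1.19 %FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 172.16.1.12 : user = ***** : user IP = 192.168.2.250
"""

# Message ID, severity digit and free text; whatever precedes "%FTD-" (PRI or collector prefix) is ignored.
MSG_RE = re.compile(r"%FTD-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)$")

# 113005 carries "key = value" pairs separated by " : " (values here contain no colons);
# 722041 and 722051 carry "Name <value>" fields.
KV_RE = re.compile(r"(?P<key>[\w ]+?)\s*=\s*(?P<val>[^:]+?)(?=\s*:\s*|$)")
ANGLE_RE = re.compile(r"(?P<key>[A-Za-z0-9 ]+?)\s*<(?P<val>[^>]*)>")

# Labels follow the post's description of each message (assumed naming for this example).
EVENT_KIND = {
    "113005": "auth_rejected",        # AAA rejected the credentials
    "722041": "no_ipv6_for_session",  # valid user, session set up without an IPv6 address
    "722051": "address_assigned",     # successful login, address assigned to the session
}


def parse_line(line):
    """Return {"id", "severity", "kind", "fields"} for a FTD syslog line, or None if unrecognised."""
    m = MSG_RE.search(line)
    if not m:
        return None
    msg_id, sev, text = m.group("id"), int(m.group("sev")), m.group("text")
    fields = {}
    if msg_id == "113005":
        for kv in KV_RE.finditer(text):
            fields[kv.group("key").strip()] = kv.group("val").strip()
    else:
        for kv in ANGLE_RE.finditer(text):
            fields[kv.group("key").strip()] = kv.group("val")
    return {"id": msg_id, "severity": sev, "kind": EVENT_KIND.get(msg_id, "other"), "fields": fields}


def summarize(lines, failure_threshold=3):
    """Parse every line, count AAA rejections per source IP and collect successful logins."""
    failures = Counter()
    successes = []
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        events.append(ev)
        if ev["kind"] == "auth_rejected":
            failures[ev["fields"].get("user IP", "unknown")] += 1
        elif ev["kind"] == "address_assigned":
            f = ev["fields"]
            successes.append((f.get("User"), f.get("IP"), f.get("IPv4 Address")))
    # Source IPs at or above the threshold are worth an alert (threshold is an assumed value).
    flagged = sorted(ip for ip, n in failures.items() if n >= failure_threshold)
    return {"events": events, "failures": dict(failures), "flagged": flagged, "successes": successes}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOGS.splitlines())
    print("rejections per source IP:", result["failures"])
    print("flagged source IPs:", result["flagged"])
    print("successful logins (user, peer IP, assigned IPv4):", result["successes"])
```

Feed the script the lines your collector receives from FTD; the 113005 count per source IP is the same signal the email alert below is built on, but aggregated so that a single address producing many rejections is visible without reading every line.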
Generate Email Alert for syslog
02-04-2022 13:38:47 Local4.Info 172.16.1.19 %FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 172.16.1.12 : user = ***** : user IP = 192.168.2.250
1. Specify an SMTP server.
There is no way to configure SMTP login credentials in FMC. In the lab, the SMTP service on the Windows AD server was used, with its smart host pointed at the home ISP's SMTP server.
2. Specify the sender and recipient email addresses and the syslog severity.
3. Create a custom event list and specify the message ID.
4. Configure Email as the destination.
=============================================
Generate syslog for traffic
Syslog generated from the platform settings contains only connection info; syslog generated from the ACP also carries the rule info.
1. Use a Syslog Alert as the destination
1.1 Policies > Alerts: create a Syslog Alert
1.2 In the ACP > Logging tab, define the default syslog setting
2. Syslog settings in the platform settings
2.1 Define the syslog server
Syslog for VPN
In the platform settings, enable VPN logging to FMC.
If you choose the Logging Level "6 - Informational", deploying the policy gives a warning.
The suggested Logging Level is "4 - Warning".
We can then change a syslog message's severity from the default Informational to Warning when we need to see that specific message in FMC even though its default severity is Informational.
Syslog Settings > Enable Individual Syslog Messages:
here we can disable a syslog ID or change a syslog ID's default logging level.