
Cisco Defense Orchestrator

Create a Custom Event List

Create a custom event list when you are sending ASA syslog events to the Cisco Cloud using one of these methods:

You can create an event list, also referred to as a message_list, based on the following three criteria: 

  • Event Class

  • Severity

  • Message ID

Procedure

To create a custom event list to send to a specific logging destination (for example, a Syslog server or the Secure Event Connector), perform the following steps:

  1. In the Devices & Services page, select the ASA whose syslog messages you want to include in a custom event list. 
  2. In the Device Actions pane, click >_ Command Line Interface.
  3. Use this command syntax to issue the logging list command to the ASA:

logging list name {level level [class message_class] | message start_id[-end_id]}

The name argument specifies the name of the list. The level level keyword-argument pair specifies the severity level. The class message_class keyword-argument pair specifies a particular message class. The message start_id[-end_id] keyword-argument pair specifies an individual syslog message number or a range of numbers.

Note: Do not use the names of severity levels as the name of a syslog message list. Prohibited names include emergencies, alert, critical, error, warning, notification, informational, and debugging. Similarly, do not use the first three characters of these words at the beginning of an event list name. For example, do not use an event list name that starts with the characters “err.”

  • Add syslog messages to the event list based on severity. For example, if you set the severity level to 3, then the ASA sends syslog messages for severity levels 3, 2, and 1.  

Example:

> logging list asa_syslogs_to_cloud level 3

  • Add syslog messages based on other criteria to the event list.

Enter the same command as in the previous step, specifying the name of the existing message list and the additional criterion. Enter a new command for each criterion that you want to add to the list. For example, you can specify criteria for syslog messages to be included in the list as the following:

  • Syslog message IDs that fall into the range of 302013-302018.
  • All syslog messages with the critical severity level or higher (emergency, alert, or critical).
  • All HA class syslog messages with the warning severity level or higher (emergency, alert, critical, error, or warning).

Example:

> logging list asa_syslogs_to_cloud message 302013-302018
> logging list asa_syslogs_to_cloud level critical
> logging list asa_syslogs_to_cloud level warning class ha

Note: A syslog message is logged if it satisfies any of these conditions. If a syslog message satisfies more than one of the conditions, the message is logged only once. 

  4. Save your changes to the startup configuration.

At the command prompt, type write memory.

Example:

> write memory
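The matching rules described in the procedure above (a message is logged if it satisfies any criterion, and only once; level N means N or more severe; the class keyword narrows a level criterion) are easy to get wrong when building a list out of several commands. The following Python simulation is an added example, not Cisco's code and not something the ASA runs: it parses the three logging list commands from this page, applies the naming rule from the note, and shows which messages from a constructed sample set the list would forward. It assumes the standard ASA numeric severities (0 emergencies through 7 debugging), that a level criterion selects messages whose severity is numerically less than or equal to the given level, and that each sample message carries its ID, severity and class as plain fields; the sample IDs, severities and classes are constructed for illustration.

```python
# Added example (not Cisco's code): a small simulation of how an ASA applies
# a 'logging list' to syslog messages, so you can check which events a custom
# event list would forward before committing it on a device.
#
# Assumptions (mine, not stated on the page): severity is the numeric ASA
# level 0 (emergencies) .. 7 (debugging); "level N" selects messages whose
# severity is N or more severe (numerically <= N); message classes and IDs
# are provided as plain fields on each message.

# ASA severity names mapped to their numeric level (0 = most severe).
SEVERITY = {
    "emergencies": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "informational": 6, "debugging": 7,
}
# Names starting with these three-character prefixes are not allowed as list names.
FORBIDDEN_PREFIXES = tuple(name[:3] for name in SEVERITY)


def validate_list_name(name):
    """Reject list names that are severity names or start with their first three characters."""
    lower = name.lower()
    if lower in SEVERITY or lower.startswith(FORBIDDEN_PREFIXES):
        raise ValueError(f"'{name}' is not a valid event list name")
    return name


def parse_level(token):
    """Accept a numeric severity ('3') or its name ('error')."""
    if token.isdigit():
        level = int(token)
        if level not in SEVERITY.values():
            raise ValueError(f"severity out of range: {token}")
        return level
    return SEVERITY[token.lower()]


def parse_logging_list(line):
    """Parse one 'logging list <name> {level L [class C] | message S[-E]}' command.

    Returns (name, criterion) where criterion is ('level', L, class_or_None)
    or ('message', start_id, end_id).
    """
    tokens = line.split()
    if tokens[:2] != ["logging", "list"] or len(tokens) < 5:
        raise ValueError(f"not a logging list command: {line!r}")
    name = validate_list_name(tokens[2])
    kind, arg, rest = tokens[3], tokens[4], tokens[5:]
    if kind == "level":
        msg_class = rest[1].lower() if len(rest) == 2 and rest[0] == "class" else None
        if msg_class is None and rest:
            raise ValueError(f"unexpected arguments: {rest}")
        return name, ("level", parse_level(arg), msg_class)
    if kind == "message":
        start, _, end = arg.partition("-")
        return name, ("message", int(start), int(end or start))
    raise ValueError(f"unknown criterion: {kind}")


def build_event_lists(commands):
    """Group criteria by list name; one command adds one criterion, as on the ASA."""
    lists = {}
    for line in commands:
        name, criterion = parse_logging_list(line)
        lists.setdefault(name, []).append(criterion)
    return lists


def matches(criterion, msg):
    """True when a single criterion selects this message."""
    if criterion[0] == "level":
        _, level, msg_class = criterion
        return msg["severity"] <= level and (msg_class is None or msg["class"] == msg_class)
    _, start, end = criterion
    return start <= msg["id"] <= end


def filter_messages(criteria, messages):
    """Return the messages the list would log: any criterion matches, each message at most once."""
    return [m for m in messages if any(matches(c, m) for c in criteria)]


# The three commands from the procedure on this page.
PAGE_COMMANDS = [
    "logging list asa_syslogs_to_cloud message 302013-302018",
    "logging list asa_syslogs_to_cloud level critical",
    "logging list asa_syslogs_to_cloud level warning class ha",
]

# Constructed sample messages (IDs, severities and classes chosen for illustration only).
SAMPLE_MESSAGES = [
    {"id": 302013, "severity": 6, "class": "session"},  # inside the ID range
    {"id": 302020, "severity": 6, "class": "session"},  # outside the range, severity too low
    {"id": 105003, "severity": 1, "class": "ha"},       # matches two criteria, logged once
    {"id": 111008, "severity": 5, "class": "config"},   # no criterion matches
    {"id": 105008, "severity": 4, "class": "ha"},       # warning or higher in class ha
    {"id": 106023, "severity": 4, "class": "session"},  # warning, but wrong class
]

if __name__ == "__main__":
    lists = build_event_lists(PAGE_COMMANDS)
    for m in filter_messages(lists["asa_syslogs_to_cloud"], SAMPLE_MESSAGES):
        print(m["id"], m["severity"], m["class"])
```

Running the block prints the three messages the list selects (302013 by ID range, 105003 by severity, 105008 by severity and class); 105003 appears once even though both level criteria match it, and 106023 is dropped because the warning criterion is restricted to class ha. The same functions can be pointed at your own command set to confirm a list is neither wider nor narrower than intended before you send it to the cloud.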