Create a Custom Event List

Create a custom event list when you are sending ASA syslog events to the Cisco Cloud using one of these methods:

You can create an event list, also referred to as a message_list, based on the following three criteria:

  • Event Class

  • Severity

  • Message ID

To create a custom event list to send to a specific logging destination (for example, a syslog server or a Secure Event Connector), perform the following steps:

Procedure


Step 1

From the left navigation bar, click Security Devices.

Step 2

Click the Devices tab.

Step 3

Click the appropriate tab and select the ASA whose syslog messages you want to include in a custom event list.

Step 4

In the Device Actions pane, click >_ Command Line Interface.

Step 5

Use this command syntax to issue the logging list command to the ASA:

logging list name { level level [ class message_class ]| message start_id [ -end_id ]}

The name argument specifies the name of the list. The level level keyword and argument pair specify the severity level. The class message_class keyword-argument pair specify a particular message class. The message start_id [-end_id] keyword-argument pair specify an individual syslog message number or a range of numbers.

Note

Do not use the names of severity levels as the name of a syslog message list. Prohibited names include emergencies, alert, critical, error, warning, notification, informational, and debugging. Similarly, do not use the first three characters of these words at the beginning of an event list name. For example, do not use an event list name that starts with the characters "err."

  • Add syslog messages to the event list based on severity. For example, if you set the severity level to 3, then the ASA sends syslog messages for severity levels 3, 2, and 1.

    Example:

    > logging list asa_syslogs_to_cloud level 3 
  • Add syslog messages based on other criteria to the event list:

    Enter the same command as in the previous step, specifying the name of the existing message list and the additional criterion. Enter a new command for each criterion that you want to add to the list. For example, you can specify criteria for syslog messages to be included in the list as the following:

    • Syslog message IDs that fall into the range of 302013-302018.

    • All syslog messages with the critical severity level or higher (emergency, alert, or critical).

    • All HA class syslog messages with the warning severity level or higher (emergency, alert, critical, error, or warning).

      Example:

      > logging list asa_syslogs_to_cloud message 302013-302018 
      > logging list asa_syslogs_to_cloud level critical 
      > logging list asa_syslogs_to_cloud level warning class ha 
      Note

      A syslog message is logged if it satisfies any of these conditions. If a syslog message satisfies more than one of the conditions, the message is logged only once.

Step 6

Save your Changes to the Startup Config

At the command prompt, type write memory.

Example:

> write memory