Logging facility on ASA

I noticed when I try to specify the logging facility on the ASA, it only allows values in the range of 16-23. My problem is the syslog server doesn't seem to have local 16-23 (it only has local 0-7). My goal is to specify different devices (e.g. router -> local1; switches -> local2; firewall -> local3, etc.) to point to different facilities on the syslog server.
If anyone has a quick answer to this, it would be much appreciated.

0 - 7 are severity levels and
16 - 23 are facility levels
" Most UNIX systems expect the system log messages to arrive at facility 20 "
Check the links below:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/l2.html#wp1750424
http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logconf.html#wp1106984
And syslog servers can listen on only one facility level. Please let me know if you come across anything that can be configured with 2 facility levels.
HTH
Vikram

Similar Messages

  • How to Enable logging of the ASA 5525?

    I need help to enable logging of the ASA 5525 for all new rules created today from the firewall module, and for rules changed, deleted and disabled.
    Not found in the historic level of the ID on new firewall rules.
    0 or emergencies—System is unusable.
    1 or alerts—Immediate action needed.
    2 or critical—Critical conditions.
    3 or errors—Error conditions.
    4 or warnings—Warning conditions.
    5 or notifications—Normal but significant conditions.
    6 or informational—Informational messages.
    7 or debugging—Debugging messages.
    Thank you.

    You cannot log only those changes but you can log *all* changes.
    The messages 111008 and 111010 are the ones to look for (as described in this post).
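
One way to pull those two message IDs out of a syslog stream at the collector and narrow them to access-rule changes, as an added example that is not from the original post. The sample lines are constructed, and the assumption that the user and command appear in single quotes follows the usual wording of these messages.

```python
import re

# Message IDs named in the reply above as the ones that record changes.
CHANGE_IDS = {"111008", "111010"}

ASA_MSG = re.compile(r"%ASA-(?P<level>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")
USER = re.compile(r"User '(?P<user>[^']*)'")
# Greedy match so a command that itself contains quotes is kept whole.
COMMAND = re.compile(r"executed (?:the )?'(?P<cmd>.*)'")
SOURCE = re.compile(r"from IP (?P<ip>[^,\s]+)")
# Commands treated as "rule" changes in this example (an assumption).
RULE_KEYWORDS = {"access-list", "access-group"}


def config_changes(lines):
    """Return one event per 111008/111010 message found in the lines."""
    events = []
    for line in lines:
        msg = ASA_MSG.search(line)
        if msg is None or msg["id"] not in CHANGE_IDS:
            continue
        user = USER.search(msg["text"])
        cmd = COMMAND.search(msg["text"])
        src = SOURCE.search(msg["text"])
        # Keep the event even when a field cannot be parsed: an audit
        # trail should not silently drop a change record.
        events.append({
            "id": msg["id"],
            "user": user["user"] if user else None,
            "command": cmd["cmd"] if cmd else None,
            "source_ip": src["ip"] if src else None,
        })
    return events


def rule_changes(events):
    """Narrow change events to those that add or remove access rules."""
    out = []
    for ev in events:
        words = (ev["command"] or "").split()
        removed = bool(words) and words[0] == "no"
        if removed:
            words = words[1:]
        if words and words[0] in RULE_KEYWORDS:
            out.append({**ev, "action": "removed" if removed else "added"})
    return out


# Constructed sample lines; hostnames, users and addresses are made up.
SAMPLE = [
    "<166>Jan 05 2024 10:00:01: %ASA-6-302013: constructed connection message",
    "<165>Jan 05 2024 10:01:00: %ASA-5-111008: User 'admin' executed the "
    "'access-list outside_in extended permit tcp any host 192.0.2.10 eq 443' command.",
    "<165>Jan 05 2024 10:02:00: %ASA-5-111010: User 'admin', running 'CLI' "
    "from IP 10.0.0.5, executed 'no access-list outside_in extended permit tcp any any eq 23'",
    "<165>Jan 05 2024 10:03:00: %ASA-5-111008: User 'ops' executed the "
    "'logging facility 22' command.",
    "<167>Jan 05 2024 10:04:00: %ASA-7-111009: User 'ops' executed cmd: show running-config",
]

if __name__ == "__main__":
    for ev in rule_changes(config_changes(SAMPLE)):
        print(ev["action"], ev["user"], ev["source_ip"], ev["command"])
```

Both messages are level 5 (notifications), so the `logging trap` level on the ASA has to be notifications or a more verbose level for them to reach the collector.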

  • J2SE 1.4 Logging facility

    Hi,
    Can anyone provide me with links to examples of using J2SE 1.4's Logging API?
    Thanks,
    Amit

    Hi,
    Here's a couple of classes:
    The first is simple logging facility I've written using the logging API (not a complete class - just the relevant method), the second is a generic error class to capture some consistent data across my application.
    Drop me an e-mail if you're still stuck.
    Regards
    Peter.
    import java.io.File;
    import java.io.IOException;
    import java.util.Date;
    import java.util.logging.FileHandler;
    import java.util.logging.Level;

    // Method from the logging class; errorLog is that class's java.util.logging.Logger field.
    public void logError(ClientError error)
    {
        FileHandler fh = null;
        try
        {
            String logDirectoryPath = System.getProperty("user.home")
                    + "/Pisces/Log/";
            String filePath = logDirectoryPath + "Error_log.xml";
            File logDirectory = new File(logDirectoryPath);
            // Create the log directory (and any missing parents) on first use.
            if (!logDirectory.exists())
            {
                logDirectory.mkdirs();
            }
            // Append to the existing log file rather than overwriting it.
            fh = new FileHandler(filePath, true);
            errorLog.addHandler(fh);
            errorLog.logp(Level.SEVERE,
                    error.getClassName(),
                    error.getMethodName(),
                    error.getStackTrace());
        }
        catch (IOException e) { e.printStackTrace(System.out); }
        finally
        {
            // fh is still null if the FileHandler constructor threw.
            if (fh != null)
            {
                // Detach before closing so handlers do not pile up across calls.
                errorLog.removeHandler(fh);
                fh.close();
            }
        }
    }

    // Generic error class that captures consistent data across the application.
    public class ClientError {
        private String className;
        private String methodName;
        private Date errorTime;
        private String errorMessage;
        private String stackTrace;

        public ClientError() { }

        public void setClassName(String className) { this.className = className; }
        public String getClassName() { return className; }

        public void setMethodName(String methodName) { this.methodName = methodName; }
        public String getMethodName() { return methodName; }

        /* In case we want to set the time where the error occurred. */
        public void setErrorTime(Date errorTime) { this.errorTime = errorTime; }
        /* Sets the date to the current time */
        public void setErrorTime() { errorTime = new Date(); }
        public Date getErrorTime() { return errorTime; }

        public void setErrorMessage(String errorMessage) { this.errorMessage = errorMessage; }
        public String getErrorMessage() { return errorMessage; }

        public void setStackTrace(String stackTrace) { this.stackTrace = stackTrace; }
        public String getStackTrace() { return stackTrace; }
    }

  • Best Log Setting for ASA & MARS

    Hi,
    I'm going back and trying to clean up our MARS install a little bit now that I have some time. I need to update MARS to the latest version, but right now I'm just trying to wade through some of the undefined logs coming from our ASA. Is there any guideline as to what the best log settings are for logs coming from the ASA for MARS? Right now it looks like everything is set up to be forwarded. Does anyone have any suggestions for what they have their log settings at to capture the best amount of information, but not have to wade through everything else?
    Thanks

    Which syslogs are these specifically? We don't get any undefined events from our FWSM(s)? We get a plenty from the Netscreen (but AFAIR this is documented on CCO) that the support is not 'complete' as of yet.
    The recommended level for ASA/PIX as per the Cisco Guide and 'many' discussion on Cisco MARS User Group is 'debugging'. Under normal operation not a lot of level 7 messages are generated.
    Regards
    Farrukh

  • Error logging facility and approach

    What kind of facilities does Java provide for error logging? I like to be able to globally turn logging on and off, and the logging output can be directly to either the console or log file.
    What are some of the general logging approaches java programmers take?

    Adding to my question:
    Some application provide crash reporting capabilities.
    How do I do that in Java, and where can I read more
    about this subject? Should logging generally be
    turned off in production systems to improve
    performance? If it is turned on in the same way that it is turned on when it is delivered to QA.

  • Logging facility for BC4J developers... any idea?

    Guys,
    Has someone implemented any logging tool like log4j with BC4J?
    This is a quite basic requirement in my development project and I'd certainly appreciate any information about the subject.
    Thanks
    Sandro Rehder

    Steve,
    The issue is that the Tester startup cmd line does not append the Project JPR
    Runner-->java options and Runner program args to the cmd line like what I have for java options:
    This means that 3rd party libs can not be properly parameterized under the tester, unless I'm missing
    something (again). :)
    Just a few of my java options:
    -Djscribe.scribeHostEnvVar=http://otn.oracle.com -Djscribe.scribeFindOffenderURLEnvVar=/products/jdev/content.html -Dorg.apache.commons.logging.simplelog.showlogname=true -Dorg.apache.commons.logging.simplelog.showdatetime=true -Dorg.apache.commons.logging.simplelog.defaultlog=all -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.SimpleLog -Dlog4j.debug -Djbo.logging.trace.threshold=9 -Djbo.logging.show.timing=true -Djbo.debugoutput=console -Djbo.jdbc.trace=true
    are not appended to the Tester cmd line. I've just launched a Tester and here's its cmd line:
    "D:\Jdev\jdk\bin\javaw.exe" -classpath "D:\Jdev\BC4J\jlib\bc4jtester.jar;D:\Jdev\jlib\jdev-cm.jar;D:\Jdev\lib\xmlparserv2.jar;D:\Jdev\jlib\help4-nls.jar;D:\Jdev\jlib\help4.jar;D:\Jdev\jlib\share.jar;D:\Jdev\jlib\jewt4-nls.jar;D:\Jdev\jlib\jewt4.jar;D:\Jdev\jlib\oracle_ice5.jar;D:\Jdev\jdk\jre\lib\rt.jar;D:\Jdev\jdk\jre\lib\i18n.jar;D:\Jdev\jdk\jre\lib\sunrsasign.jar;D:\Jdev\jdk\jre\lib\jsse.jar;D:\Jdev\jdk\jre\lib\jce.jar;D:\Jdev\jdk\jre\lib\charsets.jar;D:\Jdev\jdk\jre\classes;D:\Jscribe\common\classes;H:\commonwa\commonws\common\public_html\WEB-INF\lib\datatags.jar;H:\jotfwa\otfws\otf\public_html\WEB-INF\lib\datatags.jar;D:\Jscribe\common\classes;D:\Jdev\j2ee\home\lib\ojsp.jar;D:\Jdev\j2ee\home\lib\ojsputil.jar;D:\Jdev\j2ee\home\oc4j.jar;D:\Jdev\lib\servlet.jar;D:\Jdev\jdev\lib\ojc.jar;D:\Jdev\BC4J\lib\bc4jhtml.jar;D:\Jdev\BC4J\lib\datatags.jar;D:\Jdev\BC4J\lib\uixtags.jar;D:\Jdev\BC4J\lib\bc4juixtags.jar;D:\Jdev\BC4J\jlib\bc4jjdbcpatch817.jar;D:\Jdev\BC4J\jlib\bc4jdatum817.jar;D:\Jdev\jdk\jre\lib\ext\activation.jar;D:\Jdev\jdk\jre\lib\ext\jcert.jar;D:\Jdev\jdk\jre\lib\ext\jndi.jar;D:\Jdev\jdk\jre\lib\ext\jnet.jar;D:\Jdev\jdk\jre\lib\ext\jta.jar;D:\Jdev\jdk\jre\lib\ext\mail.jar;D:\Jdev\j2ee\home\ejb.jar;D:\Jdev\j2ee\home\jaxp.jar;D:\Jdev\j2ee\home\jdbc.jar;D:\Jdev\j2ee\home\jaas.jar;D:\Jdev\j2ee\home\jsse.jar;D:\Jdev\BC4J\lib\bc4jct.jar;D:\Jdev\BC4J\lib\bc4jctejb.jar;D:\Jdev\BC4J\lib\collections.jar;D:\Jdev\j2ee\home\ejb.jar;D:\Jdev\jdk\jre\lib\ext\jndi.jar;D:\Jdev\jdk\jre\lib\ext\jta.jar;D:\Jdev\j2ee\home\oc4jclient.jar;D:\Jdev\j2ee\home\jaas.jar;D:\Jdev\BC4J\jlib\bc4jdomgnrc.jar;D:\Jdev\BC4J\jlib\bc4jui.jar;D:\Jdev\jlib\bigraphbean.jar;D:\Jdev\jlib\LW_PfjBean.jar;D:\Jdev\jdev\lib\jdev.jar;D:\Jdev\j2ee\home\lib\log4j-1.2.3.jar;D:\Jdev\j2ee\home\config;D:\Jdev\j2ee\home\lib\commons-logging.jar;D:\Jdev\jlib\regexp.jar;D:\Jdev\jlib\uix2.jar;D:\Jscribe\common\classes;D:\Jdev\lib\xmlcomp.jar;D:\Jdev\jdev\lib\jdev-rt.jar;D:\Jdev\sqlj\lib\runtime12.jar;D:\Jdev\BC4J\
lib\bc4jmt.jar;D:\Jdev\BC4J\lib\collections.jar;D:\Jdev\BC4J\lib\bc4jct.jar;D:\Jdev\jdk\jre\lib\ext\jndi.jar;D:\Jdev\jdbc\lib\classes12.jar;D:\Jdev\jdbc\lib\nls_charset12.jar;D:\Jdev\BC4J\lib\bc4jimdomains.jar;D:\Jdev\ord\jlib\ordim.jar;D:\Jdev\ord\jlib\ordhttp.jar;D:\Jdev\BC4J\lib\bc4jdomorcl.jar;D:\Jdev\BC4J\jlib\bc4jdatum.jar;" oracle.jbo.jbotester.MainFrame -X EE7F4DB6AD -H "jar:file:/D:/Jdev/jdev/doc/ohj/developing_bc_projects.jar!/developing_bc_projects.hs" curt

  • ASA Logging

    Hi,
    I want to save the logs generated in the ASA; how can I achieve this?
    I configured a syslog server, however the logs can't be saved, giving an "invalid format" error.
    Any other method?
    Thanks

    I export ASA logs to Redhat Linux using syslog.  On the ASA sending side this looks like:
    logging enable
    logging timestamp
    logging buffer-size 40960
    logging trap informational
    ! facility number is Unix local6
    logging facility 22
    ! syslog server interface and IP here
    logging host SYSLOG-INTERFACE  www.xxx.yyy.zzz
    On the Redhat Linux 6.x receiving side (rsyslog) this looks like:
    $ModLoad imudp
    $UDPServerRun 514
    local6.*                                                /var/log/asa/asa.log
    -- Jim Leinweber, WI State Lab of Hygiene
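
The facility numbering asked about in the first thread and used in the configuration above, as an added example that is not part of either post: ASA facility codes 16-23 are the syslog codes for local0-local7, and the `<PRI>` value on each packet is facility × 8 + severity. The device plan follows the question; the log paths and sample packets are constructed for illustration.

```python
import re

# Syslog facility codes (RFC 3164 / RFC 5424), by their common names.
# Codes 16-23 are local0-local7, the range "logging facility" accepts on the ASA.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
# Severity names as the ASA spells them (0-7).
SEVERITIES = ["emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def asa_facility_command(local_name):
    """Return the ASA command that selects the given Unix localN facility."""
    code = FACILITIES.index(local_name)  # ValueError for unknown names
    if code < 16:
        raise ValueError(f"{local_name} is not in the ASA range 16-23")
    return f"logging facility {code}"


def decode_pri(line):
    """Decode the leading <PRI> of a syslog packet into (facility, severity).

    PRI = facility * 8 + severity, so <182> is facility 22 (local6), severity 6.
    """
    m = PRI_RE.match(line)
    if m is None or int(m.group(1)) > 191:
        raise ValueError(f"no valid <PRI> header: {line[:20]!r}")
    facility, severity = divmod(int(m.group(1)), 8)
    return FACILITIES[facility], SEVERITIES[severity]


def rsyslog_rules(plan):
    """Build one rsyslog selector line per device class in the plan."""
    return [f"{fac}.*\t/var/log/{device}/{device}.log"
            for device, fac in sorted(plan.items(), key=lambda kv: kv[1])]


def sort_by_device(lines, plan):
    """Group received packets by device class, as the selectors above would."""
    by_facility = {fac: device for device, fac in plan.items()}
    out = {device: [] for device in plan}
    out["unmatched"] = []
    for line in lines:
        try:
            facility, _ = decode_pri(line)
        except ValueError:
            out["unmatched"].append(line)
            continue
        out[by_facility.get(facility, "unmatched")].append(line)
    return out


# Facility plan from the question: one localN per device class.
PLAN = {"router": "local1", "switches": "local2", "firewall": "local3"}

# Constructed sample packets as they arrive on UDP 514 (message text is made up).
SAMPLE = [
    "<141>Jan 05 10:00:01 rtr1 %SYS-5-CONFIG_I: constructed router message",   # 17*8+5
    "<148>Jan 05 10:00:02 sw1 %LINK-4-ERROR: constructed switch message",      # 18*8+4
    "<158>Jan 05 10:00:03 asa1 %ASA-6-302013: constructed firewall message",   # 19*8+6
    "<182>Jan 05 10:00:04 asa2 %ASA-6-302013: sent with logging facility 22",  # 22*8+6
    "no PRI header at all",
]

if __name__ == "__main__":
    print(asa_facility_command(PLAN["firewall"]))
    print("\n".join(rsyslog_rules(PLAN)))
    for device, msgs in sort_by_device(SAMPLE, PLAN).items():
        print(device, len(msgs))
```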

  • E-mail logging over SSL on ASA?

    Hi There,
    Is there a way to do e-mail logging using SSL/TLS on a Cisco ASA? SMTP seems straight forward, however, I can't do SMTP (Port 25 TCP) outbound as my ISP has it blocked.
    Thanks in advance!
    Matt

    Hi Donny,
    I am not using an ESA, I cannot seem to find any Cisco documentation on how to configure e-mail logging on an ASA using SSL/TLS.  Does this documentation exist? I am not having inspect issues, my pcaps show no 465/587 TCP traffic leaving my outside interface when a logging event occurs.  When I configure e-mail logging using SMTP I see port 25 TCP traffic leaving, so I must not be configuring it correctly for SSL/TLS.
    Thanks,
    Matt

  • ASA has messages log in denied from CSM to ASA

    Hi Everyone,
    Since I added the ASA to CSM 4.3, our syslog server always sees the message:
    Login denied from x.x.x.x/56432 to inside y.y.y.y/https for user ""
    where x is the CSM server IP
    and y is the firewall interface IP.
    And just a few seconds after this message I can see the CSM has successfully logged in to the Cisco ASA.
    I need to know why I get this message with a blank username.
    Regards
    Mahesh
    Message was edited by: mahesh parmar

    Hi Marvin,
    I checked under Configuration Manager: right click on the firewall in question and choose Device Properties, Credentials.
    Under Primary Credentials, the username, password and enable password are the same.
    Also below that, under
    HTTP Credentials,
    Use Primary Credentials is checked.
    Do I have to configure Credentials under the Policies window, Platform, Credentials also?
    Regards
    Mahesh

  • Activity log/audit trail log on asa

    My customer is asking how to have an audit trail log and activity log on their ASA.
    I need help please.
    Thanks

    Use an AAA server such as Cisco ACS (http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html)
    Hope that helps.

  • Need ASA DHCPD log with client hostname

    I recently switched from a Linux DHCP server to using DHCPD configuration on Cisco ASA 8.4 code.  With the Linux DHCP servers, the logs showed the hostname of the requesting DHCP client.  Unfortunately, I'm not seeing the hostname information in the DHCPD logs from the ASA.  How can I get the ASA to log the clients' hostname?
    Thanks

    I've got the Cisco VPN client 5.x setup with connection profile to Tunnel Group name and pre-shared key.
    Client is communicating with the ASA and is getting prompted for user login.  I have the ASA configured for aaa radius authentication to MS IAS on Windows 2003K server.   Experimenting on the IAS side between the IAS config "connection policies" and AD user profile.  I can now assign a static IP address to the remote VPN client which is nice!  This can be done two ways... either in IAS connection profile or in AD user profile.  What I'm working on next is having the IAS server pass back to the ASA (radius client) an ACL list # (filter.id = 80.id) where I have an access-list 80 statement defined.  Not finished up with setup.  Any advice/input on this piece would be helpful.
    The basic goals of this exercise/project include:
    1.  Remote Cisco VPN users authenticating with AD.
    2.  Pre-configured .pcf file created and deployed to remote users.
    3.  Unique static IP's assigned to all VPN users for audit purposes (or troubleshooting).
    4.  Apply ACL's to VPN users based on their assigned static IP so I can control what subnet's/IP's they can reach.
    So far so good... We are a month or so away from implementing our first Windows 2008 server, so I'm fine with getting this to work for our 20-30 remote users with IAS in Win2Kserver environment while I get educated on NSP.
    Joe

  • ASA does not propagate routes to VPN users

    Good afternoon
    I'm having an issue regarding the propagation of routes to VPN users that authenticate through the ASA tunnel-group.
    I have a VPN-Users-Pool from where my users receive their IP address, and after authentication and the tunnel is established the idea is for the user to get to the following networks defined in the following ACL:
    access-list Inside standard permit 10.1.0.0 255.255.0.0
    access-list Inside standard permit 192.168.15.0 255.255.224.0
    Now the problem is that after the tunnel is established the only route the user receives is the default route (which is not supposed to be sent). The user does not receive the specified routes in the ACL above. He also does not receive the netmask and assumes a /8 netmask (given that the network pool from where he is receiving the IP is a class A network).
    The network routing is working as expected (when I add the static routes directly to the user's PC, everything works OK). It's just the issue of the ASA not propagating the routes as it should.
    Here are my split tunneling settings:
    group-policy DefaultRAGroup attributes
    vpn-idle-timeout 1
    vpn-tunnel-protocol l2tp-ipsec
    pfs disable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Inside
    group-policy DfltGrpPolicy attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Inside
    Any ideas?
    I appreciate your help
    Best regards

    ajaychauhan
    Thank you for your reply. I'm sending the config below (I've cleared all confidential info such as IPs, passwords, timeout values, etc., but I think what you have below is enough to get a clear picture):
    ASA Version 8.2(1)
    hostname asa-xxxx
    enable password xxxxxxxxx encrypted
    passwd xxxxxxxxxx encrypted
    names
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 197.X.XX.XX 255.255.255.248
    interface GigabitEthernet0/1
    nameif vpncorp
    security-level 50
    ip address 10.X.XX.XX 255.255.255.248
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    speed 100
    duplex full
    nameif mgmt
    security-level 100
    ip address 10.x.xx.xx 255.255.255.240
    management-only
    ftp mode passive
    dns server-group DefaultDNS
    domain-name zz.df.es
    access-list Inside standard permit 10.1.0.0 255.255.0.0
    access-list Inside standard permit 192.168.15.0 255.255.224.0
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 14000
    logging buffered debugging
    logging asdm debugging
    logging facility 21
    logging host mgmt 10.xx.x.x
    logging class auth trap informational
    logging class config trap informational
    logging class ha trap informational
    logging class sys trap informational
    logging class vpdn trap informational
    logging class vpn trap informational
    mtu outside 1500
    mtu vpncorp 1500
    mtu mgmt 1500
    ip local pool VPN-01-pool 10.XX.XX.X-10.XX.XX.XX mask 255.255.252.0
    ip local pool VPN-02-pool 10.xx.xx.x-10.xx.xx.xx mask 255.255.252.0
    ip local pool VPN-USER-pool 192.168.xx.x-192.168.xx.xx mask 255.255.0.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    route outside 0.0.0.0 0.0.0.0 197.xx.xx.xx 1
    route vpncorp 10.x.x.x 255.xx.xx.xx 10.xx.xx.xx 1
    route vpncorp 10.xx.xx.xx 255.255.0.0 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.0 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.248 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.0 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server mgmtt protocol radius
    aaa-server mgmtt (mgmt) host 10.xx.x.xx
    timeout xxx
    key xxxxxxxxxx
    authentication-port xxx
    accounting-port xxxx
    aaa-server mgmtt (mgmt) host 10.xx.xx.xx
    timeout xxx
    key xxxxxx
    authentication-port xxxx
    accounting-port xxxx
    aaa-server Users protocol radius
    accounting-mode simultaneous
    interim-accounting-update
    aaa-server Users (mgmt) host 10.xx.xx.xx
    key xxxxx
    authentication-port xxxx
    accounting-port xxxx
    aaa-server Users-2 protocol radius
    accounting-mode simultaneous
    interim-accounting-update
    aaa-server users-2 (mgmt) host 10.xx.xx.xxx
    key xxxx
    authentication-port xxx
    accounting-port xxxx
    aaa authentication ...
    aaa authentication ...
    aaa authentication ...
    aaa authorization ...
    aaa accounting ...
    aaa accounting ...
    aaa accounting ...
    snmp-server ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec security-association lifetime seconds xxx
    crypto ipsec security-association lifetime kilobytes xxx
    crypto dynamic-map vpn-ra-dyn_map 10 set ...
    crypto map outside_map 100 ipsec-isakmp dynamic vpn-ra-dyn_map
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy ...
    authentication pre-share
    encryption xxx
    hash xxx
    group x
    lifetime xxx
    crypto isakmp policy xxx
    authentication pre-share
    encryption xxx
    hash xxx
    group x
    lifetime xxx
    telnet timeout xxx
    ssh 10.x.x.x 255.255.255.255 mgmt
    ssh timeout x
    ssh version x
    console timeout x
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    vpn-idle-timeout 1
    vpn-tunnel-protocol l2tp-ipsec
    pfs disable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Inside
    default-domain value xx.xx.es
    group-policy DefaultRAGroup_1 internal
    group-policy DefaultRAGroup_1 attributes
    vpn-idle-timeout 1
    split-tunnel-policy tunnelspecified
    username ...
    username ...
    username ...
    tunnel-group DefaultRAGroup general-attributes
    authentication-server-group (outside) Users
    accounting-server-group users
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key xxxxx
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    authentication ms-chap-v2
    tunnel-group asa type remote-access
    tunnel-group asa general-attributes
    address-pool VPN-user-pool
    authentication-server-group (outside) test
    accounting-server-group test
    tunnel-group asa ipsec-attributes
    pre-shared-key xxxx
    tunnel-group asa ppp-attributes
    no authentication chap
    no authentication ms-chap-v1
    authentication ms-chap-v2
    tunnel-group tstvpn type remote-access
    tunnel-group tstvpn general-attributes
    authentication-server-group (outside) users-2
    accounting-server-group users-2
    default-group-policy DefaultRAGroup
    tunnel-group tstvpn ipsec-attributes
    pre-shared-key xxxx
    tunnel-group tstvpn ppp-attributes
    no authentication chap
    authentication ms-chap-v2
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum xxxx
    policy-map global_policy
    class inspection_default
      inspect xxxx
      inspect ...
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:xxxxxx
    : end

  • ASA 5510 FireWall Problem

    Hi All
    After some advice and direction
    Our ASA firewall using ASA version 8.4 has recently started presenting us with a problem to one external website
    called http://partners.highnet.com/login/  ip address 62.233.82.181.
    Our firewall is letting everything on our inside Trusted site 192.168.254.0/24 out through our outside interface on x.x.x.x
    to any website and brings back the details
    However when we try to reach http://partners.highnet.com/login/ we recently started receiving (Internet Explorer cannot display the webpage)
    On checking the ASA under Home tab - Firewall Dashboard - Top 10 Protected Servers under SYN Attack, we are receiving the below error.
    Rank  Server IP-Port    Interface  Average  Current  Total  Source IP (Last Attack Time)
    5     62.233.82.181:80  INSIDE     0        0        8      192.168.254.130 (1 mins ago)
    I have tried rebooting the ASA firewall (Still did not resolve).
    I have also  disabled basic threat detection and threat detection statistics and then re-enabled after a period of time under > configuration > Firewall > threat detection  (Still did not resolve).
    Have created a number of access list both from the inside to outside and outside to inside allowing TCP just to the specific IP address 62.233.82.181 (Still did not resolve).
    Tried editing Global Policy for Http configuration > connection settings TCP and UDP connections and also Embryonic connections (Still did not resolve).
    Also tried using the shun command on the ASA to clear connection and statistics and (Still did not resolve).
    So you see there is nothing else I can think of doing, so that is why I have asked you for some pointers maybe someone has come across this sort of issue before.
    If you can help or advise it is much appreciated.

    Hi,
    Are you sending logs from your ASA to any Syslog server from which you could pull all the connection logs for that destination IP address?
    On the ASA you can naturally use "packet-tracer" also to simulate one such packet coming from your LAN towards this WAN IP address (of the server) and confirm that all rules are correct.
    packet-tracer input INSIDE tcp 192.168.254.130 12345 62.233.82.181 80
    You could maybe also try to generate TCP SYNs directly from the ASA
    ping tcp 62.233.82.181 80
    And see if the server replies
    - Jouni

  • How to log exceptions and imp logging info in Portal Service via ILogger?

    Hi Experts,
    I'm trying to use ILogger for my application.
    Information about my application:
    I have created a Portal Service and exposed it as a Web Service which is deployed as a PAR file on to the SAP J2EE Engine.
    I need to use the Logging facility of ILogger in this Portal Service.
    I have written the following code in the Init() function of the Portal Service
    public void init(IServiceContext serviceContext)
    {
        // Obtain the logger from the service context when the service starts.
        mm_logger = serviceContext.getLogger("com.persistent.pankaj");
    }
    I have put the logger.xml in the logger folder of PORTAL-INF
    my logger.xml is as follows:
    <Server>
    <Logger name="testLog" loggerInterface="com.sapportals.portal.prt.logger.ILogger" locationName="com.sap.portal.testLog" pattern="%d # %20t %15s %m #" isActive="true">
    <LoggerClass className="com.sapportals.portal.prt.logger.SimpleFileLogger" level="INFO">
    <param filename="logs/com.persistent.pankaj.log" append="true">
    </param>
    </LoggerClass>
    </Logger>
    </Server>
    On deploying my portal service as a web service
    I'm unable to get the logs.
    I don't even know where I will get the log file, meaning what is the exact location where I can check my log results.
    I'm a newbie at this.
    Please help me out.
    Help will be rewarded and appreciated.
    -pankaj

    Hi Pankaj,
    In your init method try this code to create the logger:
    ILogger logger = PortalRuntime.getLogger("testLog");
    In your logger.xml the logger name was testLog and not com.persistent.pankaj so while creating logger you should use testLog in the above code.
    By default all the logs are written to defaultTrace.log files, to check them read this:
    Portal Runtime Logs
    If you want to log in a separate logfile then you should set a separate log destination, which is not recommended on productive systems due to performance problems.
    Also read these to know how to set separate log destinations:
    Netweaver Portal Log Configuration & Viewing (Part 3)
    Netweaver Portal Log Configuration & Viewing (Part 1)
    Netweaver Portal Log Configuration & Viewing (Part 2)
    Regards,
    Praveen Gudapati

  • Cisco ASA 5505 IPsec client VPN - Cannot connect to local hosts

    I have created a Cisco IPsec vpn on my ASA using the VPN creation wizard. I am able to successfully connect to the vpn and seemingly join the network, but after I connect I am unable to connect to or ping any of the hosts on the network.
    Checking the ASA I can see that a VPN session is open and my client reports that it is connected. If I attempt to ping the client from the ASA all packets are dropped.
    I suspect it may be an issue with my firewall, but I am not really sure where to begin.
    Here is a copy of my config, any pointers or tips are appreciated:
    hostname mcfw
    enable password Pt8fQ27yMZplioYq encrypted
    passwd 2qaO2Gd6IBRkrRFm encrypted
    names
    interface Ethernet0/0
    switchport access vlan 400
    interface Ethernet0/1
    switchport access vlan 400
    interface Ethernet0/2
    switchport access vlan 420
    interface Ethernet0/3
    switchport access vlan 420
    interface Ethernet0/4
    switchport access vlan 450
    interface Ethernet0/5
    switchport access vlan 450
    interface Ethernet0/6
    switchport access vlan 500
    interface Ethernet0/7
    switchport access vlan 500
    interface Vlan400
    nameif outside
    security-level 0
    ip address 58.13.254.10 255.255.255.248
    interface Vlan420
    nameif public
    security-level 20
    ip address 192.168.20.1 255.255.255.0
    interface Vlan450
    nameif dmz
    security-level 50
    ip address 192.168.10.1 255.255.255.0
    interface Vlan500
    nameif inside
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    ftp mode passive
    clock timezone JST 9
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network DM_INLINE_NETWORK_1
    network-object host 58.13.254.11
    network-object host 58.13.254.13
    object-group service ssh_2220 tcp
    port-object eq 2220
    object-group service ssh_2251 tcp
    port-object eq 2251
    object-group service ssh_2229 tcp
    port-object eq 2229
    object-group service ssh_2210 tcp
    port-object eq 2210
    object-group service DM_INLINE_TCP_1 tcp
    group-object ssh_2210
    group-object ssh_2220
    object-group service zabbix tcp
    port-object range 10050 10051
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq www
    group-object zabbix
    port-object eq 9000
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service http_8029 tcp
    port-object eq 8029
    object-group network DM_INLINE_NETWORK_2
    network-object host 192.168.20.10
    network-object host 192.168.20.30
    network-object host 192.168.20.60
    object-group service imaps_993 tcp
    description Secure IMAP
    port-object eq 993
    object-group service public_wifi_group
    description Service allowed on the Public Wifi Group. Allows Web and Email.
    service-object tcp-udp eq domain
    service-object tcp-udp eq www
    service-object tcp eq https
    service-object tcp-udp eq 993
    service-object tcp eq imap4
    service-object tcp eq 587
    service-object tcp eq pop3
    service-object tcp eq smtp
    access-list outside_access_in remark http traffic from outside
    access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
    access-list outside_access_in remark ssh from outside to web1
    access-list outside_access_in extended permit tcp any host 58.13.254.11 object-group ssh_2251
    access-list outside_access_in remark ssh from outside to penguin
    access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group ssh_2229
    access-list outside_access_in remark http from outside to penguin
    access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group http_8029
    access-list outside_access_in remark ssh from outside to hub & studio
    access-list outside_access_in extended permit tcp any host 58.13.254.13 object-group DM_INLINE_TCP_1
    access-list outside_access_in remark dns service to hub
    access-list outside_access_in extended permit object-group TCPUDP any host 58.13.254.13 eq domain
    access-list dmz_access_in extended permit ip 192.168.10.0 255.255.255.0 any
    access-list dmz_access_in extended permit tcp any host 192.168.10.251 object-group DM_INLINE_TCP_2
    access-list public_access_in remark Web access to DMZ websites (mediastudio/civicrm)
    access-list public_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq www
    access-list public_access_in remark General web access. (HTTP, DNS & ICMP and  Email)
    access-list public_access_in extended permit object-group public_wifi_group any any
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.0.80 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
    pager lines 24
    logging enable
    logging timestamp
    logging buffered notifications
    logging trap notifications
    logging asdm debugging
    logging from-address [email protected]
    logging recipient-address [email protected] level warnings
    logging host dmz 192.168.10.90 format emblem
    logging permit-hostdown
    mtu outside 1500
    mtu public 1500
    mtu dmz 1500
    mtu inside 1500
    ip local pool OfficePool 192.168.0.80-192.168.0.90 mask 255.255.255.0
    ip local pool VPN_Pool 192.168.0.91-192.168.0.99 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 60
    global (outside) 1 interface
    global (dmz) 2 interface
    nat (public) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 0.0.0.0 0.0.0.0
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 2229 192.168.0.29 2229 netmask 255.255.255.255
    static (inside,outside) tcp interface 8029 192.168.0.29 www netmask 255.255.255.255
    static (dmz,outside) 58.13.254.13 192.168.10.10 netmask 255.255.255.255 dns
    static (dmz,outside) 58.13.254.11 192.168.10.30 netmask 255.255.255.255 dns
    static (inside,dmz) 192.168.10.0 192.168.0.0 netmask 255.255.255.0 dns
    static (dmz,inside) 192.168.0.251 192.168.10.251 netmask 255.255.255.255
    static (dmz,public) 192.168.20.30 192.168.10.30 netmask 255.255.255.255 dns
    static (dmz,public) 192.168.20.10 192.168.10.10 netmask 255.255.255.255 dns
    access-group outside_access_in in interface outside
    access-group public_access_in in interface public
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 58.13.254.9 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    http 59.159.40.188 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt noproxyarp dmz
    sysopt noproxyarp inside
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map public_map interface public
    crypto isakmp enable outside
    crypto isakmp enable public
    crypto isakmp enable inside
    crypto isakmp policy 5
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 59.159.40.188 255.255.255.255 outside
    ssh 192.168.0.0 255.255.255.0 inside
    ssh timeout 20
    console timeout 0
    dhcpd dns 61.122.112.97 61.122.112.1
    dhcpd auto_config outside
    dhcpd address 192.168.20.200-192.168.20.254 public
    dhcpd enable public
    dhcpd address 192.168.10.190-192.168.10.195 dmz
    dhcpd enable dmz
    dhcpd address 192.168.0.200-192.168.0.254 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics host number-of-rate 2
    no threat-detection statistics tcp-intercept
    ntp server 130.54.208.201 source public
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
     dns-server value 61.122.112.97 61.122.112.1
     vpn-tunnel-protocol l2tp-ipsec
    group-policy CiscoASA internal
    group-policy CiscoASA attributes
     dns-server value 61.122.112.97 61.122.112.1
     vpn-tunnel-protocol IPSec
    username mcit password 4alT9CZ8ayD8O8Xg encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
     address-pool VPN_Pool
     default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *****
    tunnel-group ocmc type remote-access
    tunnel-group ocmc general-attributes
     address-pool OfficePool
    tunnel-group ocmc ipsec-attributes
     pre-shared-key *****
    tunnel-group CiscoASA type remote-access
    tunnel-group CiscoASA general-attributes
     address-pool VPN_Pool
     default-group-policy CiscoASA
    tunnel-group CiscoASA ipsec-attributes
     pre-shared-key *****
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    smtp-server 192.168.10.10
    prompt hostname context
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:222d6dcb583b5f5abc51a2251026f7f2
    : end
    asdm location 192.168.10.10 255.255.255.255 inside
    asdm location 192.168.0.29 255.255.255.255 inside
    asdm location 58.13.254.10 255.255.255.255 inside
    no asdm history enable

    Hi Conor,
    What is your local net? I see only one default route for outside network. Don't you need a route inside for your local network?
    Regards,
    Umair
