SSH Sessions in Syslog

I have a 2620xm router with SSH for authentication/access.
I monitor the router with Syslog Watcher.
I keep getting messages in syslog that an SSH session from my workstation has been started and then terminated when I am not accessing the router.
thanks
Dave

Here is the output:
stinger#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 5
stinger#sh line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
      0 CTY              -    -      -    -    -      0       0     0/0       -
     65 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
*    66 VTY              -    -      -    -   23     91       0     0/0       -
     67 VTY              -    -      -    -   23      0       0     0/0       -
     68 VTY              -    -      -    -   23      0       0     0/0       -
     69 VTY              -    -      -    -   23      0       0     0/0       -
     70 VTY              -    -      -    -   23      0       0     0/0       -
Line(s) not in async mode -or- with no hardware support:
1-64
stinger#who
    Line       User       Host(s)              Idle       Location
* 66 vty 0     SCORPION   idle                 00:00:00   scorpion-7.scorpnet.drichwalski.net
  Interface    User               Mode         Idle     Peer Address
stinger#show run | in ssh
ip ssh authentication-retries 5
ip ssh logging events
ip ssh version 2
transport input ssh

Similar Messages

  • Programs not closing/opening DirectoryService problem?

    Hi all,
    all of the machines we're testing using 10.6.2 are experiencing the same problem at intermittent intervals of failure to launch and close various programs, safari, terminal, finder windows, etc. When this happens even external ssh connection attempts just hang. (I'll provide a tcpdump if desired).
    When this issue happens the system is somewhat responsive, top still runs, the tail -f on the log files continues to produce output, xrg program reports various system status, etc.
    I'll keep a root terminal ssh-ed in and run 'killall DirectoryService' the system then opens and also closes the waiting programs. I notice that any local waiting terminals start and request a login password.
    When the system exhibits this issue top doesn't indicate any stuck processes, no entries in the DirectoryService.error.log or server.log or /var/log/system.log...
    Our setup uses openldap, and home exported NFS directories. We have had no issue with leopard or prior releases.
    Please let me know what additional info you'd like .. and thanks in advance!

    thanks again for the reply!
    we're not using kerberos. I set up a test ldap server from the ubuntu lts repos without making any changes to the schemas, pretty much a stock install. I added 1 account and authenticated to it and kept the debugging terminal open and ran dtrace on the osx client. Below is the output when the client was in the problem state. What's interesting is that no calls to the ldap server were made until running 'killall -9 DirectoryService'; after that the ssh session along with all the other programs that were hung resumed normal operation.
    ---dtrace output just before restarting DirectoryService---
    3 18470 open:entry dashboardadviso /System/Library/WidgetResources/.parsers/.version
    3 19256 open_nocancel:entry dashboardadviso /etc/sysinfo.conf
    0 18470 open:entry launchd /private/var/db
    0 18470 open:entry launchd /private/var/db
    2 19256 open_nocancel:entry ntpd /var/db/ntp.drift.TEMP
    3 18470 open:entry UserEventAgent /Library/Caches/com.apple.DiagnosticReporting.Networks.plist
    0 19256 open_nocancel:entry launchd /etc/localtime
    0 19256 open_nocancel:entry launchd /etc/localtime
    0 19256 open_nocancel:entry launchd /etc/localtime
    0 19256 open_nocancel:entry launchd /etc/localtime
    dtrace: error on enabled probe ID 1 (ID 19256: syscall::open_nocancel:entry): invalid address (0x7fff5fc2dc77) in action #2 at DIF offset 24
    1 18470 open:entry newsyslog /dev/dtracehelper
    1 19256 open_nocancel:entry newsyslog /dev/urandom
    1 19256 open_nocancel:entry newsyslog /dev/urandom
    1 19256 open_nocancel:entry newsyslog /etc/localtime
    1 19256 open_nocancel:entry newsyslog /etc/newsyslog.conf
    1 19256 open_nocancel:entry newsyslog /etc/newsyslog.d/
    1 19256 open_nocancel:entry newsyslog /etc/newsyslog.d/files.conf
    1 19256 open_nocancel:entry newsyslog /etc/newsyslog.d/kerberos.conf
    3 18470 open:entry UserEventAgent /Library/Application Support/CrashReporter/UserCrashHistory_00000000-0000-1000-8000-0017F20A7544.plist
    3 19256 open_nocancel:entry syslogd /var/log/asl/2009.11.20.asl
    3 18470 open:entry syslogd /var/log/system.log
    0 18470 open:entry securityd /var/db/SystemEntropyCache

  • 3030 Concentrator Site to Site

    Trying to set up L2L VPN. Once the L2L is enabled, does it attempt to connect immediately? Also, how can I view the logs to see what is successful/failing on this or any other VPN connection?
    Thank you.

    You need to generate traffic requiring crypto protection (defined by your crypto ACL) in order to initiate the negotiation of an ISAKMP SA, which will establish a secure channel through which IPSec SAs will be negotiated.
    Don't have access to a 3030 Concentrator, but on an IOS system you'd check status with:
    show crypto isakmp sa detail
    show crypto ipsec sa detail
    Perhaps, log crypto sessions in syslog with:
    crypto logging session
    ... and perhaps:
    deny ip any any log
    ... as the last ACE in interface ACLs to identify configuration errors, and the presence of traffic that violates security policy.

  • SessMAx is exceeded then RAC fails

    My RAC cluster seems to have had the load on one node go through the roof and then eventually die.
    This was the first message I received:
    ORA-24418: Cannot open further sessions
    Some syslog messages started coming in after this and then the node in the cluster failed. What would cause the ORA-24418 error?
    Thank you.

    jackiebaron wrote:
    My RAC cluster seems to have had the load on one node go through the roof and then eventually die.
    This was the first message I received:
    ORA-24418: Cannot open further sessions
    Some syslog messages started coming in after this and then the node in the cluster failed. What would cause the ORA-24418 error?
    Thank you.

    Hello, you will have to do the following steps:
    Check the SGA parameters;
    Check the Sessions parameters;
    Check the version of your Oracle database;
    After that, you will analyze the changes to solve the problem. Follow these steps below:
    oradba> oerr ora 24418
    24418, 00000, "Cannot open further sessions."
    // *Cause:  Sufficient number of sessions are not present in the pool to
    // execute the call. No new sessions can be opened as the
    // sessMax parameter supplied in OCISessionPoolCreate has been
    // reached.
    // *Action: Call OCISessionPoolCreate in OCI_SPOOL_REINITIALIZE mode and
    // increase the value of the sessMax parameter.
    oradba@> sqlplus "/as sysdba"
    SQL*Plus: Release 11.2.0.3.0 Production on Wed Feb 13 04:19:54 2013
    Copyright (c) 1982, 2011, Oracle. All rights reserved.
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> show parameters sga
    NAME TYPE VALUE
    lock_sga boolean FALSE
    pre_page_sga boolean FALSE
    sga_max_size big integer 45G
    sga_target big integer 45G
    SQL> show parameters sess
    NAME TYPE VALUE
    java_max_sessionspace_size integer 0
    java_soft_sessionspace_limit integer 0
    license_max_sessions integer 0
    license_sessions_warning integer 0
    session_cached_cursors integer 50
    session_max_open_files integer 10
    sessions integer 2726
    shared_server_sessions integer
    SQL> select * from v$version;
    BANNER
    Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
    PL/SQL Release 11.2.0.3.0 - Production
    CORE 11.2.0.3.0 Production
    Best regards,
    Bruno Reis.
    www.brunors.com

  • Anyconnect session accounting via radius or syslog ?

    Hi
    Does anyone have a deployed accounting method to log Anyconnect session details ?  Do you do it via a radius server or via logging messages to a syslog server ?
    If so could you assist with appropriate configuration ?  I am looking to log successful and unsuccessful authentications as well as session length, log on and log off times.
    I've been playing around with Anyconnect authenticating to AD via ACS 5.1 but can't seem to get the accounting details I require.  Similarly I have tried to catch appropriate syslog messages but again without much success.
    Many thanks for any input, St.

    What have you configured for radius accounting on the ASA?
    Can you paste the o/p of show run aaa-server and show run tunnel-group?
    Basically all you need is to define a radius server group and call that group under the tunnel-group parameters.
    !--- Configure the AAA Server group.
    ciscoasa(config)# aaa-server RAD_SRV_GRP protocol RADIUS
    ciscoasa(config-aaa-server-group)# exit
    !--- Configure the AAA Server.
    ciscoasa(config)# aaa-server RAD_SRV_GRP (inside) host 192.168.1.2
    ciscoasa(config-aaa-server-host)# key secretkey
    ciscoasa(config-aaa-server-host)# exit
    !--- Configure the tunnel group to use the new AAA setup.
    ciscoasa(config)# tunnel-group ExampleGroup1 general-attributes
    ciscoasa(config-tunnel-general)# accounting-server-group RAD_SRV_GRP
    Once done, you can then establish a session and check the detailed radius accounting packet on ACS 5.x >> Monitoring and reports > catalog > aaa protocols > radius accounting.
    In case you don't see radius accounting after following the above steps then please turn on "debug aaa accounting" and "debug radius" on the ASA. This way we can check whether the ASA is sending the accounting session details to ACS or not.
    Regards,
    Jatin Katyal
    - Do rate helpful posts -

  • CGNAT: syslog reporting of CGNAT sessions?

    Hello team.
    I would like to know if, besides the comprehensive Netflow support for session accounting, there is also (or is not) a chance to configure basic SYSLOG reporting when NAT sessions are created/deleted.
    Thank you very much in advance
    Best regards, Rogelio Alvez

    Hi Rogelio,
    starting from 4.2.1, the syslog is also supported as a logging mechanism for Nat44 and DS Lite on both ISM and CGSE.
    You can also configure Bulk Port Allocation to reduce the number of reports generated.
    Cheers,
    N.

  • LMS4.1 OGS doesn't work for Eventconsole/Syslog

    Hello,
    Device selection doesn't work for Monitoring=>Eventconsole/Syslog, but you can filter with the filter function inside Eventconsole/Syslog
    but without the possibility for device filtering. Message-Box "No device found ... " will appear also with selecting "All devices"
    Device selection (OGS) works in any other applications - with being extremely slow for nested user defined groups btw - including to generate syslog reports from report generator.
    Because Spectrum is used for FM in this network, customer will save resources at the slow GUI responding LMS server and switched DFM off, by deactivation at Admin > System > Device Management Functions.
    Is the device selection issue in Monitoring=>Eventconsole/Syslog a known bug and can we count on a bugfix in future?
    Steffen
    P.S.: after switching the GUI to https, the syslog subscription has been stopped due to a certificate trusting issue. I expect from a prime SW that this should be included in the https mode switching automatically.

    Please try the following steps:
    1. Stop the daemon manager (Net stop crmdmgtd).
    2. Regenerate the SSL certificate (don't forget to start your shell/command prompt session as Administrator):
         *Remove server.*  files under NMSROOT\MDC\Apache\conf\ssl (take backup of all 4 files before deleting).
         *NMSROOT\bin\perl NMSROOT\MDC\Apache\ConfigSSL.pl -disable
         *NMSROOT\bin\perl NMSROOT\MDC\Apache\ConfigSSL.pl -enable
         *Fill in all the details it requests.
         *Ensure that the following files are created under NMSROOT\MDC\Apache\conf\ssl :
    server.crt
    server.csr
    server.key
    server.pk8
    3. Start the daemon manager (net start crmdmgtd).
    4. Try to access the GUI with https://xxxxxx:443.
    -Thanks

  • Issue: admin activity is not fully logged to syslog

    Hello!
    cisco 7606, IOS 12.2(33r)SRC3
    For example, while activating ipv6 bgp session, when entering command:
    #neighbor 2001:7F8:S:FF::109 password PASSWD
    Syslog gets such an entry:
    Wed Oct 10 14:20:00 2011 router1  admin  syslogserv stop        cmd=neighbor password *****
    I wonder, why neighbor's IPV6 address is not present in the entry. It makes some difficulties in account activity monitoring.
    #sh run
    <cut>
    logging buffered 2000000
    logging console errors
    logging monitor errors
    aaa authentication username-prompt "login: "
    aaa authentication login default group tacacs+ line enable
    aaa authentication login CONSOLE line none
    aaa authorization exec default local group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common
    logging event link-status default
    <cut>
    WBR, Alex.

    Hi Lawrence ,
    Yes, I have the answers for your questions, please find the same below.
    1 ) No , I haven't got any 'weblogic.application.ModuleException' at the server or stdout log.
    2 ) While trying to telnet from my Windows machine, it is not connected to my server.
    C:\Documents and Settings\Administrator>telnet 20.10.5.2 7001
    Connecting To 20.10.5.2...Could not open connection to the host, on port 7001: Connect failed
    C:\Documents and Settings\Administrator>
    3 ) Yes, I have flushed the cache and tmp folder after taking a backup of the domain folder and then restarted the weblogic - but no luck, still not accessible.
    Hope the second question & answer will be the cause for the issue (but not sure why it was accessible from the same Windows machine earlier?).
    Please suggest... Thanks!

  • Xfce4-session-helper NOT FOUND

    After upgrading xfce4-session the other day,
    [PACMAN] upgraded xfce4-session (4.10.0-6 -> 4.10.0-7)
    These errors appear in syslog:
    Apr 29 13:27:56 arch-top slim[342]: (xfce4-session:397): xfce4-session-WARNING **: Unable to launch "xfce4-settings-helper": Failed to execute child process "xfce4-settings-helper" (No such file or directory)
    Apr 29 13:27:56 arch-top slim[342]: (xfce4-session:397): xfce4-session-WARNING **: Unable to launch "xfce4-settings-helper": Failed to execute child process "xfce4-settings-helper" (No such file or directory)
    They appear twice, together, like above (on startup).

    According to http://www.xfce.org/about/tour (one of the first hits for  xfce4-session-helper), this helper was merged into a settings daemon in 4.10. Either it's a bug or you have some leftover bits from 4.8.

  • CRYPTO-4-PKT_REPLAY_ERR syslog parsing

    Every time ios generates the "CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed" log msg I receive 3 syslog messages, like ios is not concatenating them into 1 msg string before sending. It's really annoying because I can't filter a null string that also has a null message type on my nms. I tried changing the facility settings and get the same result. If I use TCL to filter the syslog msg by type "CRYPTO-4-PKT_REPLAY_ERR" it will only filter the 1st syslog message since the types on the other 2 msgs are null.
    I can't find a bug or discussion about this so I am hoping somebody out there might have a solution ... 
    DEVICE INFO:
    c3825-advipservicesk9-mz.124-25b.bin
    logging buffered 15000 debugging
    logging rate-limit all 3
    no logging console
    no logging monitor
    crypto logging session
    logging origin-id hostname
    logging facility syslog
    logging source-interface GigabitEthernet0/0
    logging 11.22.33.44
    FROM LOGGING BUFFER:
         Dec 14 08:00:37 CST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: johndoe] [Source: 1.2.3.4] [localport: 22] at 08:00:37 CST Wed Dec 14 2011
    #1>> Dec 14 08:01:41 CST: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
    #2>>     connection id=70, sequence number=43990
    #3>>
         Dec 14 08:10:36 CST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: johndoe] [Source: 1.2.3.4] [localport: 22] at 08:10:36 CST Wed Dec 14 2011
    THREE SYSLOG MSG's RECEIVED:
         #1
             MSG TYPE:   CRYPTO-4-PKT_REPLAY_ERR
             MSG STRING: 7015321: routerA: decrypt: replay check failed
         #2
             MSG TYPE:   null
             MSG STRING: 7015322: routerA: connection id=70, sequence number=43990
         #3
             MSG TYPE:   null
             MSG STRING: 7015323: routerA:
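
One way to handle the split on the collector side, as an added example (not code from the original post or from Cisco): untyped records are merged into the record they follow, using the consecutive sequence numbers and the origin-id visible in the post's MSG STRING fields. The (type, string) tuple layout, the function names, sequence number 7015320 and the routerB record are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# "<seq>: <origin-id>: <text>", the layout of the MSG STRING fields in the post.
RECORD_RE = re.compile(r"^(?P<seq>\d+): (?P<origin>[^:\s]+):\s?(?P<text>.*)$")
REPLAY_FIELDS_RE = re.compile(r"connection id=(\d+), sequence\s+number=(\d+)")


@dataclass
class Event:
    origin: str
    msg_type: Optional[str]
    first_seq: int
    last_seq: int
    parts: List[str]
    orphan: bool = False  # untyped record with no typed predecessor

    @property
    def text(self) -> str:
        # Empty continuation lines (record #3 in the post) are dropped.
        return " ".join(p for p in self.parts if p)


def reassemble(records):
    """Merge untyped continuation records into the event they follow.

    records: iterable of (msg_type_or_None, msg_string) in arrival order.
    A record is a continuation only if it has no type AND its sequence
    number is exactly one past the last record seen from the same origin.
    """
    events = []
    last_event = {}  # origin-id -> most recent Event from that device
    for msg_type, raw in records:
        m = RECORD_RE.match(raw)
        if m is None:
            continue  # not "<seq>: <origin>: <text>"; out of scope here
        seq, origin = int(m["seq"]), m["origin"]
        text = " ".join(m["text"].split())  # normalise padding
        prev = last_event.get(origin)
        if msg_type is None and prev is not None and seq == prev.last_seq + 1:
            prev.parts.append(text)
            prev.last_seq = seq
            continue
        # New event. An untyped record that cannot be attached (first
        # record lost, or a sequence gap) is kept and flagged.
        ev = Event(origin, msg_type, seq, seq, [text], orphan=msg_type is None)
        events.append(ev)
        last_event[origin] = ev
    return events


def replay_details(event):
    """Return connection id and ESP sequence number of a replay event."""
    if event.msg_type != "CRYPTO-4-PKT_REPLAY_ERR":
        return None
    m = REPLAY_FIELDS_RE.search(event.text)
    if m is None:
        return None
    return {"connection_id": int(m.group(1)), "sequence_number": int(m.group(2))}


# Constructed sample: the three records from the post, one preceding login
# record, and an interleaved record from a hypothetical second router.
SAMPLE = [
    ("SEC_LOGIN-5-LOGIN_SUCCESS",
     "7015320: routerA: Login Success [user: johndoe] [Source: 1.2.3.4] [localport: 22]"),
    ("CRYPTO-4-PKT_REPLAY_ERR", "7015321: routerA: decrypt: replay check failed"),
    (None, "88: routerB: connection id=5, sequence number=17"),
    (None, "7015322: routerA: connection id=70, sequence number=43990"),
    (None, "7015323: routerA: "),
]

if __name__ == "__main__":
    for ev in reassemble(SAMPLE):
        flag = " (orphan)" if ev.orphan else ""
        print(f"{ev.origin} {ev.first_seq}-{ev.last_seq} {ev.msg_type}{flag}: {ev.text}")
        details = replay_details(ev)
        if details:
            print("   ", details)
```

Keying the state on origin-id keeps records from different devices from being merged when they arrive interleaved.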


  • VPN session in cisco ASA reflect a different source public ip

    Hi all,
    I tested and managed to establish vpn on my cisco asa 5520 successfully.
    On my syslog I can see "anyconnect parent session started" upon my vpn establishment and "webvpn session terminated" upon terminating my vpn session, where the correct public ip used to establish the vpn is reflected. However, after the "webvpn session terminated" line, I can see other lines in my syslog, for example "Group=vpngroup, username=test, ip = x.x.x.x, session disconnected, session type:anyconnect parent, duration 0h:00m23s, bytes xmt: 0, bytes rcv:0, reason: user requested" where x.x.x.x is not the ip address used to establish my remote access vpn, neither is it the ip related to my vpn infra. I am very sure that the ip x.x.x.x did not establish any vpn to my cisco asa5520. Hence why is it reflected in my cisco asa logs? Please advise, TIA!

    Hi,
    Think I remember some posting about a similar issue in the past. Did a couple of google searches and the following BugID was mentioned in the discussion.
    syslog 113019 reports invalid address when VPN client disconnects.
    CSCub72545
    Description
    Symptom:
    Syslog reports an invalid IP Address.
    Conditions:
    This condition occurs when a VPN Client is disconnected.
    Workaround:
    There is no mention of a workaround. Just mention of software versions that should correct the problem
    The link to the actual page/document is the following
    https://tools.cisco.com/bugsearch/bug/CSCub72545
    Perhaps this is the bug you are running into or something similar.
    - Jouni

  • Firewall Dropping Packets - %FW-6-DROP_PKT: Dropping tcp session X.X.X.X X.

    Hi,
    Can anyone explain this error and what is a stray Segment with the IP ident 46866. I can't seem to find this error on the Cisco web site the only bug appears to be to do with Zone firewalls. I have an 877 Router on a remote site configured with IPSEC and a Tunnel back to the main office and I'm getting reported connection issues to network drives on servers located local to the LAN and on the headend LAN. Can't seem to find any other errors apart from this one.
    %FW-6-DROP_PKT: Dropping tcp session X.X.X.X X.X.X.X due to
    Stray Segment with ip ident 46866 tcpflags 0x5010 seq.no 1237259566 ack 3465174792
    If anyone could help or point me in the right direction that would be great. Failing that I'm jumping off this building.
    Ta
    Jim

    This may help:
    Caveat "CSCsj30582"
    http://www.cisco.com/en/US/docs/ios/12_4t/release/notes/124TCAVS.html
    Symptoms: A Cisco IOS router that is running ZPF (Zone-based Policy Firewall) intermittently drops ESP packets even when it is configured to pass them. This causes traffic over an IPsec VPN tunnel through this router to fail intermittently, although the tunnel is up and phase 1 (isakmp) and phase 2 (ipsec) SAs have been established. If the router is configured to log dropped packets, it will log a %FW-6-DROP_PKT syslog message for these packets.
    Conditions: This symptom is observed on a Cisco IOS router that is enabled with ZPF (Zone-based Policy Firewall) and that is configured to pass the ESP traffic based on a "match access-group" policy, where the access list has entries to permit the ESP traffic specifically from one host to another.
    For example:
    class-map type inspect match-any cm-esp
     match access-group 100
    policy-map type inspect in2out
     class type inspect cm-esp
      pass
    access-list 100 permit esp host 10.0.0.2 host 10.1.1.2
    access-list 100 permit esp host 10.1.1.2 host 10.0.0.2
    Workaround: Configure the access list so that the source is "any", for example:
    access-list 100 permit esp any host 10.1.1.2
    access-list 100 permit esp any host 10.0.0.2
    First Alternate Workaround: Use the classic Cisco IOS firewall instead of ZPF; that is, use "ip inspect".
    Further Problem Description: If an explicit deny rule is added to the above example, for example:
    access-list 100 permit esp host 10.0.0.2 host 10.1.1.2
    access-list 100 permit esp host 10.1.1.2 host 10.0.0.2
    access-list 100 deny esp any any
    Then the show access-list command will indicate that the dropped packets are hitting the deny rule, although they should match one of the permit rules:
    Router# show access-lists 100
    Extended IP access list 100
        10 permit esp host 10.0.0.2 host 10.1.1.2 (999 matches)
        20 permit esp host 10.1.1.2 host 10.0.0.2 (999 matches)
        30 deny ip any any (1 match)

  • BSM / audit_syslog ... how to get command line parameters in syslog?

    Hi All!
    I have been experimenting with Sun Basic Security Module (BSM) and was trying to send audit data via syslog to a central logging server like so:
    # cat /etc/security/audit_startup
    /usr/sbin/auditconfig -setpolicy +argv,arge
    # cat /etc/security/audit_control
    plugin: name=audit_syslog.so;p_flags=lo,ex,fr,fc,fd,fw,fm
    This does produce the desired log output on the central logging server, except that the log lines do not contain command line parameters / environment variables:
    2008-10-14T15:04:26-06:00 csadm4/csadm4 audit: [ID 702911 audit.notice] execve(2) ok session 1576737601 by rem_adm as root:root in csadm4 from csadm1-16.shell.ca obj /usr/bin/less
    As this makes it pretty useless for keeping proper audit records (there is a difference between "rm ~/file" and "rm /file" that I would like to see) I was wondering if there is a way to customize what is actually produced by audit_syslog.so?
    Thanks in advance,
    Rudolf

    No, your plugin doesn't get any access to the command line.  Look for other methods of IAC (COM, DDE, shared memory, shared file, etc.)

  • MARS didn't capture the Syslog for a Switch

    Hi All,
    I have CSMARS configured for my enterprise network. In one of the major incidents, one of the line cards of my 6509 went faulty with the following syslog:
    09-19-2010 09:59:40 UTC Local0.Error 192.168.228.3 150: Sep 19 15:19:32 IST: %EARL-SP-3-RESET_LC: Resetting module in slot 1. (Errorcode 1)
    09-19-2010 09:59:40 UTC Local0.Error 192.168.228.3 151: Sep 19 15:19:32 IST: %PF_ASIC-SPSTBY-3-ASIC_DUMP: [0:0x20C] ME_AR_P2MMU_FREE_TAIL = 0x28E
    However this syslog message was not captured by the CSMARS, or maybe I am not getting a way to locate this error in the incidents tab.
    Please help me in understanding if CSMARS captures all the events or not. Or do I have to enable some events to be forwarded to CSMARS? Or if the log is registered, how can I find this log in the MARS?

    EDIT:
    I just noticed the attachment in your last message.  It looks like you've mis-configured the device type in MARS. 
    If you are running Native IOS on your 6509 (such as 12.2SXH or SXI), the device type should be "Cisco Switch-IOS 12.2" to parse the logs correctly.  The device type "Cisco IOS 12.2" is for routers running IOS 12.2.
    I'm going to assume the faulty line card is not in the critical path between this switch and your MARS server (correct?).  Otherwise, halijenn's comment applies.
    Anyway, have you verified that you're receiving logs from that switch in MARS?  Have you verified they are being parsed correctly?  The easiest way is to run a query in MARS.
    - Run a query for the last 7 or more days
    - "Result Format" should be "All Matching Events" (or all matching sessions)
    - Under "Reporting Device", select the switch in question
    This will return any events from that switch, and verify that it's reporting (and being parsed) properly.
    If that's successful, I would run a second query.
    - Change the "Result Format" to "All Matching Event Raw Messages"
    - Limit the time frame to an hour before and after the timestamp on the log you pasted above
    - Under "Keyword", add "EARL\-SP\-3\-RESET\_LC" (without quotes), and set "Operation" to "OR"
    - In the second field, enter "PF\_ASIC\-SPSTBY\-3\-ASIC\_DUMP" (no quotes)
    This is a regular expression that should match the logs you're looking for.  Apply the settings and run the query.  This should tell you if MARS at least received the log.  If it did, then more work will need to be done to figure out why it didn't report properly.
    Just FYI -- it's very possible that MARS could not completely parse that specific log, which happens with a lot of messages from the 6509s.  It often reports them as "Generic IOS Syslog" or something similar.

  • Session logs for shop admin

    Hi Team,
    I need some inputs and help.
    We are using CRM ISA 6.0 SP06. We are using the webshop functionality.
    We currently analyze the errors in the webshop via the session logs which we have configured.
    Now, when we have done the same setup for shop admin, we are unable to see any session logs.
    Session logs for shop admin are not working. Session logs for webshop works and we are able to view the same.
    We have already done the below settings in http://host:port/shopadmin/admin
    XCM -
    appinfo:True
    logfiledownload:True and restart of the J2EE engine.
    We get the below error when we check for the logs:
    Application error occurred during request processing.
      java.lang.Exception: java.io.FileNotFoundException: /session-2010-2-25_13-10_(J2EE967404400)ID1521894650DB00028780023514142548End.log (No such file or directory (errno:2))
    Exception id: [0017A477401000660000016A00005E840004806C842020FC]
    Please let me know if we are missing something.
    Thanks
    Warm Regards,
    Rajeet

    For VPN session, it's best to log the following syslog messages:
    For WebVPN:
    Syslog#: 716001 - user connects:
    http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4776913
    Syslog#: 716002 - user disconnects:
    http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4776918
    For IPSec VPN Client:
    Syslog#: 611101 - user connects:
    http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4774570
    Syslog#: 611102 - user authentication fails:
    http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4774576
    Syslog#: 611103 - user logoff:
    http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4774581
