Set Audit Trails and Alerts
Real-time alerts send syslog error messages to central
management consoles upon detecting suspicious activity, allowing network
managers to respond immediately to intrusions. Enhanced audit-trail features use
syslog to track all transactions, recording time stamps, source host,
destination host, ports used, session duration, and the total number of
transmitted bytes for advanced, session-based reporting.
Cisco IOS Firewall alerts and audit-trail features are now
configurable, enabling more flexible reporting and error tracking. The
configurable audit-trail features support modular tracking of specific
CBAC-supported applications and Java blocking. Both the real-time alerts and the
audit-trail features are supported by a variety of third-party reporting
Use the Global Configuration Mode command ip inspect audit-trail to turn on CBAC audit-trail messages. The
messages are displayed on the console after each CBAC session closes. Use the no
form of the command to turn off the feature. The syntax is
Rtr1(config)#ip inspect audit-trail
Rtr1(config)#no ip inspect audit-trail
This command has no arguments or keywords. By default, the
audit-trail messages aren’t displayed. This command was introduced in IOS 11.2
The following messages are two examples of audit-trail messages.
To determine which protocol was inspected, refer to the responder’s port number
following the responder’s IP address.
%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.13:33192)
sent 22 bytes -- responder (192.168.129.11:25) sent 208 bytes
%FW-6-SESS_AUDIT_TRAIL: ftp session initiator (192.168.1.13:33194)
sent 336 bytes -- responder (192.168.129.11:21) sent 325 bytes
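A parser for the %FW-6-SESS_AUDIT_TRAIL format shown above, added here as an example and not part of the original text: it performs the responder-port lookup the text describes, tolerates a dropped parenthesis like the one in the ftp message, and rolls closed sessions up per responder and service for session-based reporting. The sample syslog lines and the small port-to-service table are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the %FW-6-SESS_AUDIT_TRAIL format shown above.
# The second line deliberately reproduces a missing "(" before the initiator address.
SAMPLE_LOG = """\
%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.13:33192) sent 22 bytes -- responder (192.168.129.11:25) sent 208 bytes
%FW-6-SESS_AUDIT_TRAIL: ftp session initiator 192.168.1.13:33194) sent 336 bytes -- responder (192.168.129.11:21) sent 325 bytes
%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.20:40001) sent 1500 bytes -- responder (192.168.129.11:25) sent 900 bytes
%SYS-5-CONFIG_I: Configured from console by console
"""

# Parentheses are optional on both addresses so a line with a dropped "(" or ")" still parses.
AUDIT_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: (?P<proto>\S+) session initiator "
    r"\(?(?P<init_ip>[\d.]+):(?P<init_port>\d+)\)? sent (?P<init_bytes>\d+) bytes -- "
    r"responder \(?(?P<resp_ip>[\d.]+):(?P<resp_port>\d+)\)? sent (?P<resp_bytes>\d+) bytes"
)

# Responder port -> inspected application: the lookup the text tells the reader to do by hand.
WELL_KNOWN = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http"}

def parse_audit_trail(line):
    """Return a dict for one audit-trail message, or None for any other syslog line."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("init_port", "init_bytes", "resp_port", "resp_bytes"):
        rec[key] = int(rec[key])
    rec["service"] = WELL_KNOWN.get(rec["resp_port"], "port-%d" % rec["resp_port"])
    rec["total_bytes"] = rec["init_bytes"] + rec["resp_bytes"]
    return rec

def session_report(log_text):
    """Count closed sessions and total bytes per (responder IP, service)."""
    report = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_audit_trail(line)
        if rec is None:
            continue  # not a CBAC audit-trail message
        entry = report[(rec["resp_ip"], rec["service"])]
        entry["sessions"] += 1
        entry["bytes"] += rec["total_bytes"]
    return dict(report)

if __name__ == "__main__":
    for key, stats in sorted(session_report(SAMPLE_LOG).items()):
        print(key, stats)
```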
CBAC alert messages are displayed on the console by default. Use
the Global Configuration Mode command ip inspect
alert-off to disable these messages. To reenable CBAC alert messages, use
the no form of the command. The syntax is
Rtr1(config)#ip inspect alert-off
Rtr1(config)#no ip inspect alert-off
This command has no arguments or keywords. This command was
introduced in IOS 12.0(5)T.
While it isn’t a CBAC feature, make sure logging is enabled
and a syslog server is specified, so any incidents are properly logged for
Rtr1(config)#service timestamps log datetime
Rtr1(config)#logging host
Rtr1(config)#logging facility facility-type
Rtr1(config)#logging trap level
The commands, in order, do the following:
Adds the date and time to syslog and audit-trail
Defines the host name or IP address of the host to send syslog messages to.
Configures the syslog facility in which error messages are
(Optional) Limits messages logged to the syslog servers
based on severity. The default is level 7 (informational).