In a recent class a student asked how to be notified if a failover occurred with their ASA. This can be accomplished using ASA SMTP logging. To begin, configure the ASA with a source and destination email address to send log events to. In this example I have set the ASA logging level to emergencies. The ASA will use the higher level between this configuration and the email logging destination configuration. We will see that in another screenshot.
Next, configure the SMTP server to use for relaying log messages.
There are two ways to get HA events sent via email. One way is to create an event list, which lets you determine exactly which classes or specific events you want to include. In the image below, we are creating an event list called FAILOVER and indicating that we are interested only in events 104001, 104002, and 104003. While the ASA has a number of HA events that would be beneficial to know about, each of these three events indicates a change in the failover state, as seen in the following table.
|Error Message|
|---|
|%ASA-1-104001: (Primary) Switching to ACTIVE (cause: string).|
|%ASA-1-104002: (Primary) Switching to STANDBY (cause: string).|
|%ASA-1-104003: (Primary) Switching to FAILED.|
You can find all log message information in the ASA Syslog Message Guide here.
In the next step we are going to tie the event list with our specific log messages to our email logging destination. First, access the logging filters configuration page. This is where you define what is sent to each destination. In this case we are concerned with the email destination, and we can see that it is disabled. Double-click the word “disabled” to set the event list to send to email.
Next, select the event list radio button and make sure our FAILOVER list is selected.
Click OK and APPLY and you’re done. There is, however, an alternate method. Rather than selecting each individual message, you could choose to receive emails for the entire class of HA log messages by selecting an event class rather than using an event list. This is seen in the image below. Note that you also specify the severity level; in this case emergencies has been set.
At this point you’re good to go. As mentioned, the SMTP server is a relay. If you’re using Google Apps in your organization you might be interested in this support document which details the relay information.
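For reference, the same setup expressed as ASA CLI commands, as an added example rather than configuration taken from the original screenshots. The email addresses and the SMTP relay IP are constructed placeholders; the list name, message IDs and severity level are the ones used in this walkthrough.

```text
! Added example: CLI equivalent of the ASDM steps described above.
! Addresses and the relay IP are placeholders (assumptions), not values from the post.

! Turn on logging and set the sender and recipient for emailed log events
logging enable
logging from-address asa-alerts@example.com
logging recipient-address netops@example.com level emergencies

! SMTP server used to relay the log messages
smtp-server 192.0.2.25

! Method 1: event list holding only the three failover state-change messages,
! then bind that list to the email destination
logging list FAILOVER message 104001-104003
logging mail FAILOVER

! Method 2 (alternative to method 1): send the whole HA (failover) class
! to email at the chosen severity level
! logging class ha mail emergencies
```

The digit after `%ASA-` in each message is its severity, so 104001 through 104003 are severity 1 (alerts), while a level-based filter set to emergencies matches only severity 0. Running `show logging` afterwards displays the mail logging setting so you can confirm what was applied.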
Being able to send email when something catastrophic happens is nice, but use it sparingly. The more you throw to your inbox the less you’re likely to read. I recommend the least privilege type model. Send only what’s absolutely necessary, not what’s nice. This way you’re likely to trust your inbox.
Side Point For GTDers: What I like to do is create a recurring Omnifocus task to review any emails I have received from my ASA. I create an email filter so only critical messages hit the inbox, and some “less critical” emails auto-archive. A daily Omnifocus task to review that archive helps me to not worry about the archive until it’s time to check it.