topic Help Syslog in Network Security

Help Syslog

smetieh001 — Tue, 12 Mar 2019 02:55:31 GMT

Hi Experts,

Syslog is only showing me hit messages on access-list denying inbound traffic from external (i.e. internet) on outside interface but does not show deny hits from inside traffic going out to any smtp.

i can see increamental hitcounts when i do "show access-list" which tells me the acl is working as should, however i am not able to see that on syslog message.

access-list inside_access_in line 2 extended deny tcp 10.x.x.x 255.0.0.0 any eq smtp log informational interval 300 (hitcnt=1910) 0x73edd974

see output of show run logging

firewall01# show run logging
logging enable
logging timestamp
logging emblem
logging console errors
logging trap warnings
logging asdm notifications
logging queue 0
logging device-id context-name
logging host Inside 10.x.x.1
logging debug-trace
logging permit-hostdown
logging class auth console emergencies
no logging message 313001
no logging message 313008
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
logging message 103012 level alerts
firewall01#

can some help please.

Thanks.

Help Syslog

Jouni Forss — Wed, 23 Oct 2013 17:53:33 GMT

Hi,

You have disabled the syslog ID/message that your are looking for with the below command

no logging message 106100

You could enter

logging message 106100

To re-enable the syslog ID

If I recall correct you also have some other connection/translation forming log messages disabled.

Hope this helps

Please remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni

Help Syslog

Julio Carvajal — Wed, 23 Oct 2013 17:54:54 GMT

Hello,

Here is the thing:

logging host Inside 10.x.x.1

logging trap warnings (level 4)

logging console errors (level 3)

access-list inside_access_in line 2 extended deny tcp 10.x.x.x 255.0.0.0 any eq smtp log informational interval 300 (hitcnt=1910) 0x73edd974 (Level 6)

Do u see the problem? Changed the log keyword on the ACL to be level 3 or 4 depending of where you want to send it (4 if you wanna send it to boths)

Regards,

Jcarvaja

follow me on http://laguiadelnetworking.com

Help Syslog

Jouni Forss — Wed, 23 Oct 2013 18:01:59 GMT

Seems I remembered the syslog ID wrong

It was actually 106023 that shows the denied connections.

You should see them in the ASDM with current logging settings. And as Julio mentioned for other destinations of logging you would have to make changes or change the above syslog IDs logging level to something that fits the current levels set.

- Jouni

Help Syslog

jumora — Wed, 23 Oct 2013 18:21:14 GMT

The default syslog message for drops based on ACL applied on access-group is 106023 when you enable log option at the end of an ACL the syslopg option would be 106100.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_logging.html

If you enter the log option without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). if you want to change the interval it can be changed up to 1 second but remember that you pass more then one packet per second so it probably won't capture all tries but will most definitively drop all tries based on the deny on the ACL.

If you try to change the log message level for 106100 through the next command:

logging message 106100 level 4

It will not do it and give you the next information log

INFO: Please use the access-list command to change the severity level of this syslog

Help Syslog

smetieh001 — Wed, 23 Oct 2013 18:52:46 GMT

Hi Jouni,

Thanks for your response. The syslogID 106023 is enabled and the logging level set is "warning". I do see syslog messages of ID 106023, however it's only deny acl inbound on my outside interface. I would like to see syslog messages of deny acl hits inbound on my inside interface.

Re: Help Syslog

Jouni Forss — Wed, 23 Oct 2013 18:58:06 GMT

Hi,

I noticed that I actually mistook the correct syslog ID myself before I checked it from the Syslog documentation for ASA.

I guess you have defined a separate level for your ACL rule at the end of the ACL rule? The original post mentions "Informational" that doesnt match your current levels set in the "logging" commands.

If you had not modified any ACL rules default logging level and had enabled Notifications level logging to the logging destination of your choosing (server, asdm, buffer, etc) , you should see ALL log messages that deny traffic based on ACL rules.

So you you will have to change the logging level of either the actual ACL rules or change the logging level globally for some of the logging destinations you are viewing logs from.

- Jouni

Help Syslog

jumora — Wed, 23 Oct 2013 19:06:01 GMT

Hello,

Just add the log option with the interval defined as one second on the ACE that is denying traffic on tcp/25.

Just change delete the ACL and readd it with the correct logging level as Julio asked.

no access-list inside_access_in line 2 extended deny tcp 10.x.x.x 255.0.0.0 any eq smtp log

access-list inside_access_in line 2 extended deny tcp 10.x.x.x 255.0.0.0 any eq smtp log 4 interval 1

Help Syslog

Julio Carvajal — Wed, 23 Oct 2013 19:10:21 GMT

It all ends with the correct level definition!!

That's it...

Help Syslog

smetieh001 — Wed, 23 Oct 2013 20:00:14 GMT

Thanks all for your response.

present logging level on deny acl is now warning.

I do see logging messages from 106023 for inbound acl on outside interface however i do not for inbound inside interface.

however, 106100 is not enabled yet.

Question,

Shouldn't 106023 be able to show messages? or i do have to enable 106100? hope my question is not confusing?

Help Syslog

Julio Carvajal — Wed, 23 Oct 2013 20:05:10 GMT

Hello,

you have not denied either and by default is enabled. As long as you have it set for informational,

You should be able to see the messages now,

Regards,

Jcarvaja

Help Syslog

jumora — Wed, 23 Oct 2013 20:26:55 GMT

If you enable the keyword log on the ACL for traffic that is logged for what matches the ACL it will only report on syslog ID 106100.

Help Syslog

jumora — Tue, 29 Oct 2013 01:10:53 GMT

Did the information given to you help out for your solution, please let us know?

Help Syslog

jumora — Thu, 31 Oct 2013 17:54:57 GMT

Please update the ticket as resolved or answered so we can close out followup.