topic ASA Log Entry Format in Network Security

ASA Log Entry Format

schaef350 — Tue, 12 Mar 2019 01:28:20 GMT

I am hoping this is a simple question for someone: Why does the ASA report log events in differnt formats? For example, permits and denys are not formatted the same. It would be incredibly convinient if they formats would be the same, at least from my perspective when grepping or running the data into splunk.

A deny looks like this:

Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:X.X.X.30/63016 dst outside:X.X.X.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0]

While a permitted ACL hit looks like this:

Apr 15 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2241) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

Is there a way to get the permits and denys to match in format? Perhaps there is a reason they don't...?

ASA Log Entry Format

Ramraj Sivagnanam Sivajanam — Wed, 24 Apr 2013 08:02:12 GMT

Hi bro

Please kindly re-explain your question. This is because Cisco ASA's PERMIT and DENY for a typical ACL is the same, as shown below;

Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.203.230.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]

Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/204.61.216.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]

Regards,

Ram

ASA Log Entry Format

schaef350 — Mon, 29 Apr 2013 13:01:20 GMT

That is what I thought as well, however, the ASA I am working with is generating log messages as I indicated above. I am wondering what I have to do to have the unit generate log messages like you indicated you your response.

ASA Log Entry Format

Ramraj Sivagnanam Sivajanam — Mon, 29 Apr 2013 16:27:34 GMT

Hi Bro

I think, I may know where your problem is but before I confirm anything, please paste the output of show run logging and show logging here, please.

ASA Log Entry Format

schaef350 — Mon, 29 Apr 2013 16:40:44 GMT

asa# show run logging

logging enable

logging timestamp

logging console alerts

logging monitor errors

logging buffered informational

logging trap informational

logging history warnings

logging asdm warnings

logging facility 23

logging host inside 10.X.X.X 17/1025

no logging message 507003

no logging message 733100

no logging message 111008

no logging message 304002

no logging message 304001

asa# sho logging

Syslog logging: enabled

Facility: 23

Timestamp logging: enabled

Standby logging: disabled

Debug-trace logging: disabled

Console logging: level alerts, 0 messages logged

Monitor logging: level errors, 3824213 messages logged

Buffer logging: level informational, 395145791 messages logged

Trap logging: level informational, facility 23, 274270414 messages logged

Logging to inside 10.X.X.X udp/1025 errors: 8 dropped: 775

History logging: level warnings, 4040728 messages logged

Device ID: disabled

Mail logging: disabled

ASDM logging: level warnings, 4042233 messages logged

ASA Log Entry Format

Ramraj Sivagnanam Sivajanam — Mon, 29 Apr 2013 16:54:43 GMT

Hi Bro

I don't see any logs that appeared under your show logging output. Since logging buffer and logging trap are the same level i.e. informational, what ever logs you see in your Syslog server, should be the same logs you see in show logging.

Please paste the show logging output here, once you have it.

ASA Log Entry Format

schaef350 — Mon, 29 Apr 2013 17:26:46 GMT

asa# sh logging

Syslog logging: enabled

Facility: 23

Timestamp logging: enabled

Standby logging: disabled

Debug-trace logging: disabled

Console logging: level alerts, 0 messages logged

Monitor logging: level errors, 3824252 messages logged

Buffer logging: level informational, 395174037 messages logged

Trap logging: level informational, facility 23, 274298660 messages logged

Logging to inside 10.X.X.X udp/1025 errors: 8 dropped: 775

History logging: level warnings, 4040890 messages logged

Device ID: disabled

Mail logging: disabled

ASDM logging: level warnings, 4042395 messages logged

08.67.222.222/53 to inside:X.X.1.35/53289 duration 0:00:00 bytes 128

Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:X.X.3.42/4952 to outside:X.X.X.130/12834

Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:X.X.X.43/443 (X.X.X.43/443) to inside:X.X.3.42/4952 (X.X.X.130/12834)

Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic UDP translation from inside:X.X.1.35/52925 to outside:X.X.X.130/25882

Apr 29 2013 12:59:50: %ASA-6-302015: Built outbound UDP connection 89743275 for outside:X.X.X.222/53 (X.X.X.222/53) to inside:X.X.1.35/52925 (X.X.X.130/25882)

Apr 29 2013 12:59:50: %ASA-6-305012: Teardown dynamic UDP translation from inside:X.X.1.24/63322 to outside:X.X.X.130/59309 duration 0:00:30

Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:X.X.3.42/4953 to outside:X.X.X.130/45392

Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743276 for outside:X.X.X.1/80 (X.X.X.1/80) to inside:X.X.3.42/4953 (X.X.X.130/45392)

Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 89743275 for outside:X.X.X.222/53 to inside:X.X.1.35/52925 duration 0:00:00 bytes 140

Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:X.X.3.42/4954 to outside:X.X.X.130/10879

Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743277 for outside:X.X.X.17/80 (X.X.X.17/80) to inside:X.X.3.42/4954 (X.X.X.130/10879)

ASA Log Entry Format

Ramraj Sivagnanam Sivajanam — Tue, 30 Apr 2013 05:46:07 GMT

Hi Bro

All I see is teardown and build messages. I don't see the logs for permit and deny acl. Please kindly resend.

ASA Log Entry Format

schaef350 — Tue, 30 Apr 2013 13:26:34 GMT

Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from X.X.X.66/12981 to X.X.X.60/53 due to DNS Query

Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2006) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49734) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49735) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49736) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49737) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:22:40: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49738) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:22:41: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49746) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:22:47: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2007) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:22:48: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.13(43013) -> dmz/x.x.x.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:22:56: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2008) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:23:02: %ASA-2-106006: Deny inbound UDP from X.X.X.66/137 to X.X.X.42/137 on interface inside

Apr 30 2013 09:23:03: %ASA-2-106007: Deny inbound UDP from X.X.X.66/12981 to X.X.X.60/53 due to DNS Query

Apr 30 2013 09:23:06: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2009) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:23:08: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49776) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:23:15: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2010) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:23:24: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2011) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:23:33: %ASA-2-106007: Deny inbound UDP from X.X.X.66/12981 to X.X.X.60/53 due to DNS Query

Apr 30 2013 09:23:34: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2012) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:23:40: %ASA-4-106023: Deny tcp src outside:X.X.X.126/53638 dst inside:X.X.X.132/8111 by access-group "acl_out" [0x71761f18, 0x0]

Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:X.X.X.126/53638 dst inside:X.X.X.132/8111 by access-group "acl_out" [0x71761f18, 0x0]

Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49840) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2013) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

ASA Log Entry Format

schaef350 — Tue, 30 Apr 2013 13:29:16 GMT

I suspect the issue is in part that my Deny events are 106007's and the permits are106100. In your example they are both 106100's and also in the same format. How do our configurations differ?

ASA Log Entry Format

Ramraj Sivagnanam Sivajanam — Tue, 30 Apr 2013 19:17:42 GMT

Hi Bro

The syslog message 106007 isn’t ACL denies but 106100 is. Let me try to explain.

Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from X.X.X.66/12981 to X.X.X.60/53 due to DNS Query

This is an error message that the FW is telling you, that you need to fix. This simply indicates that the FW is denying the communication from X.X.X.66/12981 to X.X.X.60/53 due to other reasons e.g. asymmetric routing, DNS server was probably too slow to respond etc. This is not ACL deny.

Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/204.61.216.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]

This is ACL deny. This is not an error message. This message indicates that the FW is dropping the communication between 172.29.2.3(1065) -> outside/204.61.216.57(53) because you’ve specified so, in your ACL. This behavior is correct. There’s nothing you need to look into or even fix.

Conclusion : 106007 tells you something is wrong and you need to fix it, and 106100, tells you all are behaving as expected.

Regards,

Ram

ASA Log Entry Format

schaef350 — Tue, 30 Apr 2013 19:47:04 GMT

Ok, I see what your saying there. I guess I ended up getting away from the origonal question... How about the two permit / deny events listed at the very top of this discussion? I am still seeing a lot of them as well. 106100 and 106023.

ASA Log Entry Format

Ramraj Sivagnanam Sivajanam — Tue, 30 Apr 2013 20:22:45 GMT

I can't see anything at the top of the discussion... All I see is the scroll bar but empty.. Could you repaste again, please

ASA Log Entry Format

schaef350 — Thu, 02 May 2013 15:26:10 GMT

The two major types of events I am getting are these:

Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:X.X.X.30/63016 dst outside:X.X.X.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0]

Apr 15 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2241) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

As you indicated you are getting a 106100 event for permit and denied events. My system, however gives the events as shown here.

ASA Log Entry Format

Julio Carvajal — Thu, 02 May 2013 21:07:13 GMT

Hello by default you are not going to log the implicit deny at the end of an ACL, to log those events you MUST manually create that ACL line

access-list test deny ip any any

Then you will get the logs same to the permit ones,

Remember to rate all of the helpful posts

Julio Carvajal