topic Re: ASA url logging in Network Security

ASA url logging

scottwilliamson — Fri, 21 Feb 2020 11:48:02 GMT

Hi,

I'm attempting to make our ASA log urls and I am getting some success. However, the output presents the IP instead of the actual domain, e.g, when browsing to imdb it is logged as:

Nov 16 2009 14:12:35: %ASA-5-304001: 30.30.30.30 Accessed URL 209.85.229.148:/ad

j/imdb2.consumer.homepage/;tile=2;sz=468x60,728x90,1008x150,9x1;p=t;s=32;;ord=99

73051011677648

rather than imdb.com/....(or whatever it happens to be).

How do I get the ASA to log the domain rather than the corresponding IP address?

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#related

states the ASA has to run vers 8.0.4.24 or later, ours has 8.2(1).

Thanks,

Scott

Re: ASA url logging

Panos Kampanakis — Mon, 16 Nov 2009 18:43:50 GMT

Scott,

The ASA will not log the url. There is an enhancement request for the syslog 304001 to log the url but it hasn't been fixed and I don't have an ETA for it as it is not in roadmap.

FYI, the enhancement request is CSCdt32288.

I hope it makes it clear.

Re: ASA url logging

Panos Kampanakis — Mon, 16 Nov 2009 18:52:23 GMT

Testing it here locally it seems there are changes that have been implemented.

When going to microsoft.com I saw log

%ASA-5-304001: 192.168.1.2 Accessed URL 207.46.19.190:http://www.microsoft.com/

I was doing just http inspection.

policy-map global_policy

class inspection_default

...

inspect http

running ASA 8.2.1.

Re: ASA url logging

scottwilliamson — Tue, 17 Nov 2009 09:10:01 GMT

Thanks Panos,

So would the best summary of the situation be to say that the ASA does log the full url in a proportion of cases, dependant on how the website's url is put together, perhaps?

Regards,

Scott

Re: ASA url logging

scottwilliamson — Tue, 17 Nov 2009 09:21:39 GMT

Hi,

I've tried browsing to www.microsoft.com and although I get different IP addresses (possibly as I'm in the UK) it doesn't resolve the url. Can you specify a dns server in the ASA somehow?

thanks

Scott

Re: ASA url logging

Panos Kampanakis — Tue, 17 Nov 2009 15:26:20 GMT

Hi Scott,

That is correct. Note that even in your log you have "/adj/imdb2.consumer.homepage/" which is probably the uri of the GET request. So the URL in the get is logged.I believe you would have a log for the initial GET to imdb.com.

How about if you try microsoft as I did? You should see the same initial log there an then a bunch of other logs for the subsequent GETs done to complete the page.

Re: ASA url logging

Panos Kampanakis — Tue, 17 Nov 2009 15:28:07 GMT

The DNS server on the ASA. It is the GEt that the ASA should be logging.

Re: ASA url logging

scottwilliamson — Tue, 17 Nov 2009 15:32:50 GMT

Hi Panos,

Sorry, I don't underestand - could you explain this to me.

Thanks

Scott

Re: ASA url logging

scottwilliamson — Tue, 17 Nov 2009 16:19:52 GMT

Hi Panos,

here is what I get when I browse to http://www.microsoft.com - no sign of www.microsoft.com here, I'm afraid.

Scott

ciscoasa# Nov 17 2009 16:16:23: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.1

9.190:/

Nov 17 2009 16:16:24: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.19.190:/en/

shared/core/2/js/js.ashx?s=Csp;shared

Nov 17 2009 16:16:24: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.19.190:/en/

shared/core/2/css/css.ashx?sc=/en/us/site.config&pc=/En/us/PageConfig/win7/Direc

tInstall.config.xml&m=cspMscomHomePageBase&ie=true

Nov 17 2009 16:16:25: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.19.190:/en/

shared/core/2/css/css.ashx?sc=/en/us/site.config&pc=/En/us/PageConfig/win7/Direc

tInstall.config.xml&c=cspMscomHeader&ie=true

Nov 17 2009 16:16:26: %ASA-5-304001: 30.30.30.30 Accessed URL 92.122.189.48:/lib

rary/svy/broker.js

Nov 17 2009 16:16:27: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.19.190:/glo

bal/en/us/RenderingAssets/win7/TakeOverScript.js

Nov 17 2009 16:16:28: %ASA-5-304001: 30.30.30.30 Accessed URL 92.122.189.48:/glo

bal/En/PublishingImages/m.ms1.png

Nov 17 2009 16:16:28: %ASA-5-304001: 30.30.30.30 Accessed URL 92.122.189.48:/glo

bal/en/publishingimages/sitebrand/microsoft.gif

Nov 17 2009 16:16:28: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.19.190:/glo

bal/En/us/RenderingAssets/SLWindowPane/WindowPane_eventHandlers_111609.js

Nov 17 2009 16:16:29: %ASA-5-304001: 30.30.30.30 Accessed URL 213.199.141.139:/A

DSAdClient31.dll?GetSAd=&DPJS=4&PG=CMSNGN&AP=1087

Nov 17 2009 16:16:30: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.148.31:/MRT

/iview/173914879/direct/01?click=

Nov 17 2009 16:16:31: %ASA-5-304001: 30.30.30.30 Accessed URL 92.122.189.35:/lib

rary/svy/broker-config.js?1258474626906

Nov 17 2009 16:16:31: %ASA-5-304001: 30.30.30.30 Accessed URL 213.199.149.93:/b/

NMMRTSHARPCU/FY10_WinPhone_180x150_intrepid_v3_1022091609.gif

Re: ASA url logging

roderickm — Fri, 20 Nov 2009 02:16:12 GMT

From the logs posted, it appears the GET is being logged, but not the Host header. The Host header is the part of the request that would tell you which site at the logged IP address was accessed.It comes before the GET.

Name-based virtual hosts (in HTTP 1.1) require a Host header in the HTTP request, because many website domains can share the same IP address.

Re: ASA url logging

scottwilliamson — Fri, 20 Nov 2009 09:54:42 GMT

Hi Roderick,

Thanks for your reply - so is there a way to get the ASA to log the url or is it dependant on how the website is constructed?

Regards

Scott

Re: ASA url logging

roderickm — Fri, 20 Nov 2009 13:54:43 GMT

Scott, I'm not aware of a way to log the Host header of an HTTP request using the ASA. Panos' reply to this thread seems more informative to that end, saying that this enhancement request is CSCdt32288 but is not on the roadmap. I would also use this feature if the ASA were not overly burdened by enabling it.

If you absolutely must log the entire HTTP request, you may need to consider a different solution to meet that need. A sniffer with appropriate filters, an HTTP-aware IDS (snort.org), or a web filtering product could all handle this easily.

Re: ASA url logging

roderickm — Fri, 20 Nov 2009 15:36:06 GMT

Well, I spoke too soon. Here's a method to log the entire request, with Host and URI. I found this on the CCIE_Security mailing list archive. Basically, you set up a regex to match the sites you wish to log. I used a simple dot "." to match anything.

regex matchall "."
!
class-map type regex match-any DomainLogList
 match regex matchall
class-map type inspect http match-all LogDomainsClass
 match request header host regex class DomainLogList
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect http http_inspection_policy
 parameters
 class LogDomainsClass
  log

Then check your logging:

Nov 20 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 157.166.255.19:http://cnn.com/
Nov 20 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 157.166.226.26:http://www.cnn.com/
Nov 20 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 198.78.220.126:http://i.cdn.turner.com/cnn/.element/css/3.0/common.css
Nov 20 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 198.78.220.126:http://i.cdn.turner.com/cnn/.element/css/3.0/main.css

Beware -- this logs every HTTP request that the ASA sees. I have no idea how much load this places on an ASA with significant HTTP traffic. As described in the linked mailing list post, you may create more specific regex lists to match specific Hosts and/or URIs, and may take actions other than logging, including blocking/resetting.

Re: ASA url logging

scottwilliamson — Fri, 20 Nov 2009 15:47:07 GMT

Hi Roderick,

This looks very promising - I'll give it a go on our spare ASA and let you know

hopefully my limited experience on the ASA will still allow me emulate your config

best Regards

Scott

Re: ASA url logging

scottwilliamson — Mon, 23 Nov 2009 11:36:06 GMT

Hi again,

I've configured the regex matchall etc this morning and I'm afraid nothing appears in the logs - I'm starting with an ASA config "out of the box" so maybe I'm missing something, though I have enabled logging .....

logging enable
logging timestamp
logging standby
logging list Weblog message 304001
logging console Weblog
logging buffered debugging
logging history Weblog
logging facility 21

the "Weblog" entries are from the NAC guest server / ASA url stuff mentioned in my original post.

Thanks

Scott

Re: ASA url logging

scottwilliamson — Fri, 27 Nov 2009 11:32:03 GMT

Hi Folks,

Any ideas would be welcome - I feel that with your help this is very close to being resolved.

Many Thanks

Scott

Re: ASA url logging

ronniekendrick — Wed, 09 Dec 2009 16:05:09 GMT

Scott,

I have my ASA sending logs to a syslog server. Here is my ASA logging:

logging enable
logging timestamp
logging trap debugging
logging host inside x.x.x.x

My syslog server is setup to only receive NOTICE events from the ASA. However, I'm now stuck where Scott was in his original post. It's logging the IP and URI, but isn't showing the actual host. I'm running 8.0(4). Here's what I see in my logs:

Dec 9 10:07:27 10.0.0.1 Dec 09 2009 08:07:05: %ASA-5-304001: 10.0.8.108 Accessed URL 208.80.152.3:/wikipedia/en/b/bc/Wiki.png
Dec 9 10:07:27 10.0.0.1 Dec 09 2009 08:07:05: %ASA-5-415008: HTTP - matched Class 30: LogDomainsClass in policy-map http_inspection_policy, header matched from inside:10.0.8.108/1512 to outside: 208.80.152.3/80

Here is a snippet from my running config:

regex matchall "."

class-map type regex match-any DomainLogList
match regex matchall

class-map type inspect http match-all LogDomainsClass
match request header host regex class DomainLogList

class-map inspection_default
match default-inspection-traffic

policy-map type inspect http http_inspection_policy
description http_inspection_policy
parameters
protocol-violation action drop-connection
match request method connect
drop-connection log
class LogDomainsClass
log

policy-map inside-policy
class inside-classAccept
inspect http http_inspection_policy
class inside-class
inspect http http_inspection_policy
class inspection_default
inspect http

Was this a feature added in a later firmware? If so, I'll make the upgrade.

Re: ASA url logging

scottwilliamson — Mon, 14 Dec 2009 15:17:51 GMT

Hi Ronald,

from sh version "System image file is "disk0:/asa821-k8.bin" - is there a feature that is missing from our respective ASAs that the others have?

I doubt it but I cannot see what I've missed from the config.

Scott

Re: ASA url logging

claytonchumby — Mon, 22 Feb 2010 18:48:11 GMT

Any new news on this issue? I haven't been able to get the ASA (running version 8.2(1)) to log the hostname using any of the techniques above. However, if you look at this cisco.com page, it indicates indirectly that this is meant to work, simply by adding "inspect http" to class inspection_default.

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#asac

The inspect http command is placed under a
      class-map within a policy-map. When enabled with the
      service-policy command, http inspection logs Get
      requests with syslog message 304001. ASA code 8.0.4.24 or later is required for
      syslog message 304001 to show the hostname as part of the URL.

I'm baffled. It is hard to believe this should be so difficult. How else are you supposed to log web usage without 3rd party products or a proxy server?

Re: ASA url logging

dedmundson — Sun, 07 Nov 2010 13:19:48 GMT

I have been trying to get URL Logging to work too. I have found that if I browse to one of out internal sites it will log the URL name but if I go to a external site it will log the IP Address .

Has anyone gotten this to work for external sites?

Accessed URL 63.69.72.58:/js/pass.html?cb=23844
Accessed URL 96.17.72.144:/_media/uac/anatp.html?t=160afrf1088k4h&s=99999,
Accessed URL 64.236.79.229:/adcedge/lb?site=695501&betr=tc=1,99999,52588,5
Accessed URL 69.31.116.120:/assets/images/home/icons/video.gif
Accessed URL 216.246.75.227:/rsrc.php/zx/r/DmvbpGB-fMy.swf
Accessed URL 66.220.146.32:/extern/login_status.php?api_key=61b68b0702fb92
Accessed URL 209.234.252.57:/js/api_lib/v0.4/XdCommReceiver.js?v2
Accessed URL www.expresspros.com:/
Accessed URL www.expresspros.com:/shared/style/ie.css
Accessed URL www.expresspros.com:/shared/javascript/swfobject.js
Accessed URL www.expresspros.com:/shared/javascript/thickbox.js
Accessed URL www.expresspros.com:/shared/javascript/jquery-1-2-3-min.js
Accessed URL www.expresspros.com:/shared/images/socialmedia/twitter-sm.gif
Accessed URL 74.125.67.138:/ga.js
Accessed URL www.expresspros.com:/favicon.ico
Accessed URL 199.7.57.72:/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsK8Var42Wv2Ct%2BB