topic Re: Taking out Any Any hitting loggs in Network Security

Taking out Any Any hitting loggs

Lahiruk — Fri, 21 Feb 2020 16:51:02 GMT

Hi All,

I have deployed Cisco 2100 series ASA with multi context mode and it contains any any rule in some contexts. So I need to take out all the traffic loggs which hitting any any rule.

Any idea of taking loggs for each any any rule. ? I need to remove this rule before it goes live.

-Dil

Re: Taking out Any Any hitting loggs

balaji.bandi — Fri, 22 Feb 2019 15:01:53 GMT

Have you configured external log server to log these ? if not you will not able to get that information.

if you like to have all the logs, configure syslog server and route the logs to log server.

Re: Taking out Any Any hitting loggs

Lahiruk — Fri, 22 Feb 2019 15:07:27 GMT

Hi BB,

I have not configured external server yet , and hope to configure.

I just need to taking out traffic loggs which hitting only any any ACLs.

Regards,

Dilk

Re: Taking out Any Any hitting loggs

balaji.bandi — Fri, 22 Feb 2019 17:18:21 GMT

Sure you configure only those to logs to export to syslog server.

Re: Taking out Any Any hitting loggs

Lahiruk — Sat, 23 Feb 2019 03:52:28 GMT

My rule number is 56 for Any Any ACL, how can i create a event for getting logs related to this rule only. please send me how it configure.

I need to capture source and destination with ports which hitting to rule number 56 only.

configured a syslog server also

regards,

Dilk

Re: Taking out Any Any hitting loggs

balaji.bandi — Sat, 23 Feb 2019 11:13:08 GMT

logging enable
logging timestamp
logging message 106100
logging trap informational or debug ( depends on your requirememt)
logging host MANAGEMENT 10.10.10.10
!
access-list 56 XXXXXXX  any any log

checking logs
show logging message 106100

here is teh guide

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc27

make sure you have syslog server running and you have ACL setup on ASA for that syslog host port 514.

Re: Taking out Any Any hitting loggs

Marius Gunnerud — Sat, 23 Feb 2019 22:18:55 GMT

Disable logging on all access control entries except the permit ip any any ACL. This can be done in ASDM by unchecking the logging enable check box in each ACL or adding the keywords "logging disable" at the end of each access control entry in the CLI.

Re: Taking out Any Any hitting loggs

Lahiruk — Mon, 25 Feb 2019 03:25:26 GMT

Thanks All,

I found a way to collect it from the ASDM itself.

1. Enable debugging in particular ACL
2. Go to Confiuration ⇒ Device Management ⇒ Logging ⇒ Logging filters ⇒Select the logging destination as ASDM and change the serevivity level into debugging
3. Go back to again ACL ⇒ Write click ⇒ and select show log

Regards,
Dilk

Re: Taking out Any Any hitting loggs

balaji.bandi — Mon, 25 Feb 2019 08:48:45 GMT

As for as i know that log do current until buffer over flow, that not cover history of the logs.

As per your orginal post you like to log them and analyse them for later use (correct me if my understanding was wrong) ?

Re: Taking out Any Any hitting loggs

Lahiruk — Mon, 25 Feb 2019 08:57:26 GMT

Thanks BB for your response and for the time being I had to analyze real time traffic. Later I will configure for old traffic using a syslog server.

Thanks for your answers

Regards,
Dilk