https://community.cisco.com/t5/network-security/quick-syslog-question-asa-5500-8-04/m-p/1198870#M859565 <HTML><HEAD></HEAD><BODY><P>Thank you for this - it didn't work quite correctly - I get a unknown command. If I expand it to incl hash, I get a blank. However, just doing a 'sh access-list <BLAH>' did give me the identifiers, just not how I expected. The nicer thing is that it gave me the hitcounts per ip address, instead of just per ACE.</BLAH></P><P></P><P></P></BODY></HTML> Wed, 03 Jun 2009 14:17:40 GMT RICH FRUEH 2009-06-03T14:17:40Z https://community.cisco.com/t5/network-security/quick-syslog-question-asa-5500-8-04/m-p/1198868#M859556 <P>Is there a way to get, from the syslog messages, which ACE of an ACL triggered a deny?</P><P></P><P>frex, I have an object, Blocked_addresses, which contains 30 addresses. This is used in a deny in an ACL. This element of the ACL shows a bunch of hits, but no details as to which element was matched. </P><P></P><P>I don't want to search the log repository for the whole list of IPs to see which one hit, I'd like to search the syslog for the specific ACE, so I can quickly isolate those messages.</P><P></P><P>I know each ACE has it's own identifier, but do they show up in the syslog in a usable format?</P><P></P><P>Thanks,</P><P>Rich</P> Mon, 11 Mar 2019 15:38:48 GMT https://community.cisco.com/t5/network-security/quick-syslog-question-asa-5500-8-04/m-p/1198868#M859556 RICH FRUEH 2019-03-11T15:38:48Z https://community.cisco.com/t5/network-security/quick-syslog-question-asa-5500-8-04/m-p/1198869#M859560 <HTML><HEAD></HEAD><BODY><P>The deny usually has a hash value.</P><P></P><P>To see which ACE that is you need to issue sh access-l blah | i hash</P><P></P><P>Presently it is not possible to get the appropriate ACE in the syslog deny message only the hash.</P><P></P><P></P></BODY></HTML> Wed, 03 Jun 2009 01:42:00 GMT https://community.cisco.com/t5/network-security/quick-syslog-question-asa-5500-8-04/m-p/1198869#M859560 Kureli Sankar 2009-06-03T01:42:00Z https://community.cisco.com/t5/network-security/quick-syslog-question-asa-5500-8-04/m-p/1198870#M859565 <HTML><HEAD></HEAD><BODY><P>Thank you for this - it didn't work quite correctly - I get a unknown command. If I expand it to incl hash, I get a blank. However, just doing a 'sh access-list <BLAH>' did give me the identifiers, just not how I expected. The nicer thing is that it gave me the hitcounts per ip address, instead of just per ACE.</BLAH></P><P></P><P></P></BODY></HTML> Wed, 03 Jun 2009 14:17:40 GMT https://community.cisco.com/t5/network-security/quick-syslog-question-asa-5500-8-04/m-p/1198870#M859565 RICH FRUEH 2009-06-03T14:17:40Z https://community.cisco.com/t5/network-security/quick-syslog-question-asa-5500-8-04/m-p/1198871#M859569 <HTML><HEAD></HEAD><BODY><P>you have to include for the hash value that you see in the syslogs when you issue sh access-list output.</P><P></P><P>example:</P><P>TK00FWSM# show access-list vl998</P><P>access-list vl998; 102 elements</P><P>access-list vl998 line 1 extended permit tcp any object-group</P><P>sisj-cgp-mailfe-svc eq smtp 0xb7e52495</P><P>access-list vl998 line 1 extended permit tcp any host</P><P>sisj-cgp-mailfe00-svc eq smtp (hitcnt=0) 0x4115ae92</P><P>access-list vl998 line 1 extended permit tcp any host</P><P>sisj-cgp-mailfe01-svc eq smtp (hitcnt=0) 0x9b15500</P><P></P><P></P><P>sh access-l v1998 | i 0x9b15500</P><P></P><P>Put the hash that you see in the syslogs in the above command.</P></BODY></HTML> Thu, 04 Jun 2009 19:26:43 GMT https://community.cisco.com/t5/network-security/quick-syslog-question-asa-5500-8-04/m-p/1198871#M859569 Kureli Sankar 2009-06-04T19:26:43Z https://community.cisco.com/t5/network-security/quick-syslog-question-asa-5500-8-04/m-p/1198872#M859571 <HTML><HEAD></HEAD><BODY><P><FACE palm=""></FACE></P><P></P><P>I see. I read the literal 'hash' not the variable hash.</P><P></P><P>Thank you!</P><P>R</P></BODY></HTML> Thu, 04 Jun 2009 19:43:25 GMT https://community.cisco.com/t5/network-security/quick-syslog-question-asa-5500-8-04/m-p/1198872#M859571 RICH FRUEH 2009-06-04T19:43:25Z