https://community.cisco.com/t5/network-security/logging-acl-permit-statements/m-p/986191#M938252 <HTML><HEAD></HEAD><BODY><P>This is very easy:</P><P></P><P>conf t</P><P> logging on</P><P> logging timestamp</P><P> logging facility 19 </P><P> logging host outside 192.168.15.10</P><P> logging trap 6</P><P></P><P>Once you have this, assume your syslog server</P><P>is 192.168.15.10 and it is Linux, modify the</P><P>/etc/syslog.conf to include this line:</P><P></P><P>local3.* /var/log/cisco.log</P><P></P><P>make sure you allow syslog to your linux box</P><P>in the /etc/sysconfig/syslog file:</P><P></P><P># Options to syslogd</P><P># -m 0 disables 'MARK' messages.</P><P># -r enables logging from remote machines</P><P># -x disables DNS lookups on messages recieved with -r</P><P># See syslogd(8) for more details</P><P>SYSLOGD_OPTIONS="-m 0 -r -x"</P><P></P><P>restart your syslog with "service syslog restart"</P><P></P><P>Now do this: tail -f /var/log/cisco.log | grep 192.168.15.25 where 192.168.15.25 is the</P><P>External IP address of my Pix firewall:</P><P></P><P>May 5 22:28:20 192.168.15.25 May 06 2008 00:47:05: %PIX-6-106100: access-list External permitted tcp outside/172.20.20.1(33563) -&gt; inside/192.168.15.70(139) hit-cnt 1 first hit</P><P>May 5 22:28:20 192.168.15.25 May 06 2008 00:47:05: %PIX-6-302013: Built inbound TCP connection 237480 for outside:172.20.20.1/33563 (172.20.20.1/33563) to inside:192.168.4.70/139 (192.168.15.70/139)</P><P></P><P></P><P>I am using NebBiOS as an example but you get</P><P>the idea. You may also want to supress lot</P><P>of translation messages with "no logging</P><P>message xxxxxx"</P><P></P><P>Easy right?</P><P></P><P>CCIE Security</P><P></P><P></P><P></P><P></P><P></P><P></P></BODY></HTML> Mon, 05 May 2008 23:33:30 GMT cisco24x7 2008-05-05T23:33:30Z https://community.cisco.com/t5/network-security/logging-acl-permit-statements/m-p/986190#M938251 <P>I have a customer with a PIX 515 running 6.3. They have an appliance running a web server and they allow port 80 to a public IP. This is working but they want to log the actual IPs being used to access the web server. They have this currently:</P><P>access-list out_in permit tcp any host 1.2.3.4 eq https</P><P></P><P>I've tried</P><P>access-list out_in permit tcp any host 1.2.3.4 eq https log</P><P></P><P>but this does not generate any syslog messages. I tried using log-input but it gives me an extra command arguement(s).</P><P></P><P>The customer doesn't have access to the external router so is there any way to record the IP addresses that are being allowed through this acl? The appliance has a log but it does not include this information and is not customizable.</P> Mon, 11 Mar 2019 12:40:19 GMT https://community.cisco.com/t5/network-security/logging-acl-permit-statements/m-p/986190#M938251 nutflush11 2019-03-11T12:40:19Z https://community.cisco.com/t5/network-security/logging-acl-permit-statements/m-p/986191#M938252 <HTML><HEAD></HEAD><BODY><P>This is very easy:</P><P></P><P>conf t</P><P> logging on</P><P> logging timestamp</P><P> logging facility 19 </P><P> logging host outside 192.168.15.10</P><P> logging trap 6</P><P></P><P>Once you have this, assume your syslog server</P><P>is 192.168.15.10 and it is Linux, modify the</P><P>/etc/syslog.conf to include this line:</P><P></P><P>local3.* /var/log/cisco.log</P><P></P><P>make sure you allow syslog to your linux box</P><P>in the /etc/sysconfig/syslog file:</P><P></P><P># Options to syslogd</P><P># -m 0 disables 'MARK' messages.</P><P># -r enables logging from remote machines</P><P># -x disables DNS lookups on messages recieved with -r</P><P># See syslogd(8) for more details</P><P>SYSLOGD_OPTIONS="-m 0 -r -x"</P><P></P><P>restart your syslog with "service syslog restart"</P><P></P><P>Now do this: tail -f /var/log/cisco.log | grep 192.168.15.25 where 192.168.15.25 is the</P><P>External IP address of my Pix firewall:</P><P></P><P>May 5 22:28:20 192.168.15.25 May 06 2008 00:47:05: %PIX-6-106100: access-list External permitted tcp outside/172.20.20.1(33563) -&gt; inside/192.168.15.70(139) hit-cnt 1 first hit</P><P>May 5 22:28:20 192.168.15.25 May 06 2008 00:47:05: %PIX-6-302013: Built inbound TCP connection 237480 for outside:172.20.20.1/33563 (172.20.20.1/33563) to inside:192.168.4.70/139 (192.168.15.70/139)</P><P></P><P></P><P>I am using NebBiOS as an example but you get</P><P>the idea. You may also want to supress lot</P><P>of translation messages with "no logging</P><P>message xxxxxx"</P><P></P><P>Easy right?</P><P></P><P>CCIE Security</P><P></P><P></P><P></P><P></P><P></P><P></P></BODY></HTML> Mon, 05 May 2008 23:33:30 GMT https://community.cisco.com/t5/network-security/logging-acl-permit-statements/m-p/986191#M938252 cisco24x7 2008-05-05T23:33:30Z