04-15-2013 06:39 AM - edited 03-11-2019 06:28 PM
I am hoping this is a simple question for someone: Why does the ASA report log events in different formats? For example, permits and denies are not formatted the same. It would be incredibly convenient if the formats were the same, at least from my perspective when grepping or running the data into Splunk.
A deny looks like this:
Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:X.X.X.30/63016 dst outside:X.X.X.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0]
While a permitted ACL hit looks like this:
Apr 15 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2241) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
Is there a way to get the permits and denies to match in format? Perhaps there is a reason they don't...?
04-24-2013 01:02 AM
Hi bro
Please kindly re-explain your question. This is because Cisco ASA's PERMIT and DENY for a typical ACL are the same, as shown below:
Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.203.230.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]
Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/204.61.216.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]
Regards,
Ram
04-29-2013 06:01 AM
That is what I thought as well; however, the ASA I am working with is generating log messages as I indicated above. I am wondering what I have to do to have the unit generate log messages like you indicated in your response.
04-29-2013 09:27 AM
Hi Bro
I think I may know where your problem is, but before I confirm anything, please paste the output of show run logging and show logging here.
04-29-2013 09:40 AM
asa# show run logging
logging enable
logging timestamp
logging console alerts
logging monitor errors
logging buffered informational
logging trap informational
logging history warnings
logging asdm warnings
logging facility 23
logging host inside 10.X.X.X 17/1025
no logging message 507003
no logging message 733100
no logging message 111008
no logging message 304002
no logging message 304001
asa# sho logging
Syslog logging: enabled
Facility: 23
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: level alerts, 0 messages logged
Monitor logging: level errors, 3824213 messages logged
Buffer logging: level informational, 395145791 messages logged
Trap logging: level informational, facility 23, 274270414 messages logged
Logging to inside 10.X.X.X udp/1025 errors: 8 dropped: 775
History logging: level warnings, 4040728 messages logged
Device ID: disabled
Mail logging: disabled
ASDM logging: level warnings, 4042233 messages logged
04-29-2013 09:54 AM
Hi Bro
I don't see any logs that appeared under your show logging output. Since logging buffer and logging trap are at the same level, i.e. informational, whatever logs you see in your Syslog server should be the same logs you see in show logging.
Please paste the show logging output here, once you have it.
04-29-2013 10:26 AM
asa# sh logging
Syslog logging: enabled
Facility: 23
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: level alerts, 0 messages logged
Monitor logging: level errors, 3824252 messages logged
Buffer logging: level informational, 395174037 messages logged
Trap logging: level informational, facility 23, 274298660 messages logged
Logging to inside 10.X.X.X udp/1025 errors: 8 dropped: 775
History logging: level warnings, 4040890 messages logged
Device ID: disabled
Mail logging: disabled
ASDM logging: level warnings, 4042395 messages logged
08.67.222.222/53 to inside:X.X.1.35/53289 duration 0:00:00 bytes 128
Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:X.X.3.42/4952 to outside:X.X.X.130/12834
Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:X.X.X.43/443 (X.X.X.43/443) to inside:X.X.3.42/4952 (X.X.X.130/12834)
Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic UDP translation from inside:X.X.1.35/52925 to outside:X.X.X.130/25882
Apr 29 2013 12:59:50: %ASA-6-302015: Built outbound UDP connection 89743275 for outside:X.X.X.222/53 (X.X.X.222/53) to inside:X.X.1.35/52925 (X.X.X.130/25882)
Apr 29 2013 12:59:50: %ASA-6-305012: Teardown dynamic UDP translation from inside:X.X.1.24/63322 to outside:X.X.X.130/59309 duration 0:00:30
Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:X.X.3.42/4953 to outside:X.X.X.130/45392
Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743276 for outside:X.X.X.1/80 (X.X.X.1/80) to inside:X.X.3.42/4953 (X.X.X.130/45392)
Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 89743275 for outside:X.X.X.222/53 to inside:X.X.1.35/52925 duration 0:00:00 bytes 140
Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:X.X.3.42/4954 to outside:X.X.X.130/10879
Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743277 for outside:X.X.X.17/80 (X.X.X.17/80) to inside:X.X.3.42/4954 (X.X.X.130/10879)
04-29-2013 10:46 PM
Hi Bro
All I see is teardown and build messages. I don't see the logs for permit and deny acl. Please kindly resend.
04-30-2013 06:26 AM
Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from X.X.X.66/12981 to X.X.X.60/53 due to DNS Query
Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2006) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49734) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49735) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49736) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49737) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
Apr 30 2013 09:22:40: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49738) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
Apr 30 2013 09:22:41: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49746) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
Apr 30 2013 09:22:47: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2007) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
Apr 30 2013 09:22:48: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.13(43013) -> dmz/x.x.x.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]
Apr 30 2013 09:22:56: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2008) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
Apr 30 2013 09:23:02: %ASA-2-106006: Deny inbound UDP from X.X.X.66/137 to X.X.X.42/137 on interface inside
Apr 30 2013 09:23:03: %ASA-2-106007: Deny inbound UDP from X.X.X.66/12981 to X.X.X.60/53 due to DNS Query
Apr 30 2013 09:23:06: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2009) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
Apr 30 2013 09:23:08: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49776) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
Apr 30 2013 09:23:15: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2010) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
Apr 30 2013 09:23:24: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2011) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
Apr 30 2013 09:23:33: %ASA-2-106007: Deny inbound UDP from X.X.X.66/12981 to X.X.X.60/53 due to DNS Query
Apr 30 2013 09:23:34: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2012) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
Apr 30 2013 09:23:40: %ASA-4-106023: Deny tcp src outside:X.X.X.126/53638 dst inside:X.X.X.132/8111 by access-group "acl_out" [0x71761f18, 0x0]
Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:X.X.X.126/53638 dst inside:X.X.X.132/8111 by access-group "acl_out" [0x71761f18, 0x0]
Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49840) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2013) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
04-30-2013 06:29 AM
I suspect the issue is in part that my Deny events are 106007s and the permits are 106100. In your example they are both 106100s and also in the same format. How do our configurations differ?
04-30-2013 12:17 PM
Hi Bro
The syslog message 106007 isn't an ACL deny, but 106100 is. Let me try to explain.
Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from X.X.X.66/12981 to X.X.X.60/53 due to DNS Query
This is an error message that the FW is telling you about, that you need to fix. This simply indicates that the FW is denying the communication from X.X.X.66/12981 to X.X.X.60/53 due to other reasons, e.g. asymmetric routing, the DNS server was probably too slow to respond, etc. This is not an ACL deny.
Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/204.61.216.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]
This is an ACL deny. This is not an error message. This message indicates that the FW is dropping the communication between 172.29.2.3(1065) -> outside/204.61.216.57(53) because you've specified so in your ACL. This behavior is correct. There's nothing you need to look into or even fix.
Conclusion: 106007 tells you something is wrong and you need to fix it, and 106100 tells you all is behaving as expected.
Regards,
Ram
04-30-2013 12:47 PM
Ok, I see what you're saying there. I guess I ended up getting away from the original question... How about the two permit / deny events listed at the very top of this discussion? I am still seeing a lot of them as well: 106100 and 106023.
04-30-2013 01:22 PM
I can't see anything at the top of the discussion... All I see is the scroll bar, but empty. Could you repaste it again, please?
05-02-2013 08:26 AM
The two major types of events I am getting are these:
Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:X.X.X.30/63016 dst outside:X.X.X.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0]
Apr 15 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2241) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
As you indicated, you are getting a 106100 event for permitted and denied events. My system, however, gives the events as shown here.
05-02-2013 02:07 PM
Hello, by default you are not going to log the implicit deny at the end of an ACL; to log those events you MUST manually create that ACL line:
access-list test deny ip any any
Then you will get logs the same as the permit ones.
Remember to rate all of the helpful posts
Julio Carvajal
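The normalization the original poster was after (one schema for 106023 and 106100 hits, so grep or Splunk can treat permits and denies alike), as an added example that is not from this thread or from Cisco: the field names are my own choice, and the sample lines are constructed from the formats posted above with RFC 5737 addresses substituted for the masked ones. Messages that are not ACL hits (106007, the 302013/305011 build and teardown lines) are dropped rather than mis-parsed.

```python
import re

# Header: optional "<timestamp>[ host] :" prefix, then %ASA-[class-]<sev>-<msgid>:.
# Accepts "Apr 15 2013 09:36:50: %ASA-4-106023:" and "Apr 15 09:34:34 EDT: %ASA-session-5-106100:".
HEADER = re.compile(r"^(?:(?P<ts>.*?)\s*:\s*)?%ASA-(?:\w+-)?(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$")
# 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>" (ports optional)
BODY_106023 = re.compile(
    r'Deny (?P<proto>\w+) src (?P<sif>[^:]+):(?P<sip>[^/ ]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dif>[^:]+):(?P<dip>[^/ ]+)(?:/(?P<dport>\d+))? by access-group "(?P<acl>[^"]+)"')
# 106100: access-list <acl> permitted|denied <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>) hit-cnt <n>
BODY_106100 = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<sif>[^/]+)/(?P<sip>[^(]+)\((?P<sport>\d+)\) -> (?P<dif>[^/]+)/(?P<dip>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)")

def normalize(line):
    # One schema for 106023 and 106100; None for every other message id (106007, 302013, ...)
    h = HEADER.match(line.strip())
    if not h:
        return None
    msgid, body = h.group("msgid"), h.group("body")
    if msgid == "106023":
        m = BODY_106023.match(body)
        action, hits = "deny", None          # 106023 carries no hit counter
    elif msgid == "106100":
        m = BODY_106100.match(body)
        action = "permit" if m and m.group("action") == "permitted" else "deny"
        hits = int(m.group("hits")) if m else None
    else:
        return None
    if not m:
        return None
    port = lambda v: int(v) if v is not None else None   # 106023 for icmp has no ports
    return {"timestamp": h.group("ts"), "msgid": msgid, "severity": int(h.group("sev")),
            "action": action, "proto": m.group("proto").lower(), "acl": m.group("acl"),
            "src_if": m.group("sif"), "src_ip": m.group("sip"), "src_port": port(m.group("sport")),
            "dst_if": m.group("dif"), "dst_ip": m.group("dip"), "dst_port": port(m.group("dport")),
            "hits": hits}

def acl_events(text):
    # Normalized ACL events from a block of syslog text; non-ACL lines are dropped
    return [e for e in (normalize(l) for l in text.splitlines()) if e]

# Constructed sample, adapted from the line formats posted in this thread (RFC 5737 addresses substituted)
SAMPLE_LOG = """\
Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:192.0.2.30/63016 dst outside:198.51.100.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0]
Apr 15 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/192.0.2.16(2241) -> outside/198.51.100.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.203.230.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]
Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 192.0.2.60/53 due to DNS Query
"""
```

With the explicit `deny ip any any log` line Julio describes, denies arrive as 106100 and take the second branch; the 106023 branch still covers units that have not been changed.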