ASA ASDM real-time log viewer issue

Tzy Chun Chong
Level 1

Hi Guys,

I have a question about the ASDM real-time log viewer. I've tried to simplify it into an easy-to-understand version below.

ACL

access-list FROM-CORE permit tcp any host 10.1.1.1 eq 53

access-list FROM-CORE permit ip any any log

I've enabled logging only on the "any any" ACL at the bottom. In ASDM, if I highlight the line 1 ACL, right-click and select "Show Log", an empty log opens, since I did not add the "log" statement to that line; that is fine. But when I do the same "Show Log" for the line 2 "any any", all the traffic logs come pouring in, which also sounds right. However, the IPs and protocols that match line 1 (random IPs going to 10.1.1.1 on port 53) also appear in those traffic logs.

My questions:

My purpose is to see what genuine traffic is riding on the any-any line, configure specific ACLs above the bottom line, and at the end of the day get rid of the "permit any any" line. But if the logs still log traffic for the specific ACLs I defined above it, I can't achieve that.

My thinking is that traffic which hits ACL line 1 shouldn't be hitting the ACL at the bottom and shouldn't be logged. Am I right or wrong? Please advise, and let me know if I'm hitting some bug. I'm using an ASA 5585 running version 9.2(4), set up as a transparent firewall.

Thanks, I'll rate helpful replies.

Regards

Tzy

2 Replies

Philip D'Ath
VIP Alumni

I have never had any luck getting that method to work (right click, show log).

It might be easier to catch the log in a text file and then use a text editor to show all the lines not containing 10.1.1.1/53.
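
The approach in the reply above, done with grep and awk instead of a text editor, as an added example that is not part of either post. The log lines are constructed in the %ASA-6-106100 format the ASA emits for hits on an ACE carrying the log keyword (addresses, interface names and hit counters are made up), and the filter drops only what the posted tcp/53 line actually covers. One caveat the filter deliberately reflects: that line is "permit tcp", so UDP to 10.1.1.1 port 53 is not covered by it and genuinely hits the any-any line; a DNS-looking entry in the any-any log is worth checking for protocol before treating it as unexpected.

```shell
#!/bin/sh
# Added example, not from the thread: implement the "catch the log in a text
# file and filter it" approach with grep/awk instead of a text editor.

# Constructed sample of %ASA-6-106100 messages as the "permit ip any any log"
# line would produce them. Addresses, interface names and hit counters are made up.
SAMPLE_LOG='%ASA-6-106100: access-list FROM-CORE permitted tcp inside/10.20.0.15(51234) -> outside/10.1.1.1(53) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list FROM-CORE permitted udp inside/10.20.0.15(51235) -> outside/10.1.1.1(53) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list FROM-CORE permitted tcp inside/10.20.0.22(40001) -> outside/10.1.1.5(443) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
%ASA-6-106100: access-list FROM-CORE permitted tcp inside/10.20.0.23(40002) -> outside/10.1.1.5(443) hit-cnt 3 300-second interval [0x5e6f7a8b, 0x0]
%ASA-6-106100: access-list FROM-CORE permitted udp inside/10.20.0.30(123) -> outside/10.1.1.9(123) hit-cnt 1 first hit [0x9c0d1e2f, 0x0]'

# Drop hits already covered by "permit tcp any host 10.1.1.1 eq 53".
# The ACE is tcp-only, so udp to 10.1.1.1(53) is kept on purpose: it is not
# covered by line 1 and genuinely falls through to the any-any line.
filter_uncovered() {
    grep -v 'permitted tcp [^ ]* -> [^ ]*/10\.1\.1\.1(53)'
}

# Reduce the remaining hits to unique "proto dst-ip dst-port count" tuples.
# Fields are located relative to the "->" token, so a syslog timestamp or
# hostname prefix in front of %ASA-6-106100 does not break the parsing.
summarize_uncovered() {
    awk '
        /%ASA-6-106100:/ {
            for (i = 1; i <= NF; i++) if ($i == "->") break
            proto = $(i - 2)                  # tcp, udp, icmp, ...
            n = split($(i + 1), hop, "/")     # "outside/10.1.1.5(443)" -> "10.1.1.5(443)"
            split(hop[n], dst, /[()]/)        # dst[1] = ip, dst[2] = port
            count[proto " " dst[1] " " dst[2]]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Turn the tuples into draft ACEs to insert above the any-any line.
# Source is left as "any" here; tighten it from the src field if the
# environment allows. Only tcp/udp carry a port, so other protocols are skipped.
draft_aces() {
    while read -r proto ip port hits; do
        case $proto in
            tcp|udp)
                printf 'access-list FROM-CORE remark %s hits in sampled log\n' "$hits"
                printf 'access-list FROM-CORE permit %s any host %s eq %s\n' "$proto" "$ip" "$port"
                ;;
        esac
    done
}

# Demo: what really rides on the any-any line, and the ACEs that would absorb it.
printf '%s\n' "$SAMPLE_LOG" | filter_uncovered
printf '%s\n' "$SAMPLE_LOG" | filter_uncovered | summarize_uncovered | draft_aces
```

In practice you would replace the SAMPLE_LOG variable with the text file captured from the syslog server or from "show logging", and re-run the pipeline after each ACE you add above the any-any line: the output should shrink until only traffic you are prepared to drop remains.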

You just need to add the "log" statement at the end of the ACL, and that makes the real-time log viewer (right-click, Show Log) work. My problem is that my first ACL, in line 1, shouldn't appear in the any-any log, but it is still shown there.
