cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

6889
Views
0
Helpful
14
Replies
Highlighted
Beginner

ASA Log Entry Format

I am hoping this is a simple question for someone:  Why does the ASA report log events in differnt formats?  For example, permits and denys are not formatted the same.  It would be incredibly convinient if they formats would be the same, at least from my perspective when grepping or running the data into splunk. 

A deny looks like this:

Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:X.X.X.30/63016 dst outside:X.X.X.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0]

While a permitted ACL hit looks like this:

Apr 15 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2241) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

Is there a way to get the permits and denys to match in format?  Perhaps there is a reason they don't...?

- Be sure to rate all helpful posts
14 REPLIES 14
Highlighted

Hi bro

Please kindly re-explain your question. This is because Cisco ASA's PERMIT and DENY for a typical ACL is the same, as shown below;

Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.203.230.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]

Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/204.61.216.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]

Regards,

Ram

Warm regards,
Ramraj Sivagnanam Sivajanam
Highlighted

That is what I thought as well, however, the ASA I am working with is generating log messages as I indicated above.  I am wondering what I have to do to have the unit generate log messages like you indicated you your response.

- Be sure to rate all helpful posts
Highlighted

Hi Bro

I think, I may know where your problem is but before I confirm anything, please paste the output of show run logging and show logging here, please.

Warm regards,
Ramraj Sivagnanam Sivajanam
Highlighted

asa# show run logging

logging enable

logging timestamp

logging console alerts

logging monitor errors

logging buffered informational

logging trap informational

logging history warnings

logging asdm warnings

logging facility 23

logging host inside 10.X.X.X 17/1025

no logging message 507003

no logging message 733100

no logging message 111008

no logging message 304002

no logging message 304001

asa# sho logging

Syslog logging: enabled

    Facility: 23

    Timestamp logging: enabled

    Standby logging: disabled

    Debug-trace logging: disabled

    Console logging: level alerts, 0 messages logged

    Monitor logging: level errors, 3824213 messages logged

    Buffer logging: level informational, 395145791 messages logged

    Trap logging: level informational, facility 23, 274270414 messages logged

        Logging to inside 10.X.X.X udp/1025 errors: 8  dropped: 775

    History logging: level warnings, 4040728 messages logged

    Device ID: disabled

    Mail logging: disabled

    ASDM logging: level warnings, 4042233 messages logged

- Be sure to rate all helpful posts
Highlighted

Hi Bro

I don't see any logs that appeared under your show logging output. Since logging buffer and logging trap are the same level i.e. informational, what ever logs you see in your Syslog server, should be the same logs you see in show logging.

Please paste the show logging output here, once you have it.

Warm regards,
Ramraj Sivagnanam Sivajanam
Highlighted

asa# sh logging

Syslog logging: enabled

    Facility: 23

    Timestamp logging: enabled

    Standby logging: disabled

    Debug-trace logging: disabled

    Console logging: level alerts, 0 messages logged

    Monitor logging: level errors, 3824252 messages logged

    Buffer logging: level informational, 395174037 messages logged

    Trap logging: level informational, facility 23, 274298660 messages logged

        Logging to inside 10.X.X.X udp/1025 errors: 8  dropped: 775

    History logging: level warnings, 4040890 messages logged

    Device ID: disabled

    Mail logging: disabled

    ASDM logging: level warnings, 4042395 messages logged

08.67.222.222/53 to inside:X.X.1.35/53289 duration 0:00:00 bytes 128

Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:X.X.3.42/4952 to outside:X.X.X.130/12834

Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:X.X.X.43/443 (X.X.X.43/443) to inside:X.X.3.42/4952 (X.X.X.130/12834)

Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic UDP translation from inside:X.X.1.35/52925 to outside:X.X.X.130/25882

Apr 29 2013 12:59:50: %ASA-6-302015: Built outbound UDP connection 89743275 for outside:X.X.X.222/53 (X.X.X.222/53) to inside:X.X.1.35/52925 (X.X.X.130/25882)

Apr 29 2013 12:59:50: %ASA-6-305012: Teardown dynamic UDP translation from inside:X.X.1.24/63322 to outside:X.X.X.130/59309 duration 0:00:30

Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:X.X.3.42/4953 to outside:X.X.X.130/45392

Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743276 for outside:X.X.X.1/80 (X.X.X.1/80) to inside:X.X.3.42/4953 (X.X.X.130/45392)

Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 89743275 for outside:X.X.X.222/53 to inside:X.X.1.35/52925 duration 0:00:00 bytes 140

Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:X.X.3.42/4954 to outside:X.X.X.130/10879

Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743277 for outside:X.X.X.17/80 (X.X.X.17/80) to inside:X.X.3.42/4954 (X.X.X.130/10879)

- Be sure to rate all helpful posts
Highlighted

Hi Bro

All I see is teardown and build messages. I don't see the logs for permit and deny acl. Please kindly resend.

Warm regards,
Ramraj Sivagnanam Sivajanam
Highlighted

Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from X.X.X.66/12981 to X.X.X.60/53 due to DNS Query

Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2006) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49734) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49735) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49736) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49737) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:22:40: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49738) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:22:41: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49746) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:22:47: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2007) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:22:48: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.13(43013) -> dmz/x.x.x.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:22:56: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2008) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:23:02: %ASA-2-106006: Deny inbound UDP from X.X.X.66/137 to X.X.X.42/137 on interface inside

Apr 30 2013 09:23:03: %ASA-2-106007: Deny inbound UDP from X.X.X.66/12981 to X.X.X.60/53 due to DNS Query

Apr 30 2013 09:23:06: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2009) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:23:08: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49776) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:23:15: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2010) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:23:24: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2011) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:23:33: %ASA-2-106007: Deny inbound UDP from X.X.X.66/12981 to X.X.X.60/53 due to DNS Query

Apr 30 2013 09:23:34: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2012) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:23:40: %ASA-4-106023: Deny tcp src outside:X.X.X.126/53638 dst inside:X.X.X.132/8111 by access-group "acl_out" [0x71761f18, 0x0]

Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:X.X.X.126/53638 dst inside:X.X.X.132/8111 by access-group "acl_out" [0x71761f18, 0x0]

Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.46(49840) -> outside/X.X.X.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]

Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2013) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

- Be sure to rate all helpful posts
Highlighted

I suspect the issue is in part that my Deny events are 106007's and the permits are106100.  In your example they are both 106100's and also in the same format.  How do our configurations differ?

- Be sure to rate all helpful posts
Highlighted

Hi Bro

The syslog message 106007 isn’t ACL denies but 106100 is. Let me try to explain.

Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from X.X.X.66/12981 to X.X.X.60/53 due to DNS Query

This is an error message that the FW is telling you, that you need to fix. This simply indicates that the FW is denying the communication from X.X.X.66/12981 to X.X.X.60/53 due to other reasons e.g. asymmetric routing, DNS server was probably too slow to respond etc. This is not ACL deny.

Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/204.61.216.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]

This is ACL deny. This is not an error message. This message indicates that the FW is dropping the communication between 172.29.2.3(1065) -> outside/204.61.216.57(53) because you’ve specified so, in your ACL. This behavior is correct. There’s nothing you need to look into or even fix.

Conclusion : 106007 tells you something is wrong and you need to fix it, and 106100, tells you all are behaving as expected.

Regards,

Ram

Warm regards,
Ramraj Sivagnanam Sivajanam
Highlighted

Ok, I see what your saying there.  I guess I ended up getting away from the origonal question...  How about the two permit / deny events listed at the very top of this discussion?   I am still seeing a lot of them as well.  106100 and 106023.

- Be sure to rate all helpful posts
Highlighted

I can't see anything at the top of the discussion... All I see is the scroll bar but empty.. Could you repaste again, please

Warm regards,
Ramraj Sivagnanam Sivajanam
Highlighted

The two major types of events I am getting are these:

Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:X.X.X.30/63016 dst outside:X.X.X.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0]

Apr 15 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2241) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

As you indicated you are getting a 106100 event for permit and denied events.   My system, however gives the events as shown here.

- Be sure to rate all helpful posts
Highlighted

Hello by default you are not going to log the implicit deny at the end of an ACL, to log those events you MUST manually create that ACL line

access-list test deny ip any any

Then you will get the logs same to the permit ones,

Remember to rate all of the helpful posts

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Content for Community-Ad