ASA syslog problem

Stuart Patton
Level 1

Hi,

Note: posted elsewhere in another thread.

I'm trying to use a searchable syslog server to track the flows on one of my ASAs but have run into a problem.  Hypothetically, let's say I have a web server behind an ASA with IP address 192.168.1.1 and I allow access from anywhere to the web server.  I know some but not all of the IP addresses accessing the server (e.g. clients in 10.1.1.0/24).

Question: If I put a specific access rule in permitting 10.1.1.0/24 to 192.168.1.1 with logging disabled, followed by a less specific rule of any to 192.168.1.1 with logging enabled, should I expect to only see the events relating to the "unknown" traffic flows being logged?  As I identify clients accessing my web server, I can add them to the first ACE to prevent logging.

I'm only interested in message 302014 (teardowns) so I can see whether they are FINs, resets, SYN timeouts, etc., so the config looks like this:

! Known clients: permitted, with ACE logging switched off
access-list outside_access_in extended permit tcp object-group KNOWN_SOURCES host 192.168.1.1 eq http log disable
! Everyone else: permitted, without the log disable keyword
access-list outside_access_in extended permit tcp any host 192.168.1.1 eq http

logging enable
! Only message 302014 (connection teardown) goes to the syslog host
logging list Syslog_events message 302014
logging trap Syslog_events
logging host management a.b.c.d

Something is not right because I'm still seeing events logged against the ACEs with logging disabled.  Have I missed something?

Thanks,

Stuart

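One way to get the view the post is after on the collector side, as an added example that is not part of the original post: parse the 302014 teardown lines, drop sources that fall inside the already-known 10.1.1.0/24 range, and tally the remaining teardown reasons (TCP FINs, resets, SYN timeouts) per unknown source. The log lines below are constructed in the 302014 message format using the thread's hypothetical addresses; lines with other message IDs are ignored.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the ASA 302014 teardown format (not captured from a device).
# Web server 192.168.1.1, known clients in 10.1.1.0/24, unknown clients from documentation ranges.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 1001 for outside:10.1.1.5/51234 to inside:192.168.1.1/80 duration 0:00:02 bytes 3456 TCP FINs
%ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.9/40000 to inside:192.168.1.1/80 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 1003 for outside:198.51.100.7/40001 to inside:192.168.1.1/80 duration 0:00:01 bytes 120 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 1004 for outside:10.1.1.20/51235 to inside:192.168.1.1/80 duration 0:00:05 bytes 9000 TCP FINs
%ASA-6-302013: Built inbound TCP connection 1005 for outside:203.0.113.9/40002 (203.0.113.9/40002) to inside:192.168.1.1/80 (192.168.1.1/80)
%ASA-6-302014: Teardown TCP connection 1006 for outside:203.0.113.9/40003 to inside:192.168.1.1/80 duration 0:00:30 bytes 0 SYN Timeout
"""

# Fields of a 302014 message: connection id, source/destination interface:address/port,
# duration, byte count, and the optional teardown reason at the end of the line.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)


def parse_teardowns(log_text):
    """Yield one dict per 302014 line; lines with other message IDs are skipped."""
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            yield m.groupdict()


def unknown_teardown_reasons(log_text, known_nets, server_ip, server_port=80):
    """Count teardown reasons for flows to the web server from sources outside known_nets.

    Returns a Counter keyed by (source address, reason).
    """
    known = [ipaddress.ip_network(n) for n in known_nets]
    reasons = Counter()
    for ev in parse_teardowns(log_text):
        if ev["dst"] != server_ip or int(ev["dport"]) != server_port:
            continue
        src = ipaddress.ip_address(ev["src"])
        if any(src in net for net in known):
            continue  # already-identified client: suppress, as the log-disabled ACE was meant to
        reasons[(ev["src"], ev["reason"] or "no reason given")] += 1
    return reasons
```

Each time a new client is identified, add its prefix to known_nets (or to the KNOWN_SOURCES object-group) and it drops out of the tally.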