11-16-2009 06:57 AM - edited 02-21-2020 03:48 AM
Hi,
I'm attempting to make our ASA log urls and I am getting some success. However, the output presents the IP instead of the actual domain, e.g, when browsing to imdb it is logged as:
Nov 16 2009 14:12:35: %ASA-5-304001: 30.30.30.30 Accessed URL 209.85.229.148:/adj/imdb2.consumer.homepage/;tile=2;sz=468x60,728x90,1008x150,9x1;p=t;s=32;;ord=9973051011677648
rather than imdb.com/....(or whatever it happens to be).
How do I get the ASA to log the domain rather than the corresponding IP address?
states the ASA has to run version 8.0.4.24 or later; ours has 8.2(1).
Thanks,
Scott
11-11-2010 05:57 PM
After Cisco got back to me about the logging problem and I loaded the new code, it works.
I was running 8.2(1); I had to upgrade to 8.2(3) and now the logging is working.
The 10.10 is an inside test network that I am coming from to http://www.cisco.com.
I hope that this helps everyone. Now off to write some code to put this in a database to see where people are going.
Nov 11 2010 19:18:31: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/
Nov 11 2010 19:18:32: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/offers/js/mbox.js
Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/hub.swf
Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/j/home.metrics_ut.js?v=ut2.1.201009
Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/j/home.s_code_ut.js?v=ut2.1.2010091
Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/hp-fatfooter-menu.png
Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 198.133.219.119:http://newsroom.cisco.com/dlls/cdc_news_json_v1.js?cacheRese
Nov 11 2010 19:18:35: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/tsweb/searchplugins/cdc_search.xml
Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/co/menu-content.html
Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/mm-box-shadow.png
Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/mm-corners.png
Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/mm-spinner.gif
Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/mm-sprite.png
Nov 11 2010 19:18:39: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/css/en.c
Nov 11 2010 19:18:40: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/css/fr.c
Nov 11 2010 19:18:40: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/css/ch.c
Nov 11 2010 19:18:40: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/css/de.c
Nov 11 2010 19:18:41: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/swf/chic
11-16-2009 10:43 AM
Scott,
The ASA will not log the URL. There is an enhancement request for the syslog 304001 to log the URL, but it hasn't been fixed and I don't have an ETA for it, as it is not on the roadmap.
FYI, the enhancement request is CSCdt32288.
I hope it makes it clear.
PK
11-16-2009 10:52 AM
Testing it here locally it seems there are changes that have been implemented.
When going to microsoft.com I saw this log:
%ASA-5-304001: 192.168.1.2 Accessed URL 207.46.19.190:http://www.microsoft.com/
I was doing just http inspection.
policy-map global_policy
class inspection_default
...
inspect http
running ASA 8.2.1.
PK
11-17-2009 01:10 AM
Thanks Panos,
So would the best summary of the situation be to say that the ASA does log the full URL in a proportion of cases, dependent on how the website's URL is put together, perhaps?
Regards,
Scott
09-10-2015 04:16 PM
Why can't the ASA log HTTPS?
11-17-2009 01:21 AM
Hi,
I've tried browsing to www.microsoft.com and although I get different IP addresses (possibly as I'm in the UK) it doesn't resolve the URL. Can you specify a DNS server in the ASA somehow?
thanks
Scott
11-17-2009 07:26 AM
Hi Scott,
That is correct. Note that even in your log you have "/adj/imdb2.consumer.homepage/", which is probably the URI of the GET request. So the URL in the GET is logged. I believe you would have a log for the initial GET to imdb.com.
How about if you try microsoft as I did? You should see the same initial log there and then a bunch of other logs for the subsequent GETs done to complete the page.
PK
11-17-2009 08:19 AM
Hi Panos,
Here is what I get when I browse to http://www.microsoft.com - no sign of www.microsoft.com here, I'm afraid.
Scott
ciscoasa# Nov 17 2009 16:16:23: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.19.190:/
Nov 17 2009 16:16:24: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.19.190:/en/shared/core/2/js/js.ashx?s=Csp;shared
Nov 17 2009 16:16:24: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.19.190:/en/shared/core/2/css/css.ashx?sc=/en/us/site.config&pc=/En/us/PageConfig/win7/DirectInstall.config.xml&m=cspMscomHomePageBase&ie=true
Nov 17 2009 16:16:25: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.19.190:/en/shared/core/2/css/css.ashx?sc=/en/us/site.config&pc=/En/us/PageConfig/win7/DirectInstall.config.xml&c=cspMscomHeader&ie=true
Nov 17 2009 16:16:26: %ASA-5-304001: 30.30.30.30 Accessed URL 92.122.189.48:/library/svy/broker.js
Nov 17 2009 16:16:27: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.19.190:/global/en/us/RenderingAssets/win7/TakeOverScript.js
Nov 17 2009 16:16:28: %ASA-5-304001: 30.30.30.30 Accessed URL 92.122.189.48:/global/En/PublishingImages/m.ms1.png
Nov 17 2009 16:16:28: %ASA-5-304001: 30.30.30.30 Accessed URL 92.122.189.48:/global/en/publishingimages/sitebrand/microsoft.gif
Nov 17 2009 16:16:28: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.19.190:/global/En/us/RenderingAssets/SLWindowPane/WindowPane_eventHandlers_111609.js
Nov 17 2009 16:16:29: %ASA-5-304001: 30.30.30.30 Accessed URL 213.199.141.139:/ADSAdClient31.dll?GetSAd=&DPJS=4&PG=CMSNGN&AP=1087
Nov 17 2009 16:16:30: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.148.31:/MRT/iview/173914879/direct/01?click=
Nov 17 2009 16:16:31: %ASA-5-304001: 30.30.30.30 Accessed URL 92.122.189.35:/library/svy/broker-config.js?1258474626906
Nov 17 2009 16:16:31: %ASA-5-304001: 30.30.30.30 Accessed URL 213.199.149.93:/b/NMMRTSHARPCU/FY10_WinPhone_180x150_intrepid_v3_1022091609.gif
11-17-2009 07:28 AM
The DNS server on the ASA. It is the GET that the ASA should be logging.
PK
11-17-2009 07:32 AM
Hi Panos,
Sorry, I don't understand - could you explain this to me?
Thanks
Scott
11-19-2009 06:16 PM
From the logs posted, it appears the GET is being logged, but not the Host header. The Host header is the part of the request that would tell you which site at the logged IP address was accessed. It comes before the GET.
Name-based virtual hosts (in HTTP 1.1) require a Host header in the HTTP request, because many website domains can share the same IP address.
11-20-2009 01:54 AM
Hi Roderick,
Thanks for your reply - so is there a way to get the ASA to log the URL, or is it dependent on how the website is constructed?
Regards
Scott
11-20-2009 05:54 AM
Scott, I'm not aware of a way to log the Host header of an HTTP request using the ASA. Panos' reply to this thread seems more informative to that end, saying that this enhancement request is CSCdt32288 but is not on the roadmap. I would also use this feature if the ASA were not overly burdened by enabling it.
If you absolutely must log the entire HTTP request, you may need to consider a different solution to meet that need. A sniffer with appropriate filters, an HTTP-aware IDS (snort.org), or a web filtering product could all handle this easily.
11-20-2009 07:36 AM
Well, I spoke too soon. Here's a method to log the entire request, with Host and URI. I found this on the CCIE_Security mailing list archive. Basically, you set up a regex to match the sites you wish to log. I used a simple dot "." to match anything.
regex matchall "."
!
class-map type regex match-any DomainLogList
match regex matchall
class-map type inspect http match-all LogDomainsClass
match request header host regex class DomainLogList
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect http http_inspection_policy
parameters
class LogDomainsClass
log
Then check your logging:
Nov 20 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 157.166.255.19:http://cnn.com/
Nov 20 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 157.166.226.26:http://www.cnn.com/
Nov 20 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 198.78.220.126:http://i.cdn.turner.com/cnn/.element/css/3.0/common.css
Nov 20 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 198.78.220.126:http://i.cdn.turner.com/cnn/.element/css/3.0/main.css
Beware -- this logs every HTTP request that the ASA sees. I have no idea how much load this places on an ASA with significant HTTP traffic. As described in the linked mailing list post, you may create more specific regex lists to match specific Hosts and/or URIs, and may take actions other than logging, including blocking/resetting.
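A small parser for the 304001 lines produced by the config above (and for the earlier lines in this thread where only the request URI was logged), added here as an example that is not from the thread or from Cisco: it takes the site name from the Host header when the inspect log action supplied one, falls back to the destination IP when only the URI is present, and tallies sites per source address. The sample lines are constructed from the thread's own output; the 302013 line is a constructed non-URL message to show what gets skipped.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Matches the 304001 body whatever syslog prefix precedes it (both the relayed
# "Nov 20 09:27:08 10.19.30.10 asa %ASA-..." and console "Nov 11 2010 19:18:31: %ASA-..." forms).
ASA_304001 = re.compile(
    r"%ASA-5-304001: (?P<src>\S+) Accessed URL (?P<dst>[0-9.]+):(?P<url>\S*)")

# Constructed sample lines modelled on the thread; the 302013 line is a non-URL message to be skipped.
SAMPLE_LOG = """\
Nov 20 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 157.166.255.19:http://cnn.com/
Nov 20 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 157.166.226.26:http://www.cnn.com/
Nov 20 09:27:09 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 198.78.220.126:http://i.cdn.turner.com/cnn/.element/css/3.0/main.css
Nov 17 2009 16:16:24: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.19.190:/en/shared/core/2/js/js.ashx?s=Csp;shared
Nov 17 2009 16:16:26: %ASA-5-304001: 30.30.30.30 Accessed URL 92.122.189.48:/library/svy/broker.js
Nov 17 2009 16:16:27: %ASA-6-302013: Built outbound TCP connection 4711 for outside:92.122.189.48/80 to inside:30.30.30.30/51000
""".splitlines()


def parse_304001(line):
    """Parse one 304001 line into src/dst/host/path; None for other message IDs.
    With the http-inspect 'log' action the url field carries the Host header
    ("http://cnn.com/"); without it only the request URI ("/library/...") is
    logged, so host is None and callers fall back to the destination IP."""
    m = ASA_304001.search(line)
    if not m:
        return None
    url = m.group("url")
    if url.startswith(("http://", "https://")):
        parts = urlsplit(url)
        host, path = parts.hostname, parts.path or "/"
    else:
        host, path = None, url or "/"
    return {"src": m.group("src"), "dst": m.group("dst"), "host": host, "path": path}


def summarize(lines):
    """Count requests per (source IP, site); site is the Host header or, failing that, the dst IP."""
    counts = Counter()
    for line in lines:
        rec = parse_304001(line)
        if rec is not None:
            counts[(rec["src"], rec["host"] or rec["dst"])] += 1
    return counts


if __name__ == "__main__":
    for (src, site), n in summarize(SAMPLE_LOG).most_common():
        print(f"{src:16} {site:40} {n}")
```

Feed it a real syslog export instead of SAMPLE_LOG and the Counter is the per-user, per-site table Scott wanted to put in a database.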
11-20-2009 07:47 AM
Hi Roderick,
This looks very promising - I'll give it a go on our spare ASA and let you know.
Hopefully my limited experience on the ASA will still allow me to emulate your config.
Best regards
Scott