Firewall rule name in logs

Regarding Cisco ASA:

  • Can I configure the ASA to include the firewall rule name in each log entry?
  • Can I put any name in the rule, or are there character restrictions (such as the comma)?

My aim is to include tags in rule names to filter the logs before they are indexed into a SIEM.

1 ACCEPTED SOLUTION

VIP Advisor

Hi there,

Each syslog entry relating to an ACL will include its name at the end of the string, e.g.

... by access-group <YOUR_ACL_NAME>

The naming limitations are those defined by ACLs in general [a-zA-Z0-9] and a limited subset of special characters.

There should be enough information in a message for filtering. Exactly what are you trying to achieve?

cheers,

Seb.

4 REPLIES

VIP Collaborator

I think that it is not possible. The log entry is used to show layer 3 and 4 information like port, protocol, IP and the like. You can give rules a name, but you can't show these names in the logs table.

Jaderson Pessoa
*** Rate All Helpful Responses ***
It looks like it is only true for DENY, cf. here. Do you confirm?

Hi there,

If you do not have the log option at the end of an ACE, then in the event of it being a deny ACE it will generate a code 106023 message, the format of this message contains the string by access-group:

Apr 15 09:36:50: %ASA-4-106023: Deny tcp src dmz:X.X.X.30/63016 dst outside:X.X.X.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0]

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_6482625

If you specify the log option at the end of a permit or deny ACE it will log a code 106100 message, the format of which is slightly different, the ACL name is specified after the string access-list:

Apr 15 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2241) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_4769049

cheers,

Seb.
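As an added example (not code from the thread or from Cisco), here is a small Python pre-filter that parses both message formats quoted above, 106023 (ACL name quoted after "by access-group") and 106100 (ACL name after "access-list"), extracts the ACL name and action, and keeps only events whose ACL name carries a tag, which is what the original question wants to do before indexing into a SIEM. The sample lines, the IP addresses and the underscore-separated tag convention are constructed assumptions (commas are not usable in ACL names, so "_" is used as the separator).

```python
import re

# Constructed sample syslog lines (not from the thread's device): two follow the 106023 and
# 106100 formats quoted above, one is a 106100 line whose ACL name carries a "SIEM" tag, and
# the last is an unrelated connection message that the filter must ignore.
SAMPLE_LOGS = [
    'Apr 15 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.0.0.30/63016 dst outside:192.0.2.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0]',
    'Apr 15 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.2.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]',
    'Apr 15 09:35:01 EDT: %ASA-session-5-106100: access-list SIEM_dns_egress denied udp inside/10.0.0.17(5353) -> outside/192.0.2.10(53) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]',
    'Apr 15 09:36:02: %ASA-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.5/443 (192.0.2.5/443) to inside:10.0.0.4/51000 (10.0.0.4/51000)',
]

# "%ASA-4-106023:" or "%ASA-session-5-106100:" -> severity digit and six-digit message ID.
HEADER_RE = re.compile(r'%ASA-(?:[a-z]+-)?(?P<sev>\d)-(?P<msg_id>106023|106100):')
# 106023 (deny ACE without the "log" keyword): ACL name is quoted after "by access-group".
ACCESS_GROUP_RE = re.compile(r'by access-group "(?P<acl>[^"]+)"')
# 106100 (ACE with the "log" keyword): ACL name follows "access-list", then the action.
ACCESS_LIST_RE = re.compile(r'access-list (?P<acl>\S+) (?P<action>permitted|denied)')


def parse_acl_event(line):
    """Return {'msg_id', 'severity', 'acl', 'action'} for a 106023/106100 line, else None."""
    head = HEADER_RE.search(line)
    if not head:
        return None
    if head.group('msg_id') == '106023':
        body = ACCESS_GROUP_RE.search(line)
        if not body:
            return None
        acl, action = body.group('acl'), 'denied'  # 106023 is always a deny
    else:
        body = ACCESS_LIST_RE.search(line)
        if not body:
            return None
        acl, action = body.group('acl'), body.group('action')
    return {'msg_id': head.group('msg_id'), 'severity': int(head.group('sev')),
            'acl': acl, 'action': action}


def has_tag(acl_name, tag):
    # Assumed convention: tags inside the ACL name are separated by "_" (no commas in ACL names).
    return tag in acl_name.split('_')


def filter_by_tag(lines, tag):
    """Keep only ACL events whose ACL name carries the given tag (pre-SIEM filter)."""
    events = (parse_acl_event(line) for line in lines)
    return [ev for ev in events if ev and has_tag(ev['acl'], tag)]


if __name__ == '__main__':
    for ev in filter_by_tag(SAMPLE_LOGS, 'SIEM'):
        print(ev)
```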
