04-15-2019 05:57 AM - edited 02-21-2020 09:02 AM
Regarding Cisco ASA:
My aim is to include tags in rule names to filter the logs before they are indexed into a SIEM
04-15-2019 07:12 AM
Hi there,
Each syslog entry relating to an ACL will include its name at the end of the string, eg
... by access-group <YOUR_ACL_NAME>
The naming limitations are those defined by ACLs in general, [a-zA-Z0-9] and a limited subset of special characters.
There should be enough information in a message for filtering. Exactly what are you trying to achieve?
cheers,
Seb.
04-15-2019 06:35 AM - edited 04-15-2019 06:35 AM
I think that it is not possible. The log entry is used to show layer 3 and 4 information such as port, protocol, IP and the like. You can input a name for rules, but you cannot show these names in the logs table.
04-15-2019 10:25 AM
It looks like it is only true for DENY, cf. here. Do you confirm?
04-15-2019 02:47 PM
Hi there,
If you do not have the log option at the end of an ACE, then in the event of it being a deny ACE it will generate a code 106023 message, the format of this message contains the string by access-group:
Apr 15 09:36:50: %ASA-4-106023: Deny tcp src dmz:X.X.X.30/63016 dst outside:X.X.X.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0]
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_6482625
If you specify the log option at the end of a permit or deny ACE it will log a code 106100 message, the format of which is slightly different, the ACL name is specified after the string access-list:
Apr 15 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2241) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_4769049
cheers,
Seb.
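As an added illustration of the two message formats quoted in the answer above (this is example code, not part of the original thread or Cisco's tooling): a small Python filter that pulls the ACL name out of 106023 messages (quoted after "by access-group") and 106100 messages (directly after "access-list"), then drops hits on ACLs whose name carries a tag before they are forwarded to the SIEM. The tag suffix "_nosiem", the sample log lines and the placeholder addresses are all constructed assumptions for the example; the underscore is used because it already appears in the ACL names shown above.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample syslog lines (placeholder addresses). The first two mirror the
# 106023 and 106100 formats quoted in the answer; the rest vary ACL name, action and
# message ID so that both branches of the parser and the non-ACL path are exercised.
SAMPLE_LOGS = [
    'Apr 15 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.1.30/63016 dst outside:192.0.2.8/53 '
    'by access-group "acl_dmz" [0xe3aab522, 0x0]',
    'Apr 15 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp '
    'inside/10.2.2.16(2241) -> outside/198.51.100.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]',
    'Apr 15 09:37:01: %ASA-4-106023: Deny udp src inside:10.2.2.40/5353 dst outside:192.0.2.9/5353 '
    'by access-group "acl_in_nosiem" [0xe3aab523, 0x0]',
    'Apr 15 09:38:12 EDT: %ASA-session-5-106100: access-list acl_dmz_nosiem denied tcp '
    'dmz/10.1.1.31(40000) -> outside/198.51.100.5(22) hit-cnt 3 300-second interval [0x71a87d95, 0x0]',
    'Apr 15 09:39:00: %ASA-6-302013: Built outbound TCP connection 12345 for '
    'outside:192.0.2.8/443 (192.0.2.8/443) to inside:10.2.2.16/50000 (10.2.2.16/50000)',
]

# 106023 (deny ACE without the 'log' keyword): the ACL name is quoted after 'by access-group'.
RE_106023 = re.compile(r'%ASA-(?:[a-z]+-)?\d-106023: Deny .*? by access-group "([^"]+)"')
# 106100 (ACE with the 'log' keyword): the ACL name follows 'access-list ', then the action word.
# The optional '[a-z]+-' accepts the '%ASA-session-5-' form shown in the sample line.
RE_106100 = re.compile(r'%ASA-(?:[a-z]+-)?\d-106100: access-list (\S+) (\S+) ')

# Hypothetical tag: ACLs named with this suffix are meant to be kept out of the SIEM.
TAG = "_nosiem"


def acl_from_syslog(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (message_id, acl_name, action) for an ACL message, or None for any other message."""
    m = RE_106023.search(line)
    if m:
        # 106023 is only ever emitted for a deny, so the action is fixed.
        return ("106023", m.group(1), "denied")
    m = RE_106100.search(line)
    if m:
        return ("106100", m.group(1), m.group(2))
    return None


def filter_for_siem(lines: Iterable[str], tag: str = TAG) -> Tuple[List[str], List[str]]:
    """Split lines into (forward, drop).

    Only ACL messages whose ACL name ends with the tag are dropped; non-ACL messages and
    hits on untagged ACLs are forwarded unchanged, so an unparseable line is never lost.
    """
    forward, drop = [], []
    for line in lines:
        parsed = acl_from_syslog(line)
        if parsed is not None and parsed[1].endswith(tag):
            drop.append(line)
        else:
            forward.append(line)
    return forward, drop


if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        print(acl_from_syslog(entry))
    kept, dropped = filter_for_siem(SAMPLE_LOGS)
    print(f"forward {len(kept)} line(s), drop {len(dropped)} line(s)")
```

The two regexes are deliberately anchored on the message ID rather than on the free-text body, because the same "access-list" token also appears in other ASA messages; matching on 106023/106100 first keeps the filter from silently eating unrelated events. Tagging by suffix (rather than by a full-name allow list) means new ACLs inherit the filtering behaviour from their name alone, which is what the original question was after.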