Firewall rule name in logs

alsii
Level 1

Regarding Cisco ASA:

  • Can I configure the ASA to include the firewall rule name in each log entry?
  • Can I put any name in the rule, or are there character restrictions (such as a comma)?

My aim is to include tags in rule names to filter the logs before they are indexed into a SIEM.

Accepted Solution

Seb Rupik
VIP Alumni

Hi there,

Each syslog entry relating to an ACL will include its name at the end of the string, eg 

... by access-group <YOUR_ACL_NAME>

The naming limitations are those defined by ACLs in general [a-zA-Z0-9] and a limited subset of special characters.

There should be enough information in a message for filtering. Exactly what are you trying to achieve?

 

cheers,

Seb.


4 Replies

Jaderson Pessoa
VIP Alumni

I think that it is not possible. A log entry is used to show layer 3 and 4 information like port, protocol, IP and the like. You can input a name for a rule, but you can't show these names in the logs table.

Jaderson Pessoa
*** Rate All Helpful Responses ***

It looks like it is only true for DENY, cf. here. Do you confirm?

Hi there,

If you do not have the log option at the end of an ACE, then in the event of it being a deny ACE it will generate a code 106023 message; the format of this message contains the string by access-group:

 

Apr 15 09:36:50: %ASA-4-106023: Deny tcp src dmz:X.X.X.30/63016 dst outside:X.X.X.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0]

 

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_6482625

 

If you specify the log option at the end of a permit or deny ACE it will log a code 106100 message, the format of which is slightly different, the ACL name is specified after the string access-list:

Apr 15 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2241) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_4769049

 

cheers,

Seb.
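As an added example (not code from the thread or from Cisco), a small Python pre-filter that pulls the ACL name out of both message formats Seb quotes, 106023 with `by access-group "name"` and 106100 with `access-list name`, and keeps only lines whose ACL name carries a chosen tag prefix, which is the filtering the original question describes. The log lines and the `siem_` prefix are constructed for the example.

```python
import re
from typing import List, Optional

# Constructed sample lines modelled on the two formats quoted in the thread,
# plus one unrelated connection message that carries no ACL name.
SAMPLE_LOGS = [
    'Apr 15 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.0.1.30/63016 dst outside:203.0.113.8/53 by access-group "siem_acl_dmz" [0xe3aab522, 0x0]',
    'Apr 15 09:34:34 EDT: %ASA-session-5-106100: access-list siem_acl_in permitted tcp inside/10.0.2.16(2241) -> outside/203.0.113.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]',
    'Apr 15 09:35:01: %ASA-session-5-106100: access-list acl_mgmt denied udp inside/10.0.2.5(514) -> outside/203.0.113.9(514) hit-cnt 3 300-second interval [0x1, 0x0]',
    'Apr 15 09:35:02: %ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.8/443 (203.0.113.8/443) to inside:10.0.2.16/5555 (10.0.2.16/5555)',
]

# 106023 (implicit deny, no "log" keyword): action is the first word after the
# message id, the ACL name is quoted after "by access-group". The optional
# "<class>-" group accepts both "%ASA-4-..." and "%ASA-session-4-..." headers.
ACCESS_GROUP_RE = re.compile(
    r'%ASA-(?:[a-z]+-)?\d-(106023): (\w+) .*?\bby access-group "([^"]+)"')
# 106100 ("log" keyword on the ACE): the ACL name follows "access-list" and is
# unquoted, so it is terminated by the next space; the action word follows it.
ACCESS_LIST_RE = re.compile(
    r'%ASA-(?:[a-z]+-)?\d-(106100): access-list (\S+) (\w+) ')


def parse_acl_event(line: str) -> Optional[dict]:
    """Return {msg_id, acl, action} for a 106023/106100 message, else None."""
    m = ACCESS_GROUP_RE.search(line)
    if m:
        return {"msg_id": m.group(1), "acl": m.group(3), "action": m.group(2).lower()}
    m = ACCESS_LIST_RE.search(line)
    if m:
        return {"msg_id": m.group(1), "acl": m.group(2), "action": m.group(3).lower()}
    return None


def keep_for_siem(line: str, tag_prefix: str = "siem_") -> bool:
    """True when the line names an ACL whose name starts with tag_prefix."""
    event = parse_acl_event(line)
    return event is not None and event["acl"].startswith(tag_prefix)


def filter_logs(lines: List[str], tag_prefix: str = "siem_") -> List[str]:
    """Keep only ACL hits tagged for the SIEM; everything else is dropped."""
    return [line for line in lines if keep_for_siem(line, tag_prefix)]


if __name__ == "__main__":
    for kept in filter_logs(SAMPLE_LOGS):
        print(parse_acl_event(kept))
```

Because the 106100 name is unquoted, the parser relies on ACL names containing no whitespace, which the naming rules Seb describes already guarantee; a prefix tag such as `siem_` stays within [a-zA-Z0-9] and underscore, so it needs no special characters at all.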
