12-15-2009 07:11 PM - edited 02-21-2020 03:49 AM
R1(10.177.142.1)----------------f1/0 R2 f1/1 -----------------(192.168.1.3)R3
I want to apply a benign access-list on R2 in order only to log
entries and let me assess and learn how many users are using
protocols TELNET, www and 3389 (RDP thing)
coming from R1 are accessing R3. I can't block any traffic yet.
So my log on R2 works accordingly to log entries for TELNET, www and RDP - OK.
Question:
Imagine I want to capture such logs for about 2 weeks and then analyze output such as
source IPs which generated such entries. Can you please tell me what is the
best and easiest way to capture this in the log to allow later analysis? Can I set a syslog
server IP that will be used only by this specific WATCH_PROTOCOL ACL?
R2#show access-list
Extended IP access list WATCH_PROTOCOL
permit tcp any any eq 3389 log-input (2 matches)
permit tcp any any eq telnet log-input (36 matches)
permit tcp any any eq www log-input
permit ip any any (226 matches)
R2#
R2#show run | inc access-group
ip access-group WATCH_PROTOCOL in
R2#
R2#
00:14:38: %SEC-6-IPACCESSLOGP: list WATCH_PROTOCOL permitted tcp 10.177.142.1(11
008) (FastEthernet1/0 ca01.0e80.001c) -> 192.168.1.3(23), 1 packet
R1#telnet 192.168.1.3 80
Trying 192.168.1.3, 80 ...
% Connection refused by remote host
R2#
00:14:38: %SEC-6-IPACCESSLOGP: list WATCH_PROTOCOL permitted tcp 10.177.142.1(11
008) (FastEthernet1/0 ca01.0e80.001c) -> 192.168.1.3(23), 1 packet
R2#
R2#
R2#show access-list
Extended IP access list WATCH_PROTOCOL
permit tcp any any eq 3389 log-input (2 matches)
permit tcp any any eq telnet log-input (36 matches)
permit ip any any (67 matches)
R2#show run | inc access-group
ip access-group WATCH_PROTOCOL in
R2#
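An added example, not part of the original thread, for the analysis step the question asks about: once the %SEC-6-IPACCESSLOGP messages are on a syslog server, this small Python script parses them into per-source-IP, per-service packet totals. It sums the packet count at the end of each message instead of counting lines, because IOS logs the first matching packet and then emits periodic summary messages for the same flow; the assumption here is that those summary messages use the same format with "N packets". The sample log lines are constructed for the example (the one flow copied from the post, plus invented ones), and the service names are a local mapping, not anything the router emits.

```python
import re
from collections import Counter, defaultdict

# Matches the IOS %SEC-6-IPACCESSLOGP message shown in the post. With log-input the
# ingress interface and source MAC appear in parentheses after the source address;
# the group is optional so plain "log" entries parse too.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-fA-F.]+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Local naming for the ports watched by the ACL in the post (assumption: not router output).
SERVICE_NAMES = {23: "telnet", 80: "www", 3389: "rdp"}


def parse_line(line):
    """Parse one syslog line; return a dict of fields or None if it is not an ACL log message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dport = int(m.group("dport"))
    return {
        "acl": m.group("acl"),
        "action": m.group("action"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": dport,
        "service": SERVICE_NAMES.get(dport, f"{m.group('proto')}/{dport}"),
        "packets": int(m.group("count")),   # 1 for the first packet, N for a summary line
    }


def summarize(lines, acl_name="WATCH_PROTOCOL"):
    """Return Counter {(src_ip, service): packets} for messages from the named ACL only."""
    totals = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["acl"] != acl_name:
            continue
        totals[(rec["src"], rec["service"])] += rec["packets"]
    return totals


def per_source(totals):
    """Regroup the totals as {src_ip: {service: packets}} for a readable report."""
    report = defaultdict(dict)
    for (src, service), packets in totals.items():
        report[src][service] = packets
    return dict(report)


# Constructed sample syslog lines (the first is the flow from the post; the rest are invented).
SAMPLE_LOG = [
    "Dec 15 19:11:02 R2 15: 00:14:38: %SEC-6-IPACCESSLOGP: list WATCH_PROTOCOL permitted tcp "
    "10.177.142.1(11008) (FastEthernet1/0 ca01.0e80.001c) -> 192.168.1.3(23), 1 packet",
    # periodic summary for the same telnet flow: 12 more packets in the interval
    "Dec 15 19:16:02 R2 16: 00:19:38: %SEC-6-IPACCESSLOGP: list WATCH_PROTOCOL permitted tcp "
    "10.177.142.1(11008) (FastEthernet1/0 ca01.0e80.001c) -> 192.168.1.3(23), 12 packets",
    "Dec 15 19:20:41 R2 17: 00:24:17: %SEC-6-IPACCESSLOGP: list WATCH_PROTOCOL permitted tcp "
    "10.177.142.7(40122) (FastEthernet1/0 ca01.0e80.002a) -> 192.168.1.3(3389), 1 packet",
    "Dec 15 19:21:05 R2 18: 00:24:41: %SEC-6-IPACCESSLOGP: list WATCH_PROTOCOL permitted tcp "
    "10.177.142.7(40130) (FastEthernet1/0 ca01.0e80.002a) -> 192.168.1.3(80), 1 packet",
    # a message from a different ACL on the same box: must be ignored
    "Dec 15 19:22:00 R2 19: 00:25:36: %SEC-6-IPACCESSLOGP: list OTHER_ACL permitted tcp "
    "10.9.9.9(5000) (FastEthernet1/0 ca01.0e80.00ff) -> 192.168.1.3(23), 1 packet",
    "Dec 15 19:22:30 R2 20: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for src, services in sorted(per_source(summarize(SAMPLE_LOG)).items()):
        print(src, services)
```

Point the script at the syslog file collected over the two weeks (one line per message; the wrapped lines on the console are an artifact of the terminal width) and the output lists each source address with the packet count per watched service. Denied entries are parsed as well, so the same script works unchanged once the ACL is switched from logging to blocking.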
12-16-2009 05:15 AM
This looks like a job for Netflow. I have provided links to documentation below:
Configuring Netflow (12.2 Mainline):
http://www.cisco.com/en/US/docs/ios/12_2/switch/configuration/guide/xcfnfc.html
flow-tools (to analyze netflow data):
ftp://ftp.eng.oar.net/pub/flow-tools/flow-tools-0.66.tar.gz
Powerpoint tying the two together:
http://ws.edu.isoc.org/workshops/2008/apricot2008/netmanage/presos/netflow/apricot-flow-tools-slides.ppt
Let me know if this helps,