Quick syslog question ASA 5500/8.04

RICH FRUEH
Level 1

Is there a way to get, from the syslog messages, which ACE of an ACL triggered a deny?

For example, I have an object, Blocked_addresses, which contains 30 addresses. This is used in a deny in an ACL. This element of the ACL shows a bunch of hits, but no details as to which element was matched.

I don't want to search the log repository for the whole list of IPs to see which one hit, I'd like to search the syslog for the specific ACE, so I can quickly isolate those messages.

I know each ACE has its own identifier, but do they show up in the syslog in a usable format?

Thanks,

Rich


Collin Clark
VIP Alumni

Rich-

The syslogs show up kinda-sorta-useful. I wrote a script a while ago that searches the logs for me (by ID). It should be pretty easy to edit and grep with more detail.

```bash
#!/bin/bash

# Create the menu
clear
echo "==============================================================="
echo " PIX SYSLOG PARSER `date +%m.%d.%y` "
echo "---------------------------------------------------------------"
echo ""
echo "Your current working directory- `pwd`"
echo ""

# Get the file name to search ($FILE)
tput cup 7 9; echo -n "Enter the file you wish to search: "
tput cup 8 9; echo "Example: /var/log-pix/pix4/2005-01-31-pix4.log"
read FILE

# Loop the menu until the user quits
loop=y
while [ "$loop" = y ]
do
    # Menu listings
    clear
    tput cup 10 9; echo "A - Alert Level"
    tput cup 11 9; echo "C - Critical Level"
    tput cup 12 9; echo "E - Errors"
    tput cup 13 9; echo "W - Warnings"
    tput cup 14 9; echo "N - Notifications"
    tput cup 15 9; echo "I - Informational"
    tput cup 16 9; echo "D - Debug"
    tput cup 19 9; echo "Q - Quit "
    tput cup 20 9; echo "Enter your selection: "
    tput cup 20 31;
    read choice || continue

    case $choice in
    # grep by severity level (PIX-1 = alerts ... PIX-7 = debug)
    [Aa]) grep -i PIX-1 "$FILE" | less ;;
    [Cc]) grep -i PIX-2 "$FILE" | less ;;
    [Ee]) grep -i PIX-3 "$FILE" | less ;;
    [Ww]) grep -i PIX-4 "$FILE" | less ;;
    [Nn]) grep -i PIX-5 "$FILE" | less ;;
    [Ii]) grep -i PIX-6 "$FILE" | less ;;
    [Dd]) grep -i PIX-7 "$FILE" | less ;;
    [Qq]) exit ;;
    # "exit" must be its own command, not an argument to echo
    *) tput cup 18 9; echo "Invalid Code--I'm quitting"; exit ;;
    esac
done
```

Kureli Sankar
Cisco Employee

To get that particular ACE here is what you need to do.

Example:

```
%ASA-4-106100: access-list inside_access_in permitted tcp inside/192.168.2.203(8888) -> inside/192.168.31.10(12296) hit-cnt 1 first hit [0xa925365e, 0x0]
```

Then look the hash up in the running ACL:

```
sh access-l inside_access_in | i 0xa925365e
```
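To turn the approach above into something you can run against a whole log repository, here is an added example (not code from either reply) that pulls the ACE hash out of every 106100 "denied" message, counts messages and hit-cnt per hash, and lets you list the raw lines for one hash so you can then run the `show access-list ... | include <hash>` lookup on the ASA. The log lines are constructed sample data; the hashes, addresses and ACL name in them are made up and the message layout follows the 106100 format quoted above.

```bash
#!/bin/sh
# Added example, not part of the thread: summarise %ASA-4-106100 denies by ACE hash.
# Sample log is constructed; hashes and addresses below are invented for illustration.

SAMPLE_LOG="${TMPDIR:-/tmp}/asa-106100-sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
Jan 31 10:00:01 fw1 %ASA-4-106100: access-list outside_in denied tcp outside/203.0.113.5(51234) -> inside/192.168.31.10(22) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Jan 31 10:00:02 fw1 %ASA-4-106100: access-list outside_in permitted tcp outside/198.51.100.7(40001) -> inside/192.168.31.10(443) hit-cnt 1 first hit [0xa925365e, 0x0]
Jan 31 10:00:03 fw1 %ASA-4-106100: access-list outside_in denied udp outside/203.0.113.9(5353) -> inside/192.168.31.20(53) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]
Jan 31 10:00:04 fw1 %ASA-4-106100: access-list outside_in denied tcp outside/203.0.113.5(51300) -> inside/192.168.31.10(3389) hit-cnt 1 first hit [0x77e0c2f1, 0x0]
Jan 31 10:00:05 fw1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/40001 (198.51.100.7/40001) to inside:192.168.31.10/443 (192.168.31.10/443)
EOF

# ace_deny_summary FILE
# Prints "<ace-hash> <message-count> <summed-hit-cnt>" for every ACE that produced
# a 106100 "denied" message, busiest ACE first. Permitted flows and other message
# IDs are ignored.
ace_deny_summary() {
    awk '/%ASA-4-106100: access-list/ && / denied / {
            hits = 1
            # "hit-cnt N" carries the per-interval count once rate limiting kicks in
            if (match($0, /hit-cnt [0-9]+/))
                hits = substr($0, RSTART + 8, RLENGTH - 8)
            # the ACE hash is the first hex value in the trailing "[0x..., 0x...]" field
            if (match($0, /\[0x[0-9a-fA-F]+,/)) {
                hash = substr($0, RSTART + 1, RLENGTH - 2)
                msgs[hash]++
                total[hash] += hits
            }
        }
        END { for (h in msgs) print h, msgs[h], total[h] }' "$1" | sort -k3,3nr
}

# ace_lines FILE HASH
# Prints the raw syslog lines for one ACE hash, e.g. ace_lines "$LOG" 0x1a2b3c4d,
# which is what you would run after picking a hash from the summary.
ace_lines() {
    grep -F "[$2," "$1"
}

# Usage: list the busiest denying ACEs, then pull the lines for the top one.
# The hash printed here is what goes into "show access-list outside_in | include <hash>"
# on the ASA to recover the actual ACE text.
ace_deny_summary "$SAMPLE_LOG"
ace_lines "$SAMPLE_LOG" 0x1a2b3c4d
```

The hit-cnt summation matters because after the first hit the ASA rate-limits 106100 and reports an interval count rather than one message per packet, so counting messages alone under-reports the busiest entries.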
