06-02-2009 08:33 AM - edited 03-11-2019 08:38 AM
Is there a way to get, from the syslog messages, which ACE of an ACL triggered a deny?
frex, I have an object, Blocked_addresses, which contains 30 addresses. This is used in a deny in an ACL. This element of the ACL shows a bunch of hits, but no details as to which element was matched.
I don't want to search the log repository for the whole list of IPs to see which one hit, I'd like to search the syslog for the specific ACE, so I can quickly isolate those messages.
I know each ACE has its own identifier, but do they show up in the syslog in a usable format?
Thanks,
Rich
06-02-2009 12:02 PM
Rich-
The syslogs show up kinda-sorta-useful. I wrote a script a while ago that searches the logs for me (by ID). It should be pretty easy to edit and grep with more detail.
#!/bin/bash
# Create the menu
clear
echo "==============================================================="
echo " PIX SYSLOG PARSER `date +%m.%d.%y` "
echo "---------------------------------------------------------------"
echo ""
echo "Your current working directory- `pwd`"
echo ""
# Get the file name to search ($FILE)
tput cup 7 9; echo -n "Enter the file you wish to search: "
tput cup 8 9; echo "Example: /var/log-pix/pix4/2005-01-31-pix4.log"
read FILE
# Bail out early if the file cannot be read, instead of failing on every grep
if [ ! -r "$FILE" ]; then
    echo "Cannot read $FILE -- quitting"
    exit 1
fi
# Loop the Menu
loop=y
while [ "$loop" = y ]
do
# Menu Listings
clear
tput cup 10 9; echo "A - Alert Level"
tput cup 11 9; echo "C - Critical Level"
tput cup 12 9; echo "E - Errors"
tput cup 13 9; echo "W - Warnings"
tput cup 14 9; echo "N - Notifications"
tput cup 15 9; echo "I - Informational"
tput cup 16 9; echo "D - Debug"
tput cup 19 9; echo "Q - Quit "
tput cup 20 9; echo "Enter your selection: "
tput cup 20 31;
# On EOF (e.g. Ctrl-D) leave the loop rather than spinning forever
read choice || exit
case $choice in
# grep by Error Level (the digit after PIX- is the syslog severity)
[Aa]) grep -i PIX-1 "$FILE" | less ;;
[Cc]) grep -i PIX-2 "$FILE" | less ;;
[Ee]) grep -i PIX-3 "$FILE" | less ;;
[Ww]) grep -i PIX-4 "$FILE" | less ;;
[Nn]) grep -i PIX-5 "$FILE" | less ;;
[Ii]) grep -i PIX-6 "$FILE" | less ;;
[Dd]) grep -i PIX-7 "$FILE" | less ;;
[Qq]) exit ;;
# "exit" must be a separate command, otherwise it is just echoed as text
*) tput cup 18 9; echo "Invalid Code--I'm quitting"; exit ;;
esac
done
06-06-2009 05:44 AM
To get that particular ACE, here is what you need to do.
Example:
%ASA-4-106100: access-list inside_access_in permitted tcp inside/192.168.2.203(8888) -> inside/192.168.31.10(12296) hit-cnt 1 first hit [0xa925365e, 0x0]
sh access-l inside_access_in | i 0xa925365e
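The lookup above is manual: read the hash out of the 106100 message, then grep it in "show access-list". The script below (an added example, not from this thread or from Cisco) automates the two halves: it sums hit-cnt per ACE hash from 106100 messages, then resolves each hash against captured "show access-list" output so denies can be ranked by the ACE that produced them. The syslog lines and show output it contains are constructed samples in the same format as the message quoted above; a hash with no line in the show output is reported unresolved with the exact command to run.

```python
import re
from collections import Counter

# ASA/PIX 106100 message: ACL name, action, and the two trailing hash codes.
# The first hash is the one the reply above feeds to "show access-list | include".
ACE_LOG_RE = re.compile(
    r"%(?:ASA|PIX)-\d-106100:\s*access-list\s+(?P<acl>\S+)\s+"
    r"(?P<action>permitted|denied|est-allowed)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s*->\s*"
    r"(?P<dst>\S+)\s*hit-cnt\s+(?P<hits>\d+).*?\[(?P<hash>0x[0-9a-fA-F]+),\s*0x[0-9a-fA-F]+\]",
    re.DOTALL,
)
# One ACE line of "show access-list" output; the trailing hex value is the ACE hash.
ACE_SHOW_RE = re.compile(
    r"access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+(?P<body>.+?)\s+\(hitcnt=\d+\)\s+(?P<hash>0x[0-9a-fA-F]+)\s*$"
)

def hits_per_ace(syslog_text):
    """Sum hit-cnt per (acl, action, hash) over every 106100 message in the text."""
    counts = Counter()
    for m in ACE_LOG_RE.finditer(syslog_text):
        counts[(m["acl"], m["action"], m["hash"].lower())] += int(m["hits"])
    return counts

def ace_table(show_text):
    """Map (acl, hash) -> 'line N <ace>' from captured show access-list output."""
    table = {}
    for line in show_text.splitlines():
        m = ACE_SHOW_RE.search(line)
        if m:
            table[(m["acl"], m["hash"].lower())] = f"line {m['line']} {m['body']}"
    return table

def denied_by_ace(syslog_text, show_text):
    """[(ace description, hits)] for denies only, busiest ACE first; unknown hashes are flagged."""
    table = ace_table(show_text)
    rows = [(table.get((acl, h), f"UNRESOLVED {h} (run: show access-list {acl} | include {h})"), n)
            for (acl, action, h), n in hits_per_ace(syslog_text).items() if action == "denied"]
    return sorted(rows, key=lambda r: -r[1])

# Constructed sample input (not real device output): three denies, one permit, one hash
# (0x7be40d11) deliberately absent from the show output to exercise the unresolved path.
SYSLOG = """\
Jun 02 2009 08:10:01 fw01 : %ASA-4-106100: access-list outside_access_in denied tcp outside/203.0.113.7(41022) -> inside/10.1.1.20(445) hit-cnt 1 first hit [0x1f3a9c2b, 0x0]
Jun 02 2009 08:15:01 fw01 : %ASA-4-106100: access-list outside_access_in denied tcp outside/203.0.113.9(41100) -> inside/10.1.1.20(445) hit-cnt 4 300-second interval [0x1f3a9c2b, 0x0]
Jun 02 2009 08:15:09 fw01 : %ASA-4-106100: access-list outside_access_in denied udp outside/198.51.100.5(5353) -> inside/10.1.1.20(5353) hit-cnt 1 first hit [0x7be40d11, 0x0]
Jun 02 2009 08:15:12 fw01 : %ASA-6-106100: access-list outside_access_in permitted tcp outside/198.51.100.8(50010) -> inside/10.1.1.30(443) hit-cnt 1 first hit [0x5d0c21aa, 0x0]
"""
SHOW_ACL = """\
access-list outside_access_in line 1 extended deny tcp object-group Blocked_addresses any eq 445 (hitcnt=5) 0x1f3a9c2b
access-list outside_access_in line 2 extended permit tcp any host 10.1.1.30 eq https (hitcnt=1) 0x5d0c21aa
"""
```

Call denied_by_ace(SYSLOG, SHOW_ACL) to get the ranked list; feed it your own syslog file and a saved "show access-list" capture in place of the samples.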