Solved: Re: Taking out Any Any hitting loggs

Lahiruk · ‎02-22-2019

Hi All,

I have deployed Cisco 2100 series ASA with multi context mode and it contains any any rule in some contexts. So I need to take out all the traffic loggs which hitting any any rule.

Any idea of taking loggs for each any any rule. ? I need to remove this rule before it goes live.

-Dil

balaji.bandi · ‎02-25-2019

As for as i know that log do current until buffer over flow, that not cover history of the logs.

As per your orginal post you like to log them and analyse them for later use (correct me if my understanding was wrong) ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

balaji.bandi · ‎02-22-2019

Have you configured external log server to log these ? if not you will not able to get that information.

if you like to have all the logs, configure syslog server and route the logs to log server.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Lahiruk · ‎02-22-2019

Hi BB,

I have not configured external server yet , and hope to configure.

I just need to taking out traffic loggs which hitting only any any ACLs.

Regards,

Dilk

balaji.bandi · ‎02-22-2019

Sure you configure only those to logs to export to syslog server.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Lahiruk · ‎02-22-2019

Hi

My rule number is 56 for Any Any ACL, how can i create a event for getting logs related to this rule only. please send me how it configure.

I need to capture source and destination with ports which hitting to rule number 56 only.

configured a syslog server also

regards,

Dilk

balaji.bandi · ‎02-23-2019

logging enable
logging timestamp
logging message 106100
logging trap informational or debug ( depends on your requirememt)
logging host MANAGEMENT 10.10.10.10
!
access-list 56 XXXXXXX  any any log

checking logs
show logging message 106100

here is teh guide

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc27

make sure you have syslog server running and you have ACL setup on ASA for that syslog host port 514.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Marius Gunnerud · ‎02-23-2019

Disable logging on all access control entries except the permit ip any any ACL. This can be done in ASDM by unchecking the logging enable check box in each ACL or adding the keywords "logging disable" at the end of each access control entry in the CLI.

--
Please remember to select a correct answer and rate helpful posts

Lahiruk · ‎02-24-2019

Thanks All,

I found a way to collect it from the ASDM itself.

1. Enable debugging in particular ACL
2. Go to Confiuration ⇒ Device Management ⇒ Logging ⇒ Logging filters ⇒Select the logging destination as ASDM and change the serevivity level into debugging
3. Go back to again ACL ⇒ Write click ⇒ and select show log

Regards,
Dilk

balaji.bandi · ‎02-25-2019

As for as i know that log do current until buffer over flow, that not cover history of the logs.

As per your orginal post you like to log them and analyse them for later use (correct me if my understanding was wrong) ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Lahiruk · ‎02-25-2019

Thanks BB for your response and for the time being I had to analyze real time traffic. Later I will configure for old traffic using a syslog server.

Thanks for your answers

Regards,
Dilk