02-07-2012 12:52 AM - edited 03-11-2019 03:25 PM
Hi CSC,
Is there a way to extract which traffic is hitting which rule from syslog? Thanks.
Regards,
Benson
02-07-2012 06:50 AM
Hello,
You can assign the keyword log at the end of the ACL, and that will generate a syslog message for each match on a rule that has this keyword at the end.
Mike
02-08-2012 02:42 AM
Hi Mike,
What you proposed is for Cisco routers; I am referring to the ASA. The syslog entries have the following fields, but they do not show which rule is hit.
Jan 24 00:00:52 172.16.132.21 :Jan 23 23:49:07 SGT: %ASA-session-6-302013: Built inbound TCP connection 1158354 for CITRIX:x.x.x.x/60659 (x.x.x.x/60659) to Inside:x.x.x.x/445 (x.x.x.x/445)
02-08-2012 07:26 AM
Extract from CISCO ASA COMMAND REFERENCE 8.2
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1559450
Extract from Cisco ASA 5500 Series System Log Messages, 8.2
Log message: 106100
Error Message %ASA-6-106100: access-list acl_ID {permitted | denied | est-allowed} protocol interface_name/source_address(source_port) - interface_name/dest_address(dest_port) hit-cnt number ({first hit | number-second interval}) hash codes
When an access-list line has the log argument, it is expected that this syslog ID might be triggered because of a non-synchronized packet reaching the adaptive security appliance and being evaluated by the access-list. For example, if an ACK packet is received on the adaptive security appliance (for which no TCP connection exists in the connection table), the device might generate syslog 106100, indicating that the packet was permitted; however, the packet is later correctly dropped because of no matching connection.
If you are in doubt, please ask first.
Mike
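As an added example (not from the thread or from Cisco), a small Python parser for the 106100 layout Mike quoted, run over constructed sample lines: it pulls the ACL name, action and hit count out of each 106100 entry and shows that a 302013 connection-build entry, like the one Benson posted, carries no rule information. The ACL names, addresses and hash values in the sample are made up.

```python
import re
from collections import Counter

# Field layout of %ASA-6-106100 as quoted from the 8.2 syslog messages guide.
# Real messages print "->" between source and destination where the guide shows "-".
ACL_HIT_RE = re.compile(
    r"106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\) ->? "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+) (?:first hit|(?P<interval>\d+)-second interval)"
)

# Constructed sample lines: two 106100 ACL hits and one 302013 connection
# build, all with made-up addresses, ACL names and hash codes.
SAMPLE_SYSLOG = """\
Jan 24 00:00:52 172.16.132.21 :Jan 23 23:49:07 SGT: %ASA-6-106100: access-list outside_in permitted tcp outside/10.1.1.5(40012) -> inside/192.168.1.10(445) hit-cnt 1 first hit [0x8a3f1c2e, 0x0]
Jan 24 00:00:53 172.16.132.21 :Jan 23 23:49:08 SGT: %ASA-6-106100: access-list outside_in denied tcp outside/10.1.1.6(51000) -> inside/192.168.1.10(3389) hit-cnt 4 300-second interval [0x1b2c3d4e, 0x0]
Jan 24 00:00:54 172.16.132.21 :Jan 23 23:49:09 SGT: %ASA-session-6-302013: Built inbound TCP connection 1158354 for CITRIX:10.1.1.5/60659 (10.1.1.5/60659) to Inside:192.168.1.20/445 (192.168.1.20/445)
"""


def parse_acl_hit(line):
    """Return the fields of a 106100 entry, or None for any other message."""
    m = ACL_HIT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hits"] = int(rec["hits"])
    for k in ("sport", "dport"):
        rec[k] = int(rec[k])
    # "first hit" entries have no interval; rate-limited ones report its length.
    rec["interval"] = int(rec["interval"]) if rec["interval"] else None
    return rec


def hits_per_rule(text):
    """Sum hit-cnt per (ACL name, action); 302013 and other lines are skipped."""
    totals = Counter()
    for line in text.splitlines():
        rec = parse_acl_hit(line)
        if rec:
            totals[(rec["acl"], rec["action"])] += rec["hits"]
    return dict(totals)


if __name__ == "__main__":
    for (acl, action), hits in hits_per_rule(SAMPLE_SYSLOG).items():
        print(f"{acl} {action}: {hits} hits")
```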
02-08-2012 10:45 PM
Hi Mike,
Thanks, it does help to solve part1. Now I am stuck with another issue, the moment the log keyword is entered for 1 ACE, no more syslog is being generated.