syslog: logging specific traffic only to syslog server

tsrader · ‎03-20-2006

remote site is accessing onsite servers and need to lock them down based on host ip's and ports.

remote site connects to onsite network thru 6509 L3. want to capture remote traffic to syslog server. (only want to capture remote site traffic, no other traffic).

in order to "see" all traffic passing

"ip any any" required to determine what servers / services remote site is accessing for now. will "lock down" acl once all servers / services are identified.

how to direct only the remote site traffic to my syslog server?

acl 130 permit ip 172.16.3.0 range 1 65535 any

thx

konigl · ‎03-20-2006

Assuming your remote site is using IP addresses in the 172.16.3.0 subnet with a 255.255.255.0 subnet mask, and you apply your access-list 130 to inbound traffic on the VLAN interface that services them...

...just add the word "log" at the end of your ACL 130 commands. Also, make sure you have "logging x.x.x.x" in your config, where x.x.x.x is the IP address of your syslog server. It would look like this:

access-list 130 permit tcp 172.16.3.0 0.0.0.255 range 1 65535 any log

access-list 130 permit udp 172.16.3.0 0.0.0.255 range 1 65535 any log

access-list 130 permit icmp 172.16.3.0 0.0.0.255 any log

access-list 130 permit ip 172.16.3.0 0.0.0.255 any log

logging x.x.x.x

interface VLAN 163 (assuming that's your VLAN number)

ip access-group 130 in

Any hits on these lines including port numbers will show up in the syslog. You will probably get a lot of entries at first. You may want to fine-tune the ACL as you identify known services early on, so that access to them is still permitted but you don't necessarily log messages for it.