10-01-2006 06:48 PM - edited 02-20-2020 09:37 PM
ACL logging on router to syslog
I need to monitor the ports used on the router from one particular host to some destination. I have an ACL as given below:
permit ip host 10.0.0.1 host 192.168.0.10 log
permit ip any any
I have set up a syslog server and I see the log messages on it, but there is no port information.
The log message looks like:
"%SEC-6-IPACCESSLOGP:list acl permitted 10.0.0.1(0)-> 192.168.0.10(0), xx packets"
I need to know what ports the host 10.0.0.1 is using to the server 192.168.0.10
What's the best way to get this information?
Thanks
10-02-2006 08:18 AM
Dominic provides a creative solution, and depending on what the requirements of the original post are, it might be a very satisfactory solution.
But we can also provide an explanation of the original problem and a solution for it. The original post shows a very simple access list which permits ip traffic between a specific pair of hosts and then permits all traffic. The access list does not examine any values for protocol ports, and that is the reason the log messages do not have port information. If the access list does not examine port numbers, the log message cannot report port numbers. If you want the log message to include port numbers, then you must examine port numbers in the access list. This version of the list is slightly more complex, but it will provide the port numbers that you want:
permit udp host 10.0.0.1 host 192.168.0.10 range 0 65535 log
permit tcp host 10.0.0.1 host 192.168.0.10 range 0 65535 log
permit ip host 10.0.0.1 host 192.168.0.10 log
permit ip any any
HTH
Rick
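To make use of the port numbers once the tcp/udp ACEs are in place, the syslog lines still have to be parsed. The following is an added example, not code from the original post or from Cisco: a small Python parser for %SEC-6-IPACCESSLOGP messages that treats a port logged as (0) as "not examined by the ACE" rather than as port 0, and aggregates packet counts per protocol and destination port for the one host pair in the question. The field layout follows the line quoted in the question; the exact spacing and the presence of the protocol keyword in real IOS output are assumptions, and the sample log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Message body layout assumed from the line quoted in the question:
#   %SEC-6-IPACCESSLOGP: list <acl> permitted|denied [tcp|udp] src(sport) -> dst(dport), N packets
# Whitespace around ':' and '->' is optional because IOS output varies.
LOGP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP:\s*list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+"
    r"(?:(?P<proto>tcp|udp)\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\),\s*"
    r"(?P<count>\d+)\s+packets?"
)


@dataclass
class AclHit:
    acl: str
    action: str
    proto: Optional[str]   # None when the ACE was 'permit ip' (no protocol logged)
    src: str
    sport: Optional[int]   # None when the ACE did not examine ports (logged as 0)
    dst: str
    dport: Optional[int]
    packets: int


def _port(value: str) -> Optional[int]:
    # An ACE that does not look at ports logs (0); that is absence of data,
    # not a real port, so keep it distinct from any genuine port number.
    n = int(value)
    return n if n != 0 else None


def parse_line(line: str) -> Optional[AclHit]:
    """Parse one syslog line; return None for lines that are not IPACCESSLOGP."""
    m = LOGP_RE.search(line)
    if not m:
        return None
    return AclHit(
        acl=m["acl"], action=m["action"], proto=m["proto"],
        src=m["src"], sport=_port(m["sport"]),
        dst=m["dst"], dport=_port(m["dport"]),
        packets=int(m["count"]),
    )


def summarize(lines, src: str, dst: str) -> dict:
    """Total packets per (proto, dport) for traffic from src to dst.
    The key (None, None) collects hits that carried no port information."""
    totals: dict = {}
    for line in lines:
        hit = parse_line(line)
        if hit is None or hit.src != src or hit.dst != dst:
            continue
        key = (hit.proto, hit.dport)
        totals[key] = totals.get(key, 0) + hit.packets
    return totals


# Constructed sample log, not captured from a real router.
SAMPLE_LOG = [
    # Before the ACL change: 'permit ip ... log' examines no ports, so IOS logs (0).
    "Oct  2 08:18:01 rtr1 123: %SEC-6-IPACCESSLOGP: list acl permitted 10.0.0.1(0) -> 192.168.0.10(0), 17 packets",
    # After the change: the tcp/udp ACEs with a port range log real ports.
    "Oct  2 08:23:11 rtr1 124: %SEC-6-IPACCESSLOGP: list acl permitted tcp 10.0.0.1(51234) -> 192.168.0.10(443), 9 packets",
    "Oct  2 08:23:14 rtr1 125: %SEC-6-IPACCESSLOGP: list acl permitted udp 10.0.0.1(40001) -> 192.168.0.10(53), 3 packets",
    "Oct  2 08:24:02 rtr1 126: %SEC-6-IPACCESSLOGP: list acl permitted tcp 10.0.0.1(51240) -> 192.168.0.10(443), 4 packets",
    # Another source host; summarize() for 10.0.0.1 must ignore it.
    "Oct  2 08:24:09 rtr1 127: %SEC-6-IPACCESSLOGP: list acl permitted tcp 10.0.0.5(33000) -> 192.168.0.10(22), 2 packets",
]

if __name__ == "__main__":
    for (proto, dport), pkts in sorted(summarize(SAMPLE_LOG, "10.0.0.1", "192.168.0.10").items(), key=str):
        label = f"{proto}/{dport}" if proto else "no port info"
        print(f"{label:>14}: {pkts} packets")
```

Two practical caveats when reading the output: the `range 0 65535` ACEs make the router log per flow rather than per host pair, so the message volume grows with the number of distinct ports in use, and ACL logging reports a first-packet message followed by periodic packet-count summaries, so the counts are aggregates over an interval rather than per-packet records.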
10-02-2006 03:52 AM
Use NetFlow. Send all the flows to a Linux server, then grep on the source or destination.