syslog from ASA-5520 (specific interface)

Unanswered Question
Dec 4th, 2008


I have a customer who has a guest VLAN on his ASA-5520. He wants to log all traffic entering and leaving this interface, but not the other interfaces. How can this be accomplished?

Any help is greatly appreciated.

John Blakley Thu, 12/04/2008 - 10:18

I don't see a way of doing this. The only options that you have are the inside, outside, and management interfaces for the "logging host" command. This tells the ASA which interface to send the traffic out of when logging to a syslog server. Is this what you're wanting to log to?



rasmusan1 Thu, 12/04/2008 - 10:25

No, I wanted to log all traffic entering and leaving a specific interface on the ASA.

Could this be done on an IOS router?

John Blakley Thu, 12/04/2008 - 10:28

You can log everything by an ACL applied to an interface, and you can do that on an ASA as well. You append the log keyword at the end of the ACE. The problem is that if you aren't logging the traffic somewhere, then the buffer in the router/ASA will fill up and eventually overwrite. You'll have no way of going back once that happens.



rasmusan1 Thu, 12/04/2008 - 10:34

Ahh, ok, but how do I get only the traffic from the ACL and not a bunch of other traffic?

John Blakley Thu, 12/04/2008 - 11:50

If you are logging to a syslog server, you won't be able to selectively choose which messages are logged unless you filter (all messages are logged by default per severity level and down), and your ACL traffic will be logged as well. This is where a good management system comes in, to be able to search your logs. If they just want traffic on this interface, maybe you should look into Websense (quite expensive), or place some sort of IDS to just log traffic in and out of that interface. Either way, they'll still need to have something to be able to search for the data they're looking for.



ronshuster Thu, 12/04/2008 - 12:48

What I do is the following:

I send all syslog messages to a syslog-ng server (running on Linux) and then parse based on the traffic of interest.
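The approach ronshuster describes (send everything to a syslog server and parse for the traffic of interest), combined with John Blakley's point that the ACL log keyword makes the ASA emit a per-ACE message, can be turned into a small filter. The following Python is an added example written for this thread; it is not code from the original posts or from any Cisco tool. It reads ASA syslog lines and keeps only the events where either endpoint sits on a named interface, then counts how many entered versus left that interface. The interface name `guest`, the ACL name `guest_in`, and the sample log lines are constructed for the example. The two message families it understands are 106100 (logged ACE hits) and 302013 through 302016 (TCP/UDP connection build and teardown); the regular expressions follow the published ASA message layouts but are an assumption to check against the output of your own ASA version, and other message IDs that also carry interface names are deliberately ignored here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Dict

# Leading "%ASA-<severity>-<id>:" tag, used to dispatch on the message ID.
# (Regexes are an assumption based on the documented formats; verify on your ASA.)
ID_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):")

# 106100: emitted when an ACE carrying the "log" keyword is hit.
# ... access-list NAME permitted tcp IF/ADDR(PORT) -> IF/ADDR(PORT) hit-cnt N ...
ACL_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\)"
)

# 302013-302016: Built/Teardown TCP|UDP connection N for IF:ADDR/PORT [(mapped)] to IF:ADDR/PORT ...
CONN_RE = re.compile(
    r"(?P<verb>Built|Teardown) (?:(?:inbound|outbound) )?(?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<src_if>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+)(?: \([^)]*\))? to "
    r"(?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+)"
)


@dataclass
class FlowEvent:
    msg_id: str
    proto: str
    src_if: str
    src: str
    sport: int
    dst_if: str
    dst: str
    dport: int
    acl: Optional[str] = None      # only set for 106100 events
    action: Optional[str] = None   # permitted/denied for 106100, Built/Teardown for 3020xx


def parse_line(line: str) -> Optional[FlowEvent]:
    """Return a FlowEvent for a supported ASA message, or None for anything else."""
    tag = ID_RE.search(line)
    if not tag:
        return None
    msg_id = tag.group("id")
    if msg_id == "106100":
        m = ACL_RE.search(line)
        if not m:
            return None
        return FlowEvent(msg_id, m["proto"].lower(), m["src_if"], m["src"], int(m["sport"]),
                         m["dst_if"], m["dst"], int(m["dport"]), acl=m["acl"], action=m["action"])
    if msg_id in ("302013", "302014", "302015", "302016"):
        m = CONN_RE.search(line)
        if not m:
            return None
        return FlowEvent(msg_id, m["proto"].lower(), m["src_if"], m["src"], int(m["sport"]),
                         m["dst_if"], m["dst"], int(m["dport"]), action=m["verb"])
    return None


def filter_interface(lines: List[str], iface: str) -> List[FlowEvent]:
    """Keep only events where the packet entered or left the ASA on `iface`."""
    events = (parse_line(l) for l in lines)
    return [e for e in events if e is not None and iface in (e.src_if, e.dst_if)]


def summarize(events: List[FlowEvent], iface: str) -> Dict[str, int]:
    """Count events arriving on `iface` (ingress) versus leaving through it (egress)."""
    counts = {"ingress": 0, "egress": 0}
    for e in events:
        if e.src_if == iface:
            counts["ingress"] += 1
        elif e.dst_if == iface:
            counts["egress"] += 1
    return counts


# Constructed sample lines (not real device output); syslog header prefix is ignored by the regexes.
SAMPLE_LINES = [
    "Dec  4 10:18:01 asa5520 %ASA-6-106100: access-list guest_in permitted tcp guest/10.20.30.40(49152) -> outside/203.0.113.10(443) hit-cnt 1 first hit [0x8e2a1b3c, 0x00000000]",
    "Dec  4 10:18:01 asa5520 %ASA-6-302013: Built inbound TCP connection 40211 for guest:10.20.30.40/49152 (10.20.30.40/49152) to outside:203.0.113.10/443 (203.0.113.10/443)",
    "Dec  4 10:18:02 asa5520 %ASA-6-302013: Built outbound TCP connection 40212 for outside:198.51.100.7/33000 (198.51.100.7/33000) to inside:10.0.0.5/22 (10.0.0.5/22)",
    "Dec  4 10:18:03 asa5520 %ASA-6-106100: access-list guest_in denied udp guest/10.20.30.41(5353) -> inside/10.0.0.9(53) hit-cnt 3 300-second interval [0x1f2e3d4c, 0x00000000]",
    "Dec  4 10:18:05 asa5520 %ASA-6-302014: Teardown TCP connection 40211 for guest:10.20.30.40/49152 to outside:203.0.113.10/443 duration 0:00:04 bytes 5120 TCP FINs",
    "Dec  4 10:18:06 asa5520 %ASA-6-302013: Built inbound TCP connection 40213 for outside:198.51.100.9/51000 (198.51.100.9/51000) to guest:10.20.30.42/80 (10.20.30.42/80)",
    "Dec  4 10:18:07 asa5520 %ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.5/33001 to outside:198.51.100.1/33001",
]

if __name__ == "__main__":
    guest_events = filter_interface(SAMPLE_LINES, "guest")
    for ev in guest_events:
        print(ev)
    print(summarize(guest_events, "guest"))
```

Run against the sample, the filter drops the outside-to-inside connection and the unsupported 305011 line and keeps the five guest events. The same logic fits naturally into a syslog-ng destination that pipes to a program, or into a periodic job over the archived log files; the important caveat is that any ACE without the log keyword, and any message ID outside the two families handled here, never reaches the filter.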

