Log Access List - External syslog

Answered Question
Feb 25th, 2009

Hi All,


Has anyone ever set up their ASA to log to an external server what traffic is flowing through access-lists?


I don't want to have to analyse the traffic with capture, as I would prefer to let the logs build up over a couple of weeks.


I want to harden the rule base, as IP is allowed between various networks. To achieve this successfully I want to log the access-lists externally so I don't miss any tcp/udp ports etc.


Thanks

Correct Answer by vikram_anumukonda about 7 years 12 months ago

The "test" is like a filter for what messages one wants to see on the syslog server.


The link below should help you understand better:


http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1279924


darkbeatz,


You can add the keyword "log" to any number of ACEs in your ACL and analyze it on the syslog.



HTH

Vikram

vikram_anumukonda Wed, 02/25/2009 - 04:37

Do these steps:


1) logging on

2) logging list test message 106100

3) logging trap test

4) logging host <> x.x.x.x


106100 gives you ports and protocols for the permitted traffic. I have tried this config by having an "access-list inside permit ip any any log" to analyze what kind of traffic is traversing the firewall.


You can find the complete list of syslog message numbers here:


http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/syslog.html


HTH


Vikram
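As an added example (not from this thread or from Cisco), a small Python script that parses the 106100 messages the steps above send to the syslog host and totals permitted hits per ACL, protocol and destination port, which is the view needed to replace a broad "permit ip" ACE with specific ports. The sample log lines are constructed; the message layout follows Cisco's documented 106100 format.

```python
import re
from collections import Counter

# Documented 106100 layout:
# access-list <acl> {permitted|denied|est-allowed} <proto> <if>/<src>(<sport>)
#   -> <if>/<dst>(<dport>) hit-cnt <n> {first hit|<n>-second interval} [hashes]
ACL_LOG_RE = re.compile(
    r"%(?:ASA|PIX|FWSM)-\d-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

def parse_acl_log(line):
    """Return the fields of one 106100 line as a dict, or None for other messages."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hits"] = int(rec["hits"])  # hit-cnt is cumulative for the interval
    return rec

def summarize_permitted(lines):
    """Sum hit counts per (acl, proto, dst_port) for permitted traffic only."""
    totals = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "permitted":
            totals[(rec["acl"], rec["proto"], rec["dport"])] += rec["hits"]
    return totals

# Constructed sample syslog lines (not real captures) in the 106100 format.
SAMPLE_LOG = [
    "Feb 25 2009 04:37:01 fw1 : %ASA-6-106100: access-list inside permitted tcp inside/10.1.1.5(51234) -> outside/192.0.2.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "Feb 25 2009 04:37:31 fw1 : %ASA-6-106100: access-list inside permitted tcp inside/10.1.1.7(51240) -> outside/192.0.2.10(443) hit-cnt 4 300-second interval [0x1a2b3c4d, 0x0]",
    "Feb 25 2009 04:38:02 fw1 : %ASA-6-106100: access-list inside permitted udp inside/10.1.1.5(53001) -> outside/192.0.2.53(53) hit-cnt 2 300-second interval [0x5e6f7a8b, 0x0]",
    "Feb 25 2009 04:38:10 fw1 : %ASA-6-106100: access-list inside denied tcp inside/10.1.1.9(40000) -> outside/192.0.2.10(23) hit-cnt 1 first hit [0x9c0d1e2f, 0x0]",
    "Feb 25 2009 04:38:11 fw1 : %ASA-6-302013: Built outbound TCP connection 12345 for outside:192.0.2.10/443 (192.0.2.10/443) to inside:10.1.1.5/51234 (203.0.113.1/51234)",
]

if __name__ == "__main__":
    # Each row is a candidate for a specific permit ACE replacing "permit ip any any".
    for (acl, proto, port), hits in sorted(summarize_permitted(SAMPLE_LOG).items()):
        print(f"{acl:10} {proto:5} dst-port {port:>5} hits {hits}")
```

Feed it the syslog server's file for the collection period; only messages matching the 106100 pattern are counted, so other ASA messages on the same host are ignored.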

darkbeatzz Wed, 02/25/2009 - 04:54

Thanks Vikram.


Does test in this command refer to an access-list called test?

darkbeatzz Wed, 02/25/2009 - 06:34

Let me be more clear.


Does the logging analyse all access-lists on the firewall, or can I specifically monitor each ACL?


Thanks
