ASA logging to syslog

Unanswered Question
Mar 12th, 2009

Is there any way to log my ASA syslog traffic to a syslog server and not have the "names" in the logs? I know that doesn't make much sense, so here is an example:


2009 09:42:18 BHG-FW : %ASA-4-106100: access-list BPWLAN_access_in permitted tcp BPWLAN/10.200.112.64(1253) -> inside/OBJECT-GC80NETDC(139) hit-cnt 1 first hit [0x458bc6c4, 0x2531a850]


I would like to not have the "OBJECT-GC80NETDC" to be displayed, instead I would like to have the IP address.

aghaznavi Wed, 03/18/2009 - 09:19

The error message states that if you configured the log option for the access-list command, the packets matched an ACL statement. The message level depends on the level set in the access-list command (by default, the level is 6). The message indicates either the initial occurrence or the total number of occurrences during an interval. This message provides more information than message 106023, which only logs denied packets, and does not include the hit count or a configurable level.


When an access-list line has the log argument, it is expected that this syslog ID might be triggered because of a non-synchronized packet reaching the security appliance and being evaluated by the access-list. For example, if an ACK packet is received on the security appliance (for which no TCP connection exists in the connection table), the device might generate syslog 106100, indicating that the packet was permitted; however, the packet is later correctly dropped because of no matching connection.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml


campbech1 Wed, 03/18/2009 - 10:39

Understand that. I think you misunderstood the question or I wasn't clear enough.


Instead of seeing the message in our syslog like:


2009 09:42:18 BHG-FW : %ASA-4-106100: access-list BPWLAN_access_in permitted tcp BPWLAN/10.200.112.64(1253) -> inside/OBJECT-GC80NETDC(139) hit-cnt 1 first hit [0x458bc6c4, 0x2531a850]


I would like to see:


2009 09:42:18 BHG-FW : %ASA-4-106100: access-list BPWLAN_access_in permitted tcp BPWLAN/10.200.112.64(1253) -> inside/10.200.80.5(139) hit-cnt 1 first hit [0x458bc6c4, 0x2531a850]


So when our network team is performing searches, they don't need to be worried about what I've called the name in the firewall.
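Whether the ASA prints configured names or raw addresses in its output is controlled on the firewall by the `names` command. When the firewall cannot be changed, or when logs already collected with names in them need to be searchable by IP, the substitution can also be done at the syslog receiver. The following is an added example, not code from this thread or from Cisco: it parses %ASA-4-106100 lines of the form shown above and rewrites each `interface/NAME(port)` endpoint to `interface/IP(port)` from a lookup table. `NAME_TABLE` is a constructed mapping (the one entry uses the address the poster wants to see, 10.200.80.5); in practice it would be generated from the firewall's `name` statements. Names that are not in the table are left untouched and reported, rather than guessed.

```python
import ipaddress
import re

# Constructed name -> IP table; on a real deployment, export it from the
# ASA's `name` statements so the log and the configuration cannot drift apart.
NAME_TABLE = {
    "OBJECT-GC80NETDC": "10.200.80.5",
}

# Sample line taken from the thread (constructed timestamp prefix as posted).
SAMPLE_LINE = (
    "2009 09:42:18 BHG-FW : %ASA-4-106100: access-list BPWLAN_access_in permitted tcp "
    "BPWLAN/10.200.112.64(1253) -> inside/OBJECT-GC80NETDC(139) hit-cnt 1 first hit "
    "[0x458bc6c4, 0x2531a850]"
)

# An endpoint in a 106100 message looks like  iface/host(port)
ENDPOINT_RE = re.compile(r"(?P<iface>[\w-]+)/(?P<host>[^\s()]+)\((?P<port>\d+)\)")

# Fields of the 106100 message body up to the hit count
MSG_RE = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\S+) -> (?P<dst>\S+) hit-cnt (?P<hits>\d+)"
)


def is_ip(host):
    """True if host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def resolve_host(host, table=NAME_TABLE):
    """Return the address for a configured name; addresses and unknown names pass through."""
    if is_ip(host):
        return host
    return table.get(host, host)


def normalize_line(line, table=NAME_TABLE):
    """Rewrite every iface/NAME(port) endpoint in the line to iface/IP(port)."""
    def repl(m):
        ip = resolve_host(m.group("host"), table)
        return f"{m.group('iface')}/{ip}({m.group('port')})"
    return ENDPOINT_RE.sub(repl, line)


def unresolved_names(line, table=NAME_TABLE):
    """Names in the line that the table cannot map; use this to spot a stale table."""
    return sorted(
        m.group("host") for m in ENDPOINT_RE.finditer(line)
        if not is_ip(m.group("host")) and m.group("host") not in table
    )


def parse_106100(line, table=NAME_TABLE):
    """Extract the 106100 fields with endpoints resolved to IPs; None if not a 106100 line."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    rec = {
        "severity": int(m.group("sev")),
        "acl": m.group("acl"),
        "action": m.group("action"),
        "proto": m.group("proto"),
        "hits": int(m.group("hits")),
    }
    for side in ("src", "dst"):
        e = ENDPOINT_RE.fullmatch(m.group(side))
        if e is None:
            return None
        rec[side + "_iface"] = e.group("iface")
        rec[side + "_ip"] = resolve_host(e.group("host"), table)
        rec[side + "_port"] = int(e.group("port"))
    rec["unresolved"] = unresolved_names(line, table)
    return rec


if __name__ == "__main__":
    print(normalize_line(SAMPLE_LINE))
    print(parse_106100(SAMPLE_LINE))
```

Run it over the receiver's input stream (one line per call) before the lines are indexed, so searches by address match regardless of what the firewall was configured to call the host; anything listed by `unresolved_names` means the table is missing an entry and should be regenerated from the firewall.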
