Quick syslog question ASA 5500/8.04

Unanswered Question
Jun 2nd, 2009

Is there a way to get, from the syslog messages, which ACE of an ACL triggered a deny?


For example, I have an object, Blocked_addresses, which contains 30 addresses. This is used in a deny in an ACL. This element of the ACL shows a bunch of hits, but no details as to which element was matched.


I don't want to search the log repository for the whole list of IPs to see which one hit; I'd like to search the syslog for the specific ACE, so I can quickly isolate those messages.


I know each ACE has its own identifier, but do they show up in the syslog in a usable format?


Thanks,

Rich

Kureli Sankar Tue, 06/02/2009 - 18:42
Cisco Employee

The deny usually has a hash value.


To see which ACE that is you need to issue sh access-l blah | i hash


Presently it is not possible to get the appropriate ACE in the syslog deny message, only the hash.



RICH FRUEH Wed, 06/03/2009 - 07:17

Thank you for this - it didn't work quite correctly - I get an unknown command. If I expand it to incl hash, I get a blank. However, just doing a 'sh access-list' did give me the identifiers, just not how I expected. The nicer thing is that it gave me the hitcounts per IP address, instead of just per ACE.



Kureli Sankar Thu, 06/04/2009 - 12:26
Cisco Employee

You have to include the hash value that you see in the syslogs when you issue the sh access-list command.


example:

TK00FWSM# show access-list vl998
access-list vl998; 102 elements
access-list vl998 line 1 extended permit tcp any object-group sisj-cgp-mailfe-svc eq smtp 0xb7e52495
access-list vl998 line 1 extended permit tcp any host sisj-cgp-mailfe00-svc eq smtp (hitcnt=0) 0x4115ae92
access-list vl998 line 1 extended permit tcp any host sisj-cgp-mailfe01-svc eq smtp (hitcnt=0) 0x9b15500

sh access-l vl998 | i 0x9b15500


Put the hash that you see in the syslogs in the above command.
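To avoid doing the hash lookup by hand for every deny, the mapping can be scripted. This is an added example, not code from the thread or from Cisco: it indexes the "show access-list" output quoted above by ACE hash and resolves constructed syslog deny lines against it. The "by access-group ... [0x..., 0x...]" tail of the syslog line is an assumption about the %ASA-4-106023 message format (the first hex value is taken to be the ACE hash), and the sample log lines are constructed for the example.

```python
import re

# Constructed "show access-list" output, in the format quoted in the post above.
SHOW_ACCESS_LIST = """\
access-list vl998; 102 elements
access-list vl998 line 1 extended permit tcp any object-group sisj-cgp-mailfe-svc eq smtp 0xb7e52495
access-list vl998 line 1 extended permit tcp any host sisj-cgp-mailfe00-svc eq smtp (hitcnt=0) 0x4115ae92
access-list vl998 line 1 extended permit tcp any host sisj-cgp-mailfe01-svc eq smtp (hitcnt=0) 0x9b15500
"""

# Constructed syslog lines (assumed %ASA-4-106023 layout). The second line carries a
# hash that is not in the ACL above, to show the unresolved case.
SYSLOG = [
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/44321 dst inside:10.0.0.10/25 '
    'by access-group "vl998" [0x9b15500, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:203.0.113.9/50001 dst inside:10.0.0.10/25 '
    'by access-group "vl998" [0xdeadbeef, 0x0]',
]

# One ACE line: "access-list <acl> line <n> <ace text> [(hitcnt=N)] 0x<hash>"
ACE_RE = re.compile(r"^access-list (\S+) line (\d+) (.*?)(?: \(hitcnt=\d+\))? (0x[0-9a-fA-F]+)$")
# Deny tail: 'by access-group "<acl>" [0x<ace hash>, 0x<other>]'
DENY_RE = re.compile(r'by access-group "?([^"\s]+)"? \[(0x[0-9a-fA-F]+), (0x[0-9a-fA-F]+)\]')


def index_aces(show_output):
    """Map each ACE hash (lowercased) to its full 'show access-list' line."""
    index = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line.strip())
        if m:  # header lines such as "access-list vl998; 102 elements" do not match
            index[m.group(4).lower()] = line.strip()
    return index


def ace_hash_from_syslog(line):
    """Return (acl name, ace hash) from a deny message, or None if no hash is present."""
    m = DENY_RE.search(line)
    return (m.group(1), m.group(2).lower()) if m else None


def resolve_denies(syslog_lines, show_output):
    """Return [(hash, matching ACE line or None)] for every deny that carries a hash."""
    index = index_aces(show_output)
    results = []
    for line in syslog_lines:
        found = ace_hash_from_syslog(line)
        if found:
            results.append((found[1], index.get(found[1])))
    return results
```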

RICH FRUEH Thu, 06/04/2009 - 12:43

I see. I read the literal 'hash' not the variable hash.


Thank you!

R
