Quick syslog question ASA 5500/8.04

Jun 2nd, 2009

Is there a way to get, from the syslog messages, which ACE of an ACL triggered a deny?

For example, I have an object, Blocked_addresses, which contains 30 addresses. This is used in a deny in an ACL. This element of the ACL shows a bunch of hits, but no details as to which element was matched.

I don't want to search the log repository for the whole list of IPs to see which one hit, I'd like to search the syslog for the specific ACE, so I can quickly isolate those messages.

I know each ACE has its own identifier, but do they show up in the syslog in a usable format?

Thanks,

Rich

Collin Clark Tue, 06/02/2009 - 12:02

Rich-

The syslogs show up kinda-sorta-useful. I wrote a script a while ago that searches the logs for me (by ID). It should be pretty easy to edit and grep with more detail.

#!/bin/bash
# Interactive menu that greps a PIX/ASA syslog file by message severity.
# PIX logs tag messages as %PIX-<sev>-<id>; the ASA uses %ASA-<sev>-<id>,
# so the patterns below accept either prefix.

clear
echo "==============================================================="
echo "                    PIX SYSLOG PARSER            $(date +%m.%d.%y)"
echo "---------------------------------------------------------------"
echo ""
echo "Your current working directory- $(pwd)"
echo ""

# Get the file name to search (FILE)
tput cup 7 9; echo -n "Enter the file you wish to search: "
tput cup 8 9; echo "Example: /var/log-pix/pix4/2005-01-31-pix4.log"
read -r FILE
if [ ! -r "$FILE" ]; then
    echo "Cannot read $FILE"
    exit 1
fi

# Loop the menu
loop=y
while [ "$loop" = y ]
do
    # Menu listings
    clear
    tput cup 10 9; echo "A - Alert Level"
    tput cup 11 9; echo "C - Critical Level"
    tput cup 12 9; echo "E - Errors"
    tput cup 13 9; echo "W - Warnings"
    tput cup 14 9; echo "N - Notifications"
    tput cup 15 9; echo "I - Informational"
    tput cup 16 9; echo "D - Debug"
    tput cup 19 9; echo "Q - Quit "
    tput cup 20 9; echo "Enter your selection: "
    tput cup 20 31
    read -r choice || exit 0      # EOF on stdin: leave instead of looping forever

    case $choice in
        # grep by severity level (the digit after the PIX/ASA tag)
        [Aa]) grep -iE '(PIX|ASA)-1-' "$FILE" | less ;;
        [Cc]) grep -iE '(PIX|ASA)-2-' "$FILE" | less ;;
        [Ee]) grep -iE '(PIX|ASA)-3-' "$FILE" | less ;;
        [Ww]) grep -iE '(PIX|ASA)-4-' "$FILE" | less ;;
        [Nn]) grep -iE '(PIX|ASA)-5-' "$FILE" | less ;;
        [Ii]) grep -iE '(PIX|ASA)-6-' "$FILE" | less ;;
        [Dd]) grep -iE '(PIX|ASA)-7-' "$FILE" | less ;;
        [Qq]) exit 0 ;;
        *) tput cup 18 9; echo "Invalid Code--I'm quitting"; exit 1 ;;
    esac
done

Kureli Sankar Sat, 06/06/2009 - 05:44

To get that particular ACE, here is what you need to do.

Example:

%ASA-4-106100: access-list inside_access_in permitted tcp inside/192.168.2.203(8888) -> inside/192.168.31.10(12296) hit-cnt 1 first hit [0xa925365e, 0x0]

sh access-l inside_access_in | i 0xa925365e
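The answer above gives the manual version of the lookup: the first value in the bracket at the end of a 106100 message is the hash code of the ACE that matched, and `show access-list <acl> | include <hash>` finds that ACE. It also answers the original question about object-group members, because the ASA expands an object-group entry into one indented line per member in `show access-list`, and each expanded line has its own hash. The script below is an added example, not code from either poster; it automates the join in the other direction, so you can take a whole ACL line (the Blocked_addresses deny) and pull every 106100 message for any of its members out of a log file, or summarise a log by ACE. The `show access-list` output, the syslog lines and the hash values are constructed for the example, and the line layout of `show access-list` is assumed from typical ASA 8.x output; check it against your own device before relying on the regex.

```python
import re
from collections import Counter

# Constructed sample of `show access-list` output (assumed ASA 8.0(4) layout; not from
# the original post). The object-group entry on line 2 is expanded into one indented
# line per member, and every expanded line carries its own hash code, which is the
# value a 106100 syslog message reports in its first bracket.
SHOW_ACCESS_LIST = """\
access-list inside_access_in; 5 elements
access-list inside_access_in line 1 extended permit tcp any any eq www (hitcnt=5) 0xa925365e
access-list inside_access_in line 2 extended deny ip object-group Blocked_addresses any (hitcnt=7) 0x1c0b2a93
  access-list inside_access_in line 2 extended deny ip host 203.0.113.10 any (hitcnt=4) 0x5d3e8f01
  access-list inside_access_in line 2 extended deny ip host 203.0.113.11 any (hitcnt=3) 0x77ab10c4
access-list inside_access_in line 3 extended permit ip any any (hitcnt=120) 0x0f4c2d7e
"""

# Constructed syslog lines in the %ASA-4-106100 format quoted in the answer above,
# plus one unrelated message and one whose hash no longer exists in the ACL.
SYSLOG = """\
%ASA-4-106100: access-list inside_access_in permitted tcp inside/192.168.2.203(8888) -> outside/198.51.100.5(80) hit-cnt 1 first hit [0xa925365e, 0x0]
%ASA-4-106100: access-list inside_access_in denied ip inside/192.168.2.50(1025) -> outside/203.0.113.10(443) hit-cnt 1 first hit [0x5d3e8f01, 0x0]
%ASA-4-106100: access-list inside_access_in denied ip inside/192.168.2.51(1026) -> outside/203.0.113.11(443) hit-cnt 2 300-second interval [0x77ab10c4, 0x0]
%ASA-4-106100: access-list inside_access_in denied ip inside/192.168.2.52(1027) -> outside/203.0.113.10(22) hit-cnt 1 first hit [0x5d3e8f01, 0x0]
%ASA-4-106100: access-list inside_access_in denied udp inside/192.168.2.60(5353) -> outside/203.0.113.99(53) hit-cnt 1 first hit [0x9a1b2c3d, 0x0]
%ASA-6-302013: Built outbound TCP connection 1234 for outside:198.51.100.5/80 (198.51.100.5/80) to inside:192.168.2.203/8888 (192.168.2.203/8888)
"""

# One `show access-list` entry: ACL name, line number, ACE text, hit counter, hash.
ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+(?P<ace>.*?)\s+"
    r"\(hitcnt=(?P<hitcnt>\d+)\)\s+(?P<hash>0x[0-9a-f]+)\s*$", re.I)

# One 106100 message; only the first bracketed value identifies the ACE.
LOG_RE = re.compile(
    r"%ASA-\d-106100:\s+access-list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied|est-allowed)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+hit-cnt\s+(?P<cnt>\d+)"
    r".*?\[(?P<hash>0x[0-9a-f]+),\s*0x[0-9a-f]+\]", re.I)


def parse_show_access_list(text):
    """Index `show access-list` output by hash code: {hash: {acl, line, ace, hitcnt}}."""
    aces = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if m:
            aces[m["hash"].lower()] = {
                "acl": m["acl"], "line": int(m["line"]),
                "ace": m["ace"], "hitcnt": int(m["hitcnt"]),
            }
    return aces


def hashes_for_line(aces, acl, line_no):
    """All hash codes (parent entry plus expanded object-group members) of one ACL line."""
    return {h for h, a in aces.items() if a["acl"] == acl and a["line"] == line_no}


def syslog_hits(syslog, wanted_hashes):
    """Return the 106100 messages whose ACE hash is in wanted_hashes."""
    wanted = {h.lower() for h in wanted_hashes}
    return [line for line in syslog.splitlines()
            if (m := LOG_RE.search(line)) and m["hash"].lower() in wanted]


def hits_by_ace(syslog, aces):
    """Sum hit-cnt per hash, most hits first, and resolve each hash to its ACE text.

    A hash that is not in `aces` is reported as "<unknown>": editing an ACE changes its
    hash, so old log lines stop matching the current ACL after a change.
    """
    counts = Counter()
    for line in syslog.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[m["hash"].lower()] += int(m["cnt"])
    return [(h, aces.get(h, {"ace": "<unknown>"})["ace"], n) for h, n in counts.most_common()]


if __name__ == "__main__":
    aces = parse_show_access_list(SHOW_ACCESS_LIST)
    wanted = hashes_for_line(aces, "inside_access_in", 2)   # the Blocked_addresses deny
    for line in syslog_hits(SYSLOG, wanted):
        print(line)
    print()
    for h, ace, n in hits_by_ace(SYSLOG, aces):
        print(f"{n:4d}  {h}  {ace}")
```

Two caveats when running this against real data. A 106100 message is only generated for ACEs that carry the `log` keyword; a deny on an ACE without it is reported by a different message that this regex does not parse. And because the hash is derived from the ACE itself, capture `show access-list` at the same time as the logs you are investigating; after the ACL is edited, the old hashes resolve to "<unknown>".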
