ASA url logging

Answered Question
Nov 16th, 2009

Hi,

I'm attempting to make our ASA log urls and I am getting some success. However, the output presents the IP instead of the actual domain, e.g, when browsing to imdb it is logged as:

Nov 16 2009 14:12:35: %ASA-5-304001: 30.30.30.30 Accessed URL 209.85.229.148:/ad

j/imdb2.consumer.homepage/;tile=2;sz=468x60,728x90,1008x150,9x1;p=t;s=32;;ord=99

73051011677648

rather than imdb.com/....(or whatever it happens to be).

How do I get the ASA to log the domain rather than the corresponding IP address?

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#related

states the ASA has to run vers 8.0.4.24 or later, ours has 8.2(1).

Thanks,

Scott

I have this problem too.
0 votes
Correct Answer by dedmundson about 3 years 5 months ago

After Cisco getting back to me about the logging problem and loading the new code it works.

I was running 8.2(1) had to upgrade to 8.2(3) and now the loging is working.

The 10.10 is an inside test network that I am coming from to http://www.cisco.com

I hope that this helps everyone. Now off to write some code to put this in a database to see where people are going.

Nov 11 2010 19:18:31: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/
Nov 11 2010 19:18:32: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/offers/js/mbox.js
Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/hub.swf
Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/j/home.metrics_ut.js?v=ut2.1.201009
Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/j/home.s_code_ut.js?v=ut2.1.2010091
Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/hp-fatfooter-menu.png
Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 198.133.219.119:http://newsroom.cisco.com/dlls/cdc_news_json_v1.js?cacheRese
Nov 11 2010 19:18:35: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/tsweb/searchplugins/cdc_search.xml
Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/co/menu-content.html
Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/mm-box-shadow.png
Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/mm-corners.png
Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/mm-spinner.gif
Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/mm-sprite.png
Nov 11 2010 19:18:39: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/css/en.c
Nov 11 2010 19:18:40: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/css/fr.c
Nov 11 2010 19:18:40: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/css/ch.c
Nov 11 2010 19:18:40: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/css/de.c
Nov 11 2010 19:18:41: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/swf/chic

Correct Answer by roderickm about 4 years 4 months ago

Well, I spoke too soon. Here's a method to log the entire request, with Host and URI. I found this on the CCIE_Security mailing list archive. Basically, you set up a regex to match the sites you wish to log. I used a simple dot "." to match anything.

regex matchall "."
!
class-map type regex match-any DomainLogList
match regex matchall
class-map type inspect http match-all LogDomainsClass
match request header host regex class DomainLogList
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect http http_inspection_policy
parameters
class LogDomainsClass
  log

Then check your logging:

Nov 20 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 157.166.255.19:http://cnn.com/
Nov 20 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 157.166.226.26:http://www.cnn.com/
Nov 20 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 198.78.220.126:http://i.cdn.turner.com/cnn/.element/css/3.0/common.css
Nov 20 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 198.78.220.126:http://i.cdn.turner.com/cnn/.element/css/3.0/main.css

Beware -- this logs every HTTP request that the ASA sees. I have no idea how much load this places on an ASA with significant HTTP traffic. As described in the linked mailing list post, you may create more specific regex lists to match specific Hosts and/or URIs, and may take actions other than logging, including blocking/resetting.

  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (2 ratings)
pkampana Mon, 11/16/2009 - 10:43

Scott,

The ASA will not log the url. There is an enhancement request for the syslog 304001 to log the url but it hasn't been fixed and I don't have an ETA for it as it is not in roadmap.

FYI, the enhancement request is CSCdt32288.

I hope it makes it clear.

PK

pkampana Mon, 11/16/2009 - 10:52

Testing it here locally it seems there are changes that have been implemented.

When going to microsoft.com I saw log

%ASA-5-304001: 192.168.1.2 Accessed URL 207.46.19.190:http://www.microsoft.com/

I was doing just http inspection.

policy-map global_policy

class inspection_default

...

inspect http

running ASA 8.2.1.

PK

scottwilliamson Tue, 11/17/2009 - 01:10

Thanks Panos,

So would the best summary of the situation be to say that the ASA does log the full url in a proportion of cases, dependant on how the website's url is put together, perhaps?

Regards,

Scott

scottwilliamson Tue, 11/17/2009 - 01:21

Hi,

I've tried browsing to www.microsoft.com and although I get different IP addresses (possibly as I'm in the UK) it doesn't resolve the url. Can you specify a dns server in the ASA somehow?

thanks

Scott

pkampana Tue, 11/17/2009 - 07:26

Hi Scott,

That is correct. Note that even in your log you have "/adj/imdb2.consumer.homepage/" which is probably the uri of the GET request. So the URL in the get is logged.I believe you would have a log for the initial GET to imdb.com.

How about if you try microsoft as I did? You should see the same initial log there an then a bunch of other logs for the subsequent GETs done to complete the page.

PK

scottwilliamson Tue, 11/17/2009 - 08:19

Hi Panos,

here is what I get when I browse to http://www.microsoft.com - no sign of www.microsoft.com here, I'm afraid.

Scott

ciscoasa# Nov 17 2009 16:16:23: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.1

9.190:/

Nov 17 2009 16:16:24: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.19.190:/en/

shared/core/2/js/js.ashx?s=Csp;shared

Nov 17 2009 16:16:24: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.19.190:/en/

shared/core/2/css/css.ashx?sc=/en/us/site.config&pc=/En/us/PageConfig/win7/Direc

tInstall.config.xml&m=cspMscomHomePageBase&ie=true

Nov 17 2009 16:16:25: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.19.190:/en/

shared/core/2/css/css.ashx?sc=/en/us/site.config&pc=/En/us/PageConfig/win7/Direc

tInstall.config.xml&c=cspMscomHeader&ie=true

Nov 17 2009 16:16:26: %ASA-5-304001: 30.30.30.30 Accessed URL 92.122.189.48:/lib

rary/svy/broker.js

Nov 17 2009 16:16:27: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.19.190:/glo

bal/en/us/RenderingAssets/win7/TakeOverScript.js

Nov 17 2009 16:16:28: %ASA-5-304001: 30.30.30.30 Accessed URL 92.122.189.48:/glo

bal/En/PublishingImages/m.ms1.png

Nov 17 2009 16:16:28: %ASA-5-304001: 30.30.30.30 Accessed URL 92.122.189.48:/glo

bal/en/publishingimages/sitebrand/microsoft.gif

Nov 17 2009 16:16:28: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.19.190:/glo

bal/En/us/RenderingAssets/SLWindowPane/WindowPane_eventHandlers_111609.js

Nov 17 2009 16:16:29: %ASA-5-304001: 30.30.30.30 Accessed URL 213.199.141.139:/A

DSAdClient31.dll?GetSAd=&DPJS=4&PG=CMSNGN&AP=1087

Nov 17 2009 16:16:30: %ASA-5-304001: 30.30.30.30 Accessed URL 207.46.148.31:/MRT

/iview/173914879/direct/01?click=

Nov 17 2009 16:16:31: %ASA-5-304001: 30.30.30.30 Accessed URL 92.122.189.35:/lib

rary/svy/broker-config.js?1258474626906

Nov 17 2009 16:16:31: %ASA-5-304001: 30.30.30.30 Accessed URL 213.199.149.93:/b/

NMMRTSHARPCU/FY10_WinPhone_180x150_intrepid_v3_1022091609.gif

pkampana Tue, 11/17/2009 - 07:28

The DNS server on the ASA. It is the GEt that the ASA should be logging.

PK

roderickm Thu, 11/19/2009 - 18:16

From the logs posted, it appears the GET is being logged, but not the Host header. The Host header is the part of the request that would tell you which site at the logged IP address was accessed.It comes before the GET.

Name-based virtual hosts (in HTTP 1.1) require a Host header in the HTTP request, because many website domains can share the same IP address.

scottwilliamson Fri, 11/20/2009 - 01:54

Hi Roderick,

Thanks for your reply - so is there a way to get the ASA to log the url or is it dependant on how the website is constructed?

Regards

Scott

roderickm Fri, 11/20/2009 - 05:54

Scott, I'm not aware of a way to log the Host header of an HTTP request using the ASA. Panos' reply to this thread seems more informative to that end, saying that this enhancement request is CSCdt32288 but is not on the roadmap. I would also use this feature if the ASA were not overly burdened by enabling it.

If you absolutely must log the entire HTTP request, you may need to consider a different solution to meet that need. A sniffer with appropriate filters, an HTTP-aware IDS (snort.org), or a web filtering product could all handle this easily.

Correct Answer
roderickm Fri, 11/20/2009 - 07:36

Well, I spoke too soon. Here's a method to log the entire request, with Host and URI. I found this on the CCIE_Security mailing list archive. Basically, you set up a regex to match the sites you wish to log. I used a simple dot "." to match anything.

regex matchall "."
!
class-map type regex match-any DomainLogList
match regex matchall
class-map type inspect http match-all LogDomainsClass
match request header host regex class DomainLogList
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect http http_inspection_policy
parameters
class LogDomainsClass
  log

Then check your logging:

Nov 20 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 157.166.255.19:http://cnn.com/
Nov 20 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 157.166.226.26:http://www.cnn.com/
Nov 20 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 198.78.220.126:http://i.cdn.turner.com/cnn/.element/css/3.0/common.css
Nov 20 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 198.78.220.126:http://i.cdn.turner.com/cnn/.element/css/3.0/main.css

Beware -- this logs every HTTP request that the ASA sees. I have no idea how much load this places on an ASA with significant HTTP traffic. As described in the linked mailing list post, you may create more specific regex lists to match specific Hosts and/or URIs, and may take actions other than logging, including blocking/resetting.

scottwilliamson Fri, 11/20/2009 - 07:47

Hi Roderick,

This looks very promising - I'll give it a go on our spare ASA and let you know

hopefully my limited experience on the ASA will still allow me emulate your config

best Regards

Scott

scottwilliamson Mon, 11/23/2009 - 03:36

Hi again,

I've configured the regex matchall etc this morning and I'm afraid nothing appears in the logs - I'm starting with an ASA config "out of the box" so maybe I'm missing something, though I have enabled logging .....

logging enable
logging timestamp
logging standby
logging list Weblog message 304001
logging console Weblog
logging buffered debugging
logging history Weblog
logging facility 21

the "Weblog" entries are from the NAC guest server / ASA url stuff mentioned in my original post.

Thanks

Scott

scottwilliamson Fri, 11/27/2009 - 03:32

Hi Folks,

Any ideas would be welcome - I feel that with your help this is very close to being resolved.

Many Thanks

Scott

ronniekendrick Wed, 12/09/2009 - 08:05

Scott,

I have my ASA sending logs to a syslog server. Here is my ASA logging:

logging enable
logging timestamp
logging trap debugging
logging host inside x.x.x.x

My syslog server is setup to only receive NOTICE events from the ASA. However, I'm now stuck where Scott was in his original post. It's logging the IP and URI, but isn't showing the actual host. I'm running 8.0(4). Here's what I see in my logs:

Dec  9 10:07:27 10.0.0.1 Dec 09 2009 08:07:05: %ASA-5-304001: 10.0.8.108 Accessed URL 208.80.152.3:/wikipedia/en/b/bc/Wiki.png
Dec  9 10:07:27 10.0.0.1 Dec 09 2009 08:07:05: %ASA-5-415008: HTTP - matched Class 30: LogDomainsClass in policy-map http_inspection_policy, header matched from inside:10.0.8.108/1512 to outside: 208.80.152.3/80

Here is a snippet from my running config:

regex matchall "."

class-map type regex match-any DomainLogList
match regex matchall

class-map type inspect http match-all LogDomainsClass
match request header host regex class DomainLogList

class-map inspection_default
match default-inspection-traffic

policy-map type inspect http http_inspection_policy
description http_inspection_policy
parameters
  protocol-violation action drop-connection
match request method connect
  drop-connection log
class LogDomainsClass
  log

policy-map inside-policy
class inside-classAccept
  inspect http http_inspection_policy
class inside-class
  inspect http http_inspection_policy
class inspection_default
  inspect http

Was this a feature added in a later firmware? If so, I'll make the upgrade.

scottwilliamson Mon, 12/14/2009 - 07:17

Hi Ronald,

from sh version "System image file is "disk0:/asa821-k8.bin" - is there a feature that is missing from our respective ASAs that the others have?

I doubt it but I cannot see what I've missed from the config.

Scott

claytonchumby Mon, 02/22/2010 - 10:48

Any new news on this issue?  I haven't been able to get the ASA (running version 8.2(1)) to log the hostname using any of the techniques above.  However, if you look at this cisco.com page, it indicates indirectly that this is meant to work, simply by adding "inspect http" to class inspection_default.

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#asac

The inspect http command is placed under a
      class-map within a policy-map. When enabled with the
      service-policy command, http inspection logs Get
      requests with syslog message 304001. ASA code 8.0.4.24 or later is required for
      syslog message 304001 to show the hostname as part of the URL. 

I'm baffled.  It is hard to believe this should be so difficult.  How else are you supposed to log web usage without 3rd party products or a proxy server?

dedmundson Sun, 11/07/2010 - 05:19

I have been trying to get URL Logging to work too. I have found that if I browse to one of out internal sites it will log the URL name but if I go to a external site it will log the IP Address .

Has anyone gotten this to work for external sites?

Accessed URL 63.69.72.58:/js/pass.html?cb=23844
Accessed URL 96.17.72.144:/_media/uac/anatp.html?t=160afrf1088k4h&s=99999,
Accessed URL 64.236.79.229:/adcedge/lb?site=695501&betr=tc=1,99999,52588,5
Accessed URL 69.31.116.120:/assets/images/home/icons/video.gif
Accessed URL 216.246.75.227:/rsrc.php/zx/r/DmvbpGB-fMy.swf
Accessed URL 66.220.146.32:/extern/login_status.php?api_key=61b68b0702fb92
Accessed URL 209.234.252.57:/js/api_lib/v0.4/XdCommReceiver.js?v2
Accessed URL www.expresspros.com:/
Accessed URL www.expresspros.com:/shared/style/ie.css
Accessed URL www.expresspros.com:/shared/javascript/swfobject.js
Accessed URL www.expresspros.com:/shared/javascript/thickbox.js
Accessed URL www.expresspros.com:/shared/javascript/jquery-1-2-3-min.js
Accessed URL www.expresspros.com:/shared/images/socialmedia/twitter-sm.gif
Accessed URL 74.125.67.138:/ga.js
Accessed URL www.expresspros.com:/favicon.ico
Accessed URL 199.7.57.72:/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsK8Var42Wv2Ct%2BB

scottwilliamson Mon, 11/08/2010 - 07:22

Hi David,

This makes me think it is a DNS issue which I asked about further up the thread, I did get a reply but it wasn't clear.

There must be someone out there who knows the answer to this.

Regards,

Scott

dedmundson Mon, 11/08/2010 - 08:01

That is what I was thinking, a DNS problem.

I have open a case with Cisco, so let's see what they come back with. I'll let you all know.

Regards

David

Correct Answer
dedmundson Thu, 11/11/2010 - 17:57

After Cisco getting back to me about the logging problem and loading the new code it works.

I was running 8.2(1) had to upgrade to 8.2(3) and now the loging is working.

The 10.10 is an inside test network that I am coming from to http://www.cisco.com

I hope that this helps everyone. Now off to write some code to put this in a database to see where people are going.

Nov 11 2010 19:18:31: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/
Nov 11 2010 19:18:32: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/offers/js/mbox.js
Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/hub.swf
Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/j/home.metrics_ut.js?v=ut2.1.201009
Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/j/home.s_code_ut.js?v=ut2.1.2010091
Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/hp-fatfooter-menu.png
Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 198.133.219.119:http://newsroom.cisco.com/dlls/cdc_news_json_v1.js?cacheRese
Nov 11 2010 19:18:35: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/tsweb/searchplugins/cdc_search.xml
Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/co/menu-content.html
Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/mm-box-shadow.png
Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/mm-corners.png
Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/mm-spinner.gif
Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/mm-sprite.png
Nov 11 2010 19:18:39: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/css/en.c
Nov 11 2010 19:18:40: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/css/fr.c
Nov 11 2010 19:18:40: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/css/ch.c
Nov 11 2010 19:18:40: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/css/de.c
Nov 11 2010 19:18:41: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/swf/chic

scottwilliamson Fri, 11/12/2010 - 01:07

Hi David,

Good news, however I have 8.2(3) and I haven't got it to work. It must be down to my config. Would you mind posting your config, please?

Many Thanks

Scott

scottwilliamson Fri, 11/12/2010 - 02:00

I've just reread all of the posts in this thread and realised that back at the start the version on our ASA was different; in the meantime one of my colleagues has upgrade the IOS version, and I have not tried url logging since. So, I'll try again and see what the result is.

Fingers crossed.

Scott

dedmundson Fri, 11/12/2010 - 06:05

This morning I went in and removed all the configuration that I put in for logging URL except for the inspect http.

policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect http
  inspect ip-options

I removed all of this.

regex matchall "."

class-map type regex match-any DomainLogList
match regex matchall

class-map type inspect http match-all LogDomainsClass
match request header host regex class DomainLogList

class-map inspection_default
match default-inspection-traffic

policy-map type inspect http http_inspection_policy
description http_inspection_policy
parameters
  protocol-violation action drop-connection
match request method connect
  drop-connection log
class LogDomainsClass
  log

policy-map inside-policy
class inside-classAccept
  inspect http http_inspection_policy
class inside-class
  inspect http http_inspection_policy
class inspection_default
  inspect http

scottwilliamson Thu, 03/22/2012 - 09:24

Hi All,

I finally got around to trying this again and I can confirm that with v8.2(3) and using the regex config from Roderick above my ASA is now logging what appears to be the full urls of sites. I didn't have to do anything with DNS either.

Thanks for everyone's input.

Regards,

Scott

Actions

Login or Register to take actions

This Discussion

Posted November 16, 2009 at 6:57 AM
Stats:
Replies:30 Avg. Rating:
Views:12891 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard