Hi, imagine I just want to find out which IP addresses are trying to hit my server network on port 80.
If my syslog server is limited in storage, I am wondering whether I could just log the first packet from a given source and target IP address. Then once I learn what IP address that is, there is no need for me to log that event again showing the same IP.
Is that action possible?
I attempted to use the command in red below, but I read the document and tested and that is not what I am looking for.
ip access-list extended WATCH_PROTOCOL
permit tcp any any eq www log
permit ip any any
ip access-list log-update threshold 10
logging history size 500
line con 0
line aux 0
line vty 0 4
*Dec 16 04:52:22.923 UTC: %SEC-6-IPACCESSLOGP: list WATCH_PROTOCOL permitted tcp 192.168.1.1(11019) -> 192.168.1.2(80), 1 packet
*Dec 16 04:52:27.047 UTC: %SEC-6-IPACCESSLOGP: list WATCH_PROTOCOL permitted tcp 192.168.1.1(11020) -> 192.168.1.2(80), 1 packet
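
An added example, not part of the original post: a collector-side filter that keeps only the first %SEC-6-IPACCESSLOGP message per source/destination IP pair, so repeat hits from the same address need not be stored. The function name `first_seen` and the sample lines (constructed in the format shown above, one message per line) are assumptions.

```python
import re

# Matches the IPACCESSLOGP format shown in the post, e.g.
# "... list WATCH_PROTOCOL permitted tcp 192.168.1.1(11019) -> 192.168.1.2(80), 1 packet"
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def first_seen(lines, dport=80):
    """Return one record per (source IP, destination IP) pair, first hit only.

    The source port is left out of the key on purpose: it changes with every
    connection (11019, 11020, ...) and would defeat the de-duplication.
    Lines that do not match, or that target another port, are skipped.
    """
    seen = {}
    for line in lines:
        m = ACL_LOG.search(line)
        if not m or int(m["dport"]) != dport:
            continue
        key = (m["src"], m["dst"])
        if key in seen:
            # Already known: count the packets but store no new log line.
            seen[key]["packets"] += int(m["count"])
        else:
            seen[key] = {"src": m["src"], "dst": m["dst"],
                         "first_line": line.strip(),
                         "packets": int(m["count"])}
    return list(seen.values())

# Constructed sample input (hypothetical third host and a non-ACL line added).
SAMPLE = [
    "*Dec 16 04:52:22.923 UTC: %SEC-6-IPACCESSLOGP: list WATCH_PROTOCOL permitted tcp 192.168.1.1(11019) -> 192.168.1.2(80), 1 packet",
    "*Dec 16 04:52:27.047 UTC: %SEC-6-IPACCESSLOGP: list WATCH_PROTOCOL permitted tcp 192.168.1.1(11020) -> 192.168.1.2(80), 1 packet",
    "*Dec 16 04:52:30.000 UTC: %SYS-5-CONFIG_I: Configured from console by console",
    "*Dec 16 04:52:31.500 UTC: %SEC-6-IPACCESSLOGP: list WATCH_PROTOCOL permitted tcp 192.168.1.3(40211) -> 192.168.1.2(80), 1 packet",
]

if __name__ == "__main__":
    for rec in first_seen(SAMPLE):
        print(rec["src"], "->", rec["dst"], "packets:", rec["packets"])
        print("  first:", rec["first_line"])
```

This reduces what the syslog server stores; it does not change how many messages the router sends.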