ACL logging on router to syslog

Answered Question
Oct 1st, 2006


I need to monitor the ports on the router from one particular host to some destination. I have an ACL as given below:


permit ip host 10.0.0.1 host 192.168.0.10 log

permit ip any any


I have set up a syslog server. I see the log messages on the syslog server, but there is no port information.

The log message looks like:


"%SEC-6-IPACCESSLOGP:list acl permitted 10.0.0.1(0)-> 192.168.0.10(0), xx packets"


I need to know what ports the host 10.0.0.1 is using to the server 192.168.0.10

What's the best way to get this information?


Thanks

dominic.caron Mon, 10/02/2006 - 03:52

Use NetFlow. Send all the flows to a Linux server, then grep on the source or destination.
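
The collector side of this suggestion, as an added example that is not part of the original post: a decoder for the NetFlow v5 export the router would send to the Linux box, printing one grep-able line per flow and listing the ports one host used toward another. It assumes v5 (the classic fixed-format export) over UDP; the export datagram, the builder that fabricates it and the flow values are constructed for the example, not captured from the poster's router.

```python
"""Decode a NetFlow v5 export and list the ports one host used toward another.

Added example (not from the original thread). Assumes the router exports
NetFlow v5 over UDP to the Linux collector and that the question is which
ports 10.0.0.1 talks to on 192.168.0.10. The export datagram is constructed
here so the example runs offline.
"""
import socket
import struct

# NetFlow v5 wire format: 24-byte header followed by 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_v5(datagram: bytes) -> list:
    """Return one dict per flow record in a v5 export datagram."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 export (version %d)" % version)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated export: header announces %d records" % count)
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "sport": sport, "dport": dport,
            "packets": pkts, "bytes": octets, "tcp_flags": tcp_flags,
        })
    return flows


def ports_used(flows: list, src: str, dst: str) -> list:
    """Sorted, de-duplicated (proto, dport) pairs for traffic src -> dst.
    Flows in the reverse direction are ignored so the server's ephemeral
    ports do not show up as 'ports the client used'."""
    return sorted({(f["proto"], f["dport"]) for f in flows
                   if f["src"] == src and f["dst"] == dst})


def build_v5(records: list) -> bytes:
    """Build a v5 export datagram from (src, dst, proto, sport, dport,
    pkts, octets, tcp_flags) tuples. Only used to fabricate test input."""
    header = V5_HEADER.pack(5, len(records), 0, 1159777200, 0, 1, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d),
                       socket.inet_aton("0.0.0.0"), 1, 2, pk, oc, 0, 0,
                       sp, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
        for s, d, pr, sp, dp, pk, oc, fl in records)
    return header + body


# Constructed flows: three client->server flows, one to another server,
# and the server's reply flow for the SSH session.
SAMPLE_EXPORT = build_v5([
    ("10.0.0.1", "192.168.0.10", 6, 51234, 22, 40, 5120, 0x18),
    ("10.0.0.1", "192.168.0.10", 6, 51235, 443, 12, 3000, 0x1b),
    ("10.0.0.1", "192.168.0.10", 17, 49152, 53, 2, 140, 0x00),
    ("10.0.0.1", "172.16.5.5", 6, 51236, 80, 5, 600, 0x02),
    ("192.168.0.10", "10.0.0.1", 6, 22, 51234, 30, 4096, 0x18),
])

if __name__ == "__main__":
    # One line per flow, in a shape that is easy to grep on a host address.
    for f in parse_v5(SAMPLE_EXPORT):
        print("%(proto)s %(src)s:%(sport)d -> %(dst)s:%(dport)d "
              "pkts=%(packets)d bytes=%(bytes)d" % f)
    print("ports 10.0.0.1 -> 192.168.0.10:",
          ports_used(parse_v5(SAMPLE_EXPORT), "10.0.0.1", "192.168.0.10"))
```

Filtering on direction matters: a flow export carries both sides of a conversation, so grepping only on the address would also list the server's reply flows and make 51234 look like a port the client "used". Unlike the ACL log, NetFlow reports every flow the router forwards, not just the ones matching a logged ACE.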

Correct Answer
Richard Burts Mon, 10/02/2006 - 08:18

Dominic provides a creative solution. And depending on what the requirements are of the original post it might be a very satisfactory solution.


But we can also provide an explanation of the original problem and a solution for it. The original post shows a very simple access list which permits ip traffic between a specific pair of hosts and then permits all traffic. The access list does not examine any values for protocol ports, and that is the reason that the log messages do not have port information. If the access list does not examine port numbers, the log message cannot report port numbers. If you want the log message to include port numbers, then you must examine port numbers in the access list. This version of the list is slightly more complex, but it will provide the port numbers that you want:

permit udp host 10.0.0.1 host 192.168.0.10 range 0 65535 log

permit tcp host 10.0.0.1 host 192.168.0.10 range 0 65535 log

permit ip host 10.0.0.1 host 192.168.0.10 log

permit ip any any


HTH


Rick
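
The syslog side of the accepted answer, as an added example that is not part of the original thread: a parser for the IOS ACL log messages (%SEC-6-IPACCESSLOGP, IPACCESSLOGNP and IPACCESSLOGDP) that sums packet counts per destination port for one host pair and separately counts the packets that were logged without port data, which is what the original "permit ip ... log" ACE produces. It assumes the messages are stored one per line by the syslog server with the usual syslog and router sequence-number prefix in front of the mnemonic; the log lines are constructed for the example, the first one in the port-less form the poster saw and the rest in the form the tcp/udp ACEs from the answer (plus an icmp ACE) would produce.

```python
"""Parse Cisco IOS ACL log messages (%SEC-6-IPACCESSLOG*) from a syslog
file and summarise which ports 10.0.0.1 used toward 192.168.0.10.

Added example (not from the original thread). Assumes the messages are
stored one per line by the syslog server, with the usual syslog and router
sequence-number prefix in front of the %SEC mnemonic. The log lines below
are constructed: the first is the port-less form the poster saw (both
ports logged as 0 because the "permit ip" ACE does not examine ports), the
rest are what tcp/udp/icmp ACEs produce.
"""
import re
from collections import Counter

# IPACCESSLOGP  : tcp/udp, ports present   ... permitted tcp A(sport) -> B(dport), N packets
# IPACCESSLOGNP : other IP protocols       ... permitted 47 A -> B, N packets
# IPACCESSLOGDP : icmp, type/code present  ... permitted icmp A -> B (type/code), N packets
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>[A-Z]+):\s*list\s+(?P<acl>\S+)\s+"
    r"(?P<action>permitted|denied)\s+"
    r"(?:(?P<proto>[a-z]+|\d+)\s+)?"            # absent in the poster's sample line
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?:\s*\((?P<icmp>\d+/\d+)\))?,\s*(?P<count>\d+)\s+packets?"
)


def parse_acl_log(line: str):
    """Return a dict for an IPACCESSLOG* line, or None for any other line."""
    m = ACL_LOG.search(line)
    if m is None:
        return None
    sport = int(m["sport"]) if m["sport"] is not None else None
    dport = int(m["dport"]) if m["dport"] is not None else None
    return {
        "acl": m["acl"], "action": m["action"], "proto": m["proto"],
        "src": m["src"], "sport": sport, "dst": m["dst"], "dport": dport,
        "icmp": m["icmp"], "count": int(m["count"]),
        # IOS writes (0) for both ports when the matching ACE did not look
        # at ports, so a (0)->(0) IPACCESSLOGP line carries no port data.
        "ports_known": m["kind"] == "P" and (sport, dport) != (0, 0),
    }


def port_summary(lines, src: str, dst: str):
    """Packet counts per (proto, dport) for src -> dst, plus the number of
    packets that were logged without usable port information."""
    by_port = Counter()
    unknown = 0
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["src"] != src or rec["dst"] != dst:
            continue
        if rec["ports_known"]:
            by_port[(rec["proto"], rec["dport"])] += rec["count"]
        elif rec["icmp"] is not None:
            by_port[(rec["proto"], rec["icmp"])] += rec["count"]
        else:
            unknown += rec["count"]
    return by_port, unknown


# Constructed syslog lines (router 10.0.0.254); not real captured data.
SAMPLE_LOG = """\
Oct  1 22:03:11 10.0.0.254 45: *Oct  1 22:03:10.511: %SEC-6-IPACCESSLOGP: list acl permitted 10.0.0.1(0)-> 192.168.0.10(0), 37 packets
Oct  2 08:20:01 10.0.0.254 46: *Oct  2 08:20:00.102: %SEC-6-IPACCESSLOGP: list acl permitted tcp 10.0.0.1(51234) -> 192.168.0.10(22), 1 packet
Oct  2 08:25:01 10.0.0.254 47: *Oct  2 08:25:00.115: %SEC-6-IPACCESSLOGP: list acl permitted tcp 10.0.0.1(51234) -> 192.168.0.10(22), 28 packets
Oct  2 08:25:02 10.0.0.254 48: *Oct  2 08:25:01.337: %SEC-6-IPACCESSLOGP: list acl permitted udp 10.0.0.1(49152) -> 192.168.0.10(53), 4 packets
Oct  2 08:25:03 10.0.0.254 49: *Oct  2 08:25:02.900: %SEC-6-IPACCESSLOGDP: list acl permitted icmp 10.0.0.1 -> 192.168.0.10 (8/0), 2 packets
Oct  2 08:26:00 10.0.0.254 50: *Oct  2 08:25:59.004: %SEC-6-IPACCESSLOGP: list acl permitted tcp 10.0.0.1(51240) -> 172.16.5.5(443), 3 packets
Oct  2 08:26:30 10.0.0.254 51: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.1)
"""

if __name__ == "__main__":
    by_port, unknown = port_summary(SAMPLE_LOG.splitlines(),
                                    "10.0.0.1", "192.168.0.10")
    for (proto, port), n in sorted(by_port.items(), key=lambda kv: -kv[1]):
        print("%-5s %-6s %d packets" % (proto, port, n))
    print("logged without port information: %d packets" % unknown)
```

Two things to keep in mind when reading the numbers: IOS logs the first packet that matches a logged ACE and then periodic summary lines with a packet count, so each line is a count for an interval rather than one event per packet; and ACL logging is rate-limited and handled by the router CPU, so keep the logged ACEs scoped to the host pair of interest, as the accepted answer does, rather than logging on a broad permit.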
