ACL logging on router to syslog

avilt
Level 3

I need to monitor the ports on router from one particular host to some destination. I have an ACL as given below

permit ip host 10.0.0.1 host 192.168.0.10 log

permit ip any any

I have set up a syslog server. I see the log messages on the syslog server, but there is no port information.

Log message looks like

"%SEC-6-IPACCESSLOGP:list acl permitted 10.0.0.1(0)-> 192.168.0.10(0), xx packets"

I need to know what ports the host 10.0.0.1 is using to the server 192.168.0.10

What's the best way to get this information?

Thanks

Accepted Solution

Dominic provides a creative solution. And depending on what the requirements are of the original post it might be a very satisfactory solution.

But we can also provide an explanation of the original problem and a solution for it. The original post shows a very simple access list which permits ip traffic between a specific pair of hosts and then permits all traffic. The access list does not examine any values for protocol ports, and that is the reason that the log messages do not have port information. If the access list does not examine port numbers, the log message cannot report port numbers. If you want the log message to include port numbers, then you must examine port numbers in the access list. This version of the list is slightly more complex, but it will provide the port numbers that you want:

permit udp host 10.0.0.1 host 192.168.0.10 range 0 65535 log

permit tcp host 10.0.0.1 host 192.168.0.10 range 0 65535 log

permit ip host 10.0.0.1 host 192.168.0.10 log

permit ip any any

HTH

Rick

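Once the ACEs match on ports as in the accepted solution, the syslog server receives one IPACCESSLOGP line per flow with real port numbers, and the port-less (0) -> (0) form only for packets that fell through to the plain permit ip entry. The script below is an added example for this thread, not code from the original posts or from Cisco: it parses IPACCESSLOGP and IPACCESSLOGNP messages and tallies packets per protocol and destination port for one source/destination pair, keeping the (0) -> (0) entries in a separate bucket so that port 0 is never reported as a real port. The sample lines are constructed; their field layout follows the message quoted in the question plus the protocol token Cisco IOS normally prints after "permitted"/"denied", which is an assumption about the exact format on the asker's platform. Two caveats for anyone relying on these counts: IOS ACL logging is rate-limited and summarised (the first matching packet is logged, then a periodic summary, five minutes by default, tunable with ip access-list logging interval and ip access-list log-update threshold), so the totals are an approximation rather than a packet-accurate count; and if you need the ingress interface and source MAC as well, the log-input keyword adds them to the same message.

```python
"""Summarise Cisco IOS ACL log messages per host pair and destination port.

Added example for this thread, not code from the original posts or from Cisco.
The sample syslog lines are constructed; the IPACCESSLOGP / IPACCESSLOGNP
field layout follows the message quoted in the question plus the protocol
token IOS normally prints after "permitted"/"denied" (an assumption).
"""
import re
from collections import defaultdict

# Constructed sample: what the syslog server might receive from the router.
# Lines 1-4 come from ACEs that match on ports (the udp/tcp entries);
# line 5 is the port-less form from the question; line 6 is a non-TCP/UDP
# packet (protocol 1 = ICMP) logged by the plain "permit ip" entry.
SAMPLE_LOG = """\
<182>123: *Mar  1 00:10:01.000: %SEC-6-IPACCESSLOGP: list acl permitted tcp 10.0.0.1(51234) -> 192.168.0.10(443), 1 packet
<182>124: *Mar  1 00:10:02.000: %SEC-6-IPACCESSLOGP: list acl permitted udp 10.0.0.1(50000) -> 192.168.0.10(53), 1 packet
<182>125: *Mar  1 00:10:03.000: %SEC-6-IPACCESSLOGP: list acl permitted tcp 10.0.0.1(51235) -> 192.168.0.10(443), 1 packet
<182>126: *Mar  1 00:15:01.000: %SEC-6-IPACCESSLOGP: list acl permitted tcp 10.0.0.1(51234) -> 192.168.0.10(443), 37 packets
<182>127: *Mar  1 00:15:02.000: %SEC-6-IPACCESSLOGP: list acl permitted 10.0.0.1(0)-> 192.168.0.10(0), 12 packets
<182>128: *Mar  1 00:15:03.000: %SEC-6-IPACCESSLOGNP: list acl permitted 1 10.0.0.1 -> 192.168.0.10, 4 packets
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# TCP/UDP message: ports in parentheses. The protocol token is optional so the
# port-less excerpt from the question also parses; ": ?" tolerates the missing
# space after the message name in that excerpt.
LOGP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: ?list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?:(?P<proto>[a-z]+) )?"
    rf"(?P<src>{IPV4})\((?P<sport>\d+)\) ?-> "
    rf"(?P<dst>{IPV4})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# Non-TCP/UDP message: IP protocol number, no ports.
LOGNP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGNP: ?list (?P<acl>\S+) (?P<action>permitted|denied) "
    rf"(?P<proto>\S+) (?P<src>{IPV4}) -> (?P<dst>{IPV4}), (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return a dict for one ACL log line, or None if it is not one."""
    m = LOGP_RE.search(line)
    if m:
        d = m.groupdict()
        return {
            "acl": d["acl"], "action": d["action"],
            "proto": d["proto"] or "ip",
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "count": int(d["count"]),
        }
    m = LOGNP_RE.search(line)
    if m:
        d = m.groupdict()
        return {
            "acl": d["acl"], "action": d["action"], "proto": d["proto"],
            "src": d["src"], "sport": None, "dst": d["dst"], "dport": None,
            "count": int(d["count"]),
        }
    return None


def summarize(lines, src=None, dst=None):
    """Aggregate packet counts by (proto, dport), optionally filtered by src/dst.

    Packets reported as (0) -> (0) go under "no_port_info": the ACE that logged
    them does not match on ports, so 0 is not a real port number.
    """
    ports = defaultdict(int)        # (proto, dport) -> packets
    other_proto = defaultdict(int)  # IP protocol number -> packets
    no_port_info = unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if (src and rec["src"] != src) or (dst and rec["dst"] != dst):
            continue
        if rec["dport"] is None:
            other_proto[rec["proto"]] += rec["count"]
        elif rec["sport"] == 0 and rec["dport"] == 0:
            no_port_info += rec["count"]
        else:
            ports[(rec["proto"], rec["dport"])] += rec["count"]
    return {"ports": dict(ports), "other_proto": dict(other_proto),
            "no_port_info": no_port_info, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines(), src="10.0.0.1", dst="192.168.0.10")
    for (proto, dport), n in sorted(report["ports"].items()):
        print(f"{proto}/{dport}: {n} packets")
    for proto, n in report["other_proto"].items():
        print(f"ip proto {proto}: {n} packets (no ports)")
    if report["no_port_info"]:
        print(f"{report['no_port_info']} packets logged without port info "
              "(logged by an ACE that does not match on ports)")
```

Run it against the syslog file with the sample replaced by the real lines (for example, by feeding open("router.log") to summarize). A non-zero no_port_info after deploying the port-matching ACEs means the plain permit ip entry is still catching traffic, which is the signal to look at what those packets are rather than to treat 0 as a port.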

2 Replies

dominic.caron
Level 5

Use NetFlow. Send all the flows to a Linux server, then grep on the source or destination.
