Quick syslog question ASA 5500/8.04

RICH FRUEH
Level 1

Is there a way to get, from the syslog messages, which ACE of an ACL triggered a deny?

frex, I have an object, Blocked_addresses, which contains 30 addresses. This is used in a deny in an ACL. This element of the ACL shows a bunch of hits, but no details as to which element was matched.

I don't want to search the log repository for the whole list of IPs to see which one hit, I'd like to search the syslog for the specific ACE, so I can quickly isolate those messages.

I know each ACE has its own identifier, but do they show up in the syslog in a usable format?

Thanks,

Rich

4 Replies

Kureli Sankar
Cisco Employee

The deny usually has a hash value.

To see which ACE that is, you need to issue sh access-l blah | i hash

Presently it is not possible to get the appropriate ACE in the syslog deny message, only the hash.

Thank you for this - it didn't work quite correctly - I get an unknown command. If I expand it to incl hash, I get a blank. However, just doing a 'sh access-list' did give me the identifiers, just not how I expected. The nicer thing is that it gave me the hit counts per IP address, instead of just per ACE.

You have to use include with the hash value that you see in the syslogs on the sh access-list output.

example:

TK00FWSM# show access-list vl998
access-list vl998; 102 elements
access-list vl998 line 1 extended permit tcp any object-group sisj-cgp-mailfe-svc eq smtp 0xb7e52495
access-list vl998 line 1 extended permit tcp any host sisj-cgp-mailfe00-svc eq smtp (hitcnt=0) 0x4115ae92
access-list vl998 line 1 extended permit tcp any host sisj-cgp-mailfe01-svc eq smtp (hitcnt=0) 0x9b15500

sh access-l vl998 | i 0x9b15500

Put the hash that you see in the syslogs in the above command.

I see. I read the literal 'hash' not the variable hash.

Thank you!

R
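The hash-to-ACE lookup described in the replies, done offline against exported logs, as an added example that is not part of the original thread. It assumes the "show access-list" output format quoted above and the %ASA-4-106023 deny message shape (the first bracketed value being the ACE hash); both samples below are constructed.

```python
import re

# Constructed sample in the "show access-list" format quoted in the thread:
# one expanded line per object-group member, each ending in its ACE hash.
SHOW_ACCESS_LIST = """\
access-list vl998; 102 elements
access-list vl998 line 1 extended permit tcp any object-group sisj-cgp-mailfe-svc eq smtp 0xb7e52495
access-list vl998 line 1 extended permit tcp any host sisj-cgp-mailfe01-svc eq smtp (hitcnt=0) 0x9b15500
access-list vl998 line 2 extended deny ip object-group Blocked_addresses any 0x1c2d3e4f
access-list vl998 line 2 extended deny ip host 203.0.113.10 any (hitcnt=7) 0x5a6b7c8d
access-list vl998 line 2 extended deny ip host 203.0.113.11 any (hitcnt=0) 0x0e1f2a3b
"""

# Constructed syslog lines in %ASA-4-106023 shape; the first bracketed value is the ACE hash.
SYSLOG = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.10/51515 dst inside:192.0.2.5/22 by access-group "vl998" [0x5a6b7c8d, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/40000 dst inside:192.0.2.5/22 by access-group "vl998" [0xdeadbeef, 0x0]
"""

ACE_RE = re.compile(r"^access-list \S+ line \d+ .*?(0x[0-9a-fA-F]+)\s*$")
LOG_RE = re.compile(r'by access-group "[^"]+" \[(0x[0-9a-fA-F]+)')

def parse_access_list(text):
    """Map each ACE hash (lowercased) to its expanded show access-list line."""
    table = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            table[m.group(1).lower()] = line.strip()
    return table

def resolve_denies(syslog_text, ace_table):
    """Return (log line, hash, matching ACE line or None) for each deny that carries a hash."""
    out = []
    for line in syslog_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            h = m.group(1).lower()
            out.append((line, h, ace_table.get(h)))
    return out

def denies_for_ace(syslog_text, show_text, acl, line_no):
    """Keep only deny messages produced by any expanded element of 'access-list <acl> line <line_no>'."""
    table = parse_access_list(show_text)
    prefix = f"access-list {acl} line {line_no} "
    wanted = {h for h, ace in table.items() if ace.startswith(prefix)}
    return [log for log, h, _ in resolve_denies(syslog_text, table) if h in wanted]

if __name__ == "__main__":
    for log, h, ace in resolve_denies(SYSLOG, parse_access_list(SHOW_ACCESS_LIST)):
        print(h, "->", ace or "no ACE with this hash (stale table or different ACL)")
    print(denies_for_ace(SYSLOG, SHOW_ACCESS_LIST, "vl998", 2))
```

A hash with no match usually means the ACL was edited after the message was logged, so re-export "show access-list" before correlating older logs.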
