
New Member

Quick syslog question ASA 5500/8.04

Is there a way to get, from the syslog messages, which ACE of an ACL triggered a deny?

frex, I have an object, Blocked_addresses, which contains 30 addresses. This is used in a deny in an ACL. This element of the ACL shows a bunch of hits, but no details as to which element was matched.

I don't want to search the log repository for the whole list of IPs to see which one hit, I'd like to search the syslog for the specific ACE, so I can quickly isolate those messages.

I know each ACE has its own identifier, but do they show up in the syslog in a usable format?

Thanks,

Rich

4 REPLIES
Cisco Employee

Re: Quick syslog question ASA 5500/8.04

The deny usually has a hash value.

To see which ACE that is you need to issue sh access-l blah | i hash

Presently it is not possible to get the appropriate ACE in the syslog deny message only the hash.

New Member

Re: Quick syslog question ASA 5500/8.04

Thank you for this - it didn't work quite correctly - I get an unknown command. If I expand it to incl hash, I get a blank. However, just doing a 'sh access-list ' did give me the identifiers, just not how I expected. The nicer thing is that it gave me the hitcounts per ip address, instead of just per ACE.

Cisco Employee

Re: Quick syslog question ASA 5500/8.04

You have to include the hash value that you see in the syslogs when you issue the sh access-list command.

example:

TK00FWSM# show access-list vl998
access-list vl998; 102 elements
access-list vl998 line 1 extended permit tcp any object-group sisj-cgp-mailfe-svc eq smtp 0xb7e52495
access-list vl998 line 1 extended permit tcp any host sisj-cgp-mailfe00-svc eq smtp (hitcnt=0) 0x4115ae92
access-list vl998 line 1 extended permit tcp any host sisj-cgp-mailfe01-svc eq smtp (hitcnt=0) 0x9b15500

sh access-l vl998 | i 0x9b15500

Put the hash that you see in the syslogs in the above command.
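The two replies above describe a manual lookup: take the hash from the deny message, grep it out of `show access-list`. The same correlation can be automated for a log repository, which is what the original question was after. The script below is an added example, not code from the thread or from Cisco: it parses `show access-list` output in the format shown above into a hash-to-ACE table, pulls the ACE hash out of `%ASA-4-106023` deny messages (the `by access-group "name" [0x..., 0x...]` tail is assumed here; the first hex value is the ACE hash), and then either resolves one deny line to its ACE or filters a log for every element expanded from one configured ACE line such as a deny against an object-group. All ACL lines, hashes, addresses and syslog lines are constructed sample data.

```python
import re

# Constructed sample of `show access-list` output in the format seen in the
# thread: configured line number, ACE text, optional (hitcnt=N), trailing hash.
# Line 2 is a deny against an object-group expanded into per-host elements.
SHOW_ACCESS_LIST = """\
access-list vl998; 102 elements
access-list vl998 line 1 extended permit tcp any object-group sisj-cgp-mailfe-svc eq smtp 0xb7e52495
access-list vl998 line 1 extended permit tcp any host sisj-cgp-mailfe00-svc eq smtp (hitcnt=0) 0x4115ae92
access-list vl998 line 1 extended permit tcp any host sisj-cgp-mailfe01-svc eq smtp (hitcnt=0) 0x9b15500
access-list vl998 line 2 extended deny ip object-group Blocked_addresses any 0x0c3d4e5f
access-list vl998 line 2 extended deny ip host 198.51.100.7 any (hitcnt=3) 0x1a2b3c4d
access-list vl998 line 2 extended deny ip host 198.51.100.8 any (hitcnt=0) 0x5e6f7a8b
"""

# Constructed syslog lines; the 106023 layout is an assumption of this example.
SAMPLE_SYSLOG = [
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:10.0.0.5/25 '
    'by access-group "vl998" [0x1a2b3c4d, 0x0]',
    '%ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.9/4000 '
    '(203.0.113.9/4000) to inside:10.0.0.5/25 (10.0.0.5/25)',
    '%ASA-4-106023: Deny udp src outside:198.51.100.8/53 dst inside:10.0.0.9/53 '
    'by access-group "vl998" [0x5e6f7a8b, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:203.0.113.1/1 dst inside:10.0.0.1/22 '
    'by access-group "other_acl" [0x00000000, 0x0]',
]

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<ace>.*?)"
    r"(?: \(hitcnt=(?P<hitcnt>\d+)\))? (?P<hash>0x[0-9a-f]+)$"
)
SYSLOG_RE = re.compile(
    r'by access-group "(?P<acl>[^"]+)" \[(?P<hash>0x[0-9a-f]+), 0x[0-9a-f]+\]'
)


def parse_show_access_list(text):
    """Map each element hash to its ACL name, configured line, ACE text, hit count."""
    table = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # summary line such as "access-list vl998; 102 elements"
        table[m["hash"]] = {
            "acl": m["acl"],
            "line": int(m["line"]),
            "ace": m["ace"],
            "hitcnt": int(m["hitcnt"]) if m["hitcnt"] is not None else None,
        }
    return table


def syslog_hash(line):
    """Return (acl name, ACE hash) from a deny message, or None if absent."""
    m = SYSLOG_RE.search(line)
    return (m["acl"], m["hash"]) if m else None


def resolve_deny(line, table):
    """Return the ACE text that produced one deny syslog line, or None."""
    found = syslog_hash(line)
    if not found:
        return None
    entry = table.get(found[1])
    return entry["ace"] if entry and entry["acl"] == found[0] else None


def hashes_for_ace_line(table, acl, line_no):
    """All element hashes expanded from one configured ACE line (e.g. an object-group)."""
    return {h for h, e in table.items() if e["acl"] == acl and e["line"] == line_no}


def filter_syslog_by_ace_line(syslog_lines, table, acl, line_no):
    """Keep only the deny messages attributable to the given ACE line."""
    wanted = hashes_for_ace_line(table, acl, line_no)
    hits = []
    for line in syslog_lines:
        found = syslog_hash(line)
        if found and found[0] == acl and found[1] in wanted:
            hits.append(line)
    return hits


if __name__ == "__main__":
    table = parse_show_access_list(SHOW_ACCESS_LIST)
    for line in SAMPLE_SYSLOG:
        print(resolve_deny(line, table), "<-", line[:60])
    print("denies from vl998 line 2:")
    for line in filter_syslog_by_ace_line(SAMPLE_SYSLOG, table, "vl998", 2):
        print(" ", line)
```

Because every expanded element of an object-group ACE carries its own hash, a search for one ACE has to collect all hashes that share the ACL name and line number, which is what `hashes_for_ace_line` does; a deny whose hash is not in the current table (an ACL edited since the table was captured, or a different ACL name) resolves to `None` rather than to a wrong element.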

New Member

Re: Quick syslog question ASA 5500/8.04

I see. I read the literal 'hash' not the variable hash.

Thank you!

R
