06-02-2009 08:21 AM - edited 03-11-2019 08:38 AM
Is there a way to get, from the syslog messages, which ACE of an ACL triggered a deny?
frex, I have an object, Blocked_addresses, which contains 30 addresses. This is used in a deny in an ACL. This element of the ACL shows a bunch of hits, but no details as to which element was matched.
I don't want to search the log repository for the whole list of IPs to see which one hit, I'd like to search the syslog for the specific ACE, so I can quickly isolate those messages.
I know each ACE has its own identifier, but do they show up in the syslog in a usable format?
Thanks,
Rich
06-02-2009 06:42 PM
The deny usually has a hash value.
To see which ACE that is you need to issue sh access-l blah | i hash
Presently it is not possible to get the appropriate ACE in the syslog deny message only the hash.
06-03-2009 07:17 AM
Thank you for this - it didn't work quite correctly - I get an unknown command. If I expand it to incl hash, I get a blank. However, just doing a 'sh access-list
06-04-2009 12:26 PM
You have to include the hash value that you see in the syslogs when you issue sh access-list output.
example:
TK00FWSM# show access-list vl998
access-list vl998; 102 elements
access-list vl998 line 1 extended permit tcp any object-group sisj-cgp-mailfe-svc eq smtp 0xb7e52495
access-list vl998 line 1 extended permit tcp any host sisj-cgp-mailfe00-svc eq smtp (hitcnt=0) 0x4115ae92
access-list vl998 line 1 extended permit tcp any host sisj-cgp-mailfe01-svc eq smtp (hitcnt=0) 0x9b15500
sh access-l vl998 | i 0x9b15500
Put the hash that you see in the syslogs in the above command.
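The lookup described above can be automated when there are many deny messages to triage. The script below is an added example and is not from this thread: it parses the trailing hash out of each 'show access-list' line, pulls the bracketed hash codes out of the deny syslog messages, and reports which ACE each deny hit. The access-list output and syslog lines are constructed samples, and it is an assumption which of the two bracketed values is the ACE hash, so both are tried.

```python
import re

# Constructed 'show access-list' output in the layout the answer shows, plus a
# made-up deny ACE for a Blocked_addresses object like the one in the question.
ACCESS_LIST_OUTPUT = """\
access-list vl998; 102 elements
access-list vl998 line 1 extended permit tcp any object-group sisj-cgp-mailfe-svc eq smtp 0xb7e52495
access-list vl998 line 1 extended permit tcp any host sisj-cgp-mailfe00-svc eq smtp (hitcnt=0) 0x4115ae92
access-list vl998 line 1 extended permit tcp any host sisj-cgp-mailfe01-svc eq smtp (hitcnt=0) 0x9b15500
access-list vl998 line 2 extended deny ip object-group Blocked_addresses any (hitcnt=3) 0x1c2d3e4f
"""

# Constructed syslog lines; the bracketed hex values at the end of a 106023 deny
# message are the hash codes the answer refers to. One hash is deliberately stale.
SYSLOG_LINES = [
    '%ASA-4-106023: Deny tcp src outside:203.0.113.7/44123 dst inside:192.0.2.10/25 '
    'by access-group "vl998" [0x1c2d3e4f, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:203.0.113.9/51000 dst inside:192.0.2.10/25 '
    'by access-group "vl998" [0xdeadbeef, 0x0]',
    '%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.8/40000 '
    'to inside:192.0.2.10/25',
]
# ACE text, then an optional "(hitcnt=N)", then the trailing hash.
ACE_RE = re.compile(r"^(access-list\s+\S+\s+line\s+\d+\s+.*?)\s*(?:\(hitcnt=\d+\)\s*)?(0x[0-9a-fA-F]+)\s*$")
DENY_RE = re.compile(r'\bDeny\b.*\bby access-group "([^"]+)" \[(0x[0-9a-fA-F]+), (0x[0-9a-fA-F]+)\]')

def normalise(h):
    """Canonical hex so 0x09b15500 and 0x9b15500 compare equal."""
    return "0x%x" % int(h, 16)

def parse_access_list(output):
    """Return {ace_hash: ace_text} from 'show access-list' output."""
    table = {}
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if m:
            table[normalise(m.group(2))] = m.group(1)
    return table

def explain_denies(syslog_lines, table):
    """For each deny message return (acl_name, hash, ace_text or None).
    Both bracketed values are tried (assumption: one of them is the ACE hash);
    a hash no longer in the table (ACL edited since the log) gives None."""
    results = []
    for line in syslog_lines:
        m = DENY_RE.search(line)
        if not m:
            continue  # not a deny message, skip it
        acl, h1, h2 = m.group(1), normalise(m.group(2)), normalise(m.group(3))
        matched = next((h for h in (h1, h2) if h in table), None)
        results.append((acl, matched or h1, table.get(matched)))
    return results
```

Feed it the real 'show access-list' output captured right after the denies were logged, since hashes change when the ACL is edited.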
06-04-2009 12:43 PM
I see. I read the literal 'hash' not the variable hash.
Thank you!
R