
New Member

Quick syslog question ASA 5500/8.04

Is there a way to get, from the syslog messages, which ACE of an ACL triggered a deny?

frex, I have an object, Blocked_addresses, which contains 30 addresses. This is used in a deny in an ACL. This element of the ACL shows a bunch of hits, but no details as to which element was matched.

I don't want to search the log repository for the whole list of IPs to see which one hit, I'd like to search the syslog for the specific ACE, so I can quickly isolate those messages.

I know each ACE has its own identifier, but do they show up in the syslog in a usable format?

Thanks,

Rich

2 REPLIES

Re: Quick syslog question ASA 5500/8.04

Rich-

The syslogs show up kinda-sorta-useful. I wrote a script a while ago that searches the logs for me (by ID). It should be pretty easy to edit and grep with more detail.

#!/bin/bash
# Menu-driven grep over a PIX/ASA syslog file, selecting messages by severity level.

# Create the menu
clear
echo "==============================================================="
echo " PIX SYSLOG PARSER `date +%m.%d.%y` "
echo "---------------------------------------------------------------"
echo ""
echo "Your current working directory- `pwd`"
echo ""

# Get the file name to search ($FILE)
tput cup 7 9; echo -n "Enter the file you wish to search: "
tput cup 8 9; echo "Example: /var/log-pix/pix4/2005-01-31-pix4.log"
read FILE
[ -r "$FILE" ] || { echo "Cannot read $FILE"; exit 1; }

# Loop the Menu
loop=y
while [ "$loop" = y ]
do
  # Menu Listings
  clear
  tput cup 10 9; echo "A - Alert Level"
  tput cup 11 9; echo "C - Critical Level"
  tput cup 12 9; echo "E - Errors"
  tput cup 13 9; echo "W - Warnings"
  tput cup 14 9; echo "N - Notifications"
  tput cup 15 9; echo "I - Informational"
  tput cup 16 9; echo "D - Debug"
  tput cup 19 9; echo "Q - Quit "
  tput cup 20 9; echo "Enter your selection: "
  tput cup 20 31;
  read choice || break
  case $choice in
    # grep by Error Level: the digit after PIX- (ASA- on an ASA) is the syslog severity
    [Aa]) grep -i 'PIX-1' "$FILE" | less ;;
    [Cc]) grep -i 'PIX-2' "$FILE" | less ;;
    [Ee]) grep -i 'PIX-3' "$FILE" | less ;;
    [Ww]) grep -i 'PIX-4' "$FILE" | less ;;
    [Nn]) grep -i 'PIX-5' "$FILE" | less ;;
    [Ii]) grep -i 'PIX-6' "$FILE" | less ;;
    [Dd]) grep -i 'PIX-7' "$FILE" | less ;;
    [Qq]) exit ;;
    *) tput cup 18 9; echo "Invalid Code--I'm quitting"; exit 1 ;;
  esac
done

Cisco Employee

Re: Quick syslog question ASA 5500/8.04

To get that particular ACE, here is what you need to do.

Example:

%ASA-4-106100: access-list inside_access_in permitted tcp inside/192.168.2.203(8888) -> inside/192.168.31.10(12296) hit-cnt 1 first hit [0xa925365e, 0x0]

sh access-l inside_access_in | i 0xa925365e
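An added example (not from this thread) that automates the two steps above for the original question: it pulls the ACE hash out of each 106100 deny message and looks it up in saved `show access-list` output, where an object-group ACE is expanded into one line per member, each with its own hash. The ACL name, addresses and hashes below are constructed; on a real box, replace the two strings with your syslog file and the captured `show access-list` output.

```python
import re
from collections import Counter
# Constructed sample %ASA-4-106100 messages (ACL name, addresses and hashes are made up).
SYSLOG = """\
%ASA-4-106100: access-list outside_in denied tcp outside/203.0.113.7(51234) -> inside/192.168.31.10(443) hit-cnt 1 first hit [0x1b2c3d4e, 0x0]
%ASA-4-106100: access-list outside_in denied tcp outside/203.0.113.9(51240) -> inside/192.168.31.10(443) hit-cnt 3 300-second interval [0x1b2c3d4e, 0x0]
%ASA-4-106100: access-list outside_in denied udp outside/198.51.100.2(5353) -> inside/192.168.31.11(53) hit-cnt 1 first hit [0x7a8b9c0d, 0x0]
%ASA-4-106100: access-list outside_in permitted tcp outside/198.51.100.50(40000) -> inside/192.168.31.10(443) hit-cnt 1 first hit [0xdeadbeef, 0x0]
"""

# Constructed 'show access-list' output: the object-group ACE is expanded per member, each with its own hash.
SHOW_ACL = """\
access-list outside_in line 1 extended deny ip object-group Blocked_addresses any
access-list outside_in line 1 extended deny ip 203.0.113.0 255.255.255.0 any (hitcnt=4) 0x1b2c3d4e
access-list outside_in line 1 extended deny ip host 198.51.100.2 any (hitcnt=1) 0x7a8b9c0d
access-list outside_in line 2 extended permit tcp any host 192.168.31.10 eq https (hitcnt=1) 0xdeadbeef
"""

LOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\S+) -> (?P<dst>\S+) hit-cnt (?P<count>\d+) .*?\[(?P<hash>0x[0-9a-f]+), 0x[0-9a-f]+\]")
ACL_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<ace>.+?) \(hitcnt=\d+\) (?P<hash>0x[0-9a-f]+)$")

def ace_by_hash(show_output):
    """Map each expanded ACE hash to (ACL line number, ACE text) from 'show access-list'."""
    return {m["hash"]: (int(m["line"]), m["ace"])
            for m in map(ACL_RE.match, show_output.splitlines()) if m}

def deny_hits_by_hash(syslog):
    """Sum hit-cnt of denied 106100 messages per ACE hash and collect the source hosts seen."""
    counts, sources = Counter(), {}
    for line in syslog.splitlines():
        m = LOG_RE.search(line)
        if m and m["action"] == "denied":
            counts[m["hash"]] += int(m["count"])
            sources.setdefault(m["hash"], set()).add(m["src"].rsplit("/", 1)[-1].split("(")[0])
    return counts, sources

def report(syslog, show_output):
    """Join both views: (hash, denies, ACL line, ACE text, sources) per denying ACE, most hits first."""
    aces = ace_by_hash(show_output)
    counts, sources = deny_hits_by_hash(syslog)
    unknown = (None, "hash not in show access-list (ACL edited since the log was written?)")
    return [(h, n, *aces.get(h, unknown), sorted(sources[h])) for h, n in counts.most_common()]

if __name__ == "__main__":
    for h, n, line, ace, srcs in report(SYSLOG, SHOW_ACL):
        print(f"{h} denies={n} line={line} {ace} sources={srcs}")
```

A hash that is missing from the `show access-list` output usually means the ACL was edited after the message was logged, so capture the ACL output close to the log window you are searching.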
