ACL logging on router to syslog

I need to monitor the ports used on the router from one particular host to some destination. I have an ACL as given below:

permit ip host 10.0.0.1 host 192.168.0.10 log

permit ip any any

I have set up a syslog server. I see the log messages on the syslog server, but there is no port information.

The log message looks like:

"%SEC-6-IPACCESSLOGP:list acl permitted 10.0.0.1(0)-> 192.168.0.10(0), xx packets"

I need to know what ports the host 10.0.0.1 is using to the server 192.168.0.10.

What's the best way to get this information?

Thanks

Accepted Solution

Re: ACL logging on router to syslog

Dominic provides a creative solution. And depending on what the requirements are of the original post it might be a very satisfactory solution.

But we can also provide an explanation of the original problem and a solution for it. The original post shows a very simple access list which permits ip traffic between a specific pair of hosts and then permits all traffic. The access list does not examine any values for protocol ports, and that is the reason that the log messages do not have port information. If the access list does not examine port numbers, the log message cannot report port numbers. If you want the log message to include port numbers, then you must examine port numbers in the access list. This version of the list is slightly more complex, but it will provide the port numbers that you want:

permit udp host 10.0.0.1 host 192.168.0.10 range 0 65535 log

permit tcp host 10.0.0.1 host 192.168.0.10 range 0 65535 log

permit ip host 10.0.0.1 host 192.168.0.10 log

permit ip any any

HTH

Rick
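Once the tcp/udp entries above are in place, the IPACCESSLOGP lines carry real port numbers, and the earlier "(0)" entries from the plain `permit ip ... log` ACE can be told apart from them. The following is an added Python example, not code from the thread or from Cisco: the syslog lines are constructed in the shape the thread shows, and the parser separates port-bearing entries from the ones the ACL logged without inspecting ports.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape shown in the thread.
# The first two come from a 'permit ip ... log' ACE, so the router reports (0) for both ports;
# the rest come from the tcp/udp ACEs and carry the real ports.
SAMPLE_SYSLOG = """\
Mar  1 10:00:01 rtr1 12: %SEC-6-IPACCESSLOGP: list acl permitted 10.0.0.1(0)-> 192.168.0.10(0), 6 packets
Mar  1 10:05:01 rtr1 13: %SEC-6-IPACCESSLOGP: list acl permitted 10.0.0.1(0)-> 192.168.0.10(0), 12 packets
Mar  1 10:10:01 rtr1 14: %SEC-6-IPACCESSLOGP: list acl permitted tcp 10.0.0.1(51122) -> 192.168.0.10(443), 3 packets
Mar  1 10:15:01 rtr1 15: %SEC-6-IPACCESSLOGP: list acl permitted udp 10.0.0.1(40001) -> 192.168.0.10(53), 1 packet
Mar  1 10:20:01 rtr1 16: %SEC-6-IPACCESSLOGP: list acl permitted tcp 10.0.0.1(51123) -> 192.168.0.10(443), 9 packets
"""

# Protocol token is optional: the thread's 'permit ip' log line omits it, the tcp/udp lines include it.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP:\s*list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+"
    r"(?:(?P<proto>tcp|udp)\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\),\s*(?P<count>\d+)\s+packets?"
)


def parse_line(line):
    """Return a dict for one IPACCESSLOGP line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    # A 0/0 port pair means the matching ACE never inspected ports, so the fields are meaningless.
    rec["ports_known"] = not (rec["sport"] == 0 and rec["dport"] == 0)
    return rec


def summarize(text, src, dst):
    """Packet counts per (proto, dst port) for src->dst, plus packets logged without port data."""
    per_port = Counter()
    unknown = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] != src or rec["dst"] != dst:
            continue
        if rec["ports_known"]:
            per_port[(rec["proto"], rec["dport"])] += rec["count"]
        else:
            unknown += rec["count"]
    return per_port, unknown
```

A large `unknown` count relative to the per-port totals is the sign that traffic is still hitting the port-agnostic `permit ip` entry rather than the tcp/udp entries above it.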

2 REPLIES

Re: ACL logging on router to syslog

Use NetFlow. Send all the flows to a Linux server, then grep on the source or destination.

