
ASA url logging

scottwilliamson

Hi,

I'm attempting to make our ASA log URLs and I am getting some success. However, the output presents the IP instead of the actual domain, e.g., when browsing to imdb it is logged as:

Nov 16 2009 14:12:35: %ASA-5-304001: 30.30.30.30 Accessed URL 209.85.229.148:/adj/imdb2.consumer.homepage/;tile=2;sz=468x60,728x90,1008x150,9x1;p=t;s=32;;ord=9973051011677648

rather than imdb.com/....(or whatever it happens to be).

How do I get the ASA to log the domain rather than the corresponding IP address?

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#related

states the ASA has to run vers 8.0.4.24 or later, ours has 8.2(1).

Thanks,

Scott


Hi again,

I've configured the regex matchall etc this morning and I'm afraid nothing appears in the logs - I'm starting with an ASA config "out of the box" so maybe I'm missing something, though I have enabled logging .....

logging enable
logging timestamp
logging standby
logging list Weblog message 304001
logging console Weblog
logging buffered debugging
logging history Weblog
logging facility 21

the "Weblog" entries are from the NAC guest server / ASA url stuff mentioned in my original post.

Thanks

Scott

Hi Folks,

Any ideas would be welcome - I feel that with your help this is very close to being resolved.

Many Thanks

Scott

Scott,

I have my ASA sending logs to a syslog server. Here is my ASA logging:

logging enable
logging timestamp
logging trap debugging
logging host inside x.x.x.x

My syslog server is set up to only receive NOTICE events from the ASA. However, I'm now stuck where Scott was in his original post. It's logging the IP and URI, but isn't showing the actual host. I'm running 8.0(4). Here's what I see in my logs:

Dec  9 10:07:27 10.0.0.1 Dec 09 2009 08:07:05: %ASA-5-304001: 10.0.8.108 Accessed URL 208.80.152.3:/wikipedia/en/b/bc/Wiki.png
Dec  9 10:07:27 10.0.0.1 Dec 09 2009 08:07:05: %ASA-5-415008: HTTP - matched Class 30: LogDomainsClass in policy-map http_inspection_policy, header matched from inside:10.0.8.108/1512 to outside: 208.80.152.3/80

Here is a snippet from my running config:

regex matchall "."

class-map type regex match-any DomainLogList
 match regex matchall

class-map type inspect http match-all LogDomainsClass
 match request header host regex class DomainLogList

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect http http_inspection_policy
 description http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class LogDomainsClass
  log

policy-map inside-policy
 class inside-classAccept
  inspect http http_inspection_policy
 class inside-class
  inspect http http_inspection_policy
 class inspection_default
  inspect http

Was this a feature added in a later firmware? If so, I'll make the upgrade.

Hi Ronald,

From sh version: System image file is "disk0:/asa821-k8.bin". Is there a feature that is missing from our respective ASAs that the others have?

I doubt it but I cannot see what I've missed from the config.

Scott

claytonchumby

Any new news on this issue?  I haven't been able to get the ASA (running version 8.2(1)) to log the hostname using any of the techniques above.  However, if you look at this cisco.com page, it indicates indirectly that this is meant to work, simply by adding "inspect http" to class inspection_default.

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#asac

The inspect http command is placed under a class-map within a policy-map. When enabled with the service-policy command, http inspection logs Get requests with syslog message 304001. ASA code 8.0.4.24 or later is required for syslog message 304001 to show the hostname as part of the URL.

I'm baffled.  It is hard to believe this should be so difficult.  How else are you supposed to log web usage without 3rd party products or a proxy server?

I have been trying to get URL logging to work too. I have found that if I browse to one of our internal sites it will log the URL name, but if I go to an external site it will log the IP address.

Has anyone gotten this to work for external sites?

Accessed URL 63.69.72.58:/js/pass.html?cb=23844
Accessed URL 96.17.72.144:/_media/uac/anatp.html?t=160afrf1088k4h&s=99999,
Accessed URL 64.236.79.229:/adcedge/lb?site=695501&betr=tc=1,99999,52588,5
Accessed URL 69.31.116.120:/assets/images/home/icons/video.gif
Accessed URL 216.246.75.227:/rsrc.php/zx/r/DmvbpGB-fMy.swf
Accessed URL 66.220.146.32:/extern/login_status.php?api_key=61b68b0702fb92
Accessed URL 209.234.252.57:/js/api_lib/v0.4/XdCommReceiver.js?v2
Accessed URL www.expresspros.com:/
Accessed URL www.expresspros.com:/shared/style/ie.css
Accessed URL www.expresspros.com:/shared/javascript/swfobject.js
Accessed URL www.expresspros.com:/shared/javascript/thickbox.js
Accessed URL www.expresspros.com:/shared/javascript/jquery-1-2-3-min.js
Accessed URL www.expresspros.com:/shared/images/socialmedia/twitter-sm.gif
Accessed URL 74.125.67.138:/ga.js
Accessed URL www.expresspros.com:/favicon.ico
Accessed URL 199.7.57.72:/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsK8Var42Wv2Ct%2BB

Hi David,

This makes me think it is a DNS issue which I asked about further up the thread, I did get a reply but it wasn't clear.

There must be someone out there who knows the answer to this.

Regards,

Scott

That is what I was thinking, a DNS problem.

I have opened a case with Cisco, so let's see what they come back with. I'll let you all know.

Regards

David

After Cisco got back to me about the logging problem and I loaded the new code, it works.

I was running 8.2(1) and had to upgrade to 8.2(3), and now the logging is working.

The 10.10 is an inside test network that I am coming from to http://www.cisco.com

I hope that this helps everyone. Now off to write some code to put this in a database to see where people are going.

Nov 11 2010 19:18:31: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/
Nov 11 2010 19:18:32: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/offers/js/mbox.js
Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/hub.swf
Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/j/home.metrics_ut.js?v=ut2.1.201009
Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/j/home.s_code_ut.js?v=ut2.1.2010091
Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/hp-fatfooter-menu.png
Nov 11 2010 19:18:34: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 198.133.219.119:http://newsroom.cisco.com/dlls/cdc_news_json_v1.js?cacheRese
Nov 11 2010 19:18:35: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/tsweb/searchplugins/cdc_search.xml
Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/co/menu-content.html
Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/mm-box-shadow.png
Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/mm-corners.png
Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/mm-spinner.gif
Nov 11 2010 19:18:36: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/web/fw/i/mm-sprite.png
Nov 11 2010 19:18:39: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/css/en.c
Nov 11 2010 19:18:40: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/css/fr.c
Nov 11 2010 19:18:40: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/css/ch.c
Nov 11 2010 19:18:40: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/css/de.c
Nov 11 2010 19:18:41: %ASA-5-304001: 10.10.xxx.xxx Accessed URL 72.163.4.161:http://www.cisco.com/assets/home/spotlight/sp_20101011/swf/chic
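
An added example, not part of the original thread or any poster's code: a Python parser for the three %ASA-5-304001 shapes that appear in this thread (IP only, hostname in place of the IP, and IP followed by a full http:// URL as posted after the 8.2(3) upgrade). It also counts how many entries still lack a hostname. The function names `parse_304001` and `summarize` and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# The message body is matched anywhere in the line, so an extra timestamp/host
# prefix added by a syslog server in front of the ASA timestamp is tolerated.
MSG = re.compile(
    r"%ASA-5-304001: (?P<client>\S+) Accessed URL (?P<dest>[^:\s]+):(?P<rest>\S*)")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_304001(line):
    """Return client, server_ip, host and path, or None for any other message."""
    m = MSG.search(line)
    if not m:
        return None
    dest, rest = m["dest"], m["rest"]
    server_ip = dest if IPV4.match(dest) else None
    host, path = None, rest
    if rest.startswith("http://"):
        # <ip>:http://<host>/<path>, the shape posted after the 8.2(3) upgrade
        try:
            u = urlsplit(rest)
            host = u.hostname
            path = u.path + ("?" + u.query if u.query else "")
        except ValueError:
            pass  # malformed client-supplied URL: keep the raw text, no host
    elif server_ip is None:
        host = dest.lower()  # <hostname>:/<path>
    # otherwise <ip>:/<path>: the firewall logged no hostname at all
    return {"client": m["client"], "server_ip": server_ip,
            "host": host, "path": path or "/"}

def summarize(lines):
    """Count hits per host (falling back to server IP) and hostless entries."""
    hits, hostless = Counter(), 0
    for rec in filter(None, map(parse_304001, lines)):
        hostless += rec["host"] is None
        hits[rec["host"] or rec["server_ip"]] += 1
    return hits, hostless

# Constructed sample lines (documentation addresses, not taken from the thread).
SAMPLE = [
    "Nov 11 2010 19:18:31: %ASA-5-304001: 192.0.2.10 Accessed URL 198.51.100.7:http://www.example.com/",
    "Nov 11 2010 19:18:32: %ASA-5-304001: 192.0.2.10 Accessed URL 198.51.100.7:http://www.example.com/js/app.js?v=2",
    "Dec  9 10:07:27 192.0.2.1 Dec 09 2009 08:07:05: %ASA-5-304001: 192.0.2.11 Accessed URL 198.51.100.9:/img/logo.png",
    "Dec 09 2009 08:07:06: %ASA-5-304001: 192.0.2.11 Accessed URL intranet.example.com:/shared/style.css",
    "Dec 09 2009 08:07:05: %ASA-5-415008: HTTP - matched Class 30: LogDomainsClass in policy-map http_inspection_policy",
]
```

A non-zero hostless count from `summarize` on current logs indicates the firewall is still emitting the IP-only form, so per-site reporting built on those entries would be keyed by address rather than by name.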

Hi David,

Good news, however I have 8.2(3) and I haven't got it to work. It must be down to my config. Would you mind posting your config, please?

Many Thanks

Scott

I've just reread all of the posts in this thread and realised that back at the start the version on our ASA was different; in the meantime one of my colleagues has upgraded the IOS version, and I have not tried URL logging since. So, I'll try again and see what the result is.

Fingers crossed.

Scott

This morning I went in and removed all the configuration that I put in for logging URL except for the inspect http.

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
  inspect ip-options

I removed all of this.

regex matchall "."

class-map type regex match-any DomainLogList
 match regex matchall

class-map type inspect http match-all LogDomainsClass
 match request header host regex class DomainLogList

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect http http_inspection_policy
 description http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class LogDomainsClass
  log

policy-map inside-policy
 class inside-classAccept
  inspect http http_inspection_policy
 class inside-class
  inspect http http_inspection_policy
 class inspection_default
  inspect http

rizwan.corvit

Hello Man,

Could anyone please share with me how to configure the ASA for URL logging using any syslog server placed in the LAN?

bundle of thanks !!!!!

Rizwan Haider


rizwan.haider@msn.com

Are you running 8.2(3) or newer code?

Cisco Adaptive Security Appliance Software Version 8.0(2)
