I'm trying to set up log filtering so that only the traffic coming from ACL match logs and firewall session logs is sent to a syslog server, but nothing else. So I don't want these messages showing in the buffer, console or monitor. I also don't want other messages sent to that syslog server, just %SEC and %FW.
So far this is what I did:
I created a Tcl script that blocks any messages from the %SEC and %FW facilities and applied that script as a filter for monitor, console and buffer. That works for blocking the display of these messages, but the syslog server is still getting all of the other messages, which I would like to avoid.
For the last few days I've been looking at Tcl and ESM; I feel like I'm really close.
I figured it out. What I did was use a Tcl script that changed the stream ID of messages that matched facility %SEC and %FW. Then I had a syslog server that only accepted messages from the stream ID that was specified in the Tcl script.
So it turns out that when a logging module is specified to be filtered, any messages are sent to the filter (which is the Tcl script) with a standard stream ID of 2. The filter changes it to the stream ID that was specified in "logging host x.x.x.x filtered stream y", and only those messages are forwarded there. The messages that don't match the filter don't have their stream ID changed, and they go to the rest of the modules that use the filter.
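The mechanism described in this answer, written out as an added ESM filter script. This is an example added here, not the poster's script. It assumes stream 10, a syslog host of 192.0.2.10 and the file name flash:esm-stream.tcl; the ESM global variables ::facility, ::stream and ::orig_msg are the names from Cisco's Embedded Syslog Manager documentation as I recall them, so verify them against the ESM reference for the IOS release in use. The script avoids Tcl 8.5-only features (such as lsearch -nocase) because the IOS Tcl interpreter in many releases is based on Tcl 8.3.

```tcl
# esm-stream.tcl : Cisco IOS Embedded Syslog Manager (ESM) filter.
# Added example, not the poster's script. Assumed: stream 10 and
# syslog host 192.0.2.10; ::facility / ::stream / ::orig_msg are the
# ESM globals as documented by Cisco (verify for your IOS release).
#
# Goal (from the thread): %SEC (ACL match) and %FW (firewall session)
# messages go ONLY to one syslog host; everything else stays on the
# default filtered stream (2) for console/monitor/buffer and is never
# sent to that host.
#
# Apply on the router (configuration mode):
#   logging filter flash:esm-stream.tcl
#   logging console filtered
#   logging monitor filtered
#   logging buffered filtered
#   logging host 192.0.2.10 filtered stream 10
#
# Streams 0 and 1 are reserved and 2 is the default for filtered
# messages, so pick a value from 3 to 65535 for the dedicated host.

set secfw_stream 10

# Facilities to divert, stored upper-case without the leading "%"
# (the message "%SEC-6-IPACCESSLOGP: ..." has facility "SEC").
set divert_facilities {SEC FW}

# Some messages may not populate ::facility (for example messages
# without a standard header), so guard before reading it.
if { [info exists ::facility] } {
    set fac [string toupper $::facility]
    if { [lsearch -exact $divert_facilities $fac] >= 0 } {
        # Move the message off stream 2: the filtered console, monitor
        # and buffer no longer see it, and only the host configured
        # with "filtered stream 10" receives it. Non-matching messages
        # keep stream 2 and are never sent to that host.
        set ::stream $secfw_stream
    }
}

# The filter's return value is the text that is actually logged.
# Returning the original message unchanged keeps the format intact;
# returning an empty string would drop the message entirely.
return $::orig_msg
```

After applying the filter, confirm it loaded with show logging (the output lists the active filter modules) and generate one ACL match and one ordinary message such as a config change: the %SEC line should reach only the 192.0.2.10 host, while the config-change line appears in the buffer and console but not on that host.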