Access-list logs on 5500 ASA?

Element926 Member Posts: 36
Hello,

I have an ASA 5500 and I'm searching for a command like:

ip accounting access-violations

That will show me match statements for those who are being denied by an access list so I can find their source IP address.

Does anyone know a command for this?

Thank you.

Comments

  • Ahriakin SupremeNetworkOverlord Member Posts: 1,799
    Just add the 'log' keyword to the end of the ACL statement (for statements that are already in place just enter the full statement again with the log keyword; the ASA will find the old line and replace/append it). I often find it handy to use different syslog levels for each ACE depending on how I want to differentiate them, e.g. for something I never want to see (like common malware addresses) I use 'log critical', then I can easily search within my viewer for matches on that ACL name at that level.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Element926 Member Posts: 36
    Right, I have the log at the end of the ACL. However I don't know where to view the log messages. They don't come up in the console and "show logging" displays nothing. No syslog server is available so I need to view it on the device.
  • chrisone Senior Member Member Posts: 2,230
    You can also view these logs live in ASDM. I find it very easy to view things with ASDM.
    Certs: CISSP, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2021 Goals
    Courses: eLearnSecurity - PTXv2 (complete), SANS 699: Purple Team Tactics (completed), PentesterLabs Pro (ongoing)
    EnCase Courses: DF120 (complete), DF210 (in progress), DF310
    Certs: AZ-500, SC-200 (passed), SC-300 (next), EnCE, Splunk Core Power User (passed), Splunk Enterprise Sys Admin
  • Element926 Member Posts: 36
    Using ASDM I actually went into it and I saw notifications for a few ACLs being blocked. However I was unable to see the one I actually wanted. Any way to view a specific ACL log?
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,799
    You can create a filter view in the ASDM. Alternatively set logging buffered xxxxx; if you are getting a lot of hits at a low logging level then set your ACL statement to something like emergency, set logging buffered to emergency and you should have very little besides your desired ACL hits. Setting the levels on your different ACE log statements will help you create a filter mechanism in your viewer (whether ASDM, show log or an external app).
    But seriously get a Syslog app. Kiwi (free) at the very least or better still Splunk (which is also free to a point). There's no excuse not to and it is the bare essential of logging you need to be doing.

    Edit, just reread: You say you put the log statement at the end of the ACL; that will only catch what you missed above. You need to create a statement for the specific traffic you want to see, whether permit or deny, then add the words 'log xxxxxxx' to the end of it. E.g.

    access-list SUPER-SCAREY-INTERNET permit tcp host 2.2.2.2 1.1.1.0 255.255.255.0 log warnings
    access-list SUPER-SCAREY-INTERNET deny tcp host 3.3.3.3 1.1.1.0 255.255.255.0 eq 666 log critical
    access-list SUPER-SCAREY-INTERNET permit tcp any 1.1.1.0 255.255.255.0 eq 666
    access-list SUPER-SCAREY-INTERNET deny tcp any any log informational

    Any traffic from 2.2.2.2 is allowed to 1.1.1.0/24 but it is logged at Warning level.
    3.3.3.3 to 1.1.1.0/24 is denied and logged at critical level.
    Anything else to 1.1.1.0/24 is allowed and not logged.
    Any other traffic is denied and logged as informational.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
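    Once the ACEs carry a 'log' keyword and the ASA has `logging enable` and `logging buffered <level>` configured (without both, `show logging` stays empty), each matching packet produces a syslog message 106100 at the level given on the ACE, and the implicit deny produces message 106023. The script below is an added example (not from this thread or from Cisco) that parses a handful of constructed lines in that shape, so the denied source addresses for one specific ACL name can be pulled out of a pasted `show logging` buffer or a syslog file. The message layout is assumed from Cisco's published 106100/106023 formats; the IPs, ACL names and hit counts in SAMPLE_LOG are made up.

```python
import re
from collections import Counter

# Constructed sample in the shape of ASA messages 106100 (ACE with 'log' keyword)
# and 106023 (implicit deny). Not captured from a real device; values are made up.
SAMPLE_LOG = """\
%ASA-4-106100: access-list SUPER-SCAREY-INTERNET permitted tcp outside/2.2.2.2(40512) -> inside/1.1.1.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-2-106100: access-list SUPER-SCAREY-INTERNET denied tcp outside/3.3.3.3(51234) -> inside/1.1.1.20(666) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list SUPER-SCAREY-INTERNET denied tcp outside/198.51.100.7(3389) -> inside/1.1.1.30(22) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list SUPER-SCAREY-INTERNET denied udp outside/198.51.100.7(5060) -> inside/1.1.1.30(5060) hit-cnt 12 300-second interval [0x1a2b3c4d, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:1.1.1.40/445 by access-group "OTHER-ACL" [0x0, 0x0]
"""

# ASA syslog severity numbers to the names used on 'log <level>' / 'logging buffered <level>'.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# 106100: generated for every ACE that has the 'log' keyword, at the level set on that ACE.
ACE_LOG = re.compile(
    r"%ASA-(?P<level>\d)-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src_if>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# 106023: the implicit deny at the end of an access-group (no 'log' keyword involved).
IMPLICIT_DENY = re.compile(
    r"%ASA-(?P<level>\d)-106023: Deny (?P<proto>\S+) src (?P<src_if>[^:]+):(?P<src>[^/]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst>[^/]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)


def parse_line(line):
    """Return a dict for one ACL log line, or None if the line is some other message."""
    m = ACE_LOG.search(line)
    if m:
        event = m.groupdict()
        event["action"] = "deny" if event["action"] == "denied" else "permit"
        event["hits"] = int(event["hits"])          # 106100 aggregates hits per interval
    else:
        m = IMPLICIT_DENY.search(line)
        if not m:
            return None
        event = m.groupdict()
        event["action"] = "deny"
        event["hits"] = 1                           # 106023 is emitted per packet
    event["level"] = int(event["level"])
    event["severity"] = SEVERITY_NAMES[event["level"]]
    return event


def parse_log(text):
    """Parse a pasted 'show logging' buffer or syslog file into a list of events."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def denied_sources(events, acl=None):
    """Total denied hits per source IP, optionally restricted to one ACL name."""
    counts = Counter()
    for e in events:
        if e["action"] != "deny":
            continue
        if acl is not None and e["acl"] != acl:
            continue
        counts[e["src"]] += e["hits"]
    return counts


def events_at_severity(events, severity):
    """Events logged at exactly one severity name, mirroring a 'log critical' style filter."""
    return [e for e in events if e["severity"] == severity]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, hits in denied_sources(evs, "SUPER-SCAREY-INTERNET").most_common():
        print(f"{src:16} denied {hits} time(s) by SUPER-SCAREY-INTERNET")
    for e in events_at_severity(evs, "critical"):
        print("critical:", e["acl"], e["action"], e["src"], "->", e["dst"])
```

    Feed it the output of `show logging` (or `show logging | include 106100` to pre-filter on the box) and pass the ACL name you care about to `denied_sources`; the `events_at_severity` filter is the scripted equivalent of the per-ACE level trick described above.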
  • Element926 Member Posts: 36
    Currently it's set to logging informational... I guess I just need to set it so I can view it.