For the best results with Cisco ASA logging, the device should be configured to send 106100 messages, and the legacy messages 302013 and 302015 should be disabled.
ASA devices have a global-level and a rule-level logging option; rule-level logging is enabled by adding the "log" keyword to the end of each ACL rule.
Global logging produces the legacy messages 302013 and 302015. These are the "built connection" messages for TCP and UDP connections respectively.
The legacy messages (302013/302015) cover TCP and UDP only, so usage by other protocols such as ICMP will not be matched.
Rule-level logging (106100) is matched using the hex ID that the ASA assigns to each ACL entry and includes in each message.
2021-06-16 03:15:57,583 [0x7fd9237fe700] DEBUG SyslogUdpServer - [40VH9C] Received message [m-3-001k] from [10.250.0.190]: [<166>%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.250.0.200(41022) -> ext-net/192.168.0.11(80) hit-cnt 1 first hit [0x1c834070, 0xd759e618]\n]
access-list inside_access_in line 2 extended permit ip 10.250.0.0 255.255.255.0 object-group server_group log informational interval 300 0x1c834070
access-list inside_access_in line 2 extended permit ip 10.250.0.0 255.255.255.0 host 192.168.0.10 log informational interval 300 (hitcnt=5) 0x17220ecd
access-list inside_access_in line 2 extended permit ip 10.250.0.0 255.255.255.0 host 192.168.0.11 log informational interval 300 (hitcnt=35) 0xd759e618
access-list inside_access_in line 2 extended permit ip 10.250.0.0 255.255.255.0 host 192.168.0.12 log informational interval 300 (hitcnt=25) 0x8bcaa964
Legacy messages require more processing to match because they carry no unique identifiers.
To avoid counting each rule hit twice (once from the 106100 message and once from the legacy message), disable the legacy messages with these commands:
no logging message 302013
no logging message 302015
Other message types should also be disabled to reduce the load on the DC, since those messages will be discarded anyway.
Traffic Flow Analysis (TFA) requires syslog; it will not work with hit counters.
Hit counters use the hitcnt value from the "show access-list" command.
access-list ext-net_access_in line 3 extended permit ip any any log informational interval 300 (hitcnt=0) 0x3b105d4e
This gives no detail about the actual traffic passed by the rule.
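The following is an added example, not code from the article or from the product it describes. It shows how a collector can match a 106100 message to the ACL entries above by hex ID, and why the hit counters from "show access-list" carry less information: the parser reads both the sample 106100 message and the sample "show access-list" lines quoted in this article (embedded here as constructed input), indexes every ACE by its hex ID, and resolves the two hashes in the message to the configured rule and the expanded per-host entry. The regex field names and the assumption that the first hash identifies the configured ACE and the second the expanded entry are taken from the sample above, not from Cisco documentation.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# One line of "show access-list" output. The hitcnt field is absent on the
# object-group line in the sample (only the expanded per-host lines carry it),
# so it is optional here.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<spec>.+?)(?: \(hitcnt=(?P<hitcnt>\d+)\))? (?P<hex_id>0x[0-9a-f]{8})$"
)

# A %ASA-6-106100 message, searched inside whatever wrapper it arrived in
# (the sample is a collector DEBUG line around the raw syslog payload).
MSG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<sif>\S+)/(?P<sip>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\S+)/(?P<dip>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+) "
    r"\(?(?P<window>first hit|\d+-second interval)\)? "
    r"\[(?P<hash1>0x[0-9a-f]+), (?P<hash2>0x[0-9a-f]+)\]"
)

# Constructed sample input: the collector line and the ACL listing quoted in the article.
SYSLOG_LINE = (
    r"2021-06-16 03:15:57,583 [0x7fd9237fe700] DEBUG SyslogUdpServer - [40VH9C] Received "
    r"message [m-3-001k] from [10.250.0.190]: [<166>%ASA-6-106100: access-list inside_access_in "
    r"permitted tcp inside/10.250.0.200(41022) -> ext-net/192.168.0.11(80) hit-cnt 1 first hit "
    r"[0x1c834070, 0xd759e618]\n]"
)
SHOW_ACCESS_LIST = """
access-list inside_access_in line 2 extended permit ip 10.250.0.0 255.255.255.0 object-group server_group log informational interval 300 0x1c834070
access-list inside_access_in line 2 extended permit ip 10.250.0.0 255.255.255.0 host 192.168.0.10 log informational interval 300 (hitcnt=5) 0x17220ecd
access-list inside_access_in line 2 extended permit ip 10.250.0.0 255.255.255.0 host 192.168.0.11 log informational interval 300 (hitcnt=35) 0xd759e618
access-list inside_access_in line 2 extended permit ip 10.250.0.0 255.255.255.0 host 192.168.0.12 log informational interval 300 (hitcnt=25) 0x8bcaa964
access-list ext-net_access_in line 3 extended permit ip any any log informational interval 300 (hitcnt=0) 0x3b105d4e
"""


@dataclass(frozen=True)
class AceEntry:
    acl: str
    line: int
    action: str
    proto: str
    spec: str              # addresses, objects and log options, verbatim
    hitcnt: Optional[int]  # None on lines that carry no counter
    hex_id: str


@dataclass(frozen=True)
class RuleHit:
    acl: str
    action: str
    proto: str
    src: str               # "ip:port" as seen in the message
    dst: str
    hits: int
    hashes: Tuple[str, str]


def parse_show_access_list(text: str) -> Dict[str, AceEntry]:
    """Index every ACE by its hex ID so a hash from a 106100 message is a direct lookup."""
    table: Dict[str, AceEntry] = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # headers, blank lines, non-extended entries
        hc = m.group("hitcnt")
        entry = AceEntry(m.group("acl"), int(m.group("line")), m.group("action"),
                         m.group("proto"), m.group("spec"),
                         int(hc) if hc is not None else None, m.group("hex_id"))
        table[entry.hex_id] = entry
    return table


def parse_106100(line: str) -> Optional[RuleHit]:
    """Extract the flow and the two hex IDs from a 106100 message; None for any other message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return RuleHit(acl=m.group("acl"), action=m.group("action"), proto=m.group("proto"),
                   src=f"{m.group('sip')}:{m.group('sport')}",
                   dst=f"{m.group('dip')}:{m.group('dport')}",
                   hits=int(m.group("hits")), hashes=(m.group("hash1"), m.group("hash2")))


def match_hit(hit: RuleHit, table: Dict[str, AceEntry]) -> Tuple[Optional[AceEntry], Optional[AceEntry]]:
    """Resolve both hashes. Assumption from the article's sample: the first hash is the
    configured ACE (the object-group line) and the second is the expanded per-host entry."""
    return table.get(hit.hashes[0]), table.get(hit.hashes[1])


if __name__ == "__main__":
    acl_table = parse_show_access_list(SHOW_ACCESS_LIST)
    rule_hit = parse_106100(SYSLOG_LINE)
    if rule_hit is not None:
        configured, expanded = match_hit(rule_hit, acl_table)
        print(f"flow {rule_hit.src} -> {rule_hit.dst} ({rule_hit.proto}) {rule_hit.action}")
        print(f"  configured rule: {configured.acl} line {configured.line}: {configured.spec}")
        print(f"  expanded entry : {expanded.spec} (hitcnt={expanded.hitcnt})")
```

Note that the hitcnt value on the expanded entry tells you only that 35 packets hit the host 192.168.0.11 line; the source address, ports and interfaces come solely from the 106100 message, which is why TFA needs syslog rather than the counters.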
If objects on the ASA are configured using the "names" method, then you must run "no names".
If names is enabled, the ASA sends those names in the usage messages, and the messages can then not be matched. As a result, the TFA data will be incomplete and will report 0.0.0.0 rather than the actual flow data.
Comments
This is an *excellent* article and bit of knowledge!