Access list syslog correlation

By stretch | Monday, June 1, 2009 at 6:25 a.m. UTC

ACL syslog correlation is a Cisco IOS feature which provides the ability to identify which access list entry (ACE) was responsible for a permit or deny action appearing in syslog.

Consider the following access list applied to filter externally-sourced traffic destined for the internal network:

Router# show ip access-lists
Extended IP access list EXTERNAL->INTERNAL
 10 permit icmp any any echo-reply
 20 permit udp any eq domain any
 30 permit tcp any any established
 40 permit tcp any host 172.16.0.202 eq www
 50 deny tcp any any eq 22 log
 999 deny ip any any

Lines 10 through 40 allow miscellaneous traffic types in, and line 50 explicitly denies inbound traffic destined to TCP/22 for the purpose of logging. Line 60 defines an explicit "deny any"; this isn't required, but included here for clarity.

When an inbound packet is matched and discard by rule 50, the following syslog message is generated:

%SEC-6-IPACCESSLOGP: list EXTERNAL->INTERNAL denied tcp 10.0.0.2(57289) ->
 10.0.0.1(22), 1 packet  

This log message informs the administrator of the action taken and the ACL which matched the packet, but in some cases we may want more detail readily available. This is where ACL hash correlation comes in handy. We can redefine the ACL rule to include an arbitrary keyword, up to 64 characters in length:

Router(config)# ip access-list ext EXTERNAL->INTERNAL
Router(config-ext-nacl)# 50 deny tcp any any eq 22 log Deny_SSH
Router(config-ext-nacl)# ^Z
Router# show ip access-lists
Extended IP access list EXTERNAL->INTERNAL
 10 permit icmp any any echo-reply
 20 permit udp any eq domain any
 30 permit tcp any any established
 40 permit tcp any host 172.16.0.202 eq www
 50 deny tcp any any eq 22 log (tag = Deny_SSH)
 999 deny ip any any

Now when that rule discards a packet, its log message includes our tag:

%SEC-6-IPACCESSLOGP: list EXTERNAL->INTERNAL denied tcp 10.0.0.2(54843) ->
 10.0.0.1(22), 1 packet  [Deny_SSH]

These tags can be reused by multiple ACEs. Continuing our example, say we also want to deny traffic to SSH servers running on an alternate port, TCP/2222:

Router(config)# ip access-list ext EXTERNAL->INTERNAL
Router(config-ext-nacl)# 60 deny tcp any any eq 2222 log Deny_SSH
Router(config-ext-nacl)# ^Z
Router# show ip access-lists
Extended IP access list EXTERNAL->INTERNAL
 10 permit icmp any any echo-reply
 20 permit udp any eq domain any
 30 permit tcp any any established
 40 permit tcp any host 172.16.0.202 eq www
 50 deny tcp any any eq 22 log (1 match) (tag = Deny_SSH)
 60 deny tcp any any eq 2222 log (tag = Deny_SSH)
 999 deny ip any any

ACL logging tags are great for readily identifying ACE matches, particularly when you expect certain matches to occur, but manually defining a tag for each ACE isn't always practical. This is especially true when you want to maintain syslog correlation among hundreds or thousands of individual ACL rules. In such cases, automatically generated hashes would be the preferred option. Automatic hashing is enabled globally, and applied to any ACE with the log keyword with no argument following it.

Here we enable hash generation and add a few more ACEs to our ACL:

Router(config)# ip access-list logging hash-generation
Router(config)# ip access-list extended EXTERNAL->INTERNAL
Router(config-ext-nacl)# 70 deny tcp any any eq 1000 log
Router(config-ext-nacl)# 80 deny tcp any any eq 2000 log
Router(config-ext-nacl)# 90 deny tcp any any eq 3000 log
Router(config-ext-nacl)# ^Z
Router# show ip access-lists
Extended IP access list EXTERNAL->INTERNAL
 10 permit icmp any any echo-reply
 20 permit udp any eq domain any
 30 permit tcp any any established
 40 permit tcp any host 172.16.0.202 eq www
 50 deny tcp any any eq 22 log (1 match) (tag = Deny_SSH)
 60 deny tcp any any eq 2222 log (tag = Deny_SSH)
 70 deny tcp any any eq 1000 log (hash = 0x594F8697)
 80 deny tcp any any eq 2000 log (hash = 0xE471528C)
 90 deny tcp any any eq 3000 log (hash = 0x34CC0DD6)
 999 deny ip any any

As expected, a trigger by any of the ACEs with a hash appended works just as it does with tags:

%SEC-6-IPACCESSLOGP: list EXTERNAL->INTERNAL denied tcp 10.0.0.2(21196) ->
 10.0.0.1(1000), 1 packet  [0x594F8697]

While not immediately useful, a hash can be used to filter an ACL configuration and quickly identify the ACE responsible for an action:

Router# show ip access-lists EXTERNAL->INTERNAL | include 594F8697
 70 deny tcp any any eq 1000 log (1 match) (hash = 0x594F8697)

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Posted in Security

Comments


Paul Stewart (guest)
June 1, 2009 at 2:24 p.m. UTC

That is way cool and quite useful when you have a large number of ACE's in an ACL.


Aaron Conaway (guest)
June 1, 2009 at 3:27 p.m. UTC

Another great post, Stretch.

I had seen the tag directive in the past but mostly just ignored it. I can see where it will be useful, though. I've also seen the hash in logs but had no clue what I was looking at. Thanks for clearing that up for me.


Brandon Carroll (guest)
June 1, 2009 at 7:35 p.m. UTC

Very slick trick. I did a post some time back, in fact it was probably my second host ever, that talked about ACLs and using input-interface and so on for tweaking ACLs. I think tips like this are very cool and often overlooked.


Tyler Swanson (guest)
June 3, 2009 at 4:11 p.m. UTC

Thanks, this looks really useful. I'll definitely start using this next time I need to modify my ACLs.


pallen (guest)
June 3, 2009 at 11:03 p.m. UTC

The automatic hash-generation is very interesting. If the hash is based solely upon the access list entry, that would make it easy to have a script on a central syslog server parse the syslog for the same event occuring on multiple routers.


shivlu jain (guest)
June 5, 2009 at 1:24 p.m. UTC

hast algorithm is really a nice trick.

regards shivlu jain


AH (guest)
June 8, 2009 at 11:22 p.m. UTC

I was really hoping this was a feature supported by 3750 switches - all the vlan ACL's I have to monitor would have been a nice touch


Mark (guest)
June 11, 2009 at 6:30 a.m. UTC

Any commands to change the behavior of that one line with log subcommmand, saying that even with that log subcommad I do not want that to be logged on the syslog (to appear on sh log)? The situation requires that because I add the log subcommand on the acl so that the packets that belongs to that interface is handled by software to avoid an IOS bug that I found.


Bugbear (guest)
June 20, 2009 at 3:09 a.m. UTC

Out of curiosity anyone know if this supported on ASA's Commands are not obvious if it is. Great post!


Jahed (guest)
February 4, 2015 at 8:14 p.m. UTC

I've just finished writing the skeleton code in Python that performs ASA ACE to syslog correlation where the hash/cookie option has not been configured on the ASA. The historic syslogs available do not have any cookie/hash values present since the ACL's have not been configured using the "log" keyword. Is there any other way of performing log analysis and syslog to ACE correlation (where cookie/hash values have not been employed)?

Comments have closed for this article due to its age.