Access list syslog correlation
By stretch | Monday, June 1, 2009 at 6:25 a.m. UTC
ACL syslog correlation is a Cisco IOS feature which provides the ability to identify which access list entry (ACE) was responsible for a permit or deny action appearing in syslog.
Consider the following access list applied to filter externally-sourced traffic destined for the internal network:
Router# show ip access-lists Extended IP access list EXTERNAL->INTERNAL 10 permit icmp any any echo-reply 20 permit udp any eq domain any 30 permit tcp any any established 40 permit tcp any host 172.16.0.202 eq www 50 deny tcp any any eq 22 log 999 deny ip any any
Lines 10 through 40 allow miscellaneous traffic types in, and line 50 explicitly denies inbound traffic destined to TCP/22 for the purpose of logging. Line 60 defines an explicit "deny any"; this isn't required, but included here for clarity.
When an inbound packet is matched and discard by rule 50, the following syslog message is generated:
%SEC-6-IPACCESSLOGP: list EXTERNAL->INTERNAL denied tcp 10.0.0.2(57289) -> 10.0.0.1(22), 1 packet
This log message informs the administrator of the action taken and the ACL which matched the packet, but in some cases we may want more detail readily available. This is where ACL hash correlation comes in handy. We can redefine the ACL rule to include an arbitrary keyword, up to 64 characters in length:
Router(config)# ip access-list ext EXTERNAL->INTERNAL Router(config-ext-nacl)# 50 deny tcp any any eq 22 log Deny_SSH Router(config-ext-nacl)# ^Z Router# show ip access-lists Extended IP access list EXTERNAL->INTERNAL 10 permit icmp any any echo-reply 20 permit udp any eq domain any 30 permit tcp any any established 40 permit tcp any host 172.16.0.202 eq www 50 deny tcp any any eq 22 log (tag = Deny_SSH) 999 deny ip any any
Now when that rule discards a packet, its log message includes our tag:
%SEC-6-IPACCESSLOGP: list EXTERNAL->INTERNAL denied tcp 10.0.0.2(54843) -> 10.0.0.1(22), 1 packet [Deny_SSH]
These tags can be reused by multiple ACEs. Continuing our example, say we also want to deny traffic to SSH servers running on an alternate port, TCP/2222:
Router(config)# ip access-list ext EXTERNAL->INTERNAL Router(config-ext-nacl)# 60 deny tcp any any eq 2222 log Deny_SSH Router(config-ext-nacl)# ^Z Router# show ip access-lists Extended IP access list EXTERNAL->INTERNAL 10 permit icmp any any echo-reply 20 permit udp any eq domain any 30 permit tcp any any established 40 permit tcp any host 172.16.0.202 eq www 50 deny tcp any any eq 22 log (1 match) (tag = Deny_SSH) 60 deny tcp any any eq 2222 log (tag = Deny_SSH) 999 deny ip any any
ACL logging tags are great for readily identifying ACE matches, particularly when you expect certain matches to occur, but manually defining a tag for each ACE isn't always practical. This is especially true when you want to maintain syslog correlation among hundreds or thousands of individual ACL rules. In such cases, automatically generated hashes would be the preferred option. Automatic hashing is enabled globally, and applied to any ACE with the log keyword with no argument following it.
Here we enable hash generation and add a few more ACEs to our ACL:
Router(config)# ip access-list logging hash-generation Router(config)# ip access-list extended EXTERNAL->INTERNAL Router(config-ext-nacl)# 70 deny tcp any any eq 1000 log Router(config-ext-nacl)# 80 deny tcp any any eq 2000 log Router(config-ext-nacl)# 90 deny tcp any any eq 3000 log Router(config-ext-nacl)# ^Z Router# show ip access-lists Extended IP access list EXTERNAL->INTERNAL 10 permit icmp any any echo-reply 20 permit udp any eq domain any 30 permit tcp any any established 40 permit tcp any host 172.16.0.202 eq www 50 deny tcp any any eq 22 log (1 match) (tag = Deny_SSH) 60 deny tcp any any eq 2222 log (tag = Deny_SSH) 70 deny tcp any any eq 1000 log (hash = 0x594F8697) 80 deny tcp any any eq 2000 log (hash = 0xE471528C) 90 deny tcp any any eq 3000 log (hash = 0x34CC0DD6) 999 deny ip any any
As expected, a trigger by any of the ACEs with a hash appended works just as it does with tags:
%SEC-6-IPACCESSLOGP: list EXTERNAL->INTERNAL denied tcp 10.0.0.2(21196) -> 10.0.0.1(1000), 1 packet [0x594F8697]
While not immediately useful, a hash can be used to filter an ACL configuration and quickly identify the ACE responsible for an action:
Router# show ip access-lists EXTERNAL->INTERNAL | include 594F8697 70 deny tcp any any eq 1000 log (1 match) (hash = 0x594F8697)
Posted in Security
Comments
June 1, 2009 at 2:24 p.m. UTC
That is way cool and quite useful when you have a large number of ACE's in an ACL.
June 1, 2009 at 3:27 p.m. UTC
Another great post, Stretch.
I had seen the tag directive in the past but mostly just ignored it. I can see where it will be useful, though. I've also seen the hash in logs but had no clue what I was looking at. Thanks for clearing that up for me.
June 1, 2009 at 7:35 p.m. UTC
Very slick trick. I did a post some time back, in fact it was probably my second host ever, that talked about ACLs and using input-interface and so on for tweaking ACLs. I think tips like this are very cool and often overlooked.
June 3, 2009 at 4:11 p.m. UTC
Thanks, this looks really useful. I'll definitely start using this next time I need to modify my ACLs.
June 3, 2009 at 11:03 p.m. UTC
The automatic hash-generation is very interesting. If the hash is based solely upon the access list entry, that would make it easy to have a script on a central syslog server parse the syslog for the same event occuring on multiple routers.
June 5, 2009 at 1:24 p.m. UTC
hast algorithm is really a nice trick.
regards shivlu jain
June 8, 2009 at 11:22 p.m. UTC
I was really hoping this was a feature supported by 3750 switches - all the vlan ACL's I have to monitor would have been a nice touch
June 11, 2009 at 6:30 a.m. UTC
Any commands to change the behavior of that one line with log subcommmand, saying that even with that log subcommad I do not want that to be logged on the syslog (to appear on sh log)? The situation requires that because I add the log subcommand on the acl so that the packets that belongs to that interface is handled by software to avoid an IOS bug that I found.
June 20, 2009 at 3:09 a.m. UTC
Out of curiosity anyone know if this supported on ASA's Commands are not obvious if it is. Great post!
February 4, 2015 at 8:14 p.m. UTC
I've just finished writing the skeleton code in Python that performs ASA ACE to syslog correlation where the hash/cookie option has not been configured on the ASA. The historic syslogs available do not have any cookie/hash values present since the ACL's have not been configured using the "log" keyword. Is there any other way of performing log analysis and syslog to ACE correlation (where cookie/hash values have not been employed)?