{"id":998,"date":"2022-07-02T14:28:08","date_gmt":"2022-07-02T13:28:08","guid":{"rendered":"https:\/\/www.labtinker.net\/?p=998"},"modified":"2022-07-02T14:28:08","modified_gmt":"2022-07-02T13:28:08","slug":"as-easy-as-falling-of-a-log","status":"publish","type":"post","link":"http:\/\/18.135.13.153\/?p=998","title":{"rendered":"As Easy as Falling of a Log"},"content":{"rendered":"\n

I encountered one of those smallish problems where I needed to do something slightly out of the ordinary and felt the need to share it here to spare someone a precious few moments re-inventing… not so much the wheel… as the perhaps the furry dice. <\/p>\n\n\n\n

And so to the problem: I have\/had an overly permissive rule on an ASA and after putting more granular rules above this I wanted a way of logging only what was still hitting the permissive rule. Lucky the ASA in question did\/does not have syslog so the lab was to stand up a syslog server and configure an ASA to only log to the syslog server on a selected rule. (We’re not cracking the Enigma code here)<\/p>\n\n\n\n

Back with GNS3 (I’m avoiding AWS for now after accidentally leaving a Cisco FMC and FTD turned on over the bank holiday weekend… that’s $150 I’ll never see again.)<\/p>\n\n\n\n

So this is the set up:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I downloaded Kiwi Syslog server (https:\/\/www.solarwinds.com\/kiwi)<\/a> and installed it on a Windows 2012 server VM. I initially got very frustrated in this lab because I couldn’t see any logs on my syslog console (despite checking I was listening on udp 514 and Wireshark traces confirming syslog was arriving). The next paragraph is a mild rant which you may want to skip.<\/p>\n\n\n\n

This is what got me:<\/p>\n\n\n\n

In Kiwi’s Setup menu, there is this ‘Inputs’ section<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

To me this menu looks like a title ‘Inputs’ and some options beneat, but the actually the ‘title’ itself is an option… that you need to click on – and it’s therein that you define the allowed hosts. (which is 10.10.10.99: the ASA’s inside interface)<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I scoured all the options several times before this occurred to me.<\/p>\n\n\n\n

Rant over. And Kiwi \/ Solarwinds do provide the software free of charge… so beggars shouldn’t be critics (I paraphrase)<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

My approach was as follows. I have two rules – shown above. The first allows traffic from the Windows server to the ip address 8.8.8.8 (Google’s DNS) the second allows access to anywhere. I am logging on the first rule at ‘alert’ level and the second at ‘default’ level.<\/p>\n\n\n\n

First rule logging details:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Second rule logging details:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I have reduced the logging interval down from its default value of 300 seconds to 10 seconds for the purposes of the lab.<\/p>\n\n\n\n

The above looks like this from the CLI.<\/p>\n\n\n\n

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.10.10.0 255.255.255.0 object 8.8.8.8 log alerts interval 10
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 10.10.10.0 255.255.255.0 any<\/em><\/p>\n\n\n\n

And this is the relevant bit of the ASA logging config…<\/p>\n\n\n\n

ASA1# show run log
logging enable
logging timestamp
logging trap alerts <<< <\/em>send ‘alert’ level logs to syslog
logging asdm informational
logging queue 8192
logging host inside 10.10.10.12<\/em> <<< Specify the address of the syslog server (The Windows 2012 server)<\/p>\n\n\n\n

So from the Windows server if we ping 1.1.1.1 we should see nothing and yet when we ping 8.8.8.8 we should get logs.<\/p>\n\n\n\n

Pinging 1.1.1.1 (notice the cmd box artfully placed over the syslog server display)<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Not a scooby. And let’s try the same pinging 8.8.8.8<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The syslog server logs this traffic these because the ASA logs these at ‘alert’ level which is the level of logs which it’s configured to send to the syslog server.<\/p>\n","protected":false},"excerpt":{"rendered":"

I encountered one of those smallish problems where I needed to do something slightly out of the ordinary and felt the need to share it here to spare someone a precious few moments re-inventing… not so much the wheel… as the perhaps the furry dice. And so to the problem: I have\/had an overly permissive […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-998","post","type-post","status-publish","format-standard","hentry","category-firewalls"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"http:\/\/18.135.13.153\/index.php?rest_route=\/wp\/v2\/posts\/998","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/18.135.13.153\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/18.135.13.153\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/18.135.13.153\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/18.135.13.153\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=998"}],"version-history":[{"count":0,"href":"http:\/\/18.135.13.153\/index.php?rest_route=\/wp\/v2\/posts\/998\/revisions"}],"wp:attachment":[{"href":"http:\/\/18.135.13.153\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=998"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/18.135.13.153\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=998"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/18.135.13.153\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=998"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}