Security Configuration Guide: Access Control Lists, Cisco IOS XE Release 3S
ACL Syslog Correlation
Downloads: This chapterpdf (PDF - 1.36MB) The complete bookPDF (PDF - 3.52MB) | The complete bookePub (ePub - 469.0KB) | Feedback

ACL Syslog Correlation

Contents

ACL Syslog Correlation

The Access Control List (ACL) Syslog Correlation feature appends a tag (either a user-defined cookie or a device-generated MD5 hash value) to access control entry (ACE) syslog entries. This tag uniquely identifies the ACE , within the ACL, that generated the syslog entry.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for ACL Syslog Correlation

Before you configure the ACL Syslog Correlation feature, you must understand the concepts in the "IP Access List Overview" module.

The ACL Syslog Correlation feature appends a user-defined cookie or a device-generated hash value to ACE messages in the syslog. These values are only appended to ACE messages when the log option is enabled for the ACE.

Information About ACL Syslog Correlation

ACL Syslog Correlation Tags

The ACL Syslog Correlation feature appends a tag (either a user-defined cookie or a device-generated MD5 hash value) to access control entry (ACE) syslog entries. This tag uniquely identifies an ACE that generated the syslog entry.

Network management software can use the tag to identify which ACE generated a specific syslog event. For example, network administrators can select an ACE rule in the network management application and can then view the corresponding syslog events for that ACE rule.

To append a tag to the syslog message, the ACE that generates the syslog event must have the log option enabled. The system appends only one type of tag (either a user-defined cookie or a device-generated MD5 hash value) to each message.

To specify a user-defined cookie tag, the user must enter the cookie value when configuring the ACE log option. The cookie must be in alpha-numeric form, it cannot be greater than 64 characters, and it cannot start with hex-decimal notation (such as 0x).

To specify a device-generated MD5 hash value tag, the hash-generation mechanism must be enabled on the device and the user must not enter a cookie value while configuring the ACE log option.

ACE Syslog Messages

When a packet is matched against an access control entry (ACE) in an ACL, the system checks whether the log option is enabled for that event. If the log option is enabled and the ACL Syslog Correlation feature is configured on the device, the system attaches the tag to the syslog message. The tag is displayed at the end of the syslog message, in addition to the standard information.

The following is a sample syslog message showing a user-defined cookie tag:

Jun 5 12:55:44.359: %SEC-6-IPACCESSLOGP: list logacl permitted tcp 192.168.16.1(38402) -> 192.168.16.2(23), 1 packet [User_permiited_ACE]

The following is a sample syslog message showing a hash value tag:

Jun 5 12:55:44.359: %SEC-6-IPACCESSLOGP: list logacl permitted tcp 192.168.16.1(38402) -> 192.168.16.2(23), 1 packet [0x723E6E12]

How to Configure ACL Syslog Correlation

Enabling Hash Value Generation on a Device

Perform this task to configure the device to generate an MD5 hash value for each log-enabled access control entry (ACE) in the system that is not configured with a user-defined cookie.

When the hash value generation setting is enabled, the system checks all existing ACEs and generates a hash value for each ACE that requires one. When the hash value generation setting is disabled, all previously generated hash values are removed from the system.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    ip access-list logging hash-generation

    4.    end

    5.    Do one of the following:

    • show ip access-list access-list-number
    • show ip access-list access-list-name


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 ip access-list logging hash-generation


    Example:
    Device(config)# ip access-list logging hash-generation
     

    Enables hash value generation on the device.

    • If an ACE exists that is log enabled, and requires a hash value, the device automatically generates the value and displays the value on the console.
     
    Step 4 end


    Example:
    Device(config)# end
     

    (Optional) Exits global configuration mode and returns to privileged EXEC mode.

     
    Step 5Do one of the following:
    • show ip access-list access-list-number
    • show ip access-list access-list-name


    Example:
    Device# show ip access-list 101


    Example:
    Device# show ip access-list acl
     

    (Optional) Displays the contents of the numbered or named IP access list.

    • Review the output to confirm that the access list for a log-enabled ACE includes the generated hash value.
     

    Disabling Hash Value Generation on a Device

    Perform this task to disable hash value generation on the device. When the hash value generation setting is disabled, all previously generated hash values are removed from the system.

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    no ip access-list logging hash-generation

      4.    end

      5.    Do one of the following:

      • show ip access-list access-list-number
      • show ip access-list access-list-name


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3 no ip access-list logging hash-generation


      Example:
      Device(config)# no ip access-list logging hash-generation
       

      Disables hash value generation on the device.

      • The system removes any previously created hash values from the system.
       
      Step 4 end


      Example:
      Device(config)# end
       

      (Optional) Exits global configuration mode and returns to privileged EXEC mode.

       
      Step 5Do one of the following:
      • show ip access-list access-list-number
      • show ip access-list access-list-name


      Example:
      Device# show ip access-list 101


      Example:
      Device# show ip access-list acl
       

      (Optional) Displays the contents of the IP access list.

      • Review the output to confirm that the access list for a log-enabled ACE does not have a generated hash value.
       

      Configuring ACL Syslog Correlation Using a User-Defined Cookie

      Perform this task to configure the ACL Syslog Correlation feature on a device for a specific access list, using a user-defined cookie as the syslog message tag.

      The example in this section shows how to configure the ACL Syslog Correlation feature using a user-defined cookie for a numbered access list. However, you can configure the ACL Syslog Correlation feature using a user-defined cookie for both numbered and named access lists, and for both standard and extended access lists.


      Note


      The following restrictions apply when choosing the user-defined cookie value:

      • The maximum number of characters is 64.
      • The cookie cannot start with hexadecimal notation (such as 0x).
      • The cookie cannot be the same as, or a subset of, the following keywords: reflect, fragment, time-range. For example, reflect and ref are not valid values. However, the cookie can start with the keywords. For example, reflectedACE and fragment_33 are valid values
      • The cookie must contains only alphanumeric characters.
      >
      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    access-list access-list-number permit protocol source destination log word

        4.    end

        5.    show ip access-list access-list-number


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example:
        Device> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.
         
        Step 2 configure terminal


        Example:
        Device# configure terminal
         

        Enters global configuration mode.

         
        Step 3 access-list access-list-number permit protocol source destination log word


        Example:
        Device(config)# access-list 101 permit tcp host 10.1.1.1 host 10.1.1.2 log UserDefinedValue
         

        Defines an extended IP access list and a user-defined cookie value.

        • Enter the cookie value as the wordargument.
         
        Step 4 end


        Example:
        Device(config)# end
         

        (Optional) Exits global configuration mode and returns to privileged EXEC mode.

         
        Step 5 show ip access-list access-list-number


        Example:
        Device# show ip access-list 101
         

        (Optional) Displays the contents of the IP access list.

        • Review the output to confirm that the access list includes the user-defined cookie value.
         

        Examples

        The following is sample output from the show ip access-list command for an access list with a user-defined cookie value.

        Device# show ip access-list 
        101
        Extended IP access list 101
        30 permit tcp host 10.1.1.1 host 10.1.1.2 log (tag = UserDefinedValue)

        Configuring ACL Syslog Correlation Using a Hash Value

        Perform this task to configure the ACL Syslog Correlation feature on a device for a specific access list, using a device-generated hash value as the syslog message tag.

        The steps in this section shows how to configure the ACL Syslog Correlation feature using a device-generated hash value for a numbered access list. However, you can configure the ACL Syslog Correlation feature using a device-generated hash value for both numbered and named access lists, and for both standard and extended access lists.

        SUMMARY STEPS

          1.    enable

          2.    configure terminal

          3.    ip access-list logging hash-generation

          4.    access-list access-list-number permit protocol source destination log

          5.    end

          6.    show ip access-list access-list-number


        DETAILED STEPS
           Command or ActionPurpose
          Step 1 enable


          Example:
          Device> enable
           

          Enables privileged EXEC mode.

          • Enter your password if prompted.
           
          Step 2 configure terminal


          Example:
          Device# configure terminal
           

          Enters global configuration mode.

           
          Step 3 ip access-list logging hash-generation


          Example:
          Device(config)# ip access-list logging hash-generation
           

          Enables hash value generation on the device.

          • If an ACE exists that is log enabled, and requires a hash value, the device automatically generates the value and displays the value on the console.
           
          Step 4 access-list access-list-number permit protocol source destination log

          Example:
          Device(config)# access-list 102 permit tcp host 10.1.1.1 host 10.1.1.2 log 
           

          Defines an extended IP access list.

          • Enable the log option for the access list, but do not specify a cookie value.
          • The device automatically generates a hash value for the newly defined access list.
           
          Step 5 end


          Example:
          Device(config)# end
           

          (Optional) Exits global configuration mode and returns to privileged EXEC mode.

           
          Step 6 show ip access-list access-list-number


          Example:
          Device# show ip access-list 102
           

          (Optional) Displays the contents of the IP access list.

          • Review the output to confirm that the access list includes the router-generated hash value.
           

          Examples

          The following is sample output from the show ip access-list command for an access list with a device-generated hash value.

          Device# show ip access-list 
          102
          Extended IP access list 102
          10 permit tcp host 10.1.1.1 host 10.1.1.2 log (hash = 0x7F9CF6B9)

          Changing the ACL Syslog Correlation Tag Value

          Perform this task to change the value of the user-defined cookie or replace a device-generated hash value with a user-defined cookie.

          The steps in this section shows how to change the ACL Syslog Correlation tag value on a numbered access list. However, you can change the ACL Syslog Correlation tag value for both numbered and named access lists, and for both standard and extended access lists.

          SUMMARY STEPS

            1.    enable

            2.    show access-list

            3.    configure terminal

            4.    access-list access-list-number permit protocol source destination log word

            5.    end

            6.    show ip access-list access-list-number


          DETAILED STEPS
             Command or ActionPurpose
            Step 1 enable


            Example:
            Device> enable
             

            Enables privileged EXEC mode.

            • Enter your password if prompted.
             
            Step 2 show access-list

            Example:
            Device(config)# show access-list
             

            (Optional) Displays the contents of the access list.

             
            Step 3 configure terminal


            Example:
            Device# configure terminal
             

            Enters global configuration mode.

             
            Step 4 access-list access-list-number permit protocol source destination log word

            Example:
            Device(config)# access-list 101 permit tcp host 10.1.1.1 host 10.1.1.2 log NewUDV 


            Example:
            OR


            Example:
            
            
                    


            Example:
            Device(config)# access-list 101 permit tcp any any log replacehash
             

            Modifies the cookie or changes the hash value to a cookie.

            • You must enter the entire access list configuration command, replacing the previous tag value with the new tag value.
             
            Step 5 end


            Example:
            Device(config)# end
             

            (Optional) Exits global configuration mode and returns to privileged EXEC mode.

             
            Step 6 show ip access-list access-list-number


            Example:
            Device# show ip access-list 101
             

            (Optional) Displays the contents of the IP access list.

            • Review the output to confirm the changes.
             

            Troubleshooting Tips

            Use the debug ip access-list hash-generation command to display access list debug information. The following is an example of the debug command output:

            Device# debug ip access-list hash-generation
             Syslog hash code generation debugging is on
            Device# show debug
            IP ACL:
             Syslog hash code generation debugging is on
            Device# no debug ip access-list hash-generation
             
             Syslog hash code generation debugging is off
            Device# show debug
            Device#

            Configuration Examples for ACL Syslog Correlation

            Example: Configuring ACL Syslog Correlation Using a User-Defined Cookie

            The following example shows how to configure the ACL Syslog Correlation feature on a device using a user-defined cookie.

            Device#
            Device# debug ip access-list hash-generation
            Syslog MD5 hash code generation debugging is on
            Device# configure terminal
            Enter configuration commands, one per line. End with CNTL/Z.
            Device(config)# access-list 33 permit 10.10.10.6 log cook_33_std
            Device(config)# do show ip access 33
            Standard IP access list 33
            10 permit 10.10.10.6 log (tag = cook_33_std)
            Device(config)# end
            

            Example: Configuring ACL Syslog Correlation using a Hash Value

            The following examples shows how to configure the ACL Syslog Correlation feature on a device using a device-generated hash value.

            Device# debug ip access-list hash-generation
            Syslog MD5 hash code generation debugging is on
            Device# configure terminal
            Enter configuration commands, one per line. End with CNTL/Z.
            Device(config)# access-list 33 permit 10.10.10.7 log
            Device(config)#
            *Nov 7 13:51:23.615: %IPACL-HASHGEN: Hash Input: 33 standard permit 10.10.10.7
            Hash Output: 0xCE87F535
            Device(config)# 
            do show ip access 33
             
            Standard IP access list 33
                10 permit 10.10.10.6 log (tag = cook_33_std)
                20 permit 10.10.10.7 log (hash = 0xCE87F535)
            

            Example: Changing the ACL Syslog Correlation Tag Value

            The following example shows how to replace an existing access list user-defined cookie with a new cookie value, and how to replace a device-generated hash value with a user-defined cookie value.

            Device# configure terminal
            Enter configuration commands, one per line. End with CNTL/Z.
            Device(config)# do show ip access-list 101
            Extended IP access list 101
                10 permit tcp host 10.1.1.1 host 10.1.1.2 log (tag = MyCookie)
                20 permit tcp any any log (hash = 0x75F078B9)
            Device(config)# access-list 101 permit tcp host 10.1.1.1 host 10.1.1.2 log NewUDV
            Device(config)# do show access-list
            Extended IP access list 101
                10 permit tcp host 10.1.1.1 host 10.1.1.2 log (tag = NewUDV)
                20 permit tcp any any log (hash = 0x75F078B9)
            Device(config)# access-list 101 permit tcp any any log replacehash
            Device(config)# do show access-list
            Extended IP access list 101
                10 permit tcp host 10.1.1.1 host 10.1.1.2 log (tag = NewUDV)
                20 permit tcp any any log (tag = replacehash)

            Additional References for IPv6 IOS Firewall

            Standards and RFCs

            Standard/RFC

            Title

            RFCs for IPv6

            IPv6 RFCs

            Technical Assistance

            Description

            Link

            The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

            http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

            Feature Information for ACL Syslog Correlation

            The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

            Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

            Table 1 Feature Information for ACL Syslog Correlation

            Feature Name

            Releases

            Feature Information

            ACL Syslog Correlation

            Cisco IOS XE Release 3.6S

            The ACL Syslog Correlation feature appends a tag (either a user-defined cookie or a router-generated MD5 hash value) to ACE syslog entries. This tag uniquely identifies the ACE , within the ACL, that generated the syslog entry.