Worldwide [change] |Account |Register |About Cisco
Guest

Hierarchical Navigation

Cisco IOS and NX-OS Software

ACL Syslog Correlation

Downloads

Table Of Contents

ACL Syslog Correlation

Finding Feature Information

Contents

Prerequisites for ACL Syslog Correlation

Information About ACL Syslog Correlation

ACL Syslog Correlation Tags

ACE Syslog Messages

How to Configure ACL Syslog Correlation

Enabling Hash Value Generation on a Router

Examples

Disabling Hash Value Generation on a Router

Examples

Configuring ACL Syslog Correlation Using a User-Defined Cookie

Restrictions

Examples

Configuring ACL Syslog Correlation Using a Hash Value

Examples

Changing the ACL Syslog Correlation Tag Value

Troubleshooting Tips

Configuration Examples for ACL Syslog Correlation

Configuring ACL Syslog Correlation Using a User-Defined Cookie: Example

Configuring ACL Syslog Correlation using a Hash Value: Example

Changing the ACL Syslog Correlation Tag Value: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Feature Information for ACL Syslog Correlation


ACL Syslog Correlation

First Published: October 10, 2008
Last Updated: October 10, 2008

The Access Control List (ACL) Syslog Correlation feature appends a tag (either a user-defined cookie or a router-generated MD5 hash value) to access control entry (ACE) syslog entries. This tag uniquely identifies the ACE , within the ACL, that generated the syslog entry.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for ACL Syslog Correlation" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS, Catalyst OS, and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for ACL Syslog Correlation

Information About ACL Syslog Correlation

How to Configure ACL Syslog Correlation

Configuration Examples for ACL Syslog Correlation

Additional References

Feature Information for ACL Syslog Correlation

Prerequisites for ACL Syslog Correlation

Before you configure the ACL Syslog Correlation feature you should understand the concepts in the "IP Access List Overview" module.

The ACL Syslog Correlation feature appends a user-defined cookie or a router-generated hash value to ACE messages in the syslog. These values are only appended to ACE messages when the log option is enabled for the ACE.

Information About ACL Syslog Correlation

You should understand the following concepts before configuring the ACL Syslog Correlation feature:

ACL Syslog Correlation Tags

ACE Syslog Messages

ACL Syslog Correlation Tags

The ACL Syslog Correlation feature appends a tag (either a user-defined cookie or a router-generated MD5 hash value) to ACE syslog entries. This tag uniquely identifies the ACE that generated the syslog entry.

Network management software can use the tag to identify which ACE generated a specific syslog event. For example, network administrators can select an ACE rule in the network management application and can then view the corresponding syslog events for that ACE rule.

To append a tag to the syslog message, the ACE that generates the syslog event must have the log option enabled. The system appends only one type of tag (either a user-defined cookie or a router-generated MD5 hash value) to each message.

To specify a user-defined cookie tag, the user must enter the cookie value when configuring the ACE log option. The cookie must be in alpha-numeric form, it cannot be greater than 64 characters, and it cannot start with hex-decimal notation (such as 0x).

To specify a router-generated MD5 hash value tag, the hash-generation mechanism must be enabled on the router and the user must not enter a cookie value while configuring the ACE log option.

ACE Syslog Messages

When a packet is matched against an ACE in an ACL, the system checks whether the log option is enabled for that event. If the log option is enabled and the ACL Syslog Correlation feature is configured on the router, the system attaches the tag to the syslog message. The tag is displayed at the end of the syslog message, in addition to the standard information.

The following is a sample syslog message showing a user-defined cookie tag: 

Jun 5 12:55:44.359: %SEC-6-IPACCESSLOGP: list logacl permitted tcp 192.168.16.1(38402) -> 
192.168.16.2(23), 1 packet [User_permiited_ACE]

The following is a sample syslog message showing a hash value tag: 

Jun 5 12:55:44.359: %SEC-6-IPACCESSLOGP: list logacl permitted tcp 192.168.16.1(38402) -> 
192.168.16.2(23), 1 packet [0x723E6E12]

How to Configure ACL Syslog Correlation

This section includes the following tasks:

Enabling Hash Value Generation on a Router

Disabling Hash Value Generation on a Router

Configuring ACL Syslog Correlation Using a User-Defined Cookie

Configuring ACL Syslog Correlation Using a Hash Value

Changing the ACL Syslog Correlation Tag Value

Enabling Hash Value Generation on a Router

Perform this task to configure the router to generate an MD5 hash value for each log-enabled ACE in the system that is not configured with a user-defined cookie.

When the hash value generation setting is enabled, the system checks all existing ACEs and generates a hash value for each ACE that requires one. When the hash value generation setting is disabled, all previously generated hash values are removed from the system.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip access-list logging hash-generation

4. end

5. show ip access-list [access-list-number | access-list-name]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip access-list logging hash-generation

Example:

Router(config)# ip access-list logging hash-generation

Enables hash value generation on the router.

If an ACE exists that is log enabled, and requires a hash value, the router automatically generates the value and displays the value on the console.

Step 4 

end

Example:

Router(config)# end

(Optional) Exits global configuration mode and returns to privileged EXEC mode.

Step 5  

show ip access-list access-list-number

or

show ip access-list access-list-name

Example:

Router# show ip access-list 101

or

Example:

Router# show ip access-list acl

(Optional) Displays the contents of the numbered or named IP access list.

Review the output to confirm that the access list for a log-enabled ACE includes the generated hash value.

Examples

The following is sample output from the show ip access-list command when hash generation is enabled for the specified access-list. 

Router# show ip access-list 101


Extended IP access list 101

10 permit tcp any any log (hash = 0x75F078B9)


Router# show ip access-list acl


Extended IP access list acl

10 permit tcp any any log (hash = 0x3027EB26)

Disabling Hash Value Generation on a Router

Perform this task to disable hash value generation on the router. When the hash value generation setting is disabled, all previously generated hash values are removed from the system.

SUMMARY STEPS

1. enable

2. configure terminal

3. no ip access-list logging hash-generation

4. end

5. show ip access-list [access-list-number | access-list-name]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

no ip access-list logging hash-generation

Example:

Router(config)# no ip access-list logging hash-generation

Disables hash value generation on the router.

The system removes any previously created hash values from the system.

Step 4 

end

Example:

Router(config)# end

(Optional) Exits global configuration mode and returns to privileged EXEC mode.

Step 5  

show ip access-list access-list-number

or

show ip access-list access-list-name

Example:

Router# show ip access-list 101

or

Example:

Router# show ip access-list acl

(Optional) Displays the contents of the IP access list.

Review the output to confirm that the access list for a log-enabled ACE does not have a generated hash value.

Examples

The following is sample output from the show ip access-list command when hash generation is disabled and no cookie value has been specified. 

Router# show ip access-list 101


Extended IP access list 101

10 permit tcp any any log


Router# show ip access-list acl


Extended IP access list acl

10 permit tcp any any log

Configuring ACL Syslog Correlation Using a User-Defined Cookie

Perform this task to configure the ACL Syslog Correlation feature on a router for a specific access list, using a user-defined cookie as the syslog message tag.

Note The example in this section shows how to configure the ACL Syslog Correlation feature using a user-defined cookie for a numbered access list. However, you can configure the ACL Syslog Correlation feature using a user-defined cookie for both numbered and named access lists, and for both standard and extended access lists.

Restrictions

The following restrictions apply when choosing the user-defined cookie value:

The maximum number of characters is 64.

The cookie cannot start with hexadecimal notation (such as 0x).

The cookie cannot be the same as, or a subset of, the following keywords: reflect, fragment, time-range. For example, reflect and ref are not valid values. However, the cookie can start with the keywords. For example, reflectedACE and fragment_33 are valid values

The cookie must contains only alphanumeric characters.

SUMMARY STEPS

1. enable

2. configure terminal

3. access-list access-list-number permit protocol source destination log word

4. end

5. show ip access-list access-list-number

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

access-list access-list-number permit protocol source destination log word

Example:

Router(config)# access-list 101 permit tcp host 10.1.1.1 host 10.1.1.2 log UserDefinedValue

Defines an extended IP access list and a user-defined cookie value.

Enter the cookie value as the word argument.

Step 4 

end

Example:

Router(config)# end

(Optional) Exits global configuration mode and returns to privileged EXEC mode.

Step 5 

show ip access-list access-list-number

Example:

Router# show ip access-list 101

(Optional) Displays the contents of the IP access list.

Review the output to confirm that the access list includes the user-defined cookie value.

Examples

The following is sample output from the show ip access-list command for an access list with a user-defined cookie value. 

Router# show ip access-list 101


Extended IP access list 101

30 permit tcp host 10.1.1.1 host 10.1.1.2 log (tag = UserDefinedValue)

Configuring ACL Syslog Correlation Using a Hash Value

Perform this task to configure the ACL Syslog Correlation feature on a router for a specific access list, using a router-generated hash value as the syslog message tag.

Note The steps in this section shows how to configure the ACL Syslog Correlation feature using a router-generated hash value for a numbered access list. However, you can configure the ACL Syslog Correlation feature using a router-generated hash value for both numbered and named access lists, and for both standard and extended access lists.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip access-list logging hash-generation

4. access-list access-list-number permit protocol source destination log

5. end

6. show ip access-list access-list-number

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip access-list logging hash-generation

Example:

Router(config)# ip access-list logging hash-generation

Enables hash value generation on the router.

If an ACE exists that is log enabled, and requires a hash value, the router automatically generates the value and displays the value on the console.

Step 4 

access-list access-list-number permit protocol source destination log

Example:

Router(config)# access-list 102 permit tcp host 10.1.1.1 host 10.1.1.2 log

Defines an extended IP access list.

Enable the log option for the access list, but do not specify a cookie value.

The router automatically generates a hash value for the newly defined access list.

Step 5 

end

Example:

Router(config)# end

(Optional) Exits global configuration mode and returns to privileged EXEC mode.

Step 6 

show ip access-list access-list-number

Example:

Router# show ip access-list 102

(Optional) Displays the contents of the IP access list.

Review the output to confirm that the access list includes the router-generated hash value.

Examples

The following is sample output from the show ip access-list command for an access list with a router-generated hash value. 

Router# show ip access-list 102

Extended IP access list 102

10 permit tcp host 10.1.1.1 host 10.1.1.2 log (hash = 0x7F9CF6B9)

Changing the ACL Syslog Correlation Tag Value

Perform this task to change the value of the user-defined cookie or replace a router-generated hash value with a user-defined cookie.

Note The steps in this section shows how to change the ACL Syslog Correlation tag value on a numbered access list. However, you can change the ACL Syslog Correlation tag value for both numbered and named access lists, and for both standard and extended access lists.

SUMMARY STEPS

1. enable

2. show access-list

3. configure terminal

4. access-list access-list-number permit protocol source destination log word

5. end

6. show ip access-list access-list-number

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

show access-list

Example:

Router(config)# show access-list

(Optional) Displays the contents of the access list.

Step 3 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 4 

access-list access-list-number permit protocol source destination log word

Example:

Router(config)# access-list 101 permit tcp host 10.1.1.1 host 10.1.1.2 log NewUDV

OR


Router(config)# access-list 101 permit tcp any any log replacehash

Modifies the cookie or changes the hash value to a cookie.

You must enter the entire access list configuration command, replacing the previous tag value with the new tag value.

Step 5 

end

Example:

Router(config)# end

(Optional) Exits global configuration mode and returns to privileged EXEC mode.

Step 6 

show ip access-list access-list-number

Example:

Router# show ip access-list 101

(Optional) Displays the contents of the IP access list.

Review the output to confirm the changes.

Troubleshooting Tips

Use the debug ip access-list hash-generation command to display access list debug information. The following is an example of the debug command output: 

Router# debug ip access-list hash-generation

 Syslog hash code generation debugging is on

Router# show debug

IP ACL:

 Syslog hash code generation debugging is on

Router# no debug ip access-list hash-generation 

 Syslog hash code generation debugging is off

Router# show debug

Router#

Configuration Examples for ACL Syslog Correlation

This section provides the following configuration examples:

Configuring ACL Syslog Correlation Using a User-Defined Cookie: Example

Configuring ACL Syslog Correlation using a Hash Value: Example

Changing the ACL Syslog Correlation Tag Value: Example

Configuring ACL Syslog Correlation Using a User-Defined Cookie: Example

The following example shows how to configure the ACL Syslog Correlation feature on a router using a user-defined cookie. 

Router#

Router# debug ip access-list hash-generation

Syslog MD5 hash code generation debugging is on

Router# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)# access-list 33 permit 10.10.10.6 log cook_33_std

Router(config)# do show ip access 33

Standard IP access list 33

10 permit 10.10.10.6 log (tag = cook_33_std)

Router(config)# end

Router#

Configuring ACL Syslog Correlation using a Hash Value: Example

The following examples shows how to configure the ACL Syslog Correlation feature on a router using a router-generated hash value. 

Router# debug ip access-list hash-generation

Syslog MD5 hash code generation debugging is on

Router# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)# access-list 33 permit 10.10.10.7 log

Router(config)#

*Nov 7 13:51:23.615: %IPACL-HASHGEN: Hash Input: 33 standard permit 10.10.10.7

Hash Output: 0xCE87F535

Router(config)# do show ip access 33 

Standard IP access list 33

    10 permit 10.10.10.6 log (tag = cook_33_std)

    20 permit 10.10.10.7 log (hash = 0xCE87F535)

Router(config)#

Changing the ACL Syslog Correlation Tag Value: Example

The following example shows how to replace an existing access list user-defined cookie with a new cookie value, and how to replace a router-generated hash value with a user-defined cookie value. 

Router# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)# do show ip access-list 101

Extended IP access list 101

    10 permit tcp host 10.1.1.1 host 10.1.1.2 log (tag = MyCookie)

    20 permit tcp any any log (hash = 0x75F078B9)

Router(config)# access-list 101 permit tcp host 10.1.1.1 host 10.1.1.2 log NewUDV

Router(config)# do show access-list

Extended IP access list 101

    10 permit tcp host 10.1.1.1 host 10.1.1.2 log (tag = NewUDV)

    20 permit tcp any any log (hash = 0x75F078B9)

Router(config)# access-list 101 permit tcp any any log replacehash

Router(config)# do show access-list

Extended IP access list 101

    10 permit tcp host 10.1.1.1 host 10.1.1.2 log (tag = NewUDV)

    20 permit tcp any any log (tag = replacehash)

Additional References

The following sections provide references related to the ACL Syslog Correlation feature.

Related Documents

Related Topic
Document Title

Configuring and Creating ACLs

Creating an IP Access List and Applying it to an Interface

ACL commands

Cisco IOS Security Command Reference

Cisco IOS commands

Master Commands List, All Releases


Standards

Standard
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature


MIBs

MIB
MIBs Link

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFC
Title

None


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport


Feature Information for ACL Syslog Correlation

Table 1 lists the release history for this feature. For information on a feature in this technology that is not documented here, see the IP Access List Roadmap.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS, Catalyst OS, and Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.

Table 1 Feature Information for ACL Syslog Correlation 

Feature Name
Releases
Feature Information

ACL Syslog Correlation

12.4(22)T

The following commands were introduced or modified: ip access-list logging hash-generation, debug ip access-list hash-generation, access-list (IP extended), access-list (IP standard), permit, permit (Catalyst 6500 series switches), permit (IP).


CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2008 Cisco Systems, Inc. All rights reserved.