- Read Me First
- IP Access List Overview
- Creating an IP Access List and Applying It to an Interface
- Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports
- Configuring an FQDN ACL
- Refining an IP Access List
- IP Named Access Control Lists
- Commented IP Access List Entries
- Standard IP Access List Logging
- IP Access List Entry Sequence Numbering
- Configuring Lock-and-Key Security (Dynamic Access Lists)
- ACL IP Options Selective Drop
- Displaying and Clearing IP Access List Data Using ACL Manageability
- ACL Syslog Correlation
- IPv6 Access Control Lists
- IPv6 ACL Undetermined-Transport Support
- Configuring Template ACLs
- IPv6 Template ACL
- IPv4 ACL Chaining Support
- IPv6 ACL Chaining with a Common ACL
- IPv6 ACL Extensions for Hop by Hop Filtering
- Security (ACL) Enhancements
ACL Syslog Correlation
The Access Control List (ACL) Syslog Correlation feature appends a tag (either a user-defined cookie or a device-generated MD5 hash value) to access control entry (ACE) syslog entries. This tag uniquely identifies the ACE , within the ACL, that generated the syslog entry.
- Finding Feature Information
- Prerequisites for ACL Syslog Correlation
- Information About ACL Syslog Correlation
- How to Configure ACL Syslog Correlation
- Configuration Examples for ACL Syslog Correlation
- Additional References for IPv6 IOS Firewall
- Feature Information for ACL Syslog Correlation
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for ACL Syslog Correlation
Before you configure the ACL Syslog Correlation feature, you must understand the concepts in the "IP Access List Overview" module.
The ACL Syslog Correlation feature appends a user-defined cookie or a device-generated hash value to ACE messages in the syslog. These values are only appended to ACE messages when the log option is enabled for the ACE.
Information About ACL Syslog Correlation
ACL Syslog Correlation Tags
The ACL Syslog Correlation feature appends a tag (either a user-defined cookie or a device-generated MD5 hash value) to access control entry (ACE) syslog entries. This tag uniquely identifies an ACE that generated the syslog entry.
Network management software can use the tag to identify which ACE generated a specific syslog event. For example, network administrators can select an ACE rule in the network management application and can then view the corresponding syslog events for that ACE rule.
To append a tag to the syslog message, the ACE that generates the syslog event must have the log option enabled. The system appends only one type of tag (either a user-defined cookie or a device-generated MD5 hash value) to each message.
To specify a user-defined cookie tag, the user must enter the cookie value when configuring the ACE log option. The cookie must be in alpha-numeric form, it cannot be greater than 64 characters, and it cannot start with hex-decimal notation (such as 0x).
To specify a device-generated MD5 hash value tag, the hash-generation mechanism must be enabled on the device and the user must not enter a cookie value while configuring the ACE log option.
ACE Syslog Messages
When a packet is matched against an access control entry (ACE) in an ACL, the system checks whether the log option is enabled for that event. If the log option is enabled and the ACL Syslog Correlation feature is configured on the device, the system attaches the tag to the syslog message. The tag is displayed at the end of the syslog message, in addition to the standard information.
The following is a sample syslog message showing a user-defined cookie tag:
Jun 5 12:55:44.359: %SEC-6-IPACCESSLOGP: list logacl permitted tcp 192.168.16.1(38402) -> 192.168.16.2(23), 1 packet [User_permiited_ACE]
The following is a sample syslog message showing a hash value tag:
Jun 5 12:55:44.359: %SEC-6-IPACCESSLOGP: list logacl permitted tcp 192.168.16.1(38402) -> 192.168.16.2(23), 1 packet [0x723E6E12]
How to Configure ACL Syslog Correlation
- Enabling Hash Value Generation on a Device
- Disabling Hash Value Generation on a Device
- Configuring ACL Syslog Correlation Using a User-Defined Cookie
- Configuring ACL Syslog Correlation Using a Hash Value
- Changing the ACL Syslog Correlation Tag Value
Enabling Hash Value Generation on a Device
Perform this task to configure the device to generate an MD5 hash value for each log-enabled access control entry (ACE) in the system that is not configured with a user-defined cookie.
When the hash value generation setting is enabled, the system checks all existing ACEs and generates a hash value for each ACE that requires one. When the hash value generation setting is disabled, all previously generated hash values are removed from the system.
1.
enable
2.
configure
terminal
3.
ip
access-list
logging
hash-generation
4.
end
DETAILED STEPS
Disabling Hash Value Generation on a Device
Perform this task to disable hash value generation on the device. When the hash value generation setting is disabled, all previously generated hash values are removed from the system.
1.
enable
2.
configure
terminal
3.
no
ip
access-list
logging
hash-generation
4.
end
DETAILED STEPS
Configuring ACL Syslog Correlation Using a User-Defined Cookie
Perform this task to configure the ACL Syslog Correlation feature on a device for a specific access list, using a user-defined cookie as the syslog message tag.
The example in this section shows how to configure the ACL Syslog Correlation feature using a user-defined cookie for a numbered access list. However, you can configure the ACL Syslog Correlation feature using a user-defined cookie for both numbered and named access lists, and for both standard and extended access lists.
1.
enable
2.
configure
terminal
3.
access-list
access-list-number
permit
protocol
source
destination
log
word
4.
end
5.
show
ip
access-list
access-list-number
DETAILED STEPS
Examples
The following is sample output from the show ip access-list command for an access list with a user-defined cookie value.
Device# show ip access-list 101 Extended IP access list 101 30 permit tcp host 10.1.1.1 host 10.1.1.2 log (tag = UserDefinedValue)
Configuring ACL Syslog Correlation Using a Hash Value
Perform this task to configure the ACL Syslog Correlation feature on a device for a specific access list, using a device-generated hash value as the syslog message tag.
The steps in this section shows how to configure the ACL Syslog Correlation feature using a device-generated hash value for a numbered access list. However, you can configure the ACL Syslog Correlation feature using a device-generated hash value for both numbered and named access lists, and for both standard and extended access lists.
1.
enable
2.
configure
terminal
3.
ip
access-list
logging
hash-generation
4. access-list access-list-number permit protocol source destination log
5.
end
6.
show
ip
access-list
access-list-number
DETAILED STEPS
Examples
The following is sample output from the show ip access-list command for an access list with a device-generated hash value.
Device# show ip access-list 102 Extended IP access list 102 10 permit tcp host 10.1.1.1 host 10.1.1.2 log (hash = 0x7F9CF6B9)
Changing the ACL Syslog Correlation Tag Value
Perform this task to change the value of the user-defined cookie or replace a device-generated hash value with a user-defined cookie.
The steps in this section shows how to change the ACL Syslog Correlation tag value on a numbered access list. However, you can change the ACL Syslog Correlation tag value for both numbered and named access lists, and for both standard and extended access lists.
1.
enable
2. show access-list
3.
configure
terminal
4. access-list access-list-number permit protocol source destination log word
5.
end
6.
show
ip
access-list
access-list-number
DETAILED STEPS
Troubleshooting Tips
Use the debug ip access-list hash-generation command to display access list debug information. The following is an example of the debug command output:
Device# debug ip access-list hash-generation Syslog hash code generation debugging is on Device# show debug IP ACL: Syslog hash code generation debugging is on Device# no debug ip access-list hash-generation Syslog hash code generation debugging is off Device# show debug Device#
Configuration Examples for ACL Syslog Correlation
- Example: Configuring ACL Syslog Correlation Using a User-Defined Cookie
- Example: Configuring ACL Syslog Correlation using a Hash Value
- Example: Changing the ACL Syslog Correlation Tag Value
Example: Configuring ACL Syslog Correlation Using a User-Defined Cookie
The following example shows how to configure the ACL Syslog Correlation feature on a device using a user-defined cookie.
Device# Device# debug ip access-list hash-generation Syslog MD5 hash code generation debugging is on Device# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Device(config)# access-list 33 permit 10.10.10.6 log cook_33_std Device(config)# do show ip access 33 Standard IP access list 33 10 permit 10.10.10.6 log (tag = cook_33_std) Device(config)# end
Example: Configuring ACL Syslog Correlation using a Hash Value
The following examples shows how to configure the ACL Syslog Correlation feature on a device using a device-generated hash value.
Device# debug ip access-list hash-generation Syslog MD5 hash code generation debugging is on Device# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Device(config)# access-list 33 permit 10.10.10.7 log Device(config)# *Nov 7 13:51:23.615: %IPACL-HASHGEN: Hash Input: 33 standard permit 10.10.10.7 Hash Output: 0xCE87F535 Device(config)# do show ip access 33 Standard IP access list 33 10 permit 10.10.10.6 log (tag = cook_33_std) 20 permit 10.10.10.7 log (hash = 0xCE87F535)
Example: Changing the ACL Syslog Correlation Tag Value
The following example shows how to replace an existing access list user-defined cookie with a new cookie value, and how to replace a device-generated hash value with a user-defined cookie value.
Device# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Device(config)# do show ip access-list 101 Extended IP access list 101 10 permit tcp host 10.1.1.1 host 10.1.1.2 log (tag = MyCookie) 20 permit tcp any any log (hash = 0x75F078B9) Device(config)# access-list 101 permit tcp host 10.1.1.1 host 10.1.1.2 log NewUDV Device(config)# do show access-list Extended IP access list 101 10 permit tcp host 10.1.1.1 host 10.1.1.2 log (tag = NewUDV) 20 permit tcp any any log (hash = 0x75F078B9) Device(config)# access-list 101 permit tcp any any log replacehash Device(config)# do show access-list Extended IP access list 101 10 permit tcp host 10.1.1.1 host 10.1.1.2 log (tag = NewUDV) 20 permit tcp any any log (tag = replacehash)
Additional References for IPv6 IOS Firewall
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Security commands |
|
IPv6 commands |
|
IPv6 addressing and connectivity |
IPv6 Configuration Guide |
Cisco IOS IPv6 features |
Standards and RFCs
Standard/RFC |
Title |
---|---|
RFCs for IPv6 |
IPv6 RFCs |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for ACL Syslog Correlation
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.Feature Name |
Releases |
Feature Information |
---|---|---|
ACL Syslog Correlation |
Cisco IOS XE Release 3.6S |
The ACL Syslog Correlation feature appends a tag (either a user-defined cookie or a router-generated MD5 hash value) to ACE syslog entries. This tag uniquely identifies the ACE , within the ACL, that generated the syslog entry. |