在哪里可以找到 Cisco ASA syslog 格式描述?日志示例:
Dec 11 08:01:24 <IP> %ASA-6-302015: Built outbound UDP connection 447235 for outside:NTP_Server_2/<port> (NTP_Server_2/<port>) to identity:<IP>/<port> (<IP>/<port>)
Dec 11 08:01:24 <IP> %ASA-6-302015: Built outbound UDP connection 447235 for outside:NTP_Server_2/<port> (NTP_Server_2/<port>) to identity:<IP>/<port> (<IP>/<port>)
Dec 11 08:01:24 <IP> %ASA-4-106023: Deny udp src dmz:OCSP_Server/<port> dst outside:DNS_Server_DO/<port> by access-group "dmz" [0x123a465e, 0x4c7bf613]
Dec 11 08:01:24 <IP> %ASA-4-106023: Deny udp src dmz:OCSP_Server/<port> dst outside:DNS_Server_DO/<port> by access-group "dmz" [0x123a465e, 0x4c7bf613]
Dec 11 08:01:31 <IP> %ASA-6-302013: Built outbound TCP connection 447236 for outside:KAV_Update_Server/<port> (KAV_Update_Server/<port>) to dmz:OCSP_Server/<port> (OCSP_Server/<port>)
Dec 11 08:01:31 <IP> %ASA-6-302013: Built outbound TCP connection 447236 for outside:KAV_Update_Server/<port> (KAV_Update_Server/<port>) to dmz:OCSP_Server/<port> (OCSP_Server/<port>)
Dec 11 08:01:31 <IP> %ASA-6-302014: Teardown TCP connection 447236 for outside:KAV_Update_Server/<port> to dmz:OCSP_Server/<port> duration 0:00:00 bytes 14804 TCP FINs
Dec 11 08:01:38 <IP> %ASA-6-302014: Teardown TCP connection 447234 for outside:KAV_Update_Server/<port> to dmz:TSP_Server/<port> duration 0:01:08 bytes 134781 TCP FINs
Dec 11 08:01:38 <IP> %ASA-6-302014: Teardown TCP connection 447234 for outside:KAV_Update_Server/<port> to dmz:TSP_Server/<port> duration 0:01:08 bytes 134781 TCP FINs
Dec 11 08:01:38 <IP> %ASA-6-106015: Deny TCP (no connection) from KAV_Update_Server/<port> to TSP_Server/<port> flags RST on interface outside
Dec 11 08:01:38 <IP> %ASA-6-106015: Deny TCP (no connection) from KAV_Update_Server/<port> to TSP_Server/<port> flags RST on interface outside
Dec 11 08:01:39 <IP> %ASA-4-106023: Deny udp src dmz:TSP_Server/<port> dst outside:DNS_Server_DO/<port> by access-group "dmz" [0x123a465e, 0x8c20f21]
Dec 11 08:01:53 %ASA-4-106023: last message repeated 9 times
Dec 11 08:01:53 <IP> %ASA-6-302013: Built outbound TCP connection 447237 for outside:KAV_Update_Server/<port> (KAV_Update_Server/<port>) to dmz:TSP_Server/<port> (TSP_Server/<port>)
Dec 11 08:01:53 <IP> %ASA-6-302013: Built outbound TCP connection 447237 for outside:KAV_Update_Server/<port> (KAV_Update_Server/<port>) to dmz:TSP_Server/<port> (TSP_Server/<port>)
Dec 11 08:01:53 <IP> %ASA-6-302014: Teardown TCP connection 447237 for outside:KAV_Update_Server/<port> to dmz:TSP_Server/<port> duration 0:00:00 bytes 11420 TCP FINs
我只找到了这个文档来自思科,其中没有关于“Message_text”字段的解释。
答案1
看一下这个,例如使用 %ASA-4-106023 作为索引: http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html
错误消息 %PIX|ASA-4-106023:拒绝协议 src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_ID
解释:ACL 拒绝了一个真实的 IP 数据包。即使您没有为 ACL 启用日志选项,也会显示此消息。
建议的操作:如果消息持续来自同一源地址,则消息可能表明存在足迹或端口扫描尝试。请联系远程主机管理员。
答案2
如果你问助记符是什么,这里有一个解释这里。