ASA syslog parsing…

The ASA syslog format can be a bit of a pain to parse, especially when you want a concise list of the access a host has been granted or denied through the firewall. The original log format (a message ID 106100 access-list hit) looks like this:

00:00:00 local4.info %ASA-6-106100: access-list inside permitted tcp Inside/10.1.1.1(1024) -> Outside/10.2.2.42(80) hit-cnt 1 first hit [0x62c4905, 0x0]

Let's clean this up a bit with the following command. For this example we only care about traffic permitted by the access-list named "inside" (the one applied to the inside interface):

$ grep 'access-list inside permitted' <SYSLOG FILE>.log | sed -e 's/\// /g' | sed -e 's/(.*>//' | awk '{print $7,$8,$9,$10,$11}'

The first sed turns the interface/address separator into a space, the second strips everything from the first "(" up to the "->" (the ephemeral source port and the arrow), and awk keeps only the protocol, interfaces and addresses. This will result in the following:

tcp Inside 10.1.1.1 Outside 10.2.2.42(80)

Obviously you would be left with a few thousand entries like the one above, so add a unique sort with a count to the mix and clean things up. The whole thing will look like this:

$ grep 'access-list inside permitted' <SYSLOG FILE>.log | sed -e 's/\// /g' | sed -e 's/(.*>//' | awk '{print $7,$8,$9,$10,$11}' | sort | uniq -c | sort -nr

One caveat: the awk field numbers assume the two-field syslog header shown above (timestamp and facility). A file whose lines carry a hostname, a full date, or any other prefix shifts every field and the $7..$11 indexes will point at the wrong tokens, so check the first line of output against the raw log before trusting the counts.
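As an added example (not from the original post), here is the same summary written as a shell function that locates the %ASA-6-106100: token instead of relying on fixed awk field positions, so it works whether or not the syslog header carries a hostname, and it takes the access-list name and action (permitted or denied) as arguments. The log lines, the hostname "fw01", and the addresses are constructed sample data for the demonstration.

```shell
#!/bin/sh
# Added example: summarize ASA 106100 access-list hits into unique
# (action, proto, src_if src_ip, dst_if dst_ip(port)) tuples with hit counts.
# The sample below is constructed; the header format (date + hostname) differs
# from the post's two-field header on purpose, to show the parse is position-independent.
SAMPLE_LOG='Mar  1 00:00:00 fw01 %ASA-6-106100: access-list inside permitted tcp Inside/10.1.1.1(1024) -> Outside/10.2.2.42(80) hit-cnt 1 first hit [0x62c4905, 0x0]
Mar  1 00:00:01 fw01 %ASA-6-106100: access-list inside permitted tcp Inside/10.1.1.1(1025) -> Outside/10.2.2.42(80) hit-cnt 1 first hit [0x62c4905, 0x0]
Mar  1 00:00:02 fw01 %ASA-6-106100: access-list inside denied udp Inside/10.1.1.7(5353) -> Outside/10.2.2.9(53) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]
Mar  1 00:00:03 fw01 %ASA-6-106100: access-list outside permitted tcp Outside/10.2.2.42(4433) -> Inside/10.1.1.1(443) hit-cnt 1 first hit [0x62c4905, 0x0]'

# asa_acl_summary ACL [ACTION] < logfile
# Prints "count action proto src_if src_ip dst_if dst_ip(port)", most frequent first.
# ACTION is "permitted" or "denied"; leave it empty to report both.
asa_acl_summary() {
  awk -v acl="$1" -v action="$2" '
    {
      # Find the message ID token so any number of leading header fields is tolerated.
      for (i = 1; i <= NF; i++) if ($i == "%ASA-6-106100:") break
      if (i > NF) next
      # Layout after the token:
      #   access-list <acl> <action> <proto> <src_if>/<src>(<sport>) -> <dst_if>/<dst>(<dport>)
      if ($(i+2) != acl) next
      if (action != "" && $(i+3) != action) next
      proto = $(i+4); src = $(i+5); dst = $(i+7)
      # Drop the ephemeral source port; keep the destination port, as in the post.
      sub(/\(.*\)$/, "", src)
      gsub("/", " ", src); gsub("/", " ", dst)
      print $(i+3), proto, src, dst
    }' | sort | uniq -c | sort -nr | sed 's/^ *//'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | asa_acl_summary inside permitted
printf '%s\n' "$SAMPLE_LOG" | asa_acl_summary inside
```

Run it against a real file with `asa_acl_summary inside permitted < asa.log`. Because the match key is the message ID rather than a column number, the function also handles the post's own two-field header unchanged.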
