CiscoNetworkingTech Tips

Cisco ASA – How To Trace A Rule Hit In The Logs

For example, you may already have your Cisco ASA output in syslog format and need to trace hits to a specific rule. The log output does not contain a simple text-based description of the rules; you need to look up the rule's hex ID on the Cisco ASA first.

This is just one way to locate which rule you are hitting on a Cisco ASA.

1 – On the ASA, right-click the rule you want to trace hits on and select “Show Log”, as shown in the image below.

2 – This will open the “Real Time Log Viewer”, which shows you the rule ID, highlighted in red in the image below.

3 – You can now search your log files for a string that matches that ID (for example 0xf63ad4a2):

%ASA-7-106100: access-list acl-Internal permitted udp Internal/172.16.209.51(54891) -> External/8.8.8.8(53) hit-cnt 1 first hit [0xf63ad4a2, 0x0]

ASA-7 – This is the logging level that has been applied to this hit (in this example it is level 7, debugging).

106100 – This is the syslog message ID – Full list here

0xf63ad4a2 – This is the hex value of the rule that you are hitting (Note: if you do not see this, ensure that you are logging at “Debugging” level).
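Once you know the rule's hex ID, searching a large syslog archive by hand gets tedious. The script below is an added example (not code from the original post) that parses %ASA-x-106100 messages, pulls out the rule ID and the hit count, and lets you filter or total hits per rule. It accepts both the "first hit" form shown above and the "N-second interval" form the ASA emits for repeat hits, and ignores any syslog prefix (timestamp, hostname) in front of "%ASA-". The sample log lines other than the one from this post, including the rule ID 0x1a2b3c4d and the 203.0.113.x addresses, are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Body of a 106100 message. Both the "first hit" form and the
# "N-second interval" form (repeat hits) are accepted. re.search() is
# used so a syslog prefix before "%ASA-" does not matter.
_MSG_106100 = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src_if>[^/]+)/(?P<src_ip>[^(]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst_ip>[^(]+)\((?P<dst_port>\d+)\) "
    r"hit-cnt (?P<hits>\d+) (?P<interval>first hit|\d+-second interval) "
    r"\[(?P<rule_id>0x[0-9a-fA-F]+), (?P<rule_id2>0x[0-9a-fA-F]+)\]"
)


@dataclass
class AclHit:
    severity: int
    acl: str
    action: str
    proto: str
    src: str          # "interface/ip:port"
    dst: str          # "interface/ip:port"
    hits: int         # value of hit-cnt
    first_hit: bool   # True for "first hit", False for an interval summary
    rule_id: str      # first hash in the brackets, lower-cased
    rule_id2: str     # second hash in the brackets, lower-cased


def parse_106100(line: str) -> Optional[AclHit]:
    """Return an AclHit for a 106100 line, or None for any other message."""
    m = _MSG_106100.search(line)
    if not m:
        return None
    return AclHit(
        severity=int(m["sev"]),
        acl=m["acl"],
        action=m["action"],
        proto=m["proto"],
        src=f"{m['src_if']}/{m['src_ip']}:{m['src_port']}",
        dst=f"{m['dst_if']}/{m['dst_ip']}:{m['dst_port']}",
        hits=int(m["hits"]),
        first_hit=(m["interval"] == "first hit"),
        rule_id=m["rule_id"].lower(),
        rule_id2=m["rule_id2"].lower(),
    )


def hits_for_rule(lines: Iterable[str], rule_id: str) -> List[AclHit]:
    """All 106100 hits whose first hash matches rule_id (case-insensitive)."""
    want = rule_id.lower()
    return [h for h in map(parse_106100, lines) if h is not None and h.rule_id == want]


def hit_counts_per_rule(lines: Iterable[str]) -> Dict[str, int]:
    """Total hit-cnt per rule ID; a quick way to see which rules are busiest."""
    totals: Counter = Counter()
    for h in map(parse_106100, lines):
        if h is not None:
            totals[h.rule_id] += h.hits
    return dict(totals)


# Constructed sample log. The first line is the one from this post; the rest
# (timestamps, hostname fw01, rule ID 0x1a2b3c4d, 203.0.113.10) are made up.
SAMPLE_LOG = [
    "%ASA-7-106100: access-list acl-Internal permitted udp Internal/172.16.209.51(54891) "
    "-> External/8.8.8.8(53) hit-cnt 1 first hit [0xf63ad4a2, 0x0]",
    "Jan 10 10:00:05 fw01 %ASA-7-106100: access-list acl-Internal permitted udp "
    "Internal/172.16.209.51(54891) -> External/8.8.8.8(53) hit-cnt 12 300-second interval "
    "[0xf63ad4a2, 0x0]",
    "Jan 10 10:00:07 fw01 %ASA-7-106100: access-list acl-Internal denied tcp "
    "Internal/172.16.209.77(40211) -> External/203.0.113.10(23) hit-cnt 1 first hit "
    "[0x1a2b3c4d, 0x0]",
    "Jan 10 10:00:09 fw01 %ASA-6-302013: Built outbound TCP connection 1234 "
    "for External:203.0.113.10/443 (203.0.113.10/443) to Internal:172.16.209.51/50000",
]

if __name__ == "__main__":
    for hit in hits_for_rule(SAMPLE_LOG, "0xf63ad4a2"):
        print(f"{hit.action} {hit.proto} {hit.src} -> {hit.dst} hit-cnt={hit.hits}")
    print(hit_counts_per_rule(SAMPLE_LOG))
```

In practice you would feed `hits_for_rule()` the lines of your syslog file (or a `grep 106100` pre-filter of it) and the ID copied from the Real Time Log Viewer; `hit_counts_per_rule()` is useful the other way round, for spotting rule IDs that are noisy before you go back to the ASA to find out which rule they belong to. Remember that 106100 is only generated at debugging level, so an empty result may simply mean the logging level is too low rather than that the rule is never hit.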



Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
