10-12-2020 10:25 PM
10-16-2020 01:00 AM
Although I agree with Mohammed that you should be careful when enabling logging on so many rules, especially on the ASA, you could add the log keyword using a simple python script. First pull the ACL configuration from the ASA and save it in a file. Then run the following script to add the log keyword at the end of each entry. Be sure to change the path to where the files are located to match the actual location you have saved them to:
```python
# Read the original ACL file and add the entries into a list
def read_file():
    with open('D:\\Python\\Network Programability\\Files\\ASA_ACL.txt', 'r') as file_object:
        file_info_list = []
        for line in file_object:
            # strip the trailing newline so the log keyword lands on the same line
            file_info_list.append(line.strip())
    return file_info_list

# Loop through the newly created list adding the log keyword at the end of each
# ACL entry and write the result to a new file
with open('D:\\Python\\Network Programability\\Files\\ASA_ACL_new.txt', 'w') as write_file:
    file_object = read_file()
    for line in file_object:
        if line:  # skip blank lines, otherwise a bare "log" would be written
            write_file.write(f"{line} log\n")
```
You can obviously script the process of adding the lines back to the ASA. However, I prefer to do that part as a manual job as I can then react to any errors or issues that might pop up while adding them.
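As an added example (mine, not code from the post above), here is a version of the same idea that copes with entries the plain append would break: in an ASA extended ACE the log option sits before `time-range` and `inactive`, `remark` and `standard` entries take no log option, and an entry that already carries `log ...` should not get a second one. It also reports which entries changed so the result can be reviewed before it is pasted into the ASA. The sample ACL text is constructed for illustration; the names `OUTSIDE_IN`, `MGMT`, `BUSINESS` and the addresses are made up.

```python
from typing import List, Tuple

# Constructed sample, shaped like "show running-config access-list" output.
# One blank line is included on purpose to show it is dropped.
SAMPLE_ACL = """\
access-list OUTSIDE_IN remark Allow web to DMZ
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80 log
access-list OUTSIDE_IN extended deny ip any any log warnings interval 300
access-list OUTSIDE_IN extended permit udp any host 203.0.113.20 eq 53 time-range BUSINESS
access-list OUTSIDE_IN extended permit icmp any any inactive

access-list MGMT standard permit 192.0.2.0 255.255.255.0
"""

# Keywords that must come after the log option in an extended ACE.
TRAILING_KEYWORDS = ("time-range", "inactive")


def add_log_keyword(line: str, log_option: str = "log") -> str:
    """Return the ACE with a log option inserted, or unchanged if one does not apply.

    Only "extended" entries are touched; remark, standard and other ACL types are
    passed through as-is (assumption: those do not take the log keyword).
    """
    stripped = line.strip()
    tokens = stripped.split()
    if len(tokens) < 3 or tokens[0] != "access-list":
        return stripped
    # "show access-list" prints "access-list NAME line N extended ...";
    # the running config omits "line N". Support both forms.
    kind_idx = 4 if len(tokens) > 4 and tokens[2] == "line" else 2
    if len(tokens) <= kind_idx or tokens[kind_idx] != "extended":
        return stripped
    rest = tokens[kind_idx + 1:]
    if "log" in rest:
        return stripped  # already logs (possibly with level/interval/disable)
    for i, tok in enumerate(tokens):
        if tok in TRAILING_KEYWORDS:
            # log must precede time-range/inactive to be accepted by the parser
            return " ".join(tokens[:i] + [log_option] + tokens[i:])
    return f"{stripped} {log_option}"


def convert(config_text: str, log_option: str = "log") -> List[str]:
    """Convert every non-blank line of an ACL dump."""
    return [add_log_keyword(l, log_option) for l in config_text.splitlines() if l.strip()]


def changed_entries(config_text: str, log_option: str = "log") -> List[Tuple[str, str]]:
    """Pairs of (original, rewritten) for the entries that actually changed."""
    originals = [l.strip() for l in config_text.splitlines() if l.strip()]
    return [(o, n) for o, n in zip(originals, convert(config_text, log_option)) if o != n]


if __name__ == "__main__":
    for before, after in changed_entries(SAMPLE_ACL):
        print(f"- {before}\n+ {after}")
```

Run it against a saved `show running-config access-list` dump in place of `SAMPLE_ACL`; the `- / +` output is what you would paste back, and anything not listed was left alone deliberately (remark, standard, or already logging).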
10-13-2020 12:07 AM
The second option is reasonable. If you can do some automation, that will do the job: do this task offline and publish it to the device using a script.
10-15-2020 08:48 PM
Hi Balaji,
Thank you.
I am very new to automation. Could you please suggest any document or example article to me?
10-13-2020 01:00 AM
10-15-2020 08:56 PM
Hi Baqari,
Thank you.
Is your advice to create a new ACL that only matches the specific traffic, rather than logging all of it?
For CPU, we have a 64-core CPU Firepower appliance in place and the current load is about 5% max. Logging all ACLs is a requirement for the firewall rule analysis tool (AlgoSec), so I have to log all ACLs, so that unused or less-used ones can be revealed or caught.