topic ASA Logging Host vs ACL Logging in Network Security

ASA Logging Host vs ACL Logging

Logan Kampsnider — Tue, 12 Mar 2019 08:15:36 GMT

Hello,

We currently get all of our logging needs with our ASAs by using "logging host" command to send all firewall traffic to an event collector where we can search and correlate traffic events. I'm working to determine if there's any advantage to using the "log" command on the end of our extended access-lists in addition to this. In Cisco documentation, I'm finding that using it results in ACL hits being grouped into "flows" as opposed to separate log messages for each hit, but not really sure why else it would be used. It mentions it could increase CPU usage enabling this on an ACL, but reduces the volume of logs produced. Any thoughts on why enabling "log" on extended ACLs is useful?

Thanks,

Logging host logs all

Hozaifa Samad — Wed, 14 Sep 2016 04:47:30 GMT

Logging host logs all messages with the default buffered syslog level. This can be changed using logging buffered level command. Log parameter at the end of the access-list will always send a syslog message (permit & deny). Different access-lists have different syslog levels, so if log parameter is not configured, there's no guarantee it'll be sent to the syslog server depending on the level configured.

So to make sure I understand,

Logan Kampsnider — Wed, 14 Sep 2016 13:06:30 GMT

So to make sure I understand, using the global "logging host" command would be the same as having "log" at the end of every ACL, granted that default logging levels are used in either situation?

Not true. If the global log

Hozaifa Samad — Wed, 14 Sep 2016 14:53:53 GMT

Not true. If the global log level is higher than the ACL log level, then yes. If the global log level is lower and the ACL log is not enabled then you won't see it. You'll have to enable the ACL log. Here's a link that shows you all the log levels and their id's:

http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logsevp.html

Thanks Hozaifa. So I'm not

Logan Kampsnider — Wed, 14 Sep 2016 15:05:27 GMT

Thanks Hozaifa. So I'm not sure I conveyed my last question correctly. If default log levels are used for both global and ACL logs, which I believe is log level 6, then is there any point to using ACL logs, other than if you want to add additional logging on a per-ACL level?

Here's a default host logging, with no buffer config changes:

logging enable
logging trap informational
logging host MANAGEMENT 1.1.1.1

Here's a default ACL logging level:

access-list outside-acl permit ip host 1.1.1.1 any log

Hi again. Your ACL entry will

Hozaifa Samad — Wed, 14 Sep 2016 15:26:58 GMT

Hi again. Your ACL entry will generate syslog message 106100 which is disabled by default, so ASA won't log it until it's enabled.