https://community.cisco.com/t5/network-security/logging-for-a-specific-acl-line/m-p/2660251#M196895 <P>Hello, I'm currently evaluating rules on ASA.</P><P>There are some rules applied, but some of the traffic does not match those rules. I created a rule allowing everything and I need to see what traffic is hitting this especific rule on line 3.</P><P>Example:<BR />access-list OUTSIDE_IN line 1 extended permit tcp 10.1.16.0 255.255.255.0 10.153.224.0 255.255.240.0 eq 88<BR />access-list OUTSIDE_IN line 2 extended permit udp 10.1.16.0 255.255.255.0 10.153.224.0 255.255.240.0 eq domain<BR />access-list OUTSIDE_IN line 3 extended permit ip 10.1.16.0 255.255.255.0 10.153.224.0 255.255.240.0 log informational</P><P>When I enable log, I see all the traffic, not the only one I wanted. There's a way to see only traffic coming on line 3?</P><P>Regards</P> Tue, 12 Mar 2019 05:32:02 GMT marcos.sousa7 2019-03-12T05:32:02Z https://community.cisco.com/t5/network-security/logging-for-a-specific-acl-line/m-p/2660251#M196895 <P>Hello, I'm currently evaluating rules on ASA.</P><P>There are some rules applied, but some of the traffic does not match those rules. I created a rule allowing everything and I need to see what traffic is hitting this especific rule on line 3.</P><P>Example:<BR />access-list OUTSIDE_IN line 1 extended permit tcp 10.1.16.0 255.255.255.0 10.153.224.0 255.255.240.0 eq 88<BR />access-list OUTSIDE_IN line 2 extended permit udp 10.1.16.0 255.255.255.0 10.153.224.0 255.255.240.0 eq domain<BR />access-list OUTSIDE_IN line 3 extended permit ip 10.1.16.0 255.255.255.0 10.153.224.0 255.255.240.0 log informational</P><P>When I enable log, I see all the traffic, not the only one I wanted. There's a way to see only traffic coming on line 3?</P><P>Regards</P> Tue, 12 Mar 2019 05:32:02 GMT https://community.cisco.com/t5/network-security/logging-for-a-specific-acl-line/m-p/2660251#M196895 marcos.sousa7 2019-03-12T05:32:02Z https://community.cisco.com/t5/network-security/logging-for-a-specific-acl-line/m-p/2660252#M196896 <P>Hi Marcos,</P> <P>You see all traffic because for lines for which no "log" keyword at ACL line end is added, it will still be logged, see:</P> <P><A href="http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/command/ref/refgd/a1.html#wp1564948">http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/command/ref/refgd/a1.html#wp1564948</A></P> <P><EM>... If you enter the <B class="cBold">log</B> keyword without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). <U>If you do not enter the <B class="cBold">log</B> keyword</U>, then the default system log message 106023 is generated...</EM></P> <P>So what you can do is instead of "log informatioanl", put "log warnings" to log this ACL line 3 at syslog level 4 (warnings), and in addition to that decrease logging level that is visible for the method how you monitor logs, for example some of following lines (depending whether you monitor logs at syslog server, terminal, or from local buffer (show logg command):</P> <PRE> hostname(config)# <B class="cBold">logging trap warnings</B></PRE> <DIV class="pEx1_Example1"> <PRE> hostname(config)# <B class="cBold">logging enable </B></PRE> </DIV> <DIV class="pEx1_Example1"> <PRE> hostname(config)# <B class="cBold">logging monitor warnings</B></PRE> </DIV> <DIV class="pEx1_Example1"> <PRE> hostname(config)# <B class="cCN_CmdName">terminal monitor </B></PRE> </DIV> <PRE> hostname(config)# <B class="cBold">logging buffered warnings</B></PRE> <P>Also, before any significant changes to ASA configuration, migrations, software upgrades, etc., I always recommend testing the configuration with fw123test:</P> <P><A href="http://www.networksea.com/fw123test/">http://www.networksea.com/fw123test/</A></P> <P>BR,</P> <P>Milan</P> Sun, 22 Feb 2015 18:12:53 GMT https://community.cisco.com/t5/network-security/logging-for-a-specific-acl-line/m-p/2660252#M196896 Milan Mesic 2015-02-22T18:12:53Z