topic Changing syslog message 106100 severity level in Network Security

Changing syslog message 106100 severity level

karlchatterton — Mon, 11 Mar 2019 22:38:35 GMT

Hi,

I'm fine tuning some of our ASA logging config, and am having an issue with one particular syslog ID.

The message is:

syslog 106100: default-level informational (enabled)

and the log settings are:

Syslog logging: enabled

Facility: 20

Timestamp logging: enabled

Standby logging: disabled

Debug-trace logging: disabled

Console logging: level errors, 2389314 messages logged

Monitor logging: disabled

Buffer logging: level notifications, 100889 messages logged

Trap logging: level informational, facility 20, 1080679 messages logged

Logging to 10.1.1.1 errors: 1 dropped: 2

History logging: level warnings, 83057 messages logged

Device ID: disabled

Mail logging: disabled

ASDM logging: level informational, 2571771 messages logged

This ACE log entry is generated by explicit deny any any statements at the end of all the ACLs, e.g.

access-list inside_access_in extended deny ip any any log interval 600

Based on the config, I would expect to see this being logged to the syslog server, but not to the local buffer, but am still seeing them locally in the buffer:

Feb 22 2012 10:58:20: %ASA-4-106100: access-list inside_access_in denied udp INSIDE/HOSTABC(52629) -> OUTSIDE/HOSTXXX(162) hit-cnt 5 300-second interval [0x3baecf1e, 0x0]

It also still shows these as level "warning", %ASA-4-106100, instead of the default %ASA-6-106100

I've tried removing and re-applying the config at different levels but it still reports in the buffer log as level "warning", %ASA-4-106100

This also doesnt affect every 106100 log that is generated. Most messages are generated at the correct level 6 severity but some seem to randomly log at level 4. There doesn't seem to be any pattern to this. The same access-list line can produce severity level 4 and 6 106100 messages.

Any ideas?

Thanks

Karl

Re: Changing syslog message 106100 severity level

begomez — Thu, 11 Oct 2012 03:10:22 GMT

Hey Karl,

Came across your post, when looking up my own ACL specific logging wasn't working at all. Found out I was hitting a bug - CSCsz73284. Upgraded any I got many, many 106100 logs at the "error" level.

Not sure if this is still relevant for you, or if you have found your answer yet, but it could be that you've got some particular access-list entry in the config that is getting hit, where the "log warnings" is configured at the end like this:

access-list extended deny log warnings

The log level for 106100 can differ depending on the log level of a particular access-list entry, and it cannot be changed globally. e.g.

ASA(config)# logging message 106100 level errors

INFO: Please use the access-list command to change the severity level of this syslog

ASA(config)#

Regards,

Ben

Changing syslog message 106100 severity level

nkarthikeyan — Thu, 11 Oct 2012 07:51:30 GMT

Hi Karl,

I do see a small difference in those 2 different level of errors %ASA-4-106100 & %ASA-6-106100. In this level 4 is generated by ASA and Level 6 is triggered for Syslogging.

So which ever ACL you have pointed with log is triggered with level 6 & wherevr you have the plain deny rule will have the logs triggered with level 4.

For %ASA-6-106100

================

http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279924

%ASA-4-106100

=============

http://www.cisco.com/en/US/docs/security/asa/asa83/system/message/logmsgs.html#wp4769049

Please do rate if the given information helps.

Karthik