https://community.cisco.com/t5/network-security/access-list-logging-on-firewall/m-p/1867600#M460142 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Would you be looking at the logs through the ASDM Monitoring or reading them from a separate server?</P><P></P><P>Your basic ASA logging configuration could look something like this</P><P></P><P></P><P>logging on</P><P>logging timestamp</P><P>logging buffer-size <VALUE></VALUE></P><P>logging device-id hostname</P><P>logging buffered notifications</P><P>logging trap informational</P><P>logging asdm informational</P><P>logging host <NAMEIF> <IP address="" of="" server=""></IP></NAMEIF></P><P></P><P>"logging&nbsp; trap informational" would mean that your ASA would send a log message of every connection and NAT translation made through the ASA. It would also log messages when those connections and NATs are tore down. (When the connections in question are finished)</P><P></P><P>"logging asdm informational" should do the same as above but this would only apply when you have opened the Monitor/logging window in through the ASDM.</P><P></P><P>These to my knowledge dont require any separate command on the actual access-list.</P><P></P><P>I haven't used the "log" parameters in my ASA configurations but If I understood correctly this parameter would make it so that you will also see permitted connections in the ASA logs while without the "log" parameter you would only see a message when the access-list blocked some connection based on some access-list rule.</P><P></P><P>The Command Reference states the following:</P><P></P><P>(Optional) Sets logging options when a ACE matches a packet for network</P><P>access (an access list applied with the access-group command). If you enter</P><P>the log keyword without any arguments, you enable system log message</P><P>106100 at the default level (6) and for the default interval (300 seconds). If</P><P>you do not enter the log keyword, then the default system log message</P><P>106023 is generated.</P><P></P><P>Heres link to the syslog IDs mentioned above (Software 8.2)</P><P></P><P>106100: </P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769049">http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769049</A></P><P></P><P>106023:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769021">http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769021</A></P><P></P><P></P><P></P><P>- Jouni</P></BODY></HTML> Fri, 03 Feb 2012 13:53:31 GMT Jouni Forss 2012-02-03T13:53:31Z https://community.cisco.com/t5/network-security/access-list-logging-on-firewall/m-p/1867599#M460140 <P>Hi</P><P></P><P>If I permit all traffic on my firewall, will I see on the logs all this traffic going through, or would I need to add the log keyword on the end of the permit statement ?</P><P></P><P>cheers</P><P></P><P>Carl</P> Mon, 11 Mar 2019 22:23:38 GMT https://community.cisco.com/t5/network-security/access-list-logging-on-firewall/m-p/1867599#M460140 carl_townshend 2019-03-11T22:23:38Z https://community.cisco.com/t5/network-security/access-list-logging-on-firewall/m-p/1867600#M460142 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Would you be looking at the logs through the ASDM Monitoring or reading them from a separate server?</P><P></P><P>Your basic ASA logging configuration could look something like this</P><P></P><P></P><P>logging on</P><P>logging timestamp</P><P>logging buffer-size <VALUE></VALUE></P><P>logging device-id hostname</P><P>logging buffered notifications</P><P>logging trap informational</P><P>logging asdm informational</P><P>logging host <NAMEIF> <IP address="" of="" server=""></IP></NAMEIF></P><P></P><P>"logging&nbsp; trap informational" would mean that your ASA would send a log message of every connection and NAT translation made through the ASA. It would also log messages when those connections and NATs are tore down. (When the connections in question are finished)</P><P></P><P>"logging asdm informational" should do the same as above but this would only apply when you have opened the Monitor/logging window in through the ASDM.</P><P></P><P>These to my knowledge dont require any separate command on the actual access-list.</P><P></P><P>I haven't used the "log" parameters in my ASA configurations but If I understood correctly this parameter would make it so that you will also see permitted connections in the ASA logs while without the "log" parameter you would only see a message when the access-list blocked some connection based on some access-list rule.</P><P></P><P>The Command Reference states the following:</P><P></P><P>(Optional) Sets logging options when a ACE matches a packet for network</P><P>access (an access list applied with the access-group command). If you enter</P><P>the log keyword without any arguments, you enable system log message</P><P>106100 at the default level (6) and for the default interval (300 seconds). If</P><P>you do not enter the log keyword, then the default system log message</P><P>106023 is generated.</P><P></P><P>Heres link to the syslog IDs mentioned above (Software 8.2)</P><P></P><P>106100: </P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769049">http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769049</A></P><P></P><P>106023:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769021">http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769021</A></P><P></P><P></P><P></P><P>- Jouni</P></BODY></HTML> Fri, 03 Feb 2012 13:53:31 GMT https://community.cisco.com/t5/network-security/access-list-logging-on-firewall/m-p/1867600#M460142 Jouni Forss 2012-02-03T13:53:31Z