topic Re: Interface not displaying logs in Network Security

Interface not displaying logs

sgalloway — Mon, 11 Mar 2019 19:45:41 GMT

Hi,

I have a deny acl configured on my Inside Interface with Debug logging enabled and when l view the logging console within the ASDM set to debugging l do not see any entries for this acl ??

It is recieving hits on the acl but does not show any entries in the log ??

Interface Inside

ACL

172.16.4.189 any http deny debugging

Device is a Cisco ASA 5520 , ASDM 6.2(1) and ASA Version 8.2(1)

Any assistance would be greatly appreciated

Re: Interface not displaying logs

Jennifer Halim — Mon, 07 Feb 2011 06:58:26 GMT

You should be able to see syslog# 106100 in the logs and it has logging level 6 (informational):

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769049

However, even without the "log" keyword on access-list entry, it will be logged under syslog# 106023:

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769021

What logging level have you configured for ASDM logs? as you can configure different logging level for different logs, it might be the ASDM logs are not configured at logging level 6.

Also, did you modify the logging level on the actual access-list? By default, if you only have the "log" keyword at the end of the access-list, it is set to logging level 6 (information). However, if you set the value to debugging (level 7), then you would also need to enable logging level 7 for ASDM logs.

Re: Interface not displaying logs

Jennifer Halim — Mon, 07 Feb 2011 07:02:14 GMT

Oh, and also for syslog# 106100, if you don't specify the interval to generate the syslog message, by default it is every 300 seconds, so it is a possibility that you might have missed the first one.

Here is more information on the access-list with log and the interval for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1559450

Re: Interface not displaying logs

sgalloway — Mon, 07 Feb 2011 07:06:48 GMT

I have modified the logging level on the ASDM and the acl to information and

no entries are displaying ?? Only hits against the acl !!

Not to sure if its something to do with the interface itself ??

The information logs are only showing accessed url and built session logs and only this concurrent deny message of :

Deny inbound protocol 89 on the management interface to 224.0.0.5 ??

There is no other deny entries at all ??

Re: Interface not displaying logs

Jennifer Halim — Mon, 07 Feb 2011 07:10:39 GMT

Ahhh... so those are multicast deny. Are you actually running multicast routing protocol? because passing through multicast in routed mode is not supported unless the ASA is in transparent mode.

Re: Interface not displaying logs

sgalloway — Mon, 07 Feb 2011 07:21:51 GMT

yeah those multicast messages are fine.. But l just

dont know why other deny messages from within our internal network are not displaying in the logs ??

Messages that should be generated off the "inside" interface are not showing !!!

I modified the specific deny acl to a time range of 1 second but this did not generate anything ??

Re: Interface not displaying logs

Jennifer Halim — Mon, 07 Feb 2011 07:24:07 GMT

Can you please share the actual configuration line of access-list, as well as the output of "show run log". Thanks.

Re: Interface not displaying logs

sgalloway — Mon, 07 Feb 2011 07:30:40 GMT

screen shots attached !!

Even right clicking on the acl and going to "show log" does not display anything ??

Re: Interface not displaying logs

Jennifer Halim — Mon, 07 Feb 2011 07:33:38 GMT

Can you please share the CLI output as advised earlier, ie: both the ACL line as well as the output of "sh run log". Thanks.

Screenshot unfortunately does not show us the complete config.

Re: Interface not displaying logs

Jennifer Halim — Mon, 07 Feb 2011 07:34:49 GMT

And are you also continually sending HTTP traffic from 172.16.4.189 to different destinations?

Re: Interface not displaying logs

sgalloway — Mon, 07 Feb 2011 07:46:54 GMT

Hi Jennifer just left work will get this to you same time tommorrow !! Thanks for your assistance

Simon Galloway

Systems Administrator

ICT Dept , ACMI , Fedsquare

LAN - 0386632308

MOB - 0412233109

Re: Interface not displaying logs

PAUL GILBERT ARIAS — Mon, 07 Feb 2011 14:14:08 GMT

Your interface ACL should look like this:

access-l ANY deny icmp any any log informational

That example shows the sintax with the log option.

Make sure you have that at the end of the ACL and like Jennifer said it would be good to see the sh run logg and your ACLs.

Re: Interface not displaying logs

sgalloway — Mon, 07 Feb 2011 23:22:36 GMT

Here is the acl for this specific traffic that l am trying to test with

the deny rule and also below is the "sh run log" output .. Hopefully you can suggest something that will help me start viewing inside interface log messages

access-list inbound_inside line 7 extended deny tcp host 172.16.4.189 any eq www log informational interval 1

attached is the full Inside Interface ACL List with the above acl on Line 7

firewall# sh run log
logging enable
logging timestamp
logging buffered errors
logging trap warnings
logging history errors
logging asdm warnings
logging mail alerts
logging from-address firewall@acmi.net.au
logging recipient-address simon.galloway@acmi.net.au level errors
logging host inside 172.16.28.32
logging debug-trace
logging permit-hostdown
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020

Re: Interface not displaying logs

sgalloway — Mon, 07 Feb 2011 23:24:29 GMT

Also a note on my previous post the Sh run log output in the ASDM currently says warnings but l have been testing my modifying this to informational with no luck !!!

Re: Interface not displaying logs

Jennifer Halim — Mon, 07 Feb 2011 23:29:04 GMT

Thanks for the output, that explains why it is not showing you.

You have the following command to disable syslog# 106100 which is what you are after:

no logging message 106100

To reenable logging of syslog# 106100:

logging message 106100

Secondly, your ASDM is only configured with "warnings" (level 4) syslog, while your access-list log is logged under "informational" (level 6), that's why it's not showing up as well. Please modify the logging level for your ASDM to level 6 (informational) as follows:

logging asdm informational

Hope that helps.

Re: Interface not displaying logs

sgalloway — Mon, 07 Feb 2011 23:31:02 GMT

Hi,

I think l have resolved this by the output of the sh run log which was displaying what logs were disabled !! I will enabled the ones you requested and let you know if this has resolved it !!