topic Hi , use command "logging in Network Security

ASA 106100 Not Logging ACL activity

aaron lyon — Fri, 21 Feb 2020 13:14:14 GMT

I am attempting to forward logs from my ASA estate to a Skybox server to monitor the useage of the ACL. I have followed all of the relevent steps as defined below but there is no sign of 106100 messages in the either the sent syslog messages, ASDM log or the buffer log.

Enabled syslog;

logging enable

Defined the logging levels;

logging buffered informational
logging trap informational
logging asdm informational

Checked that the message I expect to see is classified as informational and enabled;

syslog 106100: default-level informational (enabled)

Checked that the ACL's are being hit by resetting the counters and then checking then are no longer 0

The ACL's have logging enabled with the below at the end of each ACL entry;

log informational interval 300

The logging rule for the syslog server does report errors\drops which I am not sure why when the other syslog servers don't register issues. The server is pingable from the firewall so it isn't a case of it being unreachable;

Logging to INSIDE x.x.x.x errors: 34 dropped: 232

Show logging output;

Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level informational, 124277 messages logged
    Trap logging: level informational, facility 20, 124277 messages logged
        Logging to INSIDE x.x.x.x
        Logging to INSIDE x.x.x.x errors: 37 dropped: 252
    Permit-hostdown logging: enabled
    History logging: disabled
    Mail logging: disabled
    ASDM logging: level informational, 124277 messages logged

This is a common problem across three sets of ASA firewalls running different version so it must be something that I am missing.

Any help would be gratefully received.

Hi , use command "logging

SANTHOSHKUMAR SARAVANAN — Thu, 10 Jul 2014 10:55:19 GMT

Hi ,

use command "logging message 106100"

In this case, issue the logging message 106100 command to enable the message 106100.

HTH

Sandy

Thank you for the response. I

aaron lyon — Thu, 10 Jul 2014 11:05:21 GMT

Thank you for the response. I had checked the show logging message all command and this is already enabled;

syslog 106100: default-level informational (enabled)

I ran the command anyway and it has made no difference and the traffic information is not visible in any of the logs.

Hi , Have enabled log on your

SANTHOSHKUMAR SARAVANAN — Thu, 10 Jul 2014 11:36:21 GMT

Hi ,

Have enabled log on your ACL command

If you enter the log option without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). See the following options:

•level—A severity level between 0 and 7. The default is 6.

•interval secs—The time interval in seconds between system messages, from 1 to 600. The default is 300. This value is also used as the timeout value for deleting an inactive flow.

•disable—Disables all access list logging.

•default—Enables logging to message 106023. This setting is the same as having no log option.

HTH

Sandy

Below is a snapshot of one of

aaron lyon — Thu, 10 Jul 2014 12:27:28 GMT

Below is a snapshot of one of the access-list lines, so logging is set and was added at the end of each ACL line without any further arguements;

access-list outside_cryptomap_81 line 8 extended permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.254.0 log informational interval 300 (hitcnt=408)

Can you share me logging

SANTHOSHKUMAR SARAVANAN — Thu, 10 Jul 2014 13:06:52 GMT

Can you share me logging configuration of your ASA .

HTH

Sandy

Please see below;logging

aaron lyon — Thu, 10 Jul 2014 13:46:37 GMT

Please see below;

logging enable
logging timestamp
logging buffer-size 64000
logging buffered informational
logging trap notifications
logging asdm informational
logging queue 8192
logging device-id hostname
logging host inside x.x.x.x
logging permit-hostdown
logging rate-limit 30 60 level 7

Re: Please see below;logging

arnert — Thu, 24 Aug 2017 15:21:10 GMT

I currently have the problem that message(s) 106100 can be sysloged to a server on management interface of a ASA 5525-x. Just stopped working months ago TAC can not figure it out.

Re: Please see below;logging

cshannahan — Wed, 28 Nov 2018 01:52:25 GMT

Did you ever figure this out? I'm trying to get all of my acls to log permits using 106100 but I cannot get it to work. I guess I could redo all the acls to include "log 6" or something but I would rather not.