05-23-2012 09:27 AM - edited 03-11-2019 04:10 PM
Hi
What is the use of adding the keyword log disable at the end of an ACL in Cisco ASA? It doesn't stop producing logs. So putting log disable at the end of the ACL and not putting anything is the same thing. Can anyone tell me for what reason it is there?
05-23-2012 09:43 AM
Hi Samarjit,
When you enable the log option after an ACL, it would generate logs for all the traffic which is being processed by that particular ACL, so you would know what IPs are hitting that ACL.
Try this:
put the log enable option after an ACL in your config, for example:
access-list outside_access_in permit ip any host 1.1.1.1 log interval 1
and then go to the ASDM:
Right-click on the access-list, select the Show Log option, and the ASDM real-time log window would appear; you would see the logs in that window.
Hope this was useful
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-23-2012 10:40 AM
Hi Varun
Thanks for your reply. I am not looking for the log enable option, rather I am looking for the log disable option. I want to stop some informational logs from being sent to syslog. At the end of the ACL I included the log disable option, but it doesn't stop the log from being generated. I don't know what the purpose of the log disable option is. Please share if you have some good findings on this option.
05-23-2012 10:46 AM
Hi samarjit,
One idea that you can try: every log has a syslog ID associated with it. Let's say you see a lot of logs with ID 106023 and don't want them; then on the ASA, suppress this log by:
no logging message 106023
The ASA will not generate this log.
Or increase your logging level from informational to something higher like warning.
This would help you;
https://supportforums.cisco.com/docs/DOC-18813
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-23-2012 09:25 PM
Hi Varun
Blocking a particular syslog ID doesn't solve my issue. What I am trying to do is, I want to block log messages from zone A to zone B, whereas I am looking forward to seeing logs from zone B to zone A.
Thanks,
Samar
05-23-2012 11:34 PM
Hello,
It should stop sending the log notifications for that particular ACE.
Can you share the running configuration, what version you are running and the log you are getting?
Regards,
Rate all the helpful posts
07-17-2012 04:28 PM
Hello,
Same problem here: I simply disabled logging for some rules in ASDM and this had no effect at all on syslog messages. Then I tried in the CLI by adding "log disable" at the end of some "access-list" lines, which didn't work either.
Problem occurs on:
- ASA5520 active/passive cluster
- ASA5550 active/active multicontext cluster
ASA 8.0(4) / ASDM 6.1(3) for both clusters
Can't share the whole running config here, please let me know if you need more information to solve this issue...
Regards,
Vincent
07-22-2012 01:37 AM
Hi Bro
I tried this in my lab earlier, and I really don't see the problem at all. My Cisco ASA FW is running on v8.0.2 and I've no problems with "log disable". It works like a charm for me :-)
ROBMYHQINT-FW01# show run access-list inside
access-list inside extended permit icmp any any log disable
access-list inside extended deny ip any any
Perhaps either your software code has a bug or you're doing this test wrongly. Could you kindly paste your latest show run access-list here? If you think your configuration is good, try upgrading to a higher version.
08-02-2013 03:46 PM
I have been having this problem and have been trying different combinations to try to trace the problem.
"log disable" just did not stop logs being sent to my syslog server.
The change was done in ASDM, but I checked that "log disable" was there in the config file that I downloaded.
Any idea!
Thanks
Sent from Cisco Technical Support iPhone App
08-02-2013 03:52 PM
Hi,
To my understanding, if you have "permit" rules then these won't generate any log by default. Normally the ASA generates logs about connections that are denied by an ACL.
Are we talking about a "deny" or a "permit" rule?
- Jouni
08-02-2013 04:19 PM
Based on what I have seen so far, ASA/PIX sends logs based on the severity level. For example, if you set logging trap informational, you will see both deny and permit traffic event messages.
Sent from Cisco Technical Support iPhone App
08-02-2013 07:09 PM
Hi,
This must be something related to the software, since from what I can tell the 8.x series software only sends log messages for denied connections hitting an interface ACL (or connections blocked for other reasons).
Setting the logging level to Notifications is enough to view these log messages.
Changing the logging level to Informational should not make the ASA send messages regarding permitted ACL hits. It would however still send the denied connections that hit ACL rules.
It should start logging connection Build and Teardown messages, not ACL messages. It will also start logging Build and Teardown messages for NAT.
I would be interested in seeing an example ACL line which is set disabled in your configuration and a corresponding log message you see generated that isn't supposed to be generated.
It is naturally possible that it's also some software bug that you are facing.
- Jouni
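A small added example, not from any poster in this thread, that helps with the diagnosis Jouni asks for above and with the per-message-ID suppression Varun suggested earlier: it parses ASA syslog lines, counts them per message ID, maps each ID to the configuration knob that controls it (the per-ACE log keyword for 106100/106023 versus the logging level or "no logging message" for the 3020xx connection build/teardown messages), and groups the ACL and connection-build messages by the interface pair so you can see which zone-to-zone direction each message belongs to. The sample log lines are constructed; the interface names, addresses and ACL names are invented, and the reading of which side of a "Built ... for X to Y" message is the initiator is an assumption noted in the code.

```python
import re
from collections import Counter

# Constructed sample lines in the %ASA-<severity>-<id> syslog format.
# Interfaces, hosts and ACL names are made up for the example.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.5/51000 (192.0.2.1/51000)
%ASA-6-302014: Teardown TCP connection 1234 for outside:203.0.113.10/443 to inside:10.1.1.5/51000 duration 0:00:02 bytes 4321 TCP FINs
%ASA-6-106100: access-list dmz_in permitted tcp dmz/10.2.2.7(40000) -> inside/10.1.1.5(22) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.9/55555 dst inside:10.1.1.5/3389 by access-group "outside_access_in" [0x0, 0x0]
%ASA-6-302015: Built inbound UDP connection 1235 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:10.1.1.5/5353 (192.0.2.1/5353)
%ASA-6-106100: access-list inside_in permitted tcp inside/10.1.1.5(51001) -> dmz/10.2.2.7(443) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
"""

# Which knob produces or suppresses each message ID on ASA 8.x.
# Only 106100 and 106023 are affected by a log keyword on an ACE.
CONTROL = {
    "106100": "ACE 'log' keyword (log [level] [interval n]); removed by 'log disable' on that ACE",
    "106023": "default deny logging for ACEs without a log keyword; removed by 'log disable' on that ACE or globally by 'no logging message 106023'",
    "302013": "TCP connection build; not an ACE message, drop it with 'no logging message 302013' or a logging level below informational",
    "302014": "TCP connection teardown; same handling as 302013",
    "302015": "UDP connection build; same handling as 302013",
    "302016": "UDP connection teardown; same handling as 302013",
}

HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
ACE_RE = re.compile(r"(\w+)/[\d.]+\(\d+\) -> (\w+)/")      # 106100: src_ifc/ip(port) -> dst_ifc/ip(port)
DENY_RE = re.compile(r"src (\w+):\S+ dst (\w+):")           # 106023: src ifc:ip/port dst ifc:ip/port
CONN_RE = re.compile(r"(inbound|outbound) (?:TCP|UDP) connection \d+ for (\w+):\S+ .*?to (\w+):")


def zone_pair(msgid, body):
    """Return (initiator_ifc, responder_ifc) for the message types handled here, else None."""
    if msgid == "106100":
        m = ACE_RE.search(body)
        return (m.group(1), m.group(2)) if m else None
    if msgid == "106023":
        m = DENY_RE.search(body)
        return (m.group(1), m.group(2)) if m else None
    if msgid in ("302013", "302015"):
        m = CONN_RE.search(body)
        if not m:
            return None
        # Assumption about the build-message layout: for an outbound connection the
        # ASA lists the responder ('for' side) first and the initiator ('to' side)
        # second; for an inbound connection the 'for' side is the initiator.
        direction, ifc_for, ifc_to = m.groups()
        return (ifc_to, ifc_for) if direction == "outbound" else (ifc_for, ifc_to)
    return None  # teardown messages carry no direction word, so they are not paired


def summarize(log_text):
    """Count messages per ID and per (msgid, initiator_ifc, responder_ifc)."""
    by_id = Counter()
    by_zone = Counter()
    for line in log_text.splitlines():
        m = HEADER_RE.search(line)
        if not m:
            continue
        msgid, body = m.group("msgid"), m.group("body")
        by_id[msgid] += 1
        pair = zone_pair(msgid, body)
        if pair:
            by_zone[(msgid,) + pair] += 1
    return by_id, by_zone


def report(log_text):
    """Human-readable summary: which messages you have and what controls each."""
    by_id, by_zone = summarize(log_text)
    out = []
    for msgid, n in sorted(by_id.items()):
        out.append(f"{msgid} x{n}: {CONTROL.get(msgid, 'not classified in this example')}")
    for (msgid, src, dst), n in sorted(by_zone.items()):
        out.append(f"  {msgid} {src} -> {dst}: {n}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a capture from the syslog server rather than the sample: if the unwanted lines turn out to be 302013/302014 rather than 106100/106023, no ACE-level log keyword will ever remove them, and the remedy is the logging level or a "no logging message" entry, at the cost of losing those connection messages for every direction.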
08-06-2013 07:18 AM
Thanks for your reply, Jouni. I will need to do more testing to get a better understanding of the ACE log and the default log behavior.
thanks
Sent from Cisco Technical Support iPhone App