Adding keyword log disable at the end of ACL doesn't have any real meaning

samarjit.das
Level 1

Hi

What is the use of adding the keyword log disable at the end of an ACL in Cisco ASA? It doesn't stop producing logs. So putting log disable at the end of an ACL and not putting anything is the same thing. Can anyone tell me for what reason it is there?

12 Replies

varrao
Level 10

Hi Samarjit,

When you enable the log option after an ACL, it will generate logs for all the traffic which is being processed by that particular ACL, so you will know what IPs are hitting that ACL.

Try this:

put the log enable option after an ACL in your config, example:

access-list outside_access_in permit ip any host 1.1.1.1 log interval 1

and then go to the ASDM:

Right-click on the access-list, select the show log option, and the ASDM real-time window will appear; you will see the logs in that window.

Hope this was useful

Thanks,
Varun Rao
Security Team,
Cisco TAC


Hi Varun

Thanks for your reply. I am not looking for the log enable option, rather I am looking for the log disable option. I want to stop some informational logs from being sent to syslog. At the end of the ACL I included the log disable option, but it doesn't stop the logs from being generated. I don't know what the purpose of the log disable option is. Please share if you have some good findings about this option.

Hi samarjit,

One idea that you can try: every log has a syslog ID associated with it. Let's say you see a lot of logs with ID 106023 and don't want them; then on the ASA, suppress this log by:

no logging message 106023

The ASA will not generate this log.

Or increase your logging level from informational to something higher like warning.

This would help you:

https://supportforums.cisco.com/docs/DOC-18813

Thanks,
Varun Rao
Security Team,
Cisco TAC


Hi Varun

Blocking a particular syslog ID doesn't serve my issue. What I am trying to do is block log messages from A zone to B zone while still looking to see logs from B zone to A zone.

Thanks,

Samar

Hello,

It should stop sending the log notifications for that particular ACE.

Can you share the running configuration, what version you are running and the log you are getting?

Regards,

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

Same problem here: I simply disabled logging for some rules on ASDM and this had no effect at all on syslog messages. Then I tried in the CLI by adding "log disable" at the end of some "access-list" lines; that didn't work either.

Problem occurs on:

- ASA5520 active/passive cluster

- ASA5550 active/active multicontext cluster

ASA 8.0(4) / ASDM 6.1(3) for both clusters

Can't share the whole running config here, please let me know if you need more information to solve this issue...

Regards,

Vincent

Hi Bro

I tried this in my lab earlier, and I really don't see the problem at all. My Cisco ASA FW is running on v8.0.2 and I've no problems with "log disable". It works like a charm for me :-)

ROBMYHQINT-FW01# show run access-list inside

access-list inside extended permit icmp any any log disable
access-list inside extended deny ip any any

Perhaps either your software code has a bug or you're doing this test wrongly. Could you kindly paste your latest show run access-list here? If you think your configuration is good, try upgrading to a higher version.

Warm regards,
Ramraj Sivagnanam Sivajanam

Kng Kng
Level 1

I have been having this problem and have been trying different combinations to try to trace the problem.

"log disable" just did not stop log sending to my syslog server.

The change was done on ASDM. But I checked that "log disable" was there in the config file that I downloaded.

Any idea?

Thanks



Sent from Cisco Technical Support iPhone App

Hi,

To my understanding, if you have "permit" rules then these won't generate any log by default. Normally the ASA generates logs about connections that are denied by an ACL.

Are we talking about a "deny" or a "permit" rule?

- Jouni

Kng Kng
Level 1

Based on what I have seen so far, ASA/PIX sends logs based on the severity level. For example, if you set logging trap informational, you will see both deny and permit traffic event messages.



Sent from Cisco Technical Support iPhone App

Hi,

This must be something related to the software, since from what I can tell the 8.x series software only sends log messages for denied connections hitting an interface ACL (or connections blocked for other reasons).

Setting the logging level to Notifications is enough to view these log messages.

Changing the logging level to Informational should not make the ASA send messages regarding permitted ACL hits. It would, however, still send the denied connections that hit ACL rules.

It should start logging connection Build and Teardown messages, not ACL messages. It will also start logging Build and Teardown messages for NAT.

I would be interested in seeing an example ACL line which is set to disabled in your configuration and a corresponding log message you see generated that isn't supposed to be generated.

It is naturally possible that it's also some software bug that you are facing.

- Jouni
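An added example, not code from this thread or from Cisco, that encodes the per-ACE logging behaviour documented for the ASA access-list log keyword (the behaviour Jouni describes above) and checks it against Samar's goal of silencing A-zone to B-zone denies while keeping B-zone to A-zone denies visible. The zone addresses, the ACL lines and the `logging trap` levels are constructed assumptions; the code models the documentation, not the bug the posters ran into.

```python
import re
# Per-ACE logging as documented for ASA interface ACLs (assumption: this follows the
# access-list reference, not what the posters above observed). No log keyword or "log
# default": denies emit %ASA-4-106023, permits are silent. "log [level] [interval secs]":
# hits emit %ASA-6-106100 (defaults 6, 300 s). "log disable": nothing, not even 106023.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(.+?)"
                    r"(?:\s+log((?:\s+\S+)*))?\s*$")

def ace_logging(line):
    """Classify one ACE: which syslog ID it can emit, at what severity and interval."""
    m = ACE_RE.match(line.strip())
    if not m: raise ValueError(f"not an extended ACE: {line!r}")
    entry = {"acl": m.group(1), "action": m.group(2), "match": m.group(3),
             "msg": None, "level": None, "interval": None}
    toks = None if m.group(4) is None else m.group(4).split()
    if toks is None or toks == ["default"]:   # ASA default: only denies log
        if entry["action"] == "deny":
            entry.update(msg=106023, level=4)
        return entry
    if toks == ["disable"]: return entry      # per-ACE logging switched off
    level, interval, i = 6, 300, 0            # defaults for message 106100
    toks = [str(LEVELS.get(t, t)) for t in toks]   # level names -> numbers
    while i < len(toks):
        if toks[i] == "interval":
            interval, i = int(toks[i + 1]), i + 2
        elif toks[i].isdigit():
            level, i = int(toks[i]), i + 1
        else:
            raise ValueError(f"unknown log option {toks[i]!r}")
    entry.update(msg=106100, level=level, interval=interval)
    return entry

def reaches_syslog(entry, trap_level):
    # True if the ACE's message passes a 'logging trap <trap_level>' filter
    return entry["msg"] is not None and entry["level"] <= LEVELS[trap_level]

# Constructed sample in the shape of the thread's goal: stay quiet about denied
# zone A (10.1/16) -> zone B (10.2/16) traffic, keep logging B -> A denies.
SAMPLE_ACL = """
access-list inside extended deny ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0 log disable
access-list inside extended deny ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 log interval 1
access-list inside extended permit icmp any any log disable
access-list inside extended deny ip any any
"""
def audit(config, trap_level="notifications"):
    # classify every ACE and flag which ones actually reach syslog at trap_level
    out = [ace_logging(l) for l in config.strip().splitlines()]
    for e in out:
        e["sent"] = reaches_syslog(e, trap_level)
    return out
```

Note the edge case the audit surfaces: the B-to-A line carries `log`, so it emits 106100 at severity 6, which a `logging trap notifications` setting drops; the trap level has to be informational for it to reach syslog.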

Kng Kng
Level 1

Thanks for your reply, Jouni. I will need to do more testing to get a better understanding of the ACE log and the default log behavior.

thanks

Sent from Cisco Technical Support iPhone App
