ASA Logging Host vs ACL Logging

Hello,

We currently get all of our logging needs with our ASAs by using the "logging host" command to send all firewall traffic to an event collector, where we can search and correlate traffic events. I'm working to determine if there's any advantage to using the "log" command at the end of our extended access-lists in addition to this. In Cisco documentation, I'm finding that using it results in ACL hits being grouped into "flows" as opposed to separate log messages for each hit, but I'm not really sure why else it would be used. It mentions that enabling this on an ACL could increase CPU usage, but reduces the volume of logs produced. Any thoughts on why enabling "log" on extended ACLs is useful?

Thanks,

LK


5 Replies

Hozaifa Samad
Level 1

Logging host logs all messages with the default buffered syslog level. This can be changed using the logging buffered level command. The log parameter at the end of the access-list will always send a syslog message (permit & deny). Different access-lists have different syslog levels, so if the log parameter is not configured, there's no guarantee it'll be sent to the syslog server, depending on the level configured.

So to make sure I understand, using the global "logging host" command would be the same as having "log" at the end of every ACL, granted that default logging levels are used in either situation?

Not true. If the global log level is higher than the ACL log level, then yes. If the global log level is lower and the ACL log is not enabled, then you won't see it. You'll have to enable the ACL log. Here's a link that shows you all the log levels and their IDs:

http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logsevp.html

Thanks, Hozaifa. I'm not sure I conveyed my last question correctly. If default log levels are used for both global and ACL logs, which I believe is log level 6, then is there any point to using ACL logs, other than if you want to add additional logging on a per-ACL level?

Here's the default host logging config, with no buffer changes:

logging enable
logging trap informational
logging host MANAGEMENT 1.1.1.1

Here's an ACL entry at the default ACL logging level:

access-list outside-acl permit ip host 1.1.1.1 any log

Hi again. Your ACL entry will generate syslog message 106100 which is disabled by default, so ASA won't log it until it's enabled.
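The thread's answer comes down to three checks the ASA makes before an ACL hit ever reaches the collector: does the ACE generate a message at all (106100 with the "log" keyword, 106023 for a plain deny, nothing for a plain permit), is that message ID enabled, and is its severity at or below the "logging trap" level. The following Python model is an added example, not code from the thread or from Cisco: it parses a handful of ASA config lines in the format posted above and applies those rules. The default message severities (106023 at 4, 106100 at 6) are the documented defaults; the assumption that 106100 is disabled until "logging message 106100" is configured follows the accepted answer and should be confirmed on a real unit with "show logging message 106100". The function names, the constant ASSUMED_106100_DEFAULT_ENABLED and the sample config are the example's own.

```python
"""Model of whether an ASA ACE hit reaches a 'logging host' collector.

Added example for this thread, not Cisco code.  Rules modelled:
  * 'logging trap LEVEL' forwards messages at that severity or more severe
    (numerically lower) to syslog hosts, once 'logging enable' is set.
  * An ACE with 'log' emits 106100 (default severity 6, overridable per ACE).
  * A deny ACE without 'log' emits 106023 (severity 4); a plain permit emits
    no ACL message.
  * A message turned off with 'no logging message ID' is never generated.
"""
import re

SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
# Assumption taken from the accepted answer in this thread; verify with
# 'show logging message 106100' on the actual firewall.
ASSUMED_106100_DEFAULT_ENABLED = False

# Constructed sample, modelled on the configuration posted in the thread.
SAMPLE_CONFIG = """
logging enable
logging trap informational
logging host MANAGEMENT 1.1.1.1
access-list outside-acl permit ip host 1.1.1.1 any log
access-list outside-acl deny ip any any
"""


def level_to_int(token):
    """Accept a level name ('informational') or its numeric form ('6')."""
    return int(token) if token.isdigit() else SEVERITY[token]


def parse_ace(acl, action, rest):
    """Split the ACE body into action and 'log [level] [interval N]' options."""
    tokens = rest.split()
    ace = {"acl": acl, "action": action, "log": False, "log_level": None}
    if "log" in tokens:
        opts = tokens[tokens.index("log") + 1:]
        ace["log"] = "disable" not in opts          # 'log disable' turns it off
        if opts and opts[0] not in ("interval", "disable", "default"):
            ace["log_level"] = level_to_int(opts[0])  # per-ACE severity override
    return ace


def parse_config(text):
    """Collect the logging and access-list state relevant to the decision."""
    cfg = {
        "enabled": False, "trap": None, "hosts": [], "aces": [],
        "messages": {
            106023: {"enabled": True, "level": 4},
            106100: {"enabled": ASSUMED_106100_DEFAULT_ENABLED, "level": 6},
        },
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line == "logging enable":
            cfg["enabled"] = True
        elif m := re.fullmatch(r"logging trap (\S+)", line):
            cfg["trap"] = level_to_int(m.group(1))
        elif m := re.fullmatch(r"logging host (\S+) (\S+)", line):
            cfg["hosts"].append((m.group(1), m.group(2)))
        elif m := re.fullmatch(r"logging message (\d+) level (\S+)", line):
            entry = cfg["messages"].setdefault(int(m.group(1)), {"enabled": True})
            entry["level"] = level_to_int(m.group(2))
        elif m := re.fullmatch(r"(no )?logging message (\d+)", line):
            entry = cfg["messages"].setdefault(int(m.group(2)), {"level": 6})
            entry["enabled"] = m.group(1) is None
        elif m := re.fullmatch(r"access-list (\S+) (?:extended )?(permit|deny) (.+)", line):
            cfg["aces"].append(parse_ace(m.group(1), m.group(2), m.group(3)))
    return cfg


def ace_syslog(cfg, ace):
    """Return (message_id, severity, reaches_host) for one hit on the ACE."""
    if ace["log"]:
        msg = 106100
        sev = ace["log_level"] if ace["log_level"] is not None else cfg["messages"][msg]["level"]
    elif ace["action"] == "deny":
        msg = 106023
        sev = cfg["messages"][msg]["level"]
    else:
        return (None, None, False)       # a plain permit produces no ACL syslog
    if not cfg["messages"][msg]["enabled"]:
        return (msg, sev, False)         # ACE fires, but the message ID is disabled
    forwarded = (cfg["enabled"] and cfg["trap"] is not None
                 and bool(cfg["hosts"]) and sev <= cfg["trap"])
    return (msg, sev, bool(forwarded))


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for ace in cfg["aces"]:
        print(ace["acl"], ace["action"], "->", ace_syslog(cfg, ace))
```

Run against the posted configuration, the model reproduces the accepted answer: the "permit ... log" entry fires 106100 at severity 6, which the informational trap level would forward, but nothing leaves the box until "logging message 106100" is added. Dropping the trap level to warnings shows Hozaifa's other point: the deny's 106023 (severity 4) still reaches the collector while 106100 at its default level 6 does not, unless the ACE is written as "log 4" to raise its severity.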
