Contributor

Enable Denied ACL Logging (106023)

I know it can generate a ton of logs but is it best to enable or disable this syslog?

VIP Advisor

Re: Enable Denied ACL Logging (106023)

logging message 106023  - enable

no logging message 106023 - disable 

BB
*** Rate All Helpful Responses ***
Contributor

Re: Enable Denied ACL Logging (106023)

Hi, sorry, I may not have been clear about what I am asking. Basically, is it a good idea to enable logging of blocked ACL events? I mean there would be a ton of them, thus using processing memory, correct?
VIP Advisor

Re: Enable Denied ACL Logging (106023)

Hi,

Yes, it's a good idea to log denied traffic, assuming you are going to look at the logs. You should send the logs to an external syslog server: if logs are stored locally they are lost upon a reboot, and fewer ASA resources are consumed.

HTH

Contributor

Re: Enable Denied ACL Logging (106023)

Will constant denied traffic logs slow the CPU down?
VIP Advisor

Re: Enable Denied ACL Logging (106023)

Logging locally would consume memory; it's recommended to send to a syslog server so it doesn't slow down the FW. Ultimately it would depend on your hardware and how many events are being logged.

Reference here, under the High Memory Utilisation section.

HTH

Contributor

Re: Enable Denied ACL Logging (106023)

Yes so Syslog server is utilized, however what about all the logs that show up locally?
Hall of Fame Master

Re: Enable Denied ACL Logging (106023)

The original poster asks whether generating the log messages about traffic denied by ACL would impact CPU usage. And the answer clearly is that generating those log messages does require some CPU, and that transmitting those log records to an external server would consume some CPU and some bandwidth. Whether the impact of that CPU use is significant is hard to say.

The original question was whether it is better to enable the logging of the denied traffic or better to disable the logging and reduce resource use on the ASA. @RJI made a very significant point: it depends on how you would use them. If your organization is quite security conscious, if someone will be monitoring these logs and checking them for significant events, and if someone would take action to address those significant events, then certainly it is better to enable the logging. I have worked with customers who rarely check their logs. For them certainly it would be better to disable this logging.

So my response to the original poster is: where on the scale is your organization? Do you regularly check logs and take action based on what you observe? Or do you let things run and check the logs only when someone reports a potential problem? Or do you fall somewhere in the middle?

HTH

Rick

VIP Advisor

Re: Enable Denied ACL Logging (106023)

Enable logging to give you the ability to diagnose the problem which was blocking, so you can analyze the information to resolve any other issues around it.

But ASA logs are stored in a buffer, and they will be removed eventually once the buffer is full.

I suggest always sending to an external syslog server if you are looking to archive and read them for further use.

BB
*** Rate All Helpful Responses ***
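Putting the advice in this thread together in one ASA logging configuration. This is an added example, not configuration posted by anyone in the thread; the interface name (inside), collector address (10.0.0.50) and buffer size are assumed placeholders to replace with your own.

```cisco
! Added example, not from any poster in this thread. Interface name and
! collector address below are assumptions.
logging enable
logging timestamp
! Keep only a small local buffer: it wraps when full and is lost on reboot,
! so the durable copy of the logs must live on the collector.
logging buffered notifications
logging buffer-size 16384
! 106023 is logged at severity 4 (warnings), so the trap level must be
! warnings or more verbose for it to reach the syslog server (UDP/514 default).
logging trap warnings
logging host inside 10.0.0.50
! Denied-ACL logging is on by default; "logging message 106023" re-enables it
! after a "no logging message 106023".
logging message 106023
! Bound how fast this one message can fire so a scan or flood of denied
! packets cannot drive CPU with syslog generation: at most 100 per second.
logging rate-limit 100 1 message 106023
```

After pasting this, `show logging` confirms the trap level, the configured host and how many messages the rate limit has suppressed, which is the number to watch when deciding whether the limit is hiding events your SOC would want to see.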