Enable Denied ACL Logging (106023)

CiscoPurpleBelt
Level 6

I know it can generate a ton of logs but is it best to enable or disable this syslog?

8 Replies

balaji.bandi
Hall of Fame

logging message 106023  - enable

no logging message 106023 - disable 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi, sorry, I may not have been clear about what I am asking. Basically, is it a good idea to enable logging of blocked ACL events? I mean there would be a ton of them, thus using processing memory, correct?

Hi,

Yes, it's a good idea to log denied traffic, assuming you are going to look at the logs. You should send the logs to an external syslog server, as logs stored locally are lost upon a reboot, and fewer ASA resources are consumed.

 

HTH

Will constant denied traffic logs slow the CPU down?

Logging locally would consume memory; it's recommended to send to a syslog server so it doesn't slow down the FW. Ultimately it would depend on your hardware and how many events are being logged.

 

Reference here, under the High Memory Utilisation section.

 

HTH

Yes, so a syslog server is utilized; however, what about all the logs that show up locally?

The original poster asks whether generating the log messages about traffic denied by ACL would impact CPU usage. And the answer clearly is that generating those log messages does require some CPU. And that transmitting those log records to an external server would consume some CPU and some bandwidth. Whether the impact of that CPU use is significant is hard to say.

 

The original question was whether it is better to enable the logging of the denied traffic or better to disable the logging and reduce resource use on the ASA. @Rob Ingram made a very significant point: it depends on how you would use them. If your organization is quite security conscious and if someone will be monitoring these logs, and checking them for significant events, and if someone would take action to address those significant events then certainly it is better to enable the logging. I have worked with customers who rarely check their logs. For them certainly it would be better to disable this logging. 

 

So my response to the original poster is: where on the scale is your organization? Do you regularly check logs and take action based on what you observe? Or do you let things run and check the logs only when someone reports a potential problem? Or do you fall somewhere in the middle?

 

HTH

 

Rick

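The replies above agree that the answer hinges on whether someone actually reads the denied-traffic logs once they reach the syslog server. As an added example (not code from any post in this thread), here is the kind of small review script a syslog-server operator might run over collected 106023 messages: it parses the documented message body ("Deny proto src if:ip/port dst if:ip/port by access-group ..."), counts denies per source, and flags sources that probed many distinct destination ports. The sample lines are constructed for this example (RFC 5737 addresses, hostname "fw01", ACL name "outside_access_in"); the regex field names and the threshold in flag_scanners are this example's own choices, not Cisco's.

```python
import re
from collections import defaultdict

# Message body of %ASA-4-106023 as the ASA emits it (per Cisco's documented
# format). Ports are absent for ICMP; the parenthesised "(type N, code M)"
# segment is optional. Group names are this example's own.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[\w-]+):(?P<src_ip>[^/\s]+)(?:/(?P<src_port>\d+))? '
    r'dst (?P<dst_if>[\w-]+):(?P<dst_ip>[^/\s]+)(?:/(?P<dst_port>\d+))? '
    r'(?:\([^)]*\) )?'
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample: one source walking ports 20..30 on a host, one source
# repeatedly hitting SMB, some mDNS noise, an ICMP echo request, and an
# unrelated 302013 line that the parser must ignore.
SAMPLE_LOGS = [
    f'Jan 10 2024 09:15:01 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/{43100 + p} '
    f'dst inside:198.51.100.10/{p} by access-group "outside_access_in" [0x0, 0x0]'
    for p in range(20, 31)
] + [
    'Jan 10 2024 09:15:02 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.50/52000 '
    'dst inside:198.51.100.20/445 by access-group "outside_access_in" [0x0, 0x0]',
] * 3 + [
    'Jan 10 2024 09:15:02 fw01 %ASA-4-106023: Deny udp src outside:203.0.113.77/5353 '
    'dst inside:198.51.100.255/5353 by access-group "outside_access_in" [0x0, 0x0]',
    'Jan 10 2024 09:15:03 fw01 %ASA-4-106023: Deny icmp src outside:203.0.113.9 '
    'dst inside:198.51.100.10 (type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]',
    'Jan 10 2024 09:15:03 fw01 %ASA-6-302013: Built inbound TCP connection 12345 for '
    'outside:203.0.113.20/51000 (203.0.113.20/51000) to inside:198.51.100.10/443 (198.51.100.10/443)',
]


def parse_106023(line):
    """Return a dict of fields for a 106023 line, or None for any other line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    # Normalise ports to int; ICMP has none.
    ev["src_port"] = int(ev["src_port"]) if ev["src_port"] else None
    ev["dst_port"] = int(ev["dst_port"]) if ev["dst_port"] else None
    return ev


def summarize(lines):
    """Aggregate denies per source IP. Returns (total_denies, per_source)."""
    per_src = defaultdict(lambda: {"count": 0, "dst_ports": set(),
                                   "dst_hosts": set(), "acls": set()})
    total = 0
    for line in lines:
        ev = parse_106023(line)
        if ev is None:
            continue  # not a 106023 message
        total += 1
        s = per_src[ev["src_ip"]]
        s["count"] += 1
        s["dst_hosts"].add(ev["dst_ip"])
        s["acls"].add(ev["acl"])
        if ev["dst_port"] is not None:
            s["dst_ports"].add(ev["dst_port"])
    return total, per_src


def flag_scanners(per_src, min_ports=10):
    """Sources that touched at least min_ports distinct destination ports."""
    return sorted(ip for ip, s in per_src.items() if len(s["dst_ports"]) >= min_ports)


if __name__ == "__main__":
    total, per_src = summarize(SAMPLE_LOGS)
    print(f"{total} ACL denies from {len(per_src)} sources")
    for ip, s in sorted(per_src.items(), key=lambda kv: -kv[1]["count"]):
        print(f"  {ip:16} denies={s['count']:4} hosts={len(s['dst_hosts'])} "
              f"ports={len(s['dst_ports'])} acls={','.join(sorted(s['acls']))}")
    print("port-scan candidates:", flag_scanners(per_src))
```

The script expects the message body that the ASA forwards when `logging host` points at the collector and `logging trap` is set to warnings or a more verbose level, so that severity-4 106023 messages are actually sent; in practice you would feed it the collector's file for a day rather than the embedded sample.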

Enable logging to give you the ability to diagnose the problem that was blocking traffic, so you can analyze the information and resolve any other issues around it.

 

But ASA logs are stored in a buffer, and they will be removed eventually once the buffer is full.

 

I suggest always sending to an external syslog server if you are looking to archive and read them for further use.

 

BB

