2838 Views · 2 Helpful · 15 Replies

ASA log not showing rule hits

irbk
Level 1

Hopefully I'm in the right place.  Here are the basics.
ASA 5525 in HA pair.  ASA 9.14(3), ASDM 7.17(1)152.
Show run logging gives me this
logging enable
logging timestamp
no logging hide username
logging standby
logging buffered debugging
logging trap informational
logging asdm informational
logging host lc-corp 10.81.10.31
logging class auth trap informational
logging class config trap informational
logging class vpn trap informational
logging class vpnc trap debugging
logging class webvpn trap informational
logging class svc trap informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020

So logging 106100 is enabled, logging buffered is debugging, logging asdm is informational.  For my rules in question, logging is enabled and set at debugging.  I think that covers all the basic questions that are asked. 

The issue: there are several "any IP" rules that I want to get rid of. Just focusing on 1 specific rule:

"access-list lc-tst-env_access_in line 26 extended permit ip object lc-tst-env-10.81.20.0 object-group LC-JC-Subnets log 7 interval 300"

In the ASDM, I right click on the rule, I click "show log" and nothing hits the log.  I see the hits on the rule increasing but nothing ever shows in the log.  I've done this same thing on other rules and I've got information back as to what traffic was using the rule.  This particular rule wants to be a pain though and not show me traffic that's being permitted.  Suggestions?

15 Replies

(Optional) Sets logging options when an ACE matches a packet for network access (an ACL applied with the access-group command). If you enter the log keyword without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). If you do not enter the log keyword, then the default system log message 106023 is generated for denied packets. Log options are:

  • level —A severity level between 0 and 7. The default is 6 (informational). If you change this level for an active ACE, the new level applies to new connections; existing connections continue to be logged at the previous level.

  • interval secs —The time interval in seconds between syslog messages, from 1 to 600. The default is 300. This value is also used as the timeout value for deleting an inactive flow from the cache used to collect drop statistics.

If the ASA sends a log at time 0 for an ACL hit, then from 0-300 sec there is no log even if traffic hits the ACL; after that the ASA sends a log again.

Sorry, I'm not following.  What are you suggesting I do?  I already have logging turned on for the specific rule.

Reduce the interval and check the log.

I've sat on the log viewer for over an hour and watched the hit counter increase by over 3600 hits, nothing in the log.

Change the log level to 6 for the ACL.

Just to eliminate any doubt, I reduced the logging to 60
"access-list lc-tst-env_access_in line 26 extended permit ip object lc-tst-env-10.81.20.0 object-group LC-JC-Subnets log 7 interval 60"
I've sat and watched the log for 15 min and did see the hit counter go up by 70 hits but the realtime log viewer is still not showing any traffic.  

irbk
Level 1

Also, just to verify logging was working in general, I turned logging on for another rule and got all kinds of traffic in the real-time log viewer within just a few seconds.

access-list lc-tst-env_access_in line 26 extended permit ip object lc-tst-env-10.81.20.0 object-group LC-JC-Subnets log 6 interval 300

log 7 is going to include everything from 0 to 7, so I'm not really sure why the level would make any difference?  However, I made that change. 

"access-list lc-tst-env_access_in line 26 extended permit ip object lc-tst-env-10.81.20.0 object-group LC-JC-Subnets log 6 interval 60"

Still no difference so far

Now this is interesting.  When I right click on the rule and say "show log" I'm not seeing traffic hitting the rule.  However I can see in the syslog messages that are scrolling by, items are hitting the log.  I'm not sure if it's always been doing that but I noticed it was doing it.  So I close the log that was opened by doing a right click - "show log" and just go into monitoring - Real-Time Log viewer - View, then I put in a "FILTER:sysID=106100;" and click "filter" I can see the rules hitting the log.  Why the heck would I not see them when doing a right click "show log" but I do see them when just doing a filter on 106100?

I realize that the last message may be kind of confusing.  I'll try and rephrase.  In the ASDM, if I right click on the rule in question and select "show log" there is nothing showing up in that log.  However, I had the "Home" page of the ASDM open behind the "show log" window. I noticed on the home page, in the "ASDM Syslog Messages" section, traffic that was hitting the access rule, however this was not showing up in the "show log" window I had open.  At that point I closed the "show log" window I had open.  I then went into monitoring - Real-Time Log viewer - View and then I put in a "FILTER:sysID=106100;" and click "filter".  When I view the logs this way, I'm seeing the traffic that is hitting the rule.  When I right click on the rule and select "show log" I'm not seeing the traffic that's hitting the rule.  Why would that be?

I will update you soon

Hello,

I have not followed the entire thread, but you could try the values below (temporarily assign really high values to the buffer sizes, explicitly configure debug logging for that message, and disable all rate limiting):

logging buffer-size 1000000
logging asdm-buffer-size 500
logging message 106100 level debugging
no logging rate-limit

I am not sure what the defaults are, but these values are near the top of what is configurable...

irbk
Level 1

Hello Georg,

I found a "workaround" without needing to mess with buffer sizes.  In the ASDM, if I right click on the rule in question and select "show log" there is nothing showing up in that log. However, I had the "Home" page of the ASDM open behind the "show log" window. I noticed on the home page, in the "ASDM Syslog Messages" section, traffic that was hitting the access rule, however this was not showing up in the "show log" window I had open. At that point I closed the "show log" window I had open. I then went into monitoring - Real-Time Log viewer - View and then I put in a "FILTER:sysID=106100;" and click "filter". When I view the logs this way, I'm seeing the traffic that is hitting the rule. When I right click on the rule and select "show log" I'm not seeing the traffic that's hitting the rule.
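The workaround above is to filter the ASDM real-time viewer on sysID=106100 rather than relying on the per-rule "show log" window. The same check can be run offline against the syslog the ASA already ships to the lc-corp host, which is useful when you want to verify a rule is really unused before removing it. The script below is an added example, not part of this thread or of any Cisco tool: it parses the two access-list message types the quoted documentation mentions (106100, the aggregated per-ACE message the log keyword enables, and 106023, the per-packet deny emitted when no log keyword is present), lets you filter by ACL name, message ID or action the way the ASDM filter does, and sums the hit-cnt values per flow so the "first hit" and "N-second interval" messages from one interval are combined. The sample log lines, host names, addresses and hash values are constructed for the example; the 106100/106023 message layouts follow the documented ASA formats.

```python
"""Offline equivalent of the ASDM filter "FILTER:sysID=106100;": parse ASA
access-list syslog messages and summarise hits per ACL entry and flow.
Added example; not code from the thread or from Cisco."""
import re
from collections import defaultdict

# Constructed sample syslog lines (not taken from the thread). Two are 106100
# messages for the ACL discussed above (a first hit, then the 300-second
# interval summary), one is a 106100 deny on another ACL, one is the
# per-packet 106023 deny an ACE without the log keyword produces, and one is an
# unrelated 302013 connection message that must be ignored.
SAMPLE_LOG = """\
Apr 12 2023 10:15:01 lc-asa : %ASA-6-106100: access-list lc-tst-env_access_in permitted tcp inside/10.81.20.15(51234) -> outside/10.81.30.10(443) hit-cnt 1 first hit [0x8a2b1c3d, 0x0]
Apr 12 2023 10:15:02 lc-asa : %ASA-6-302013: Built outbound TCP connection 12345 for outside:10.81.30.10/443 (10.81.30.10/443) to inside:10.81.20.15/51234 (10.81.20.15/51234)
Apr 12 2023 10:20:01 lc-asa : %ASA-6-106100: access-list lc-tst-env_access_in permitted tcp inside/10.81.20.15(51234) -> outside/10.81.30.10(443) hit-cnt 70 300-second interval [0x8a2b1c3d, 0x0]
Apr 12 2023 10:20:05 lc-asa : %ASA-6-106100: access-list outside_access_in denied udp outside/198.51.100.7(53000) -> inside/10.81.20.20(53) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Apr 12 2023 10:20:07 lc-asa : %ASA-4-106023: Deny tcp src outside:198.51.100.9/40000 dst inside:10.81.20.21/22 by access-group "outside_access_in" [0x0, 0x0]
"""

# %ASA-<sev>-106100: access-list <acl> permitted|denied|est-allowed <proto>
#   <if>/<src>(<sport>) -> <if>/<dst>(<dport>) hit-cnt <n> (first hit | <secs>-second interval) [hashes]
ACE_106100 = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+) "
    r"(?P<window>first hit|\d+-second interval)"
)

# %ASA-<sev>-106023: Deny <proto> src <if>:<src>/<sport> dst <if>:<dst>/<dport> by access-group "<acl>" [hashes]
ACE_106023 = re.compile(
    r"%ASA-(?P<sev>\d)-106023: Deny (?P<proto>\S+) "
    r"src (?P<src_if>[^:]+):(?P<src>[^/]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst>[^/]+)/(?P<dport>\d+) "
    r"by access-group \"(?P<acl>[^\"]+)\""
)


def parse_event(line):
    """Return a normalised dict for a 106100 or 106023 line, or None for any other message."""
    m = ACE_106100.search(line)
    if m:
        return {
            "msg_id": "106100", "severity": int(m["sev"]), "acl": m["acl"],
            "action": m["action"], "proto": m["proto"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "hits": int(m["hits"]), "window": m["window"],
        }
    m = ACE_106023.search(line)
    if m:
        return {
            "msg_id": "106023", "severity": int(m["sev"]), "acl": m["acl"],
            "action": "denied", "proto": m["proto"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            # 106023 is emitted once per packet, so it carries no hit count.
            "hits": 1, "window": "per-packet",
        }
    return None


def ace_events(log_text):
    """All access-list events in a syslog text, in order; other messages are dropped."""
    return [e for e in (parse_event(l) for l in log_text.splitlines()) if e]


def filter_events(events, acl=None, msg_id=None, action=None):
    """Keep events matching every given criterion (None means 'any'), like the ASDM filter bar."""
    return [e for e in events
            if (acl is None or e["acl"] == acl)
            and (msg_id is None or e["msg_id"] == msg_id)
            and (action is None or e["action"] == action)]


def summarize(events):
    """Sum hit counts per (acl, action, proto, src, dst, dport) flow key, so the
    'first hit' message and the following interval summary are added together."""
    totals = defaultdict(int)
    for e in events:
        key = (e["acl"], e["action"], e["proto"], e["src"], e["dst"], e["dport"])
        totals[key] += e["hits"]
    return dict(totals)


if __name__ == "__main__":
    events = ace_events(SAMPLE_LOG)
    for key, hits in summarize(filter_events(events, acl="lc-tst-env_access_in")).items():
        print(key, hits)
```

Run against an exported syslog file (read it into `ace_events`) and filter on the ACL name from the access-list line; a rule whose summary stays empty over several intervals while its hit counter moves is the situation the thread describes, and the raw 106100 messages are then the place to look rather than the per-rule "show log" view. Note the severity digit in the `%ASA-6-` prefix is whatever level the ACE's log keyword sets (7 or 6 in the configurations above), so a host filter that keys on severity needs to match the level actually configured.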