ACL Logging

dalem00011
Level 1

Hi all,

I need help with something.

I manage a multi-context firewall.

The rulebase is huge!

Up until this point we never configured ACL logging on the rules.

Now the client wants us to log the ACLs.

i.e.:

access-list TEST deny ip any any log

I would need to add the word "log" to the end of every ACL - but in this case there are literally thousands of ACLs.

Is there a command that I can run that will log all ACLs without me having to physically go back to each ACL statement and add the word "log" at the end of it?
Urgent assistance would be greatly appreciated!
Kind regards
 - Dale

4 Replies

As far as I know, you would need to add the log keyword at the end of each entry.  An option is to create a script that will go through your configuration and pull out the access list entries, add the log keyword to the end and then paste it back in.  

Depending on how much traffic actually passes through your firewall, I would caution your client about enabling logging on all the ACL entries.  If there is a lot of traffic passing through your ASA, this will impact performance.  Perhaps if you are able to narrow it down a bit to critical entries?

--

Please remember to select a correct answer and rate helpful posts

Thanks for your swift response Marius.

There are huge amounts of traffic passing through this multi-context ASA.

The client wants logging on all ACLs - I think it's for some kind of Tufin integration.

So you would advise against this?

Also, then just to clarify, in ASDM, under logging, there is a check box which states "enable logging" - Would this not maybe solve my issue?

Accepted Solution

Logging uses CPU and memory.

I would not go as far as saying that I advise against it, but lean more on the side of caution. Just keep in mind that if you do experience a decrease in performance, this could be due to the amount of logging going on. Of course this also depends on what level of logging you are doing. Debugging would most definitely have a performance impact with a huge amount of traffic passing through. Informational or notification will have less of an impact.

The enable logging in the ASDM will just enable logging for the ASDM, not what is being logged to the ASDM.

So, the only way I know of to do this is manually or have a programmer create a script that will do it for you.

--

Please remember to select a correct answer and rate helpful posts
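Both of Marius's replies point to the same approach: pull the access-list entries out of the configuration, add the log keyword with a script, and paste the result back. The script below is an added example written for this thread, not code from any poster. It assumes the input is the text of show running-config access-list for one context (on a multi-context ASA you would changeto each context and run it once per context), so every entry appears in its extended form rather than the shortened form in Dale's question. The ACL names and entries in SAMPLE_CONFIG are constructed. It goes a little beyond the replies in three ways a practitioner would want: it places the log option ahead of time-range and inactive, where the ASA syntax requires it, it leaves alone any entry that already carries a log option (including log disable), and it accepts a list of ACL names so the change can be rolled out to the business-critical ACLs first, as Dale plans.

```python
"""Add the ASA 'log' keyword to extended ACEs from 'show running-config access-list'.

Added example for this thread, not code from any poster. Assumptions: the input is
the running-config form of the ACLs (one ACE per line, 'extended' present, no 'line N'),
and entries that already carry any log option are left as they are.
"""
from typing import Iterable, List, Optional, Set

# In an ASA extended ACE the log options must come before these trailing keywords:
#   access-list NAME extended {permit|deny} ... [log [level] [interval secs] | disable | default]
#                                               [time-range NAME] [inactive]
TRAILING_KEYWORDS = ("time-range", "inactive")


def add_log_keyword(line: str, level: Optional[str] = None) -> str:
    """Return the ACE with 'log [level]' inserted at the right position.

    Lines that are not extended permit/deny ACEs (remarks, standard ACLs, blank lines)
    and ACEs that already carry a log option come back unchanged, so the function is
    safe to run over a whole 'show running-config access-list' dump.
    """
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list":
        return line
    # Running-config form is 'access-list NAME extended ...'; 'access-list NAME line N
    # extended ...' is what an operator types to pick a position, so accept both.
    if tokens[2] == "extended":
        ext = 2
    elif tokens[2] == "line" and len(tokens) > 4 and tokens[4] == "extended":
        ext = 4
    else:
        return line  # remark, standard, ethertype, webtype: not touched by this script
    if ext + 1 >= len(tokens) or tokens[ext + 1] not in ("permit", "deny"):
        return line
    body = tokens[ext + 2:]
    # 'log', 'log disable', 'log default', 'log 7 interval 60' all count as an explicit
    # choice already made. (An object literally named 'log' would also match; that is a
    # deliberate false positive: skipping an entry is safer than double-logging it.)
    if "log" in body:
        return line
    insert_at = len(body)
    for i, tok in enumerate(body):
        if tok in TRAILING_KEYWORDS:
            insert_at = i
            break
    log_opts = ["log"] + ([level] if level else [])
    return " ".join(tokens[: ext + 2] + body[:insert_at] + log_opts + body[insert_at:])


def rewrite_config(config_text: str, acl_names: Optional[Iterable[str]] = None,
                   level: Optional[str] = None) -> List[str]:
    """Return only the ACEs that changed, in original order, ready to paste into the context.

    acl_names limits the change to a subset of ACLs (the phased, business-critical-first
    rollout discussed in the thread); None means every ACL in the dump.
    """
    wanted: Optional[Set[str]] = set(acl_names) if acl_names is not None else None
    changed: List[str] = []
    for raw in config_text.splitlines():
        tokens = raw.split()
        if wanted is not None and (len(tokens) < 2 or tokens[1] not in wanted):
            continue
        new = add_log_keyword(raw, level)
        if new != raw:
            changed.append(new)
    return changed


# Constructed sample dump in 'show running-config access-list' form; all names are made up.
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN remark Allow web traffic to the DMZ web servers
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq https
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq www log
access-list OUTSIDE_IN extended deny ip any any log disable
access-list INSIDE_OUT extended permit tcp object-group LAN any eq 443 time-range BUSINESS-HOURS
access-list INSIDE_OUT extended permit ip object-group LAN any inactive
access-list MGMT_NETS standard permit 10.0.0.0 255.255.255.0
access-list TEST extended deny ip any any
"""

if __name__ == "__main__":
    # Prints the four entries that gain 'log informational'; remarks, the standard ACL
    # and the two entries that already have a log option are not emitted.
    for ace in rewrite_config(SAMPLE_CONFIG, level="informational"):
        print(ace)
```

Apply the printed lines per context, the critical ACLs first. The script deliberately emits no "no access-list" lines: the ASA identifies an ACE by its match fields, so confirm on a lab or non-production context whether re-entering an entry with log updates it in place or needs the no form first, and keep the per-ACE "log" count from the output as the record of what was enabled in each phase. Without a level the ASA uses its default for the log keyword, informational (6); the messages those entries produce are syslog 106100, and a level such as debugging only reaches the collector if the logging trap level is set to pass it, which is also where the performance caution in the replies bites.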

Thanks Marius.

Your advice has been noted.

For now I have informed the client of the risks involved. We plan to roll it out little by little so we can monitor how the ASA handles it.

I also advised we do this only on business-critical ACLs.

Fingers crossed all goes well and they take my advice.

But thanks again Marius.

Appreciate it!
