03-06-2012 03:49 AM - edited 03-11-2019 03:38 PM
Hi,
I'm fine tuning some of our ASA logging config, and am having an issue with one particular syslog ID.
The message is:
syslog 106100: default-level informational (enabled)
and the log settings are:
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: level errors, 2389314 messages logged
Monitor logging: disabled
Buffer logging: level notifications, 100889 messages logged
Trap logging: level informational, facility 20, 1080679 messages logged
Logging to 10.1.1.1 errors: 1 dropped: 2
History logging: level warnings, 83057 messages logged
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 2571771 messages logged
This ACE log entry is generated by explicit deny any any statements at the end of all the ACLs, e.g.
access-list inside_access_in extended deny ip any any log interval 600
Based on the config, I would expect to see this being logged to the syslog server, but not to the local buffer, but am still seeing them locally in the buffer:
Feb 22 2012 10:58:20: %ASA-4-106100: access-list inside_access_in denied udp INSIDE/HOSTABC(52629) -> OUTSIDE/HOSTXXX(162) hit-cnt 5 300-second interval [0x3baecf1e, 0x0]
It also still shows these as level "warning", %ASA-4-106100, instead of the default %ASA-6-106100
I've tried removing and re-applying the config at different levels but it still reports in the buffer log as level "warning", %ASA-4-106100
This also doesn't affect every 106100 log that is generated. Most messages are generated at the correct level 6 severity but some seem to randomly log at level 4. There doesn't seem to be any pattern to this. The same access-list line can produce severity level 4 and 6 106100 messages.
Any ideas?
Thanks
Karl
10-10-2012 08:10 PM
Hey Karl,
Came across your post when looking up why my own ACL-specific logging wasn't working at all. Found out I was hitting a bug - CSCsz73284. Upgraded and I got many, many 106100 logs at the "error" level.
Not sure if this is still relevant for you, or if you have found your answer yet, but it could be that you've got some particular access-list entry in the config that is getting hit, where the "log warnings" is configured at the end like this:
access-list
The log level for 106100 can differ depending on the log level of a particular access-list entry, and it cannot be changed globally. e.g.
ASA(config)# logging message 106100 level errors
INFO: Please use the access-list command to change the severity level of this syslog
ASA(config)#
Regards,
Ben
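Added example (not from any poster in this thread, and not Cisco code): a small Python parser for %ASA-x-106100 lines that checks Ben's explanation against a buffer log. It groups messages by ACL name and by the first hash code in the trailing bracket (the per-ACE hash that `show access-list` also displays), then reports which ACEs show up at more than one severity. The sample log below is constructed for the example; only the first line is taken from Karl's post. The field layout assumed is the documented 106100 format, with both `hit-cnt N first hit` and `hit-cnt N X-second interval` forms handled, plus the optional `(user)` suffix some ASA releases print after a port.

```python
import re
from collections import Counter, defaultdict

# Field layout of syslog 106100:
#   %ASA-<sev>-106100: access-list <acl> {permitted|denied|est-allowed} <proto>
#   <if>/<src>(<sport>)[(user)] -> <if>/<dst>(<dport>)[(user)]
#   hit-cnt <n> {first hit | <secs>-second interval} [<hash1>, <hash2>]
ASA_106100_RE = re.compile(
    r"%ASA-(?P<severity>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>[^)]*)\)(?:\([^)]*\))? -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>[^)]*)\)(?:\([^)]*\))? "
    r"hit-cnt (?P<hits>\d+) (?P<period>first hit|\d+-second interval) "
    r"\[(?P<hash1>0x[0-9a-fA-F]+), (?P<hash2>0x[0-9a-fA-F]+)\]"
)


def parse_106100(line):
    """Return the fields of one 106100 line as a dict, or None if it is not one."""
    m = ASA_106100_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    fields["hits"] = int(fields["hits"])
    return fields


def severity_by_ace(lines):
    """Map (acl name, ACE hash) -> Counter of the severities seen for that ACE."""
    seen = defaultdict(Counter)
    for line in lines:
        f = parse_106100(line)
        if f is not None:
            seen[(f["acl"], f["hash1"])][f["severity"]] += 1
    return seen


def mixed_severity_aces(lines):
    """ACEs (acl, hash) that were logged at more than one severity.

    If the per-ACE log level is what sets the severity, every hash should map
    to exactly one severity; anything returned here is worth comparing with
    'show access-list' to see which line carries a non-default 'log <level>'.
    """
    return sorted(k for k, c in severity_by_ace(lines).items() if len(c) > 1)


# Constructed sample buffer log. Line 1 is the message quoted in the thread;
# the remaining lines are made up for this example.
SAMPLE_LOG = [
    "Feb 22 2012 10:58:20: %ASA-4-106100: access-list inside_access_in denied udp "
    "INSIDE/HOSTABC(52629) -> OUTSIDE/HOSTXXX(162) hit-cnt 5 300-second interval "
    "[0x3baecf1e, 0x0]",
    "Feb 22 2012 10:59:10: %ASA-6-106100: access-list inside_access_in denied udp "
    "INSIDE/HOSTABC(52630) -> OUTSIDE/HOSTXXX(162) hit-cnt 1 first hit "
    "[0x3baecf1e, 0x0]",
    "Feb 22 2012 11:00:00: %ASA-4-106100: access-list dmz_access_in denied tcp "
    "DMZ/10.2.2.5(40001) -> OUTSIDE/203.0.113.9(443) hit-cnt 12 600-second interval "
    "[0x1a2b3c4d, 0x0]",
    "Feb 22 2012 11:01:00: %ASA-6-106100: access-list dmz_access_in permitted tcp "
    "DMZ/10.2.2.5(40002) -> OUTSIDE/203.0.113.9(80) hit-cnt 1 first hit "
    "[0x5e6f7a8b, 0x0]",
    "Feb 22 2012 11:02:00: %ASA-6-302013: Built outbound TCP connection 12345 for "
    "OUTSIDE:203.0.113.9/80 (203.0.113.9/80) to DMZ:10.2.2.5/40002 (10.2.2.5/40002)",
]


if __name__ == "__main__":
    for (acl, ace_hash), counts in sorted(severity_by_ace(SAMPLE_LOG).items()):
        print(f"{acl} {ace_hash}: {dict(counts)}")
    print("mixed severity:", mixed_severity_aces(SAMPLE_LOG))
```

Feed it the output of `show logging` (or the syslog server's file) instead of SAMPLE_LOG. An ACE hash that only ever appears at one severity behaves the way Ben describes; a hash that appears at two severities, as the constructed inside_access_in lines do, is the case Karl reports and is the one to track down with `show access-list`, where the same hash is printed next to the ACE.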
10-11-2012 12:51 AM
Hi Karl,
I do see a small difference between those 2 different levels of errors, %ASA-4-106100 & %ASA-6-106100. In this, level 4 is generated by the ASA and level 6 is triggered for syslogging.
So whichever ACL you have pointed with log is triggered with level 6, and wherever you have the plain deny rule, the logs will be triggered with level 4.
For %ASA-6-106100
================
http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279924
%ASA-4-106100
=============
http://www.cisco.com/en/US/docs/security/asa/asa83/system/message/logmsgs.html#wp4769049
Please do rate if the given information helps.
By
Karthik