CSA logging even though logging is turned off

jjkruege
Level 1

I have set up CSA for several users. One of the log messages we receive on many hosts is the UPNP port 1900 blocked messages. I would like to leave the rule itself alone so we can use it in other groups, so I created an exception. I set it up as a high priority deny and did not check the "log" box. I assumed that this would just silently deny the connections. Unfortunately, I still receive hundreds of messages in my log about UPNP.

From the log I can see that it fired from my exception policy, not from the base policy. I had to make it a high priority deny in order to make it above all the other denies. Am I doing something wrong with this exception policy or will I always be stuck with these log messages?

Thanks,

Josh

7 Replies

tsteger1
Level 8

You need to set it to "take precedence over other deny rules". The first rule logs it and your second one can't unlog it. I would also put it in the same policy.

I don't think that it is a rule ordering issue though. The rule ID that is firing is actually from my exception rule. That rule is not supposed to log. I made it a high priority deny so that it would be placed above the regular deny that was firing previously.

Is the "take precedence" box checked? That is the preferred method to keep rules from logging (see Manipulating Precedence in the CSAMC help). Also, are you in test mode? It will log in test mode even if you have logging turned off and that box checked.

Try it, it works for us.

Ahhh, that must be it. We do have the "take precedence" box checked, but we have them in test mode. I will move them out of test mode and see if the logging messages go away. That is strange. I would have expected the logging to not happen in test mode too. Oh well. Thanks for the help!

Josh

I am having the same problem as the user who originally posted in this forum:

1) Rule is a DENY for SSDP services

2) Take precedence over other Deny rules is checked

3) Logging is unchecked

However, this rule is still logging deny actions. I am trying to cut down on unnecessary logging and this is taking up about 10 percent of our logs (about 2000 logs a day).

Any help would be greatly appreciated.

I'm guessing that there is either:

1. Another rule stepping on it

2. There is a deny/strong deny mismatch

3. It's in test mode.

If any of these are true, you'll see that behavior.

What version? CSA 5.2 has the rule preconfigured as part of the XP Remote Control Module.

Tom

Thanks, actually I found it. There was a rule override for logging on the group level. I believe that was a cause of the problem. I swore I had already turned it off, but I guess I was mistaken.

*Note* I am the same user as above, I just had my user ID changed.
