cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5909
Views
13
Helpful
6
Replies

How do I get ASA access-list "permit" entries into my logging buffer?

jimmyc_2
Beginner
Beginner

I can not seem to view my "permit" entries in the log on my ASA 5520.

Is it possible?

I set up logging-lists, changed the level to 3 on  the logging statement, and simply can't find it anywhere.

Partial config:

logging enabled

logging timestamp

logging JC-L3 level errors

logging monitor JC-L3

logging buffered JC-L3

logging trap notifications

logging history warnings

logging flash-bufferwrap

no logging message 111007

logging rate-limit 15 60 level 3

Thanks

jimmyc

2 Accepted Solutions

Accepted Solutions

Shrikant Sundaresh
Cisco Employee
Cisco Employee

Hi Jimmy,

You need to log the syslog id 106100 in your logging list. Also you would have to add the "log" keyword at the end of the access-list entry for which you want to see the logs.

Hope this helps.

-Shrikant

P.S.: Please mark the question resolved if it has been answered. Do rate helpful posts. Thanks

View solution in original post

Hi Jimmy,

Using logs to determine which access-list hasn't been used in some time, wouldn't be appropriate.

Use the command "clear access-list counter" to make all counters 0 for that access-list.

After a week or two of monitoring, use the command:

sh access-list | in hitcnt=0

This will show you all the access-list entries that haven't matched any traffic.

You can then proceed to remove them, after manually reviewing if they are needed or not.

Hope this helps.

-Shrikant

View solution in original post

6 Replies 6

Shrikant Sundaresh
Cisco Employee
Cisco Employee

Hi Jimmy,

You need to log the syslog id 106100 in your logging list. Also you would have to add the "log" keyword at the end of the access-list entry for which you want to see the logs.

Hope this helps.

-Shrikant

P.S.: Please mark the question resolved if it has been answered. Do rate helpful posts. Thanks

Thanks, I tweaked paramaters, and most of what I need works.

If you use ASDM to set a permit statement to "log, level 3"  why doesn't it show up as "ASA-3...." statement?   That threw me way off.  I gave up and set it to Level 6, and am getting "ASA-6" messages. 

Have you used logging lists?  How do I get that into my buffer or syslog; all the example show how to get it to console.

thanks again

jimmyc

Hi Jimmy,

You can change the default logging level of a particular syslog, using the following command:

logging message level

So if you want the ACL logs to log at level 3, you would need to do:

logging message 106100 level 3

To log to buffer:

logging buffer

To log to syslog server:

logging trap

logging host

Hope this helps.

-Shrikant

Thanks Shrikant,

Here is my big picture dilema.   I've got an ASA configuration that I inherited from an old Checkpoint, and it has a ton of "permit" statements that are no longer relevant, and those statements should be deleted.  These permit statements are not isolated, but are part of several  large rule-sets.

If I do a "show access-list access-list-bob" it breaks down every individual line, with it's hit count.  I need to confirm the ones that have a hit count=0 have not used in the past several months.

My syslog statements are not showing the permit statements with hitcnt=0, so I can't go back to confirm it's okay to delete those rules.

Thanks

Hi Jimmy,

Using logs to determine which access-list hasn't been used in some time, wouldn't be appropriate.

Use the command "clear access-list counter" to make all counters 0 for that access-list.

After a week or two of monitoring, use the command:

sh access-list | in hitcnt=0

This will show you all the access-list entries that haven't matched any traffic.

You can then proceed to remove them, after manually reviewing if they are needed or not.

Hope this helps.

-Shrikant

Good advice, many thanks!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: