Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
5909
Views
13
Helpful
6
Replies

How do I get ASA access-list "permit" entries into my logging buffer?

Go to solution
jimmyc_2
Beginner
Beginner

ā€Ž04-07-2011 11:27 AM - edited ā€Ž03-11-2019 01:18 PM

I can not seem to view my "permit" entries in the log on my ASA 5520.

Is it possible?

I set up logging-lists, changed the level to 3 on  the logging statement, and simply can't find it anywhere.

Partial config:

logging enabled

logging timestamp

logging JC-L3 level errors

logging monitor JC-L3

logging buffered JC-L3

logging trap notifications

logging history warnings

logging flash-bufferwrap

no logging message 111007

logging rate-limit 15 60 level 3

Thanks

jimmyc

1 person had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Shrikant Sundaresh
Cisco Employee
Cisco Employee

ā€Ž04-07-2011 11:38 AM

Hi Jimmy,

You need to log the syslog id 106100 in your logging list. Also you would have to add the "log" keyword at the end of the access-list entry for which you want to see the logs.

Hope this helps.

-Shrikant

P.S.: Please mark the question resolved if it has been answered. Do rate helpful posts. Thanks

View solution in original post

Go to solution
Shrikant Sundaresh
Cisco Employee
Cisco Employee
In response to jimmyc_2

ā€Ž04-10-2011 06:22 AM

Hi Jimmy,

Using logs to determine which access-list hasn't been used in some time, wouldn't be appropriate.

Use the command "clear access-list counter" to make all counters 0 for that access-list.

After a week or two of monitoring, use the command:

sh access-list | in hitcnt=0

This will show you all the access-list entries that haven't matched any traffic.

You can then proceed to remove them, after manually reviewing if they are needed or not.

Hope this helps.

-Shrikant

View solution in original post

6 Replies 6

Go to solution
Shrikant Sundaresh
Cisco Employee
Cisco Employee

ā€Ž04-07-2011 11:38 AM

Hi Jimmy,

You need to log the syslog id 106100 in your logging list. Also you would have to add the "log" keyword at the end of the access-list entry for which you want to see the logs.

Hope this helps.

-Shrikant

P.S.: Please mark the question resolved if it has been answered. Do rate helpful posts. Thanks

Go to solution
jimmyc_2
Beginner
Beginner
In response to Shrikant Sundaresh

ā€Ž04-07-2011 12:49 PM

Thanks, I tweaked paramaters, and most of what I need works.

If you use ASDM to set a permit statement to "log, level 3"  why doesn't it show up as "ASA-3...." statement?   That threw me way off.  I gave up and set it to Level 6, and am getting "ASA-6" messages. 

Have you used logging lists?  How do I get that into my buffer or syslog; all the example show how to get it to console.

thanks again

jimmyc

0 Helpful

Go to solution
Shrikant Sundaresh
Cisco Employee
Cisco Employee
In response to jimmyc_2

ā€Ž04-07-2011 01:14 PM

Hi Jimmy,

You can change the default logging level of a particular syslog, using the following command:

logging message level

So if you want the ACL logs to log at level 3, you would need to do:

logging message 106100 level 3

To log to buffer:

logging buffer

To log to syslog server:

logging trap

logging host

Hope this helps.

-Shrikant

Go to solution
jimmyc_2
Beginner
Beginner
In response to Shrikant Sundaresh

ā€Ž04-08-2011 01:02 PM

Thanks Shrikant,

Here is my big picture dilema.   I've got an ASA configuration that I inherited from an old Checkpoint, and it has a ton of "permit" statements that are no longer relevant, and those statements should be deleted.  These permit statements are not isolated, but are part of several  large rule-sets.

If I do a "show access-list access-list-bob" it breaks down every individual line, with it's hit count.  I need to confirm the ones that have a hit count=0 have not used in the past several months.

My syslog statements are not showing the permit statements with hitcnt=0, so I can't go back to confirm it's okay to delete those rules.

Thanks

0 Helpful

Go to solution
Shrikant Sundaresh
Cisco Employee
Cisco Employee
In response to jimmyc_2

ā€Ž04-10-2011 06:22 AM

Hi Jimmy,

Using logs to determine which access-list hasn't been used in some time, wouldn't be appropriate.

Use the command "clear access-list counter" to make all counters 0 for that access-list.

After a week or two of monitoring, use the command:

sh access-list | in hitcnt=0

This will show you all the access-list entries that haven't matched any traffic.

You can then proceed to remove them, after manually reviewing if they are needed or not.

Hope this helps.

-Shrikant

Go to solution
jimmyc_2
Beginner
Beginner
In response to Shrikant Sundaresh

ā€Ž04-11-2011 06:59 AM

Good advice, many thanks!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents