Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2779
Views
0
Helpful
1
Replies

logging enabled on ACL rule on an ASA

Go to solution
Kevin Melton
Level 2
Level 2

‎10-12-2010 12:47 PM - edited ‎03-11-2019 11:53 AM

Forum

I am working at a Cisco customer site today.  While looking at some configurations on the customer firewall, I happened to notice that the ACL that they have on their WAN interface on the ASA had a permit ip any any at the end of the ACL.  I asked them if they had ever monitored that entry to see what was using it so that a more specific rule could be written to allow traffic that was needed, and ultimately get rid of the "permit ip any any" altogether.

I noticed the the Hit Count on the ACL entry at the end of the ACL would get a hit count every 30 minutes or so.  I went in and enabled logging on the ACL rule.  I have seen several more hits against the ACE, but for some reason, I do not see in the log any data for this.


This brings me to this question:  What log does the ACL write to if "logging" is enabled on a specific ACE?  I would have thought it was the log buffer, but that is where I am looking, and I dont see the data.

Thanks

Kevin

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mirober2
Cisco Employee
Cisco Employee

‎10-12-2010 01:31 PM

Hi Kevin,

By default, the hit will be logged to any logging destinations you have configured on level 6. The syslog ID is %ASA-6-106100.

Do you have buffered logging configured at level 6 (informational) or 7 (debugging)? If so, you should see the hits logged there.  If not, check to make sure you don't have message 106100 disabled. Also check the output of 'show logging queue' to see if the firewall is logging too many messages and dropping some.

Hope that helps.

-Mike

View solution in original post

0 Helpful
1 Reply 1

Go to solution
mirober2
Cisco Employee
Cisco Employee

‎10-12-2010 01:31 PM

Hi Kevin,

By default, the hit will be logged to any logging destinations you have configured on level 6. The syslog ID is %ASA-6-106100.

Do you have buffered logging configured at level 6 (informational) or 7 (debugging)? If so, you should see the hits logged there.  If not, check to make sure you don't have message 106100 disabled. Also check the output of 'show logging queue' to see if the firewall is logging too many messages and dropping some.

Hope that helps.

-Mike

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card