logging enabled on ACL rule on an ASA

Kevin Melton
Level 2

I am working at a Cisco customer site today.  While looking at some configurations on the customer firewall, I happened to notice that the ACL that they have on their WAN interface on the ASA had a permit ip any any at the end of the ACL.  I asked them if they had ever monitored that entry to see what was using it so that a more specific rule could be written to allow traffic that was needed, and ultimately get rid of the "permit ip any any" altogether.

I noticed that the Hit Count on the ACL entry at the end of the ACL would get a hit count every 30 minutes or so.  I went in and enabled logging on the ACL rule.  I have seen several more hits against the ACE, but for some reason, I do not see in the log any data for this.


This brings me to this question:  What log does the ACL write to if "logging" is enabled on a specific ACE?  I would have thought it was the log buffer, but that is where I am looking, and I don't see the data.

Thanks

Kevin

Accepted Solution

mirober2
Cisco Employee

Hi Kevin,

By default, the hit will be logged to any logging destinations you have configured on level 6. The syslog ID is %ASA-6-106100.

Do you have buffered logging configured at level 6 (informational) or 7 (debugging)? If so, you should see the hits logged there.  If not, check to make sure you don't have message 106100 disabled. Also check the output of 'show logging queue' to see if the firewall is logging too many messages and dropping some.

Hope that helps.

-Mike

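Once 106100 messages are reaching a logging destination, the next step in Kevin's plan is to work out what traffic the catch-all ACE is actually matching. The following Python script is an added example, not code from the thread or from Cisco: it parses the documented 106100 message format (`access-list <acl> permitted|denied|est-allowed <proto> <ifc>/<src>(<port>) -> <ifc>/<dst>(<port>) hit-cnt <n> first hit|<N>-second interval`), sums `hit-cnt` per destination/port for permitted hits on one ACL, and renders the specific ACEs that could replace the `permit ip any any`. The log lines, the ACL name `outside_access_in` and every address are constructed samples.

```python
"""Summarize ASA %ASA-6-106100 ACE-hit syslogs to replace a catch-all permit.

Added example (not from the forum thread). SAMPLE_LOG is constructed; the
ACL name 'outside_access_in' and all addresses are assumptions.
"""
import re
from collections import defaultdict

# The severity digit is matched loosely because 'logging message 106100 level X'
# re-levels the message (e.g. %ASA-7-106100) without changing its body.
MSG_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_ifc>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_ifc>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+) (?P<period>first hit|\d+-second interval)"
)

# Constructed sample of 'show logging' output. Same flow appears twice:
# once as 'first hit' and once as the interval summary (default 300 s).
SAMPLE_LOG = """\
Jun 12 2024 09:00:01 fw1 : %ASA-6-106100: access-list outside_access_in permitted tcp outside/203.0.113.5(51234) -> inside/192.0.2.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Jun 12 2024 09:05:01 fw1 : %ASA-6-106100: access-list outside_access_in permitted tcp outside/203.0.113.5(51234) -> inside/192.0.2.10(443) hit-cnt 17 300-second interval [0x1a2b3c4d, 0x0]
Jun 12 2024 09:07:44 fw1 : %ASA-6-106100: access-list outside_access_in permitted udp outside/198.51.100.20(53) -> inside/192.0.2.53(53) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
Jun 12 2024 09:09:10 fw1 : %ASA-6-106100: access-list outside_access_in permitted icmp outside/198.51.100.9(0) -> inside/192.0.2.10(0) hit-cnt 1 first hit [0x9c0d1e2f, 0x0]
Jun 12 2024 09:10:00 fw1 : %ASA-6-106100: access-list outside_access_in denied tcp outside/203.0.113.77(40000) -> inside/192.0.2.10(23) hit-cnt 1 first hit [0x3a4b5c6d, 0x0]
Jun 12 2024 09:12:30 fw1 : %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:192.0.2.10/443 (192.0.2.10/443)
"""


def parse_106100(text):
    """Yield one dict per 106100 message; lines with other syslog IDs are skipped."""
    for line in text.splitlines():
        m = MSG_106100.search(line)
        if m:
            rec = m.groupdict()
            rec["hits"] = int(rec["hits"])
            yield rec


def summarize_permits(text, acl):
    """Sum hit-cnt per (proto, dst, dport) for 'permitted' hits on one ACL.

    hit-cnt counts matches within one reporting interval (1 on 'first hit'),
    so adding it across all messages for a flow gives its total matches.
    """
    totals = defaultdict(int)
    for rec in parse_106100(text):
        if rec["acl"] == acl and rec["action"] == "permitted":
            totals[(rec["proto"], rec["dst"], rec["dport"])] += rec["hits"]
    return dict(totals)


def suggest_aces(totals, acl):
    """Return (ACE text, hits) pairs, busiest flow first.

    Source stays 'any' here; tighten it further if the sources are stable.
    """
    suggestions = []
    for (proto, dst, dport), hits in sorted(totals.items(), key=lambda kv: -kv[1]):
        ace = f"access-list {acl} extended permit {proto} any host {dst}"
        if proto in ("tcp", "udp"):
            ace += f" eq {dport}"
        suggestions.append((ace, hits))
    return suggestions


if __name__ == "__main__":
    totals = summarize_permits(SAMPLE_LOG, "outside_access_in")
    for ace, hits in suggest_aces(totals, "outside_access_in"):
        print(f"{hits:6d}  {ace}")
```

Feed it a `show logging` capture or a syslog-server export for the full monitoring window before trusting the counts: a flow that is only seen at 30-minute intervals, as in the question, needs hours of data before its hit totals mean anything, and any drops reported by `show logging queue` leave gaps the script cannot see.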