1557 Views · 5 Helpful · 1 Reply

Logging for a specific ACL line

marcos.sousa7
Level 1

Hello, I'm currently evaluating rules on ASA.

There are some rules applied, but some of the traffic does not match those rules. I created a rule allowing everything and I need to see what traffic is hitting this specific rule on line 3.

Example:
access-list OUTSIDE_IN line 1 extended permit tcp 10.1.16.0 255.255.255.0 10.153.224.0 255.255.240.0 eq 88
access-list OUTSIDE_IN line 2 extended permit udp 10.1.16.0 255.255.255.0 10.153.224.0 255.255.240.0 eq domain
access-list OUTSIDE_IN line 3 extended permit ip 10.1.16.0 255.255.255.0 10.153.224.0 255.255.240.0 log informational

When I enable log, I see all the traffic, not only the traffic I wanted. Is there a way to see only the traffic matching line 3?

Regards

1 Reply

Milan Mesic
Level 1

Hi Marcos,

You see all traffic because lines without the "log" keyword at the end of the ACL line are still logged, see:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/command/ref/refgd/a1.html#wp1564948

... If you enter the log keyword without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). If you do not enter the log keyword, then the default system log message 106023 is generated...

So what you can do is, instead of "log informational", put "log warnings" to log this ACL line 3 at syslog level 4 (warnings), and in addition decrease the logging level that is visible for the method you use to monitor logs, for example some of the following lines (depending on whether you monitor logs at a syslog server, on the terminal, or from the local buffer (show logg command)):

hostname(config)# logging trap warnings
hostname(config)# logging enable
hostname(config)# logging monitor warnings
hostname(config)# terminal monitor
hostname(config)# logging buffered warnings

Also, before any significant changes to ASA configuration, migrations, software upgrades, etc., I always recommend testing the configuration with fw123test:

http://www.networksea.com/fw123test/

BR,

Milan
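As an added illustration of the approach in this reply (this is example code written for this page, not anything from the thread or from Cisco), the script below takes constructed ASA syslog 106100 messages, keeps the ones that are at severity 4 (warnings) or more severe, as the "log warnings" plus "logging ... warnings" combination would leave visible, and independently re-evaluates each logged flow against the three OUTSIDE_IN entries from the question in first-match order, so you can confirm that a flow really landed on line 3 (everything from the source subnet to the destination subnet that is not TCP/88 or UDP/53) rather than on lines 1 or 2. The sample log lines, the levels assigned to them and the helper names are all constructed for the example.

```python
import ipaddress
import re

# Constructed ACL, mirroring the three OUTSIDE_IN entries quoted in the
# question: (line, protocol, source net, destination net, destination port).
# "eq domain" is port 53; "ip" matches any protocol and any port.
ACL = [
    (1, "tcp", "10.1.16.0/255.255.255.0", "10.153.224.0/255.255.240.0", 88),
    (2, "udp", "10.1.16.0/255.255.255.0", "10.153.224.0/255.255.240.0", 53),
    (3, "ip",  "10.1.16.0/255.255.255.0", "10.153.224.0/255.255.240.0", None),
]

# Fields of ASA syslog 106100 used by the checks below (the trailing
# hit-cnt and hash codes are ignored).
LOG_RE = re.compile(
    r"%ASA-(?P<level>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\w+) "
    r"\S+/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> \S+/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

# Constructed sample log lines: flows on lines 1 and 2 logged at the default
# level 6, flows on line 3 at level 4 as "log warnings" would produce, plus
# one unrelated 302013 message that must be ignored.
SAMPLE_LOGS = [
    "%ASA-6-106100: access-list OUTSIDE_IN permitted tcp outside/10.1.16.5(51000) -> inside/10.153.224.10(88) hit-cnt 1 first hit [0x0, 0x0]",
    "%ASA-6-302013: Built inbound TCP connection 12 for outside:10.1.16.5/51000 (10.1.16.5/51000) to inside:10.153.224.10/88 (10.153.224.10/88)",
    "%ASA-6-106100: access-list OUTSIDE_IN permitted udp outside/10.1.16.5(51001) -> inside/10.153.230.2(53) hit-cnt 1 first hit [0x0, 0x0]",
    "%ASA-4-106100: access-list OUTSIDE_IN permitted tcp outside/10.1.16.7(51002) -> inside/10.153.224.20(443) hit-cnt 1 first hit [0x0, 0x0]",
    "%ASA-4-106100: access-list OUTSIDE_IN permitted icmp outside/10.1.16.8(0) -> inside/10.153.225.1(0) hit-cnt 1 first hit [0x0, 0x0]",
]


def ace_matches(ace, proto, src, dst, dport):
    """True if one ACE covers the flow (protocol, both addresses, destination port)."""
    _, ace_proto, src_net, dst_net, ace_port = ace
    if ace_proto != "ip" and ace_proto != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(src_net, strict=False):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(dst_net, strict=False):
        return False
    return ace_port is None or ace_port == dport


def first_match(acl, proto, src, dst, dport):
    """Line number of the first matching ACE, or None for the implicit deny."""
    for ace in acl:
        if ace_matches(ace, proto, src, dst, dport):
            return ace[0]
    return None


def parse_106100(line):
    """Parse one 106100 message into a dict; return None for any other message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["level"] = int(d["level"])
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def classify_logs(log_lines, acl, acl_name):
    """For every 106100 hit on acl_name, record which ACL line the flow matches."""
    out = []
    for line in log_lines:
        d = parse_106100(line)
        if d is None or d["acl"] != acl_name:
            continue
        d["line"] = first_match(acl, d["proto"], d["src"], d["dst"], d["dport"])
        out.append(d)
    return out


def at_most_level(log_lines, max_level):
    """The reply's filter: keep 106100 messages at severity max_level or more severe."""
    return [d for d in map(parse_106100, log_lines) if d and d["level"] <= max_level]


if __name__ == "__main__":
    for d in classify_logs(SAMPLE_LOGS, ACL, "OUTSIDE_IN"):
        print(f"line {d['line']} level {d['level']} {d['proto']} "
              f"{d['src']} -> {d['dst']}:{d['dport']}")
```

The severity filter is what the ASA does for you once "logging monitor warnings" (or trap/buffered) is set; the first-match re-evaluation is the independent check worth running on exported logs, because a permit on line 3 only means "not TCP/88 and not UDP/53 between those subnets", and seeing the protocol and port breakdown of those flows is usually what tells you which narrower rules are still missing.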
