5515 Views, 0 Helpful, 15 Replies

Missing traffic log on ASA

Wai Nam Mao
Level 1

I have two ASAs forming a cluster; part of the configuration is below.

The hit count of this ACE is very, very large, so I expected to receive a lot of log entries on ASDM and the log server. However, I found that I only receive part of the logs, yes, PART of them: let's say 100 packets hit this ACE, but I only receive about 1 to 2 log entries.

I tried a failover, a reboot and an upgrade; none of it worked. I also plugged a log server directly into the ASA, but the problem remained the same.

access-list inside_access_in extended permit udp any any eq domain log

logging enable

logging console informational

logging buffered debugging

logging trap warnings

logging history informational

logging asdm informational

logging facility 22

logging host inside 1.1.1.1

Cisco Adaptive Security Appliance Software Version 8.2(5)

Device Manager Version 7.0(2)

3 Accepted Solutions

Hello Wai,

well that is expected,

If you enter the log option without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). See the following options:

level—A severity level between 0 and 7. The default is 6.

interval secs—The time interval in seconds between system messages, from 1 to 600. The default is 300. This value is also used as the timeout value for deleting an inactive flow.

disable—Disables all access list logging.

default—Enables logging to message 106023. This setting is the same as having no log option.

As you can see, there is an interval for each of the hits, so you can try to customize it as you want, but I mean, you already know it's being hit; why should we waste CPU on this?

Remember to rate all of the helpful posts, that is as important as a thanks :D

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

15 Replies

Julio Carvajal
VIP Alumni

Hello Wai,

Hmm, what is the log ID you are receiving for this?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

%ASA-6-302016

%ASA-6-302015

%ASA-6-302013

We can receive those logs on both ASDM and the syslog server; however, not all of the logs we are supposed to receive.

Syslog logging: enabled

    Facility: 22

    Timestamp logging: disabled

    Standby logging: disabled

    Debug-trace logging: disabled

    Console logging: level informational, 6904 messages logged

    Monitor logging: disabled

    Buffer logging: level debugging, 7175 messages logged

    Trap logging: level warnings, facility 22, 360 messages logged

        Logging to inside 172.16.10.50

    History logging: level informational, 6903 messages logged

    Device ID: disabled

    Mail logging: disabled

    ASDM logging: level informational, 6903 messages logged

Hello Wai,

Those logs are not related to ACL hits, so that is expected

You should be looking for this:

106023

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

May I ask the log ID for permitted packets?

Since 106023 is for packets denied by the ACL, right?

Wai,

Here it is

106100

remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I found it:

%ASA-6-106100: access-list outside_access_in permitted tcp outside/101.226.33.205(50827) -> dmz/10.0.0.71(80)

%ASA-4-106023: Deny tcp src dmz:10.0.0.71/3079 dst outside:119.57.54.51/8080 by access-group "dmz_access_in"

I am facing the same problem with these two types of log:

the log is missing; it does not appear every time the ACE is hit.

Hello Wai,

Really? Can you share your access-list and logging configuration please?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ASA# show run log

logging enable

logging console informational

logging buffered debugging

logging trap warnings

logging history informational

logging asdm informational

logging facility 22

logging host inside 172.16.10.50

and one of our ACEs:

access-list inside_access_in extended permit udp host 172.16.10.18 any eq domain log

Hello Wai,

Hmm, you should be getting them on the syslog server at least (if you are sending a lot of traffic to the local buffer of the ASA, it might get oversubscribed by the time you go and check it).

Can you double check it on the server side for me please?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I got the same result on my syslog server; just a part of the logs is received. I also tried taking the ASA offline, directly connecting a syslog server and changing the log server setting on the ASA. Then I opened Wireshark and found that the ASA is not sending out those logs at all; the ASA just sends part of them.

Hmm,

what version are you running?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

8.2(5)

Hello Wai,

106100

That is the one we should be looking at

Remember this :

When you enable logging for message 106100, if a packet matches an ACE, the ASA creates a flow entry to track the number of packets received within a specific interval. The ASA generates a system message at the first hit and at the end of each interval, identifying the total number of hits during the interval. At the end of each interval, the ASA resets the hit count to 0. If no packets match the ACE during an interval, the ASA deletes the flow entry.

Permitted packets that belong to established connections do not need to be checked against access lists; only the initial packet is logged and included in the hit count. For connectionless protocols, such as ICMP, all packets are logged, even if they are permitted, and all denied packets are logged.

You are taking that into consideration right?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes. Since this firewall is handling thousands of users, I tried this: I put a permit any ACE at the top of the ACL, and found that I just receive a log entry in about 20 seconds.
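As an added example, not code from this thread or from Cisco, the Python below models the 106100 behaviour described in Julio's two replies above (the log keyword's level and interval arguments, the flow entry created on the first hit, the summary message at the end of each interval, the reset to 0 and the deletion of an idle flow) and then parses the resulting lines the way a log server would, so the real hit count can be recovered from the few lines the ASA sends. The flow-key granularity, the message layout beyond the fields shown in the thread's sample 106100 line (the trailing hit-cnt field), and the addresses, ports and timestamps are assumptions and constructed sample data.

```python
import re
from collections import defaultdict

# Added example (not code from this thread or from Cisco): a small model of the
# per-ACE flow tracking that the quoted documentation for message 106100
# describes, plus a parser that recovers per-flow totals from the few lines the
# ASA actually sends. Addresses, ports, timestamps and messages are constructed.
# Assumptions: the flow key is the (proto, src, sport, dst, dport) tuple we pass
# in, and an interval summary counts every hit in that interval, the first one
# included, so summaries are summed and 'first hit' lines only count new flows.

DEFAULT_INTERVAL = 300   # seconds: ASA default interval for the ACE 'log' keyword
DEFAULT_LEVEL = 6        # severity: ASA default level, hence %ASA-6-106100


def _msg(level, acl, key, hits, tag):
    proto, src, sport, dst, dport = key
    return (f"%ASA-{level}-106100: access-list {acl} permitted {proto} "
            f"inside/{src}({sport}) -> outside/{dst}({dport}) hit-cnt {hits} ({tag})")


def simulate_106100(packets, now, interval=DEFAULT_INTERVAL, level=DEFAULT_LEVEL,
                    acl="inside_access_in"):
    """packets: (t_seconds, flow_key) pairs for packets that reached the ACE.
    Returns the syslog lines the model emits up to time `now`."""
    flows = {}   # flow_key -> {"end": end of current interval, "hits": count}
    out = []

    def close_elapsed(key, t):
        # Emit a summary for every interval that ended at or before t; an
        # interval with no hits deletes the entry instead (idle flow timeout).
        f = flows.get(key)
        while f is not None and f["end"] <= t:
            if f["hits"] == 0:
                del flows[key]
                return None
            out.append(_msg(level, acl, key, f["hits"], f"{interval}-second interval"))
            f["hits"] = 0
            f["end"] += interval
        return f

    for t, key in sorted(packets):
        f = close_elapsed(key, t)
        if f is None:
            flows[key] = {"end": t + interval, "hits": 1}
            out.append(_msg(level, acl, key, 1, "first hit"))   # only line inside 1st interval
        else:
            f["hits"] += 1                                       # counted, not logged
    for key in list(flows):
        close_elapsed(key, now)                                  # timers firing up to `now`
    return out


LINE_RE = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) (?P<src>\S+) -> "
    r"(?P<dst>\S+) hit-cnt (?P<hits>\d+) \((?P<tag>[^)]+)\)")


def total_hits(syslog_lines):
    """Per (acl, action, proto, src, dst): number of flows seen ('first hit'
    lines) and total hits (sum of interval summaries). Lines with other message
    IDs, such as the 302013/302015 connection events, are ignored."""
    totals = defaultdict(lambda: {"flows": 0, "hits": 0})
    for line in syslog_lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        t = totals[(m["acl"], m["action"], m["proto"], m["src"], m["dst"])]
        if m["tag"] == "first hit":
            t["flows"] += 1
        else:
            t["hits"] += int(m["hits"])
    return dict(totals)


def demo():
    """100 DNS packets in 20 s on one flow, then 5 more after the interval ends:
    the model emits 3 lines, not 105, which matches the thread's observation."""
    key = ("udp", "172.16.10.18", "53012", "172.16.10.53", "53")
    pkts = [(0.2 * i, key) for i in range(100)] + [(310.0 + i, key) for i in range(5)]
    msgs = simulate_106100(pkts, now=700.0)
    return msgs, total_hits(msgs)


if __name__ == "__main__":
    lines, totals = demo()
    print("\n".join(lines))
    print(totals)
```

Passing a smaller `interval` to `simulate_106100` corresponds to the `log ... interval secs` argument: summaries arrive more often, but the ACE still produces one line per interval per flow rather than one per packet, which is the CPU trade-off Julio points to.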
