No I wanted to log all traffic entering and leaving a specific interface on the ASA.

could this be done on an IOS router ?

You can log everything by an acl applied to an interface, and you can do that on an ASA as well. You append the log keyword at the end of the ACE. The problem is that if you aren't logging the traffic somewhere, then the buffer in the router/ASA will fill up and eventually overwrite. You'll have no way of going back once that happens.

HTH,

John

ahh ok - but how do I get only the traffic from the ACL and not a bunch of other traffic ??

If you are logging to a syslog server, you won't be able to selectively choose what messages are logged unless you filter (all messages are logged by default per severity level and down), and your ACL traffic will be logged as well. This is where a good management system comes in to be able to search your logs. If they just want traffic on this interface, maybe you should look into Websense (quite expensive), or place some sort of IDS to just log traffic in and out of that interface. Either way, they'll still need to have something to be able to search what data they're looking for.

HTH,

John

What I do is the following:

I send all syslog messages to a syslog-ng server (running on linux)and then parse based on the traffic of interest.