Solved: Defining data flow (logging ACL to syslog issues)

jamescox3 · ‎05-03-2012

I have been recently tasked with documenting the data flow for a test dev system that we have. The over all goal is to create access-list based off of the data we find.

we currently have a 3825 with one WAN link, since the data flow is unknown right now I have created an access-list to permit any any log, and have it setup on the WAN interface.

We can see that we are sending messages to the syslog server but we are also seeing a lot of messages access-list logging rate-limited or missed 86111 packets.

What can I do to minimise those messages while getting as much data to the syslog server as possible. Searching the web on that message hasn't returned anything useful yet. But I'am newer to ACL logging.

Thanks for your help.

John Blakley · ‎05-03-2012

You can change the logging threshold:

ip access-list log-update threshold

If you want to catch everything, you'd change this number to 1. I'd caution you on this though because it's going to heavily tax the router.

HTH,

John

HTH, John *** Please rate all useful posts ***

View solution in original post

John Blakley · ‎05-03-2012

You can change the logging threshold:

ip access-list log-update threshold

If you want to catch everything, you'd change this number to 1. I'd caution you on this though because it's going to heavily tax the router.

HTH,

John

HTH, John *** Please rate all useful posts ***

jamescox3 · ‎05-03-2012

Thanks that appeared to work, I started with the value at 1000 and slowly steped it down until we started to see results we could use.

John Blakley · ‎05-03-2012

Good to hear!

HTH, John *** Please rate all useful posts ***