Cannot log ACL denies on 6509 SUP720 to syslog

ryan.lambert
Level 1

Hi all,

I am having a bit of an issue getting my denied hits on an access-list to log themselves to syslog (we do real-time alerting on it).

#sh ip access-lists VLAN7_OUT
Extended IP access list VLAN7_OUT
    9 deny tcp any host 192.168.1.211 eq www log-input (24 matches)
    20 permit ip any any (333 matches)

I see this in the logging buffer, but it's not getting exported -

Jul 30 09:23:33: %SEC-6-IPACCESSLOGP: list VLAN7_OUT denied tcp 192.168.51.167(52799) (Vlan51 <mac addr>) -> 192.168.1.211(80), 2 packets

I tried enabling OAL with the following:

Global: mls rate-limit unicast ip icmp unreachable acl-drop 0

Interface: logging ip access-list cache out (also tried in, just to be sure)

No dice, although I was able to see the info in a 'show logging ip access-list cache'.

Any thoughts how I get the above messages to Syslog on a 6509 Sup720 (PFC3)?

Thanks...



Roberto Rodriguez
Cisco Employee

Hi,

I would appreciate it if you could post the following outputs.

show run | inc logg

show logging

sh ver | inc image file

Thanks,

Robert Rodriguez

Hi Roberto,

Here you go.

Thanks.

CS1#sh run | i logg
logging userinfo
logging event link-status default
logging trap notifications
logging source-interface Loopback0
logging 192.168.9.72
logging 192.168.9.80
logging 192.168.50.131
privilege exec level 10 show logging

CS1#sh logging
Syslog logging: enabled (0 messages dropped, 150 messages rate-limited, 45 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 31919 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 108 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 32006 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level notifications, 31970 message lines logged
        Logging to 192.168.9.72, 31970 message lines logged, xml disabled,
               filtering disabled
        Logging to 192.168.9.80, 31970 message lines logged, xml disabled,
               filtering disabled
        Logging to 192.168.50.131, 515 message lines logged, xml disabled,
               filtering disabled

CS1#sh ver | inc image file
System image file is "sup-bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXH3a.bin"


As an aside, just to confirm I am not missing them: the "message lines logged" counters for my syslog destinations do not increase when I am able to get the ACL deny to show up in the buffer itself.

Hi Ryan,

Logging trap is set to notifications, which would be level 5 messages, as you can see.

Catalyst 6504(config)#logging trap ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)

From the log message that has been generated for you on the device, we can see that we have a message of level 6, which would be informational.

Jul 30 09:23:33: %SEC-6-IPACCESSLOGP: list VLAN7_OUT denied tcp 192.168.51.167(52799) (Vlan51 ) -> 192.168.1.211(80), 2 packets

Please type the following command and let me know if you get the messages in your syslog server.

logging trap information

If you check the output of "show logging", you will notice that logging to a host uses the logging trap level.

Trap logging: level notifications, 31970 message lines logged
        Logging to 192.168.9.72, 31970 message lines logged, xml disabled,
               filtering disabled

Let me know the outcome.
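As an added example that is not part of this thread or of Cisco's own tooling, the check below applies the rule Roberto describes: it pulls the severity digit out of the %FACILITY-SEVERITY-MNEMONIC header of an IOS log line and compares it with the trap level from a "logging trap" config line, using the keyword table above. The sample config and log lines are the ones quoted in this thread; the assumption that a missing "logging trap" line means the IOS default of informational (6), and that keywords may be abbreviated as on the CLI, are noted in the code.

```python
import re

# Cisco IOS "logging trap" keywords and their numeric levels, taken from
# the "logging trap ?" help output quoted above.
TRAP_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# %FACILITY-SEVERITY-MNEMONIC: the middle digit is the message severity.
MSG_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):")
TRAP_RE = re.compile(r"^\s*logging trap\s+(\S+)\s*$", re.MULTILINE)

def trap_level(running_config: str) -> int:
    """Numeric severity threshold for syslog hosts taken from the config.
    Assumption: no 'logging trap' line means the IOS default, informational (6).
    Numeric levels and abbreviated keywords are accepted, as on the CLI."""
    m = TRAP_RE.search(running_config)
    if not m:
        return 6
    token = m.group(1).lower()
    if token.isdigit():
        return int(token)
    hits = [lvl for kw, lvl in TRAP_LEVELS.items() if kw.startswith(token)]
    if len(hits) != 1:
        raise ValueError(f"ambiguous or unknown logging trap keyword: {token}")
    return hits[0]

def message_severity(line: str) -> int:
    """Severity digit from the %FAC-SEV-MNEMONIC header of one log line."""
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("no %FACILITY-SEVERITY-MNEMONIC header in line")
    return int(m.group("sev"))

def forwarded_to_syslog(line: str, running_config: str) -> bool:
    """A message reaches the syslog hosts only when its severity number is
    less than or equal to the trap level (lower number = more severe)."""
    return message_severity(line) <= trap_level(running_config)

# Constructed sample input: the ACL log line and config lines from the thread.
ACL_DENY = ("Jul 30 09:23:33: %SEC-6-IPACCESSLOGP: list VLAN7_OUT denied tcp "
            "192.168.51.167(52799) (Vlan51 ) -> 192.168.1.211(80), 2 packets")
CONFIG_BEFORE = "logging trap notifications\nlogging 192.168.9.72\n"
CONFIG_AFTER = "logging trap informational\nlogging 192.168.9.72\n"

if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(name, "trap level", trap_level(cfg),
              "forwarded:", forwarded_to_syslog(ACL_DENY, cfg))
```

Running it shows the level-6 ACL deny is dropped at the trap threshold of 5 and forwarded once the threshold is raised to 6, which is exactly why the buffer counter grew while the per-host "message lines logged" counters did not.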

Thanks. That worked. Never even thought to glance at that.

Appreciate the help.

Great I am glad it worked.
