Logging permitted and denied matches against a router's ACL

Sep 3rd, 2008

I have a 3825 router on my customer's border to the Internet. I wish to log both allowed and denied traffic so that it can be sent to our log correlation tool for PCI compliance.

I have examined the router's log, and it does not contain any information with respect to the "permitted" or "denied" traffic.

I configured the following statement to determine if I could get the results to write to the log, but it failed:

"permit tcp any any established log"

What do I need to configure to have all the "permits and denies" logged?

Is this relevant to the logging level?

Thanks!

Mark Yeates Wed, 09/03/2008 - 13:24

Kevin,

Yes, the ACL log feature is relevant to the logging level. You will need your logging level set to informational to see them in your logs.

HTH,

Mark

Kevin Melton Wed, 09/03/2008 - 13:28

Mark

I have it set to "debugging" already... Is that not inclusive of "informational" level??

Thank You

Mark Yeates Wed, 09/03/2008 - 13:36

Kevin,

It is inclusive if your logging is set to debugging. Do you have all the logging levels set to debugging or is this going to a syslog server?

Mark

Kevin Melton Wed, 09/03/2008 - 13:42

Here are the statements configured on the router:

bhigw2#sho run | inc log
service timestamps log datetime msec localtime
logging buffered 32768 debugging
no logging console
aaa authentication login default group tacacs+ local
login block-for 100 attempts 3 within 30
login delay 10
login quiet-mode access-class 199
login on-failure
login on-success
log config
permit tcp any any established log
logging trap debugging
logging 206.248.224.14

thx

Mark Yeates Wed, 09/03/2008 - 13:56

Kevin,

Your logging commands look good, which makes me wonder if you are not able to use log with the established command on the same access list line.

Mark

STEVE DUE Wed, 09/03/2008 - 15:37

Do you not have to have a line under the permit line that says "deny ip any any log"?

This should then send the info to be logged; otherwise it is just dropped and not logged.

Kevin Melton Thu, 09/04/2008 - 06:09

Mark

I ended up configuring the word logging behind all of the ACL entries in the ACL, and now I am getting "permitted" and "denied" entries within the log.

I am also getting another message:

051692: Sep 4 08:59:56.858: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 5291 packets

Can you explain what this logging rate-limited means?

Thanks again

Mark Yeates Thu, 09/04/2008 - 06:41

Kevin,

Glad you got that problem resolved. The rate limiting of messages prevents repetitive individual log messages from filling up your logging buffer and causing excessive CPU utilization. The default value for the ACL rate limit is five minutes.

HTH,

Mark
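As an added example (not from this thread, nor Cisco's own code), here is a small Python parser for the syslog feed that Kevin's "log" keyword now produces: it turns %SEC-6-IPACCESSLOGP / IPACCESSLOGDP permit and deny messages into structured records a correlation tool can ingest, and totals the packets that the %SEC-6-IPACCESSLOGRL "rate-limited or missed" message says never made it into the log. The sample lines are constructed in the IOS format; only the IPACCESSLOGRL line is the one Kevin quoted, and ACL entries using "log-input" produce extra interface/MAC fields this pattern does not handle.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample syslog lines in the IOS format shown in the thread; only the
# IPACCESSLOGRL line is from the thread, the addresses are documentation ranges.
SAMPLE_LOG = """\
051690: Sep 4 08:59:50.101: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(51234) -> 203.0.113.5(443), 1 packet
051691: Sep 4 08:59:52.410: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40000) -> 203.0.113.5(23), 3 packets
051692: Sep 4 08:59:56.858: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 5291 packets
051693: Sep 4 09:00:01.004: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.9 -> 203.0.113.5 (8/0), 1 packet
"""

# Per-flow permit/deny message (IPACCESSLOGP for tcp/udp, IPACCESSLOGDP for icmp).
# Port groups are absent for icmp, whose "(type/code)" is skipped by the lazy ".*?".
# Entries using "log-input" add interface/MAC fields this pattern does not cover.
ACL_HIT = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?.*?, (?P<count>\d+) packets?"
)
# Summary message emitted when the ACL logger throttles itself.
RATE_LIMITED = re.compile(r"%SEC-6-IPACCESSLOGRL: .*?(?P<missed>\d+) packets")

def parse_acl_log(text: str) -> Tuple[List[Dict], int]:
    """Return structured permit/deny hits and the total of 'missed' packets."""
    hits, missed = [], 0
    for line in text.splitlines():
        if m := ACL_HIT.search(line):
            hit = m.groupdict()
            for k in ("sport", "dport", "count"):
                hit[k] = int(hit[k]) if hit[k] is not None else None
            hits.append(hit)
        elif r := RATE_LIMITED.search(line):
            missed += int(r["missed"])
    return hits, missed

def summarize(text: str) -> Dict[str, float]:
    """Packet totals per action and the share of traffic that reached the log."""
    hits, missed = parse_acl_log(text)
    logged = sum(h["count"] for h in hits)
    return {
        "permitted": sum(h["count"] for h in hits if h["action"] == "permitted"),
        "denied": sum(h["count"] for h in hits if h["action"] == "denied"),
        "missed": missed,
        # Anything below 1.0 means the syslog feed is not a complete record.
        "coverage": logged / (logged + missed) if logged + missed else 1.0,
    }
```

For a PCI evidence trail the "coverage" figure is the one to watch: on the sample above the router reported 5 packets and admitted to missing 5291, so the log is not a packet-for-packet record of what crossed the border.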
