Logging permitted and denied matches against a router's ACL

Kevin Melton
Level 2

I have a 3825 router on my customer's border to the Internet. I wish to log both allowed and denied traffic so that it can be sent to our log correlation tool for PCI compliance.

I have examined the router's log, and it does not contain any information with respect to the "permitted" or "denied" traffic.

I configured the following statement to determine if I could get the results to write to the log, but it failed:

"permit tcp any any established log"

What do I need to configure to have all the "permits and denies" logged?

Is this relevant to the logging level?

Thanks!

8 Replies

Mark Yeates
Level 7

Kevin,

Yes, the ACL log feature is relevant to the logging level. You will need your logging level set to informational to see them in your logs.

HTH,

Mark

Mark,

I have it set to "debugging" already... Is that not inclusive of the "informational" level?

Thank You

Kevin,

It is inclusive if your logging is set to debugging. Do you have all the logging levels set to debugging or is this going to a syslog server?

Mark

Here are the statements configured on the router:

bhigw2#sho run | inc log
service timestamps log datetime msec localtime
logging buffered 32768 debugging
no logging console
aaa authentication login default group tacacs+ local
login block-for 100 attempts 3 within 30
login delay 10
login quiet-mode access-class 199
login on-failure
login on-success
log config
permit tcp any any established log
logging trap debugging
logging 206.248.224.14

thx

Kevin,

Your logging commands look good, which makes me wonder if you are not able to use log with the established command on the same access list line.

Mark

Do you not have to have a line under the permit line that says deny ip any any log?

This should then send the info to be logged; otherwise it is just dropped and not logged.

Mark

I ended up configuring the word logging behind all of the ACL entries in the ACL, and now I am getting "permitted" and "denied" entries within the log.

I am also getting another message:

051692: Sep 4 08:59:56.858: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 5291 packets

Can you explain what this logging rate-limited means?

Thanks again

Kevin,

Glad you got that problem resolved. The rate limit on messages prevents repetitive individual log messages from filling up your logging buffer and creating excessive CPU utilization. The default value for the ACL rate limit is five minutes.

HTH,

Mark
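Once every ACE carries "log", the router emits one syslog line per matched flow plus the IPACCESSLOGRL summary quoted above. As an added example, not from this thread or from Cisco, here is a small Python parser for those lines as they would reach the correlation tool; the sample entries are constructed, and the regexes assume the IPACCESSLOGP (tcp/udp) and IPACCESSLOGDP (icmp) message shapes.

```python
import re

# Constructed sample lines, not from the thread above, in the shape IOS uses once each
# ACE carries "log"; the IPACCESSLOGRL line is the one quoted in the thread.
SAMPLE_LOG = """\
051690: Sep 4 08:58:01.101: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.7(51234) -> 192.0.2.10(443), 1 packet
051691: Sep 4 08:58:02.202: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.9(4444) -> 192.0.2.10(22), 3 packets
051692: Sep 4 08:59:56.858: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 5291 packets
051693: Sep 4 09:00:10.000: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.9 -> 192.0.2.10 (8/0), 12 packets
"""

# Per-flow ACE hits (IPACCESSLOGP for tcp/udp, IPACCESSLOGDP for icmp); ports are optional.
ACE_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?.*?, (?P<count>\d+) packets?"
)
# Summary emitted when the router could not log every packet (rate limiter or cache miss).
RL_RE = re.compile(r"%SEC-6-IPACCESSLOGRL: .*?(?P<missed>\d+) packets")


def parse_line(line):
    """Return a dict for an ACE hit, {'missed': n} for a rate-limit line, else None."""
    m = ACE_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["count"] = int(rec["count"])
        return rec
    m = RL_RE.search(line)
    if m:
        return {"missed": int(m["missed"])}
    return None


def summarize(text):
    """Count logged packets per action and packets the router admits it did not log."""
    totals = {"permitted": 0, "denied": 0, "missed": 0}
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if "missed" in rec:
            totals["missed"] += rec["missed"]
        else:
            totals[rec["action"]] += rec["count"]
            records.append(rec)
    logged = totals["permitted"] + totals["denied"]
    # Share of traffic the ACL log actually covers; below 1.0 is a visibility gap an auditor
    # will ask about, so it belongs in the correlation tool next to the permit/deny hits.
    totals["coverage"] = logged / (logged + totals["missed"]) if logged + totals["missed"] else 1.0
    return totals, records
```

With the sample above, summarize(SAMPLE_LOG) reports 1 permitted and 15 denied packets logged against 5291 missed, i.e. the ACL log covered well under one percent of the traffic in that window.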
