09-03-2008 01:09 PM - edited 03-06-2019 01:09 AM
I have a 3825 router on my customer's border to the Internet. I wish to log both allowed and denied traffic so that it can be sent to our log correlation tool for PCI compliance.
I have examined the router's log, and it does not contain any information with respect to the "permitted" or "denied" traffic.
I configured the following statement to determine if I could get the results to write to the log, but it failed:
"permit tcp any any established log"
What do I need to configure to have all the "permits and denies" logged?
Is this relevant to the logging level?
Thanks!
09-03-2008 01:24 PM
Kevin,
Yes the ACL log feature is relevant to the logging level. You will need your logging level set to be informational to see them in your logs.
HTH,
Mark
09-03-2008 01:28 PM
Mark
I have it set to "debugging" already... Is that not inclusive of the "informational" level?
Thank You
09-03-2008 01:36 PM
Kevin,
It is inclusive if your logging is set to debugging. Do you have all the logging levels set to debugging or is this going to a syslog server?
Mark
09-03-2008 01:42 PM
Here are the statements configured on the router:
bhigw2#sho run | inc log
service timestamps log datetime msec localtime
logging buffered 32768 debugging
no logging console
aaa authentication login default group tacacs+ local
login block-for 100 attempts 3 within 30
login delay 10
login quiet-mode access-class 199
login on-failure
login on-success
log config
permit tcp any any established log
logging trap debugging
logging 206.248.224.14
thx
09-03-2008 01:56 PM
Kevin,
Your logging commands look good, which makes me wonder if you are not able to use log with the established command on the same access list line.
Mark
09-03-2008 03:37 PM
Do you not have to have a line under the permit line to say deny ip any any log?
This should then send the info to be logged; otherwise it is just dropped and not logged.
09-04-2008 06:09 AM
Mark
I ended up configuring the word logging behind all of the ACL entries in the ACL, and now I am getting "permitted" and "denied" entries within the log.
I am also getting another message:
051692: Sep 4 08:59:56.858: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 5291 packets
Can you explain what this logging rate-limited means?
Thanks again
09-04-2008 06:41 AM
Kevin,
Glad you got that problem resolved. The rate limit of messages prevents repetitive individual log messages from filling up your logging buffer and creating excessive CPU utilization. The default value for the ACL rate limit is five minutes.
HTH,
Mark
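A small parser for the ACL log records discussed in this thread, added here as an example (it is not code from the thread or from Cisco). The sample lines are constructed in the %SEC-6-IPACCESSLOGP format that IOS emits for TCP/UDP entries with the log keyword, plus the %SEC-6-IPACCESSLOGRL message Kevin quoted; the summary carries the "missed" count so a compliance feed shows when the router admits it did not log everything.

```python
import re
from collections import Counter

# Constructed sample syslog lines (RFC 5737 test addresses), in the format
# the thread shows; the IPACCESSLOGRL line is the one quoted in the post.
SAMPLE_LOG = """\
051690: Sep 4 08:59:51.101: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.7(44112) -> 198.51.100.10(443), 1 packet
051691: Sep 4 08:59:53.420: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(51200) -> 198.51.100.10(23), 3 packets
051692: Sep 4 08:59:56.858: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 5291 packets
051693: Sep 4 09:00:01.002: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.9(53) -> 198.51.100.10(161), 1 packet
"""

# Per-flow ACL record: list, action, protocol, src(port) -> dst(port), packet count.
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# Rate-limit notice: the router is telling you how many packets it did NOT log.
RL_RE = re.compile(r"%SEC-6-IPACCESSLOGRL: .*?(?P<missed>\d+) packets")


def parse_acl_line(line):
    """Parse one IOS ACL log line; return a dict, or None if it is not an ACL record."""
    m = ACL_RE.search(line)
    if m:
        rec = m.groupdict()
        for key in ("sport", "dport", "count"):
            rec[key] = int(rec[key])
        rec["kind"] = "acl"
        return rec
    m = RL_RE.search(line)
    if m:
        return {"kind": "rate_limited", "missed": int(m.group("missed"))}
    return None


def summarize(log_text):
    """Tally permitted/denied packets per ACL and the packets the router says it missed."""
    packets = Counter()
    missed = 0
    for line in log_text.splitlines():
        rec = parse_acl_line(line)
        if rec is None:
            continue  # unrelated syslog line (login events, config changes, ...)
        if rec["kind"] == "rate_limited":
            missed += rec["missed"]
        else:
            packets[(rec["acl"], rec["action"])] += rec["count"]
    # missed > 0 means the "permitted"/"denied" tallies are a lower bound, not a full record.
    return {"packets": dict(packets), "missed": missed, "complete": missed == 0}
```

Feed the output of `show logging` or the syslog server's file to summarize(); a non-zero "missed" value is the thing to flag to the PCI reviewer, since those packets never produced a per-flow record.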