Log Access List - External syslog

Answered Question
Feb 25th, 2009

Hi All,

Has anyone ever set up their ASA to log to an external server what traffic is flowing through access-lists?

I don't want to have to analyse the traffic with capture, as I would prefer to let the logs build up over a couple of weeks.

I want to harden the rule base, as IP is allowed between various networks. To achieve this successfully I want to log the access-lists externally so I don't miss any TCP/UDP ports etc.


Correct Answer by vikram_anumukonda about 7 years 12 months ago

The "test" is like a filter for what messages one wants to see on the syslog server.

The below link should help you understand better.



You can add the keyword "log" to any number of ACEs in your ACL and analyze it on the syslog.



vikram_anumukonda Wed, 02/25/2009 - 04:37

Do these steps:

1) logging on

2) logging list test message 106100

3) logging trap test

4) logging host <> x.x.x.x

106100 gives you ports and protocols for the permitted traffic. I have tried this config by having an "access-list inside permit ip any any log" to analyze what kind of traffic is traversing the firewall.

You can find the complete list of syslog message numbers here.
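The answer above sends 106100 messages to the syslog server; the original question is about letting them build up and then reading ports and protocols out of them to tighten the rule base. The following is an added example (not from this thread or from Cisco) that parses %ASA-6-106100 lines as they land on a syslog server and sums the hit counts per ACL, action, protocol and destination port. It assumes the message layout documented by Cisco for 106100 (access-list name, permitted/denied, protocol, interface/address(port) pairs, hit-cnt), that the syslog daemon prefixes each line with a timestamp and hostname, and the sample lines are constructed for the example.

```python
import re
from collections import Counter

# Regex for the ASA 106100 access-list message. Layout per Cisco's syslog
# documentation (assumed here):
#   %ASA-6-106100: access-list <acl> <permitted|denied|est-allowed> <proto>
#       <in_if>/<src>(<sport>) -> <out_if>/<dst>(<dport>) hit-cnt <n> ...
# search() is used so a syslog-server prefix (timestamp, hostname) does not matter.
# For tcp/udp the numbers in parentheses are ports; for other protocols
# (e.g. icmp) the ASA puts type/code there, so treat them accordingly.
MSG_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<in_if>[^/ ]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<out_if>[^/ ]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# Constructed sample lines in the form a syslog server would store them.
SAMPLE_LOG = """\
Feb 25 04:37:01 fw01 %ASA-6-106100: access-list inside permitted tcp inside/10.1.1.5(49152) -> dmz/10.2.2.10(443) hit-cnt 1 first hit [0x8c0d5c4e, 0x0]
Feb 25 04:37:02 fw01 %ASA-6-106100: access-list inside permitted tcp inside/10.1.1.7(49200) -> dmz/10.2.2.10(443) hit-cnt 3 300-second interval [0x8c0d5c4e, 0x0]
Feb 25 04:37:03 fw01 %ASA-6-106100: access-list inside permitted udp inside/10.1.1.5(53001) -> dmz/10.2.2.53(53) hit-cnt 12 300-second interval [0x1a2b3c4d, 0x0]
Feb 25 04:37:04 fw01 %ASA-6-106100: access-list outside_in denied tcp outside/198.51.100.9(40000) -> dmz/10.2.2.10(22) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
Feb 25 04:37:05 fw01 %ASA-6-302013: Built outbound TCP connection 1234 for dmz:10.2.2.10/443 (10.2.2.10/443) to inside:10.1.1.5/49152 (10.1.1.5/49152)
"""


def parse_106100(line):
    """Return the fields of a 106100 line as a dict, or None for any other message."""
    m = MSG_106100.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "hits"):
        rec[k] = int(rec[k])
    return rec


def summarize(lines, acl=None):
    """Sum hit counts per (acl, action, proto, dport).

    hit-cnt is summed rather than counting lines, because the ASA collapses
    repeated hits into one message per reporting interval. If acl is given,
    only that access-list is counted, which answers the "can I monitor each
    ACL separately" question: filter on the name carried in the message.
    """
    totals = Counter()
    for line in lines:
        rec = parse_106100(line)
        if rec is None or (acl is not None and rec["acl"] != acl):
            continue
        totals[(rec["acl"], rec["action"], rec["proto"], rec["dport"])] += rec["hits"]
    return totals


def report(totals):
    """Render the summary as lines sorted by hit count, busiest first."""
    rows = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return ["%-12s %-10s %-5s dport=%-5d hits=%d" % (a, act, p, d, n)
            for (a, act, p, d), n in rows]


if __name__ == "__main__":
    for row in report(summarize(SAMPLE_LOG.splitlines())):
        print(row)
```

Run over a few weeks of collected logs, the permitted rows tell you which protocol/port pairs the broad "permit ip" rule is actually carrying, which is the list to turn into specific ACEs; the denied rows show what the tightened rules would have stopped.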




darkbeatzz Wed, 02/25/2009 - 04:54

Thanks Vikram.

Does test in this command refer to an access-list called test?

darkbeatzz Wed, 02/25/2009 - 06:34

Let me be more clear.

Does the logging analyse all access-lists on the firewall, or can I specifically monitor each ACL?


