Show deny ACL logs on routers configure monitor session?

Unanswered Question
Apr 14th, 2009
hi,


I've done this in the past, but can't get it to work this time. All I want to do is show, on the configure monitor session of a router I have a telnet session with, the denied logs as and when they happen.


On my extended access list I have added a "deny ip any any log" then added "logging buffered 8192 notifications" and "logging trap notifications"


If I do a "show ip access-list" I get:


100 deny ip any any (304 matches)


So I know it is logging them but just not showing them, any ideas?


Thanks

thotsaphon Tue, 04/14/2009 - 05:29

Andy,

You should do things as follows:

deny ip any any log

logging buffered 8192 information


Edit: You may carefully add this command, "ip access-list log-update threshold 10". It will log a message per 10 hits/packets.


HTH,

Toshi

Giuseppe Larosa Tue, 04/14/2009 - 05:30

hello Andy,


you can do the following:


sh log


sh log | inc Apr 14


or simply


terminal monitor


but you need to add the log option at the end of the ACL statement to have logging in action:


100 deny ip any any log


Hope to help

Giuseppe


Edison Ortiz Tue, 04/14/2009 - 07:00

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i1.html#wp1042595


By default, the log messages are sent at the first matching packet and after that, identical messages are accumulated for 5-minute intervals, with a single message being sent with the number of packets permitted and denied during that interval. However, you can use the ip access-list log-update command to set the number of packets that, when they match an access list (and are permitted or denied), cause the system to generate a log message. You might want to do this to receive log messages more frequently than at 5-minute intervals.


HTH,


__


Edison.
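Added example, not from any poster in this thread: a small parser for the %SEC-6-IPACCESSLOG* lines that "show logging" and "terminal monitor" print, with a check of which messages survive a given "logging buffered" level. It ties together Toshi's point (ACL log messages are severity 6, so a buffer set to notifications, level 5, silently drops them) and Edison's (after the first packet, identical hits are summarised per 5-minute interval). The log lines are constructed samples, not output from the original poster's router.

```python
import re
from collections import Counter

# Severity keywords accepted by "logging buffered <level>" and their numeric values.
# ACL "log" messages are emitted at severity 6 (informational), one step below
# "notifications" (5), which is why a buffer set to notifications never shows them.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Matches IPACCESSLOGP (tcp/udp with ports), IPACCESSLOGDP (icmp, type/code after dst)
# and IPACCESSLOGNP (other protocols, numeric) message bodies.
ACL_LOG_RE = re.compile(
    r"%SEC-(?P<sev>\d)-(?P<mnemonic>IPACCESSLOG\w+): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \(\d+/\d+\))?, "
    r"(?P<count>\d+) packets?"
)

def parse_acl_log(line):
    """Return the fields of one ACL log line, or None for any other syslog line."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sev"] = int(fields["sev"])
    fields["count"] = int(fields["count"])
    return fields

def is_retained(line, level):
    """Would this message reach a buffer or terminal configured at <level>?"""
    m = re.search(r"%\w+-(\d)-\w+:", line)
    return bool(m) and int(m.group(1)) <= SEVERITY[level]

def denied_packets(lines, level):
    """Sum denied packets per (acl, src, dst) over the messages retained at <level>."""
    totals = Counter()
    for line in lines:
        f = parse_acl_log(line) if is_retained(line, level) else None
        if f and f["action"] == "denied":
            totals[(f["acl"], f["src"], f["dst"])] += f["count"]
    return dict(totals)

# Constructed sample: first hit logged immediately, then a 5-minute interval summary.
SAMPLE_LOG = """
*Apr 14 05:20:01.123: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.10(40123) -> 198.51.100.5(23), 1 packet
*Apr 14 05:20:02.456: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 192.0.2.11 -> 198.51.100.5 (8/0), 1 packet
*Apr 14 05:25:01.789: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.10(40123) -> 198.51.100.5(23), 303 packets
*Apr 14 05:25:02.000: %SEC-6-IPACCESSLOGNP: list 100 denied 47 192.0.2.12 -> 198.51.100.5, 2 packets
*Apr 14 05:26:00.000: %SEC-5-CONFIG_I: Configured from console by andy on vty0 (192.0.2.20)
""".strip().splitlines()

if __name__ == "__main__":
    print(denied_packets(SAMPLE_LOG, "notifications"))   # {}  (the symptom in the question)
    print(denied_packets(SAMPLE_LOG, "informational"))   # per-flow totals, 304 for the tcp flow
```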
