Logging (firewall)

Answered Question
Feb 28th, 2010

Is there any command that disables the logging at once regarding access lists?


Thank you.


Overall Rating: 5 (1 ratings)
Ganesh Hariharan Sun, 02/28/2010 - 22:45
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award, Member's Choice, February 2016

Is there any command that disables the logging at once regarding access lists?


Thank you.


Hi,


By default, logging message 106023 (default severity level 4, warnings) is generated when a deny access list entry is matched with a traffic flow. Only the overall ACL is listed in the message, with no reference to the actual denying ACL entry.
You can log messages when specific access control entries (ACEs, or individual permit/deny statements within an ACL) permit or deny a traffic flow by adding the log keyword to an ACE.


You can set the logging severity level on a per-ACE basis if needed. Otherwise, severity level 6 is the default.


Firewall(config)# access-list acl_name [extended] {permit | deny} ... log [level] [interval seconds]

Enter the access list entry normally, but add the log keyword at the end. If you want to log activity on this entry at a severity level other than 6, specify the level (1 to 7) too.


You can also re-enter the ACE with the log disable keywords to completely disable all ACE logging (both message IDs 106100 and 106023). In this case, the sample command would be re-entered as


Firewall(config)# access-list acl_out permit tcp any host 192.168.199.100 eq www log disable

Hope to Help !!


If helpful do rate the post


Ganesh.H
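
The behaviour described in the reply above, as an added example that is not part of the thread and not Cisco code: a Python audit of a saved configuration that reports which ACL syslog message (106023 or 106100) and severity each ACE should produce, and which ACEs carry log disable. The configuration text is constructed, the function names are hypothetical, and it assumes numeric severity levels and that syslog is on only when a "logging enable" line is present.

```python
import re

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
logging enable
access-list acl_out extended permit tcp any host 192.168.199.100 eq www log disable
access-list acl_out extended permit tcp any host 192.168.199.100 eq 443
access-list acl_out extended deny ip any any
access-list acl_in extended deny tcp any any eq 23 log 4 interval 120
access-list acl_in remark block telnet
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(.*)$")

def classify_ace(line):
    """Return the ACL syslog message an ACE produces, per the thread above."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None  # remarks and non-ACL lines carry no logging state
    acl, action, rest = m.groups()
    tokens = rest.split()
    result = {"acl": acl, "action": action, "message": None, "level": None,
              "explicitly_disabled": False}
    if "log" not in tokens:
        if action == "deny":  # default behaviour: 106023 at severity 4
            result.update(message="106023", level=4)
        return result
    opts = tokens[tokens.index("log") + 1:]
    if opts[:1] == ["disable"]:  # suppresses both 106100 and 106023
        result["explicitly_disabled"] = True
        return result
    # "log [level] [interval seconds]": severity 6 unless a level is given
    level = int(opts[0]) if opts and opts[0].isdigit() else 6
    result.update(message="106100", level=level)
    return result

def audit(config):
    """Summarise global syslog state and list ACEs with logging switched off."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    aces = [(l, classify_ace(l)) for l in lines]
    return {
        # Assumption: syslog is on only if "logging enable" is in the config.
        "logging_enabled": "logging enable" in lines,
        "disabled_aces": [l for l, r in aces if r and r["explicitly_disabled"]],
        "messages": [r["message"] for _, r in aces if r],
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key, "=", value)
```

Run against a configuration backup, a non-empty disabled_aces list or logging_enabled being False shows where ACL visibility has been switched off.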

egeorgopoulos Mon, 03/01/2010 - 00:39

So, there is no command that disables the logging of the firewall without going through all ACEs and adding the "log disable"?


Thanks for your answer.

Correct Answer
Jerry Ye Mon, 03/01/2010 - 06:29
User Badges:
  • Cisco Employee

You want to disable all logging on the firewall (assuming it is an ASA)? If yes, you can do "no logging enable" to disable all logging. The output should look something like this.


ASA3# sh logging
Syslog logging: disabled


HTH,

jerry

AJAZ NAWAZ Mon, 03/08/2010 - 09:18
User Badges:
  • Silver, 250 points or more

So what's the difference between these two?



access-list acl_out permit tcp any host 192.168.199.100 eq www log disable

and

access-list acl_out permit tcp any host 192.168.199.100 eq www
