Cisco ASA ACE logging

Answered Question
Mar 19th, 2010

I use a Cisco ASA 5520 with version 8.2(2)

What I want to do is to log some of the ACEs configured.

How it works:

# logging enable

# logging trap informational

# logging host inside x.x.x.x

# access-list inside_access_in extended permit ip any any log

=> This gives me the 6-106100 message for every hit of this ACE
Now the problem:
I want to have the same 6-106100 message for this ACE even if I configure logging trap to errors:

# logging trap errors

# access-list inside_access_in extended permit ip any any log errors

In this case my syslog server does not get these 6-106100 messages. But why?

Changing the severity of this message does not work either:

# logging message 106100 level errors

INFO: Please use the access-list command to change the severity level of this syslog

I did not find any way to have these 6-106100 messages sent to my syslog server if the logging trap command is set to anything lower than informational.
Any ideas?
Jennifer Halim Fri, 03/19/2010 - 02:51

Maybe you want to try to change the default interval to 1 second on the access-list.

access-list inside_access_in extended permit ip any any log errors interval 1

Probably just test logging to buffer and see if you are seeing those messages:


logging buffered errors

logging buffer-size 10000

patrik.spiess Fri, 03/19/2010 - 03:01

No, still the same

If I use

#access-list inside-clients_access_in extended permit ip any any log interval 1

(which defaults to informational) then I can see the 106100 messages

If I use

#access-list inside-clients_access_in extended permit ip any any log errors interval 1

I cannot see the 106100 messages (neither with 'logging buffered informational' nor with 'logging buffered errors')

Correct Answer
Kureli Sankar Fri, 03/19/2010 - 15:42

Pls. remove that acl line and then put it back again with the changed logging level.

It will work and show you 106100 in error level.

The reason is that when the log is hit for that traffic and when you change the level it doesn't take the newly changed level until traffic stops flowing matching the acl.

-KS
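A way to confirm from the log output whether the re-added ACE is now generating 106100 at the new level, as an added example that is not part of this thread: it parses 106100 lines (format as Cisco documents it) from a constructed sample of "show logging" output and flags hits that still arrive at a severity other than the one configured for the ACL.

```python
import re
from collections import Counter

# Message 106100 as the ASA emits it; the digit after "%ASA-" is the severity
# the message was generated at (6 = informational by default, 3 = errors once
# the ACE carries "log errors").
ACE_HIT = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<sif>[^/\s]+)/(?P<src>[^()\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/\s]+)/(?P<dst>[^()\s]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

def parse_hit(line):
    """Return the fields of a 106100 line as a dict, or None for other messages."""
    m = ACE_HIT.search(line)
    if not m:
        return None
    hit = m.groupdict()
    hit["sev"] = int(hit["sev"])
    hit["hits"] = int(hit["hits"])
    return hit

def severity_report(lines, expected):
    """Count 106100 hits per (acl, severity) and list the ones that arrived at
    a severity other than the one configured in `expected` ({acl: level})."""
    counts = Counter()
    stale = []
    for line in lines:
        hit = parse_hit(line)
        if hit is None:
            continue
        counts[(hit["acl"], hit["sev"])] += 1
        if hit["acl"] in expected and hit["sev"] != expected[hit["acl"]]:
            stale.append(hit)
    return counts, stale

# Constructed sample of "show logging" output: two hits still generated at
# level 6 while the old flow is alive, one at level 3 after the ACE was re-added.
SAMPLE = [
    "%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.1.1.5(49152) -> outside/192.0.2.10(80) hit-cnt 1 first hit [0x62c4905, 0x0]",
    "%ASA-6-302013: Built outbound TCP connection 1234 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.1.1.5/49152 (10.1.1.5/49152)",
    "%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.1.1.5(49152) -> outside/192.0.2.10(80) hit-cnt 7 300-second interval [0x62c4905, 0x0]",
    "%ASA-3-106100: access-list inside_access_in permitted udp inside/10.1.1.9(53000) -> outside/192.0.2.53(53) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
]

if __name__ == "__main__":
    counts, stale = severity_report(SAMPLE, {"inside_access_in": 3})
    print(counts)
    for h in stale:
        print("still at level", h["sev"], "->", h["src"], h["dst"])
```

Run it against the buffered log (with `logging buffered informational`, so level-6 messages are not filtered before you can see them); any flow still listed as stale is one that matched the ACE before the change and has not stopped yet.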

patrik.spiess Mon, 03/22/2010 - 00:51

Thanks to kusankar

Now I'm able to log these 106100 messages even if trap severity is set to error.

It's just a little bit annoying to first have to remove an ACL line and then put it back again. During this time I may lose some connections because of the missing ACL line (even if it's just a few seconds).

Thanks

Patrik
