Cisco ASA ACE logging

patrik.spiess
Level 1

I use a Cisco ASA 5520 with version 8.2(2)

What I want to do is to log some of the ACEs configured.

How it works:

# logging enable

# logging trap informational

# logging host inside x.x.x.x

# access-list inside_access_in extended permit ip any any log

=> This gives me the 6-106100 message for every hit of this ACE
Now the problem:
I want to have the same 6-106100 message for this ACE even if I configure logging trap to errors:

# logging trap errors

# access-list inside_access_in extended permit ip any any log errors

In this case my syslog server does not get these 6-106100 messages. But why?

Changing the severity of this message does not work either:

# logging message 106100 level errors

INFO: Please use the access-list command to change the severity level of this syslog

I did not find any way to have these 6-106100 messages sent to my syslog server if the logging trap command is set to anything lower than informational.
Any ideas?
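The question above turns on how the ASA applies the `logging trap` threshold to message 106100: the ACE's `log` keyword sets the severity that 106100 is emitted with (informational by default, or whatever level follows `log`), and `logging trap <level>` forwards only messages at that severity or more severe. The following Python is an added example, not part of this thread or of any Cisco tool: it parses the `%ASA-<sev>-<id>:` header and the TCP/UDP body of 106100, then models the trap threshold over a handful of constructed sample lines (addresses from the RFC 5737 documentation ranges, not captured from a real device) so a collector-side engineer can see why a level-6 106100 disappears under `logging trap errors` while a level-3 one gets through.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Cisco syslog severity keywords as the ASA numbers them (0 most severe, 7 least).
SEVERITY_BY_NAME: Dict[str, int] = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Header of every ASA syslog line: %ASA-<severity>-<six-digit message id>: <text>
ASA_HEADER = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# Body of message 106100 for TCP/UDP. ICMP variants carry no port in
# parentheses, so the port groups are optional.
BODY_106100 = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src_ifc>[^/\s]+)/(?P<src>[^\s(]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst_ifc>[^/\s]+)/(?P<dst>[^\s(]+)(?:\((?P<dport>\d+)\))? "
    r"hit-cnt (?P<hits>\d+)"
)

# Constructed sample lines for illustration only (assumption: not real device output).
SAMPLE_LOG: List[str] = [
    # ACE configured with plain 'log' -> emitted at severity 6
    "%ASA-6-106100: access-list inside_access_in permitted tcp inside/192.0.2.10(51234) "
    "-> outside/198.51.100.5(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    # ACE configured with 'log errors' -> emitted at severity 3
    "%ASA-3-106100: access-list inside_access_in permitted udp inside/192.0.2.11(53000) "
    "-> outside/198.51.100.53(53) hit-cnt 12 300-second interval [0x1a2b3c4d, 0x0]",
    # Implicit-deny message, severity 4, not a 106100
    "%ASA-4-106023: Deny tcp src outside:203.0.113.7/4444 dst inside:192.0.2.20/22 "
    "by access-group \"outside_access_in\" [0x0, 0x0]",
    # Connection build message, severity 6, not a 106100
    "%ASA-6-302013: Built outbound TCP connection 1000 for outside:198.51.100.5/443 "
    "(198.51.100.5/443) to inside:192.0.2.10/51234 (192.0.2.10/51234)",
]


def parse_asa_line(line: str) -> Optional[dict]:
    """Split an ASA syslog line into severity, message id and text.

    For 106100 the ACE fields (acl, action, proto, endpoints, hit count) are
    added when the body matches the TCP/UDP/ICMP form above.
    """
    m = ASA_HEADER.search(line)
    if not m:
        return None
    msg = {"severity": int(m.group("sev")), "msgid": m.group("msgid"), "text": m.group("text")}
    if msg["msgid"] == "106100":
        body = BODY_106100.match(msg["text"])
        if body:
            msg.update(body.groupdict())
            msg["hits"] = int(msg["hits"])
    return msg


def passes_trap_level(severity: int, trap_level: str) -> bool:
    """Model 'logging trap <level>': forward messages at that level or more severe."""
    return severity <= SEVERITY_BY_NAME[trap_level]


def forwarded_messages(lines: List[str], trap_level: str, msgid: Optional[str] = None) -> List[dict]:
    """Return the parsed messages a syslog host would receive under the given trap level.

    Pass msgid to keep only one message type, e.g. "106100".
    """
    out = []
    for line in lines:
        msg = parse_asa_line(line)
        if msg is None or not passes_trap_level(msg["severity"], trap_level):
            continue
        if msgid is None or msg["msgid"] == msgid:
            out.append(msg)
    return out


def ace_hit_summary(msgs: List[dict]) -> Counter:
    """Sum hit counts per (acl, action, proto, destination port) over 106100 messages."""
    counts: Counter = Counter()
    for m in msgs:
        if m["msgid"] == "106100" and "acl" in m:
            counts[(m["acl"], m["action"], m["proto"], m.get("dport"))] += m["hits"]
    return counts


if __name__ == "__main__":
    for level in ("informational", "errors"):
        got = forwarded_messages(SAMPLE_LOG, level, msgid="106100")
        print(f"logging trap {level}: {len(got)} x 106100 forwarded")
        for k, hits in ace_hit_summary(got).items():
            print("   ", k, "hits =", hits)
```

With `logging trap informational` both 106100 lines reach the collector; with `logging trap errors` only the one emitted at severity 3 does, which is exactly the behaviour the question is trying to obtain for its ACE. The hit summary is the kind of aggregation a SIEM rule would run over 106100 once the messages arrive.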


5 Replies

Jennifer Halim
Cisco Employee

Maybe you want to try to change the default interval to 1 second on the access-list.

access-list inside_access_in extended permit ip any any log errors interval 1

Probably just test logging to buffer and see if you are seeing those messages:


logging buffered errors

logging buffer-size 10000

No, still the same

If I use

#access-list inside-clients_access_in extended permit ip any any log interval 1

(which defaults to informational) then I can see the 106100 messages

If I use

#access-list inside-clients_access_in extended permit ip any any log errors interval 1

I cannot see the 106100 messages (neither with 'logging buffered informational' nor with 'logging buffered errors')

Sounds like a bug to me.

Pls. remove that acl line and then put it back again with the changed logging level.

It will work and show you 106100 in error level.

The reason is that when the log is hit for that traffic and when you change the level it doesn't take the newly changed level until traffic stops flowing matching the acl.

-KS

Thanks to kusankar

Now I'm able to log these 106100 messages even if trap severity is set to error.

It's just a little bit annoying to first have to remove an ACL line and then put it back again. During this time I may lose some connections because of the missing ACL line (even if it's just a few seconds).

Thanks

Patrik
