Real-Time log viewer does not work with filter from accesslist


Hi,

Our ASA 5510 is currently running 8.0(4) with ASDM version 6.2(1).

While going through (using ASDM) our access rules I found a rule giving me more hits than I found normal. I therefore wanted to inspect which packets were being accepted through that access rule, so I right-clicked the access rule and selected "Show Log".

The "Real-Time Log Viewer" window appears and "Filter by" is auto-filled with "0x40cf6367". Even though I see that number of packets increasing in the ASDM, the log shows no rows. If I click the button "Show all" I see all packets running through our ASA5510. Based on that I guess that my "global" log settings for ASDM are correct.

PS: The global ASDM setting is set to "Debugging" so it shouldn't be a severity filter blocking my packets in the Real-Time Log Viewer.

Is this a known bug, or is it me misunderstanding the purpose of "Show Log"?

Thank you for any assistance,

Regards,

Erik

Correct Answer
mirober2 Wed, 07/28/2010 - 05:39

Hi Erik,

On the Configuration > Firewall > Access Rules page, if you scroll over a bit what does it say in the "Logging" field for that ACE? If it's blank, edit the ACE and set the "Logging Level" drop-down to something like "Informational". Then apply your changes and repeat your test. You should see events in the Real-Time viewer now.

By default, the "Default" option for the "Logging Level" drop-down will not log hits for a 'permit' ACE (you should see 'deny' hits, though). When you set the "Logging Level" to something else (i.e. informational), it adds the 'log' keyword to the ACE on the CLI. The log messages generated by this keyword are what you will see in the Real-Time viewer when traffic is permitted by an ACE.

Hope that helps.

-Mike
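
The behaviour described in the answer above, as an added sketch that is not part of the thread and not Cisco code: only the per-ACE messages produced by the 'log' keyword carry the rule's hash, so a viewer filtered on "0x40cf6367" has nothing to match until that keyword is set. The log lines are constructed samples; the message 106100 layout with the ACE hash in trailing brackets, and the idea that the viewer matches its filter against that text, are assumptions.

```python
import re

# Constructed sample syslog lines (not from the thread). The 106100 layout,
# with the ACE hash in the trailing brackets, is an assumed format; the
# addresses and the ACL name are made up.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/51515 (198.51.100.7/51515) to inside:192.0.2.10/443 (192.0.2.10/443)
%ASA-6-106100: access-list outside_access_in permitted tcp outside/198.51.100.7(51516) -> inside/192.0.2.10(443) hit-cnt 1 first hit [0x40cf6367, 0x0]
%ASA-6-106100: access-list outside_access_in permitted tcp outside/203.0.113.9(40000) -> inside/192.0.2.20(25) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-302014: Teardown TCP connection 4711 for outside:198.51.100.7/51515 to inside:192.0.2.10/443 duration 0:00:05 bytes 1200 TCP FINs
%ASA-6-106100: access-list outside_access_in permitted tcp outside/198.51.100.8(51999) -> inside/192.0.2.10(443) hit-cnt 3 300-second interval [0x40cf6367, 0x0]
"""

# Per-ACE message generated when the ACE carries the 'log' keyword.
ACE_MSG = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src>\S+) -> (?P<dst>\S+) hit-cnt (?P<hits>\d+) .*?"
    r"\[(?P<ace_hash>0x[0-9a-fA-F]+), (?P<ext_hash>0x[0-9a-fA-F]+)\]"
)

def parse_ace_events(text):
    """Return one dict per 106100 line; every other message is skipped."""
    events = []
    for line in text.splitlines():
        m = ACE_MSG.search(line)
        if m:
            ev = m.groupdict()
            ev["hits"] = int(ev["hits"])
            events.append(ev)
    return events

def filter_by_ace(text, ace_hash):
    """Keep only events whose ACE hash equals the 'Filter by' value."""
    wanted = int(ace_hash, 16)
    return [e for e in parse_ace_events(text) if int(e["ace_hash"], 16) == wanted]

def lines_without_ace_hash(text):
    """Lines a hash filter can never match (connection build/teardown etc.)."""
    return [l for l in text.splitlines() if l.strip() and not ACE_MSG.search(l)]

if __name__ == "__main__":
    for e in filter_by_ace(SAMPLE_LOG, "0x40cf6367"):
        print(e["action"], e["proto"], e["src"], "->", e["dst"], "hits:", e["hits"])
    print(len(lines_without_ace_hash(SAMPLE_LOG)), "lines carry no ACE hash")
```

Feeding it only the connection build and teardown lines, which is all a permit ACE without 'log' produces in this sample, returns an empty list for the same hash.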
