Cannot log ACL denies on 6509 SUP720 to syslog

Answered Question
Jul 30th, 2013

Hi all,


I am having a bit of an issue getting the denied hits on an access-list to log themselves to syslog (we do real-time alerting on it).


#sh ip access-lists VLAN7_OUT
Extended IP access list VLAN7_OUT
    9 deny tcp any host 192.168.1.211 eq www log-input (24 matches)
    20 permit ip any any (333 matches)


I see this in the logging buffer, but it's not getting exported -


Jul 30 09:23:33: %SEC-6-IPACCESSLOGP: list VLAN7_OUT denied tcp 192.168.51.167(52799) (Vlan51 <mac addr>) -> 192.168.1.211(80), 2 packets


I tried enabling OAL with the following:

Global: mls rate-limit unicast ip icmp unreachable acl-drop 0
Interface: logging ip access-list cache out  (also tried in, just to be sure)


No dice, although I was able to see the info in a 'show logging ip access-list cache'.


Any thoughts how I get the above messages to Syslog on a 6509 Sup720 (PFC3)?


Thanks...

Roberto Rodriguez Tue, 07/30/2013 - 09:06

Hi,


I would appreciate if you could post the following outputs.


show run | inc logg

show logging

sh ver | inc image file


Thanks,


Robert Rodriguez

ryan.lambert Tue, 07/30/2013 - 09:38

Hi Roberto,


Here you go.


Thanks.


CS1#sh run | i logg
logging userinfo
logging event link-status default
logging trap notifications
logging source-interface Loopback0
logging 192.168.9.72
logging 192.168.9.80
logging 192.168.50.131
privilege exec level 10 show logging


CS1#sh logging
Syslog logging: enabled (0 messages dropped, 150 messages rate-limited, 45 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 31919 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 108 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 32006 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level notifications, 31970 message lines logged
        Logging to 192.168.9.72, 31970 message lines logged, xml disabled,
               filtering disabled
        Logging to 192.168.9.80, 31970 message lines logged, xml disabled,
               filtering disabled
        Logging to 192.168.50.131, 515 message lines logged, xml disabled,
               filtering disabled


CS1#sh ver | inc image file
System image file is "sup-bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXH3a.bin"



As an aside, just to confirm I am not missing them, the message lines logged to my syslog destinations do not increase when I am able to get the ACL deny to show up in the buffer itself.

Correct Answer
Roberto Rodriguez Tue, 07/30/2013 - 09:55

Hi Ryan,


Logging trap is set to notifications that would be level 5 messages as you can see.


Catalyst 6504(config)#logging trap ?

  <0-7>          Logging severity level

  alerts         Immediate action needed           (severity=1)

  critical       Critical conditions               (severity=2)

  debugging      Debugging messages                (severity=7)

  emergencies    System is unusable                (severity=0)

  errors         Error conditions                  (severity=3)

  informational  Informational messages            (severity=6)

  notifications  Normal but significant conditions (severity=5)

  warnings       Warning conditions                (severity=4)



From the log message that has been generated for you on the device we can see that we have a message at level 6, which would be informational.



Jul 30 09:23:33: %SEC-6-IPACCESSLOGP: list VLAN7_OUT denied tcp 192.168.51.167(52799) (Vlan51 ) -> 192.168.1.211(80), 2 packets



Please type the following command and let me know if you get the messages in your syslog server.


logging trap information



If you check the output of "show logging" you would notice that logging to host uses the logging trap level.


Trap logging: level notifications, 31970 message lines logged

        Logging to 192.168.9.72, 31970 message lines logged, xml disabled,

               filtering disabled


Let me know the outcome.
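As an added illustration of the point in this answer (example code, not from the thread or from Cisco), the Python below parses the %FACILITY-SEVERITY-MNEMONIC header of an IOS syslog line, decides whether a message would be forwarded at a given "logging trap" level, and extracts the fields of an IPACCESSLOGP deny so a collector can alert on it. It assumes IOS forwards a message only when its severity number is <= the configured trap level and accepts an unambiguous name prefix such as "information"; the sample lines are constructed (the MAC address is made up).

```python
import re

# Severity names and numbers exactly as "logging trap ?" lists them in the thread.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# %FACILITY-SEVERITY-MNEMONIC header, e.g. "%SEC-6-IPACCESSLOGP:"
HEADER_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):")

# Body of an IPACCESSLOGP message; "log-input" adds the optional "(Vlan51 <mac>)" part.
ACL_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)(?: \((?P<ingress>[^)]*)\))? -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<packets>\d+) packets?")

def trap_level(arg: str) -> int:
    """Resolve a 'logging trap' argument: a digit 0-7 or an unambiguous name prefix (assumed IOS behaviour)."""
    if arg.isdigit():
        return int(arg)
    hits = [lvl for name, lvl in LEVELS.items() if name.startswith(arg)]
    if len(hits) != 1:
        raise ValueError(f"unknown or ambiguous severity: {arg!r}")
    return hits[0]

def forwarded(line: str, trap: str) -> bool:
    """True if this message reaches the syslog hosts at the given trap level:
    IOS sends a message only when its severity number is <= the trap level."""
    m = HEADER_RE.search(line)
    return bool(m) and int(m.group("sev")) <= trap_level(trap)

def parse_acl_log(line: str):
    """Extract the fields of an IPACCESSLOGP message as a dict, or None for anything else."""
    h = HEADER_RE.search(line)
    if not h or h.group("mnem") != "IPACCESSLOGP":
        return None
    b = ACL_RE.search(line)
    if not b:
        return None
    d = b.groupdict()
    for k in ("sport", "dport", "packets"):
        d[k] = int(d[k])
    d["severity"] = int(h.group("sev"))
    return d

# Constructed samples: the thread's deny message (MAC made up) and a severity-5 link event.
SAMPLE = [
    "Jul 30 09:23:33: %SEC-6-IPACCESSLOGP: list VLAN7_OUT denied tcp "
    "192.168.51.167(52799) (Vlan51 0000.0000.0001) -> 192.168.1.211(80), 2 packets",
    "Jul 30 09:23:40: %LINK-5-CHANGED: Interface Vlan7, changed state to administratively down",
]
```

With "logging trap notifications" the first sample is dropped while the second is sent, which matches the symptom in the question; raising the level to informational lets the ACL deny through.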

ryan.lambert Tue, 07/30/2013 - 09:58

Thanks. That worked. Never even thought to glance at that.


Appreciate the help.
