I am having a bit of an issue getting my denied hits on an access-list to log themselves to Syslog (we do real-time alerting on it).
#sh ip access-lists VLAN7_OUT
Extended IP access list VLAN7_OUT
9 deny tcp any host 192.168.1.211 eq www log-input (24 matches)
20 permit ip any any (333 matches)
I see this in the logging buffer, but it's not getting exported -
Jul 30 09:23:33: %SEC-6-IPACCESSLOGP: list VLAN7_OUT denied tcp 192.168.51.167(52799) (Vlan51 <mac addr>) -> 192.168.1.211(80), 2 packets
I tried enabling OAL with the following:
Global: mls rate-limit unicast ip icmp unreachable acl-drop 0
Interface: logging ip access-list cache out (also tried in, just to be sure)
No dice, although I was able to see the info in a 'show logging ip access-list cache'.
Any thoughts on how I get the above messages to Syslog on a 6509 Sup720 (PFC3)?
Logging trap is set to notifications, which would be level 5 messages, as you can see.
Catalyst 6504(config)#logging trap ?
<0-7> Logging severity level
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4)
From the log message that is being generated for you on the device, we can see that it is a level 6 message, which would be informational.
Jul 30 09:23:33: %SEC-6-IPACCESSLOGP: list VLAN7_OUT denied tcp 192.168.51.167(52799) (Vlan51 ) -> 192.168.1.211(80), 2 packets
Please type the following command and let me know if you get the messages in your syslog server.
logging trap information
If you check the output of "show logging", you will notice that logging to the host uses the logging trap.
Trap logging: level notifications, 31970 message lines logged
Logging to 192.168.9.72, 31970 message lines logged, xml disabled,
Let me know the outcome.
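The severity comparison described in the reply above, as an added example that is not part of the original posts: it reads the trap level from "show logging" text and lists buffered messages that the level keeps from the syslog host. The function names are hypothetical, the SEC-6 line is abridged from the thread, and the SYS-5 line is constructed for contrast.

```python
import re

# IOS severity keywords; list index == numeric severity (0 is most severe).
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]
MSG_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):")
TRAP_RE = re.compile(r"Trap logging:\s+level\s+(\w+)")

def resolve_level(word):
    """Map a number or an unambiguous keyword prefix to a severity 0-7."""
    if word.isdigit():
        if int(word) > 7:
            raise ValueError(f"severity out of range: {word}")
        return int(word)
    hits = [i for i, name in enumerate(LEVELS) if name.startswith(word.lower())]
    if len(hits) != 1:
        raise ValueError(f"unknown or ambiguous level: {word!r}")
    return hits[0]

def trap_threshold(show_logging):
    """Read the trap level from 'show logging' text."""
    m = TRAP_RE.search(show_logging)
    if m is None:
        raise ValueError("no 'Trap logging: level ...' line found")
    return resolve_level(m.group(1))

def suppressed(show_logging, buffer_lines):
    """Buffered messages whose severity number exceeds the trap level,
    i.e. messages that stay local and never reach the syslog host."""
    limit = trap_threshold(show_logging)
    found = []
    for line in buffer_lines:
        m = MSG_RE.search(line)
        if m and int(m.group(2)) > limit:
            found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found

# The 'show logging' lines are from the thread; the SEC-6 message is abridged
# from the thread; the SYS-5 line is constructed for contrast.
SHOW_LOGGING = """Trap logging: level notifications, 31970 message lines logged
Logging to 192.168.9.72, 31970 message lines logged, xml disabled,"""
BUFFER = [
    "Jul 30 09:23:33: %SEC-6-IPACCESSLOGP: list VLAN7_OUT denied tcp "
    "192.168.51.167(52799) -> 192.168.1.211(80), 2 packets",
    "Jul 30 09:25:01: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for fac, sev, mnem in suppressed(SHOW_LOGGING, BUFFER):
        print(f"{fac}-{sev}-{mnem} is filtered by the current trap level")
```
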