Hi,
Would you be looking at the logs through the ASDM Monitoring or reading them from a separate server?
Your basic ASA logging configuration could look something like this
logging on
logging timestamp
logging buffer-size
logging device-id hostname
logging buffered notifications
logging trap informational
logging asdm informational
logging host
"logging trap informational" would mean that your ASA would send a log message of every connection and NAT translation made through the ASA. It would also log messages when those connections and NATs are tore down. (When the connections in question are finished)
"logging asdm informational" should do the same as above but this would only apply when you have opened the Monitor/logging window in through the ASDM.
These to my knowledge dont require any separate command on the actual access-list.
I haven't used the "log" parameters in my ASA configurations but If I understood correctly this parameter would make it so that you will also see permitted connections in the ASA logs while without the "log" parameter you would only see a message when the access-list blocked some connection based on some access-list rule.
The Command Reference states the following:
(Optional) Sets logging options when a ACE matches a packet for network
access (an access list applied with the access-group command). If you enter
the log keyword without any arguments, you enable system log message
106100 at the default level (6) and for the default interval (300 seconds). If
you do not enter the log keyword, then the default system log message
106023 is generated.
Heres link to the syslog IDs mentioned above (Software 8.2)
106100:
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769049
106023:
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769021
- Jouni