
Changing syslog message 106100 severity level

karlchatterton
Level 1

Hi,

I'm fine tuning some of our ASA logging config, and am having an issue with one particular syslog ID.

The message is:

syslog 106100: default-level informational (enabled)

and the log settings are:

Syslog logging: enabled

    Facility: 20

    Timestamp logging: enabled

    Standby logging: disabled

    Debug-trace logging: disabled

    Console logging: level errors, 2389314 messages logged

    Monitor logging: disabled

    Buffer logging: level notifications, 100889 messages logged

    Trap logging: level informational, facility 20, 1080679 messages logged

        Logging to 10.1.1.1 errors: 1  dropped: 2

    History logging: level warnings, 83057 messages logged

    Device ID: disabled

    Mail logging: disabled

    ASDM logging: level informational, 2571771 messages logged

This ACE log entry is generated by explicit deny any any statements at the end of all the ACLs, e.g.

access-list inside_access_in extended deny ip any any log interval 600

Based on the config, I would expect to see this being logged to the syslog server, but not to the local buffer, but am still seeing them locally in the buffer:

Feb 22 2012 10:58:20: %ASA-4-106100: access-list inside_access_in denied udp INSIDE/HOSTABC(52629) -> OUTSIDE/HOSTXXX(162) hit-cnt 5 300-second interval [0x3baecf1e, 0x0]

It also still shows these as level "warning", %ASA-4-106100, instead of the default %ASA-6-106100

I've tried removing and re-applying the config at different levels but it still reports in the buffer log as level "warning", %ASA-4-106100

This also doesn't affect every 106100 log that is generated. Most messages are generated at the correct level 6 severity but some seem to randomly log at level 4. There doesn't seem to be any pattern to this. The same access-list line can produce severity level 4 and 6 106100 messages.

Any ideas?

Thanks

Karl

2 Replies

begomez
Level 1

Hey Karl,

Came across your post when looking up why my own ACL-specific logging wasn't working at all. Found out I was hitting a bug, CSCsz73284. Upgraded, and I got many, many 106100 logs at the "error" level.

Not sure if this is still relevant for you, or if you have found your answer yet, but it could be that you've got some particular access-list entry in the config that is getting hit, where the "log warnings" is configured at the end like this:

access-list extended deny log warnings

The log level for 106100 can differ depending on the log level of a particular access-list entry, and it cannot be changed globally. e.g.

ASA(config)# logging message 106100 level errors

INFO: Please use the access-list command to change the severity level of this syslog

ASA(config)#

Regards,

Ben
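The point in the reply above, that the severity of 106100 is fixed per access-list entry by the `log` keyword and cannot be moved with `logging message 106100 level`, can be checked mechanically rather than by reading the ACLs by hand. The script below is an added example, not code from the original thread or from Cisco: it predicts, for each extended ACE in a config, which syslog ID and severity that entry will emit (106100 at the level given after `log`, `informational` when no level is given; 106023 at warnings for a deny with no `log` keyword; nothing for `log disable`; `log default` treated the same as omitting the keyword), then tallies the 106100 severities actually seen per ACL in buffer/syslog lines and, for every ACL that logged at more than one severity, lists which ACEs account for each level. The sample config and the second and third log lines are constructed; the first log line is the one from the question. The script groups by ACL name and severity only; it does not decode the hash values in square brackets.

```python
"""Predict and cross-check the severity of %ASA-N-106100 per access-list entry.

Added example (not from the original post). The 106100 severity is a per-ACE
property set by the ``log`` keyword; ``logging message 106100 level`` is refused.
"""
import re
from collections import Counter, defaultdict

# ASA syslog severity keywords and their numeric levels (0-7).
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
DEFAULT_106100_LEVEL = SEVERITY["informational"]   # "default-level informational"
LEVEL_106023 = SEVERITY["warnings"]                 # %ASA-4-106023 for unlogged denies

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(.*)$")
SYSLOG_RE = re.compile(r"%ASA-(\d)-106100: access-list (\S+) (permitted|denied)")


def predict_ace_logging(line):
    """Return (acl_name, action, msg_id, level) for one extended ACE line,
    or None if the line is not an extended ACE. msg_id/level are None when
    the entry logs nothing (permit without ``log``, or ``log disable``)."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    acl, action, rest = m.groups()
    tokens = rest.split()
    if "log" not in tokens:
        return (acl, action, 106023, LEVEL_106023) if action == "deny" else (acl, action, None, None)
    opts = tokens[tokens.index("log") + 1:]          # everything after the ``log`` keyword
    if opts and opts[0] == "disable":
        return (acl, action, None, None)
    if opts and opts[0] == "default":                # same as no ``log`` keyword at all
        return (acl, action, 106023, LEVEL_106023) if action == "deny" else (acl, action, None, None)
    level = DEFAULT_106100_LEVEL
    if opts and opts[0] in SEVERITY:                 # e.g. "log warnings"
        level = SEVERITY[opts[0]]
    elif opts and opts[0].isdigit() and 0 <= int(opts[0]) <= 7:   # e.g. "log 3"
        level = int(opts[0])
    # "log interval 600" and a bare "log" both keep the default level.
    return (acl, action, 106100, level)


def severity_by_acl(log_lines):
    """Count 106100 messages per (acl_name, severity) over syslog/buffer lines."""
    counts = Counter()
    for line in log_lines:
        m = SYSLOG_RE.search(line)
        if m:
            counts[(m.group(2), int(m.group(1)))] += 1
    return counts


def explain_mixed_severity(config_lines, log_lines):
    """For each ACL seen logging 106100 at more than one severity, map each
    severity to the ACEs whose ``log`` level would produce it."""
    aces_by_acl = defaultdict(list)
    for line in config_lines:
        p = predict_ace_logging(line)
        if p and p[2] == 106100:
            aces_by_acl[p[0]].append((p[3], line.strip()))
    seen = defaultdict(set)
    for acl, sev in severity_by_acl(log_lines):
        seen[acl].add(sev)
    report = {}
    for acl, sevs in seen.items():
        if len(sevs) > 1:
            report[acl] = {sev: [ace for lvl, ace in aces_by_acl[acl] if lvl == sev]
                           for sev in sorted(sevs)}
    return report


# Constructed sample config: one ACE carries "log warnings", the rest log at default level.
CONFIG = """
access-list inside_access_in extended permit tcp any any eq 443 log
access-list inside_access_in extended deny udp any host 10.2.2.2 eq 162 log warnings
access-list inside_access_in extended deny ip any any log interval 600
access-list outside_access_in extended deny ip any any
access-list dmz_access_in extended permit ip any any log disable
""".strip().splitlines()

# First line is from the question; the other two are constructed.
LOGS = """
Feb 22 2012 10:58:20: %ASA-4-106100: access-list inside_access_in denied udp INSIDE/HOSTABC(52629) -> OUTSIDE/HOSTXXX(162) hit-cnt 5 300-second interval [0x3baecf1e, 0x0]
Feb 22 2012 10:58:25: %ASA-6-106100: access-list inside_access_in denied tcp INSIDE/HOSTABC(40001) -> OUTSIDE/HOSTYYY(23) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Feb 22 2012 10:58:30: %ASA-6-106100: access-list inside_access_in permitted tcp INSIDE/HOSTABC(40002) -> OUTSIDE/HOSTYYY(443) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
""".strip().splitlines()

if __name__ == "__main__":
    for line in CONFIG:
        print(predict_ace_logging(line))
    for acl, by_sev in explain_mixed_severity(CONFIG, LOGS).items():
        print(acl)
        for sev, aces in by_sev.items():
            print(f"  severity {sev}: {aces}")
```

Run against a `show running-config access-list` dump and the buffer from `show logging`, the report points at the exact entries carrying a non-default `log` level, which is the only place the 106100 severity can be changed. Remember that the buffer still receives a level-4 message while it is set to `notifications`, because 4 is more severe than 5; only the level-6 copies are filtered out of it.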

nkarthikeyan
Level 7

Hi Karl,

I do see a small difference between those two different levels of the message, %ASA-4-106100 and %ASA-6-106100. Here level 4 is generated by the ASA and level 6 is triggered for syslogging.

So whichever ACL you have pointed with log is triggered with level 6, and wherever you have the plain deny rule the logs will be triggered with level 4.

For %ASA-6-106100

================

http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279924

%ASA-4-106100

=============

http://www.cisco.com/en/US/docs/security/asa/asa83/system/message/logmsgs.html#wp4769049

Please do rate if the given information helps.

By

Karthik
