10-23-2013 10:27 AM - edited 03-11-2019 07:55 PM
Hi Experts,
Syslog is only showing me hit messages on the access-list denying inbound traffic from external (i.e. internet) on the outside interface, but does not show deny hits from inside traffic going out to any SMTP.
I can see incremental hit counts when I do "show access-list", which tells me the ACL is working as it should; however, I am not able to see that in the syslog messages.
access-list inside_access_in line 2 extended deny tcp 10.x.x.x 255.0.0.0 any eq smtp log informational interval 300 (hitcnt=1910) 0x73edd974
See the output of "show run logging":
firewall01# show run logging
logging enable
logging timestamp
logging emblem
logging console errors
logging trap warnings
logging asdm notifications
logging queue 0
logging device-id context-name
logging host Inside 10.x.x.1
logging debug-trace
logging permit-hostdown
logging class auth console emergencies
no logging message 313001
no logging message 313008
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
logging message 103012 level alerts
firewall01#
Can someone help please?
Thanks.
10-23-2013 10:53 AM
Hi,
You have disabled the syslog ID/message that you are looking for with the below command:
no logging message 106100
You could enter:
logging message 106100
to re-enable the syslog ID.
If I recall correctly, you also have some other connection/translation forming log messages disabled.
Hope this helps
Please remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni
10-23-2013 11:01 AM
Seems I remembered the syslog ID wrong.
It was actually 106023 that shows the denied connections.
You should see them in the ASDM with current logging settings. And as Julio mentioned for other destinations of logging you would have to make changes or change the above syslog IDs logging level to something that fits the current levels set.
- Jouni
10-23-2013 11:52 AM
Hi Jouni,
Thanks for your response. The syslog ID 106023 is enabled and the logging level set is "warning". I do see syslog messages of ID 106023, however it's only deny ACL inbound on my outside interface. I would like to see syslog messages of deny ACL hits inbound on my inside interface.
10-23-2013 11:58 AM
Hi,
I noticed that I actually mistook the correct syslog ID myself before I checked it from the Syslog documentation for ASA.
I guess you have defined a separate level for your ACL rule at the end of the ACL rule? The original post mentions "informational", which doesn't match your current levels set in the "logging" commands.
If you had not modified any ACL rule's default logging level and had enabled notifications level logging to the logging destination of your choosing (server, ASDM, buffer, etc.), you should see ALL log messages that deny traffic based on ACL rules.
So you will have to change the logging level of either the actual ACL rules or change the logging level globally for some of the logging destinations you are viewing logs from.
- Jouni
10-23-2013 12:10 PM
It all ends with the correct level definition!!
That's it...
10-23-2013 10:54 AM
Hello,
Here is the thing:
logging host Inside 10.x.x.1
logging trap warnings (level 4)
logging console errors (level 3)
access-list inside_access_in line 2 extended deny tcp 10.x.x.x 255.0.0.0 any eq smtp log informational interval 300 (hitcnt=1910) 0x73edd974 (Level 6)
Do you see the problem? Change the log keyword on the ACL to be level 3 or 4 depending on where you want to send it (4 if you want to send it to both).
Regards,
Jcarvaja
follow me on http://laguiadelnetworking.com
10-23-2013 11:21 AM
The default syslog message for drops based on an ACL applied with access-group is 106023; when you enable the log option at the end of an ACL, the syslog message would be 106100.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_logging.html
If you enter the log option without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). If you want to change the interval, it can be changed up to 1 second, but remember that you pass more than one packet per second, so it probably won't capture all tries but will most definitely drop all tries based on the deny in the ACL.
If you try to change the log message level for 106100 through the following command:
logging message 106100 level 4
it will not do it and will give you the following informational message:
INFO: Please use the access-list command to change the severity level of this syslog
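The two posts above reduce the problem to a numeric comparison: an ACE with the log keyword emits message 106100 at the ACE's own severity (default 6, informational), and each logging destination only forwards messages whose severity number is at or below the level configured for it (logging trap warnings = 4, logging console errors = 3, logging asdm notifications = 5), and only if the message ID has not been disabled with "no logging message". The following Python script is added here as an illustration; it is not code from the thread or from Cisco. It parses a "show run logging" excerpt and an ACE line and reports which destinations would actually receive the 106100 hits. The config excerpt and the original ACE are copied from the first post, the severity table is the standard ASA one, and the "log 4 interval 1" ACE is the fix suggested later in the thread. Destination names ("trap", "console", "asdm") are taken from the CLI keywords, and the parser only understands the command forms shown in the thread.

```python
import re

# Standard ASA syslog severity keywords and their numeric levels (0 = most severe).
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
SEVERITY_TOKEN = r"(?:[0-7]|" + "|".join(SEVERITY) + r")"

# Excerpt of the "show run logging" output from the original post (constructed
# test input for this example; only the lines relevant to ACL logging are kept).
CONFIG_AS_POSTED = """\
logging enable
logging console errors
logging trap warnings
logging asdm notifications
logging host Inside 10.x.x.1
logging class auth console emergencies
no logging message 106100
no logging message 302013
logging message 103012 level alerts
"""
# Same config with the "no logging message 106100" line removed.
CONFIG_106100_ENABLED = "\n".join(
    line for line in CONFIG_AS_POSTED.splitlines()
    if line.strip() != "no logging message 106100")

# The ACE as posted (level 6) and the corrected ACE suggested in the thread (level 4).
ACE_AS_POSTED = ("access-list inside_access_in line 2 extended deny tcp 10.x.x.x "
                 "255.0.0.0 any eq smtp log informational interval 300")
ACE_FIXED = ("access-list inside_access_in line 2 extended deny tcp 10.x.x.x "
             "255.0.0.0 any eq smtp log 4 interval 1")


def severity_value(token):
    """Map a level keyword or digit as typed on the ASA CLI to its number."""
    token = token.lower()
    return int(token) if token.isdigit() else SEVERITY[token]


def parse_logging_config(show_run_logging):
    """Return (destination -> highest level number forwarded, set of disabled message IDs)."""
    destinations = {}
    disabled = set()
    for line in show_run_logging.splitlines():
        line = line.strip()
        # "logging class ..." lines deliberately do not match this pattern.
        m = re.match(r"^logging (trap|console|asdm|buffered|monitor) (\S+)$", line)
        if m:
            destinations[m.group(1)] = severity_value(m.group(2))
            continue
        m = re.match(r"^no logging message (\d+)$", line)
        if m:
            disabled.add(int(m.group(1)))
    return destinations, disabled


def ace_log_level(ace_line):
    """Severity of message 106100 for an ACE carrying the 'log' keyword (default 6).

    Returns None when the ACE has no 'log' keyword (it then produces 106023 instead).
    """
    m = re.search(r"\blog\b(?:\s+(" + SEVERITY_TOKEN + r"))?", ace_line, re.IGNORECASE)
    if not m:
        return None
    return severity_value(m.group(1)) if m.group(1) else 6


def destinations_receiving(ace_line, show_run_logging, msg_id=106100):
    """Destinations that would actually receive this ACE's per-ACE log messages."""
    level = ace_log_level(ace_line)
    if level is None:
        return []
    destinations, disabled = parse_logging_config(show_run_logging)
    if msg_id in disabled:
        return []
    # A destination forwards a message only when its level number is at or above the message's.
    return sorted(d for d, max_level in destinations.items() if level <= max_level)


if __name__ == "__main__":
    for label, ace, cfg in [("as posted", ACE_AS_POSTED, CONFIG_AS_POSTED),
                            ("106100 re-enabled", ACE_AS_POSTED, CONFIG_106100_ENABLED),
                            ("ACE at level 4", ACE_FIXED, CONFIG_106100_ENABLED)]:
        print(f"{label}: 106100 reaches {destinations_receiving(ace, cfg) or 'no destination'}")
```

Run it as-is and the first two cases print no destination: the first because the message ID is disabled, the second because level 6 is above every configured destination level. Only the third case, the level 4 ACE, reaches the trap and ASDM destinations, which is exactly the mismatch the posters point out.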
10-23-2013 12:06 PM
Hello,
Just add the log option with the interval defined as one second on the ACE that is denying traffic on tcp/25.
Just delete the ACL and re-add it with the correct logging level as Julio asked:
no access-list inside_access_in line 2 extended deny tcp 10.x.x.x 255.0.0.0 any eq smtp log
access-list inside_access_in line 2 extended deny tcp 10.x.x.x 255.0.0.0 any eq smtp log 4 interval 1
10-23-2013 01:00 PM
Thanks all for your response.
The present logging level on the deny ACL is now warning.
I do see logging messages from 106023 for the inbound ACL on the outside interface; however, I do not for the inbound inside interface.
However, 106100 is not enabled yet.
Question,
Shouldn't 106023 be able to show messages, or do I have to enable 106100? I hope my question is not confusing.
10-23-2013 01:05 PM
Hello,
You have not denied either, and by default it is enabled. As long as you have it set for informational,
you should be able to see the messages now.
Regards,
Jcarvaja
10-23-2013 01:26 PM
If you enable the keyword log on the ACL, traffic that matches the ACL will only be reported on syslog ID 106100.
10-28-2013 06:10 PM
Did the information given to you help out with your solution? Please let us know.
10-31-2013 10:54 AM
Please update the ticket as resolved or answered so we can close out followup.