Seems I remembered the syslog ID wrong

It was actually 106023 that shows the denied connections.

You should see them in the ASDM with current logging settings. And as Julio mentioned for other destinations of logging you would have to make changes or change the above syslog IDs logging level to something that fits the current levels set.

- Jouni

Hi Jouni,

Thanks for your response. The syslogID 106023 is enabled and the logging level set is "warning". I do see syslog messages of ID 106023, however it's only deny acl inbound on my outside interface. I would like to see syslog messages of deny acl hits inbound on my inside interface.

Hi,

I noticed that I actually mistook the correct syslog ID myself before I checked it from the Syslog documentation for ASA.

I guess you have defined a separate level for your ACL rule at the end of the ACL rule? The original post mentions "Informational" that doesnt match your current levels set in the "logging" commands.

If you had not modified any ACL rules default logging level and had enabled Notifications level logging to the logging destination of your choosing (server, asdm, buffer, etc) , you should see ALL log messages that deny traffic based on ACL rules.

So you you will have to change the logging level of either the actual ACL rules or change the logging level globally for some of the logging destinations you are viewing logs from.

- Jouni

It all ends with the correct level definition!!

That's it...

The default syslog message for drops based on ACL applied on access-group is 106023 when you enable log option at the end of an ACL the syslopg option would be 106100.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_logging.html

If you enter the  log option without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). if you want to change the interval it can be changed up to 1 second but remember that you pass more then one packet per second so it probably won't capture all tries but will most definitively drop all tries based on the deny on the ACL.

If you try to change the log message level for 106100 through the next command:

logging message 106100 level 4

It will not do it and give you the next information log

INFO: Please use the access-list command to change the severity level of this syslog

Hello,

Just add the log option with the interval defined as one second on the ACE that is denying traffic on tcp/25.

Just change delete the ACL and readd it with the correct logging level as Julio asked.

no access-list inside_access_in line 2 extended deny tcp 10.x.x.x  255.0.0.0 any eq smtp log

access-list inside_access_in line 2 extended deny tcp 10.x.x.x  255.0.0.0 any eq smtp log 4 interval 1

Thanks all for your response.

present logging level on deny acl is now warning.

I do see logging messages from 106023 for inbound acl on outside interface however i do not for inbound inside interface.

however, 106100 is not enabled yet.

Question,

Shouldn't 106023 be able to show messages? or i do have to enable 106100? hope my question is not confusing?

Hello,

you have not denied either and by default is enabled. As long  as you have it set for informational,

You should be able to see the messages now,

Regards,

Jcarvaja

If you enable the keyword log on the ACL for traffic that is logged for what matches the ACL it will only report on syslog ID 106100.

Did the information given to you help out for your solution, please let us know?

Please update the ticket as resolved or answered so we can close out followup.