Real-time Log Viewer filter not showing rule hits with ACL

rcoote5902_2
Level 2

Hello,

I'm running into this issue on an ASA 5520 running version 8.2(2)9 and ASDM version 6.2(1).

I have an ACL denying traffic to a certain IP range and the logging level set to Debugging.  The hit count is rising quite rapidly but when selecting "Show Log" the Real-Time Log Viewer opens with a value of 0x13d0ee2a in the "Filter By" field and no logs are ever shown.

Logging is enabled globally and Logging Filters on ASDM is set to Debugging as well.

Any ideas on how I can get the RTLV working?

Thanks,

Rob

7 Replies

puseth
Level 1

Hi Rob,

By default, if a packet is permitted/denied by the access-list, the log with the log ID *106100* is generated, which happens at notification level. There have been a few bugs where we've seen issues like these.

Can you verify if you are seeing any logs, either on ASDM or CLI, with this syslog ID 106100?

Instead of doing show rule, try to capture logs in ASDM in real-time monitoring, initiate some traffic, and filter this using either source/destination IP address.

Puneet

Sorry for the delay in responding, log ID 106100 shows disabled in ASDM.  I've enabled it, but Logging level shows N/A, and I don't seem to be able to change that.  Any ideas?

Hi,

Normally if you want to change logging message level the command would be

logging message level

Not sure if it helps in this situation.

If you just use ASDM you can use Tools -> Command Line Interface to insert the command

- Jouni

I tried that but apparently it's a special syslog message that requires an ACL...

INFO: Please use the access-list command to change the severity level of this syslog

Hi,

Well in CLI format when you configure an access-list line (ACE) the format is as follows.

access-list ACL permit ip any any log

To my understanding the syslog id you have discussed is related to the above "log" parameter that you attach to an ACE. Attaching the parameter "log" to the ACE means it will generate a log message of the hits to the particular ACE. Default without any "log" parameters configured in an ACL, only Deny messages are logged by the ASA.

- Jouni

I'm trying to log ACL hits, and logging is set on the ACL I'm trying to monitor.  With that said, syslog 106100 messages are not being logged, so while hits are being recorded they aren't spitting out syslog messages.  I'm reading through the advanced syslog info on the ASA and it appears syslog 106100 requires some special treatment.

Hi,

I am getting log messages on my home ASA at least.

The Syslog ID is different depending on if I use the "log" parameter or not.

If I don't have the log parameter, the traffic hitting the Deny line will log as 106023

If I do have the log parameter, the traffic hitting the Deny line will log as 106100

Both show on ASDM Real-Time Log Viewer

- Jouni
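The thread comes down to a question Jouni answers from memory: are 106100 messages (ACE with the "log" keyword) or only 106023 messages (deny without "log") actually reaching syslog? Below is an added example, not code from the thread or from Cisco, that checks this from the raw syslog feed instead of the ASDM viewer. The message layouts follow the documented 106023 and 106100 formats; every log line, address, ACL name and hash value is constructed for the example. The helper `hits_for_ace` assumes that a value like the 0x13d0ee2a Rob saw in the "Filter By" field corresponds to the first hash code printed in square brackets by 106100; that correspondence is an assumption here, so treat it as a way to ask the right question rather than as a documented fact.

```python
import re
from collections import Counter

# Constructed sample ASA syslog lines (not from the thread). Layouts follow the
# documented 106023 / 106100 formats; addresses, ACL names and hashes are made up.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:198.51.100.7/40211 dst inside:10.0.0.5/445 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-6-106100: access-list OUTSIDE_IN denied tcp outside/198.51.100.7(40212) -> inside/10.0.0.5(445) hit-cnt 1 first hit [0x13d0ee2a, 0x0]
%ASA-6-106100: access-list OUTSIDE_IN denied tcp outside/198.51.100.7(40213) -> inside/10.0.0.5(445) hit-cnt 37 300-second interval [0x13d0ee2a, 0x0]
%ASA-6-106100: access-list INSIDE_OUT permitted udp inside/10.0.0.9(5353) -> outside/203.0.113.2(53) hit-cnt 1 first hit [0x7a1b2c3d, 0x0]
%ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.7/40214 (198.51.100.7/40214) to inside:10.0.0.5/80 (10.0.0.5/80)
"""

# %ASA-<severity>-<6-digit id>: <body>
SYSLOG_ID = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)")

# 106100: emitted by an ACE that carries the "log" keyword (permit or deny),
# with a hit count and two hash codes identifying the ACE.
ACE_106100 = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+) "
    r".*\[(?P<hash1>0x[0-9a-fA-F]+), (?P<hash2>0x[0-9a-fA-F]+)\]$"
)

# 106023: the default deny message when the ACE has no "log" keyword.
DENY_106023 = re.compile(
    r"Deny (?P<proto>\S+) src (?P<src_if>[^:]+):(?P<src>[^/]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst>[^/]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)


def parse_line(line):
    """Return a dict for an ACL-related ASA syslog line (106023 or 106100), else None."""
    m = SYSLOG_ID.match(line.strip())
    if not m:
        return None
    event = {"severity": int(m.group("sev")), "id": m.group("id")}
    body = m.group("body")
    if event["id"] == "106100":
        d = ACE_106100.match(body)
        if not d:
            return None
        event.update(d.groupdict())
        event["hits"] = int(event["hits"])
        # "permitted" and "est-allowed" both let traffic through
        event["action"] = "deny" if event["action"] == "denied" else "permit"
        return event
    if event["id"] == "106023":
        d = DENY_106023.match(body)
        if not d:
            return None
        event.update(d.groupdict())
        event["hits"] = 1          # 106023 is one message per packet, no hit-cnt
        event["action"] = "deny"
        return event
    return None


def count_by_id(log_text):
    """Count every %ASA message by syslog ID; a feed with 106023 but no 106100
    points at ACEs without the "log" keyword rather than at the viewer."""
    ids = Counter()
    for line in log_text.splitlines():
        m = SYSLOG_ID.match(line.strip())
        if m:
            ids[m.group("id")] += 1
    return ids


def acl_events(log_text):
    """All parsed 106023/106100 events in the feed."""
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def hits_for_ace(log_text, ace_hash):
    """Sum 106100 hit counts for one ACE hash code (assumed to be the value
    ASDM puts in the Real-Time Log Viewer's "Filter By" field)."""
    return sum(e["hits"] for e in acl_events(log_text)
               if e["id"] == "106100" and e.get("hash1", "").lower() == ace_hash.lower())


def deny_sources(log_text):
    """Denied packets per source address, combining both message IDs so the
    count does not depend on which ACEs carry the "log" keyword."""
    c = Counter()
    for e in acl_events(log_text):
        if e["action"] == "deny":
            c[e["src"]] += e["hits"]
    return c


if __name__ == "__main__":
    print(dict(count_by_id(SAMPLE_LOG)))
    for e in acl_events(SAMPLE_LOG):
        print(e["id"], e["acl"], e["action"], e["src"], "->", e["dst"], "hits", e["hits"])
    print("hits for ACE 0x13d0ee2a:", hits_for_ace(SAMPLE_LOG, "0x13d0ee2a"))
    print("denies per source:", dict(deny_sources(SAMPLE_LOG)))
```

Run it against a file captured from the syslog server with `SAMPLE_LOG` swapped for the file contents. If `count_by_id` shows 106023 entries for the ACL but no 106100 at all, the ACE is logging at its default level without the "log" keyword, which matches Jouni's observation; if neither appears while the hit counter climbs, the problem is upstream of ASDM (logging level of the message, or the ACE's own log level) rather than in the viewer's filter.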
