Where is the logging occurring?

Kevin Melton
Level 2

CSC Forum

I am working on a client site today.  The client has an ACL applied to the WAN interface of their ASA in an inbound direction, which is not uncommon.  The last line of the ACL has an ACE that reads

"access-list WAN_access_in_1 line 45 extended permit ip any any log debugging interval 300"

What I am unclear about is where the logging occurs. I explained to the IT Admin on site that they may not want to have ip permit any any, and that if we figured out what the traffic matching that ACE was, we could just write a rule for it. So I wanted to examine the logs, since logging is enabled on that ACE, so I could see where the traffic was coming from.

I looked at the log buffer, but there is no data in the log buffer with respect to the ACE. Where would it be logging to based on the statement? There is not a syslog server at this client, so it has to be either the log buffer or the ASDM log I think...?

Also what does the interval 300 mean in the ACE?

Thanks

Kevin

1 Accepted Solution


mirober2
Cisco Employee

Hi Kevin,

Take a look at the output of 'show run log' on the ASA. That should tell you the different logging destinations that are configured.

-Mike


Yes Mike

Well, I had done exactly that and I see the following:

logging enable
logging timestamp
logging standby
logging buffer-size 16384
logging buffered debugging
logging trap debugging
logging asdm informational
logging host inside 192.168.1.146
logging host inside 172.16.32.157
snmp-server enable traps syslog

but this does not tell me which logging method the ACE statement is writing to...

"access-list WAN_access_in_1 extended permit ip any any log debugging"

My assumption was that it should be in the log buffer, but I still need to verify this so I can extract the data that I need.  I do not see any "permit" activity in the log buffer.  Yet I can see hit counts on the ACE when I use ASDM.

Hi Kevin,

You should see the hits in the 'show log' output, and also in the syslogs saved to 192.168.1.146 and 172.16.32.157. The message you should see is %ASA-7-106100.

Hope that helps.

-Mike
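
Added example, not part of any post above: once the %ASA-7-106100 messages Mike mentions have been collected from 'show log' or the syslog hosts, a short Python script can total the permitted flows on WAN_access_in_1 and draft narrower ACEs for review. The log lines are constructed, the message layout is assumed to follow Cisco's documented 106100 format, and `summarize_permits` and `draft_aces` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed sample lines in Cisco's documented 106100 layout; addresses,
# ports and hash codes are invented for the example.
SAMPLE_LOG = """\
Jan 10 2024 10:00:01: %ASA-7-106100: access-list WAN_access_in_1 permitted tcp WAN/198.51.100.7(51514) -> inside/192.168.1.20(443) hit-cnt 1 first hit [0x0, 0x0]
Jan 10 2024 10:05:01: %ASA-7-106100: access-list WAN_access_in_1 permitted tcp WAN/198.51.100.7(51514) -> inside/192.168.1.20(443) hit-cnt 12 300-second interval [0x0, 0x0]
Jan 10 2024 10:06:13: %ASA-7-106100: access-list WAN_access_in_1 permitted udp WAN/203.0.113.9(40000) -> inside/192.168.1.30(53) hit-cnt 1 first hit [0x0, 0x0]
Jan 10 2024 10:06:14: %ASA-6-302013: Built inbound TCP connection 42 for WAN:198.51.100.7/51514 (198.51.100.7/51514) to inside:192.168.1.20/443 (192.168.1.20/443)
Jan 10 2024 10:07:00: %ASA-7-106100: access-list other_acl denied tcp WAN/203.0.113.9(40001) -> inside/192.168.1.30(23) hit-cnt 1 first hit [0x0, 0x0]
"""

# Fields of message 106100: ACL name, action, protocol, both endpoints, hit count.
MSG_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

def summarize_permits(log_text, acl="WAN_access_in_1"):
    """Total hit-cnt per (proto, source, destination, destination port) for permits on one ACL."""
    flows = Counter()
    for line in log_text.splitlines():
        m = MSG_106100.search(line)
        if not m or m["acl"] != acl or m["action"] != "permitted":
            continue  # other message IDs, other ACLs, and denies are skipped
        # The source port is ephemeral, so it is left out of the grouping key.
        flows[(m["proto"], m["src"], m["dst"], int(m["dport"]))] += int(m["hits"])
    return flows

def draft_aces(flows, acl="WAN_access_in_1"):
    """Return (ACE text, hits) pairs, busiest first, as drafts for human review."""
    drafts = []
    for (proto, src, dst, dport), hits in flows.most_common():
        port = f" eq {dport}" if proto in ("tcp", "udp") else ""
        drafts.append((f"access-list {acl} extended permit {proto} host {src} host {dst}{port}", hits))
    return drafts

if __name__ == "__main__":
    for ace, hits in draft_aces(summarize_permits(SAMPLE_LOG)):
        print(f"{hits:>6} hits  {ace}")
```

Each interval message carries the hit count for that reporting period, so summing `hit-cnt` across the first-hit and interval lines gives the total for the flow.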
