Cisco Support Community

New Member

logging on ACLs - problem with deny ACEs

I discovered that recently our FWSM does not want to log deny-flows any more.

Whenever I want a certain ACE to be logged, I enable the logging with the alert level - and it gets Syslogged.

Configuration used:

---
BE01NF31/UNIVEG# sh run log
logging enable
logging timestamp
logging list ErLst level alerts
logging list ErLst message 106100
logging buffer-size 16384
logging trap ErLst
logging asdm ErLst
logging host FW_Ext BE01S514
logging permit-hostdown
logging class config trap warnings
logging class ip trap alerts
---

Whenever I log a 'permit' ACE, it works fine, but when I want to log a 'deny' ACE, nothing is sent to the Syslog server.

What can cause this behaviour? What can I check?

Thanks !!

1 REPLY
Cisco Employee

Re: logging on ACLs - problem with deny ACEs

There is a possibility that you might be hitting the maximum number of ACL log deny-flows via syslog message# 106101:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/system/message/logmsgs.html#wp1727742

However, since you are only sending syslog message# 106100 to your syslog server, you are not seeing the other syslog messages that might give you an explanation on why you are not seeing the deny logs.

Hope that helps.
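The filtering the reply describes, as an added example that is not part of the original thread or of Cisco's software: a small Python model of an FWSM/ASA `logging list` (a severity level plus explicitly listed message IDs) run over a few constructed `%FWSM` syslog lines. The addresses, hit counts, limit value and the severities carried in the sample lines (106100 at informational, 106101 at warnings) are constructed for the example, and the `logging class` commands from the posted configuration are deliberately not modelled. The script shows that with the list exactly as posted, a 106101 message is silently dropped, and that a second entry of the same form as the existing one, `logging list ErLst message 106101`, makes the cache-limit condition visible on the syslog server.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity numbers behind the FWSM/ASA 'level' keywords (0 = emergencies ... 7 = debugging).
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Constructed sample syslog lines, NOT captured from a real device.
SAMPLE_LOG = [
    "%FWSM-6-106100: access-list acl_in permitted tcp inside/10.1.1.10(40001) -> "
    "outside/192.0.2.20(443) hit-cnt 1 first hit [0x0, 0x0]",
    "%FWSM-6-106100: access-list acl_in denied udp inside/10.1.1.11(514) -> "
    "outside/192.0.2.21(53) hit-cnt 3 300-second interval [0x0, 0x0]",
    "%FWSM-4-106101: Number of cached deny-flows for ACL log has reached limit (4096)",
    "%FWSM-4-106023: Deny tcp src inside:10.1.1.12/5000 dst outside:192.0.2.22/22 "
    "by access-group \"acl_in\"",
]

MSG_RE = re.compile(r"%FWSM-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)")


@dataclass(frozen=True)
class EventList:
    """Model of one 'logging list <name>' block: an optional 'level X' entry
    plus zero or more 'message N' entries (assumption: that is all we model)."""
    name: str
    level: Optional[int] = None
    message_ids: frozenset = frozenset()

    def passes(self, msg_id: int, severity: int) -> bool:
        # A message is forwarded if it is at or above the list's level
        # (numerically <= the level) OR its ID was added to the list explicitly.
        if self.level is not None and severity <= self.level:
            return True
        return msg_id in self.message_ids


def parse(line: str) -> Tuple[int, int, str]:
    """Split a %FWSM-<sev>-<id>: <text> line into (message id, severity, text)."""
    m = MSG_RE.match(line)
    if not m:
        raise ValueError("not a %FWSM syslog line: " + line)
    return int(m["id"]), int(m["sev"]), m["text"]


def forwarded(lines: List[str], event_list: EventList) -> List[int]:
    """Message IDs that 'logging trap <list>' would send to the syslog host."""
    return [msg_id for msg_id, sev, _ in map(parse, lines)
            if event_list.passes(msg_id, sev)]


def dropped(lines: List[str], event_list: EventList) -> List[int]:
    """Message IDs the list filters out; these never reach the syslog host."""
    return [msg_id for msg_id, sev, _ in map(parse, lines)
            if not event_list.passes(msg_id, sev)]


# The list exactly as posted: 'level alerts' plus 'message 106100'.
ORIGINAL_LIST = EventList("ErLst", level=SEVERITY["alerts"],
                          message_ids=frozenset({106100}))

# Assumed extension: one more entry, 'logging list ErLst message 106101'.
EXTENDED_LIST = EventList("ErLst", level=SEVERITY["alerts"],
                          message_ids=frozenset({106100, 106101}))

if __name__ == "__main__":
    for name, lst in (("as posted", ORIGINAL_LIST), ("with 106101 added", EXTENDED_LIST)):
        print(name, "-> forwarded:", forwarded(SAMPLE_LOG, lst),
              "dropped:", dropped(SAMPLE_LOG, lst))
```

With the list as posted only the two 106100 lines pass; the 106101 limit message and the 106023 deny are both at severity 4 and are dropped, which is exactly why the cause stays invisible on the syslog server. Adding 106101 to the list forwards the limit message while keeping the noisier 106023 traffic out.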
