Configuring Logging For An Access Control Entry - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line
Chapter 16 Identifying Traffic with Access Lists
Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, page 16-19

Logging Access List Activity

Only the ACEs you configure generate log messages; the implicit deny at the end of an access list does not. To log all denied traffic, add an explicit deny ACE with the log option at the end of the access list, as in the following example:
hostname(config)# access-list TEST deny ip any any log

The log options at the end of the extended access-list command let you set the following behavior:
• Enable message 106100 instead of message 106023
• Disable all logging
• Return to the default logging using message 106023

System message 106100 is in the following form:
%ASA|PIX-n-106100: access-list acl_id {permitted | denied} protocol
interface_name/source_address(source_port) -> interface_name/dest_address(dest_port)
hit-cnt number ({first hit | number-second interval})

When you enable logging for message 106100, if a packet matches an ACE, the security appliance creates a flow entry to track the number of packets received within a specific interval. The security appliance generates a system message at the first hit and at the end of each interval, identifying the total number of hits during the interval. At the end of each interval, the security appliance resets the hit count to 0. If no packets match the ACE during an interval, the security appliance deletes the flow entry.

A flow is defined by the source and destination IP addresses, protocols, and ports. Because the source port might differ for a new connection between the same two hosts, you might not see the same flow increment because a new flow was created for the connection. See the "Managing Deny Flows" section on page 16-20 to limit the number of logging flows.

Permitted packets that belong to established connections do not need to be checked against access lists; only the initial packet is logged and included in the hit count. For connectionless protocols, such as ICMP, all packets are logged even if they are permitted, and all denied packets are logged.

See the Cisco Security Appliance Logging Configuration and System Log Messages guide for detailed information about this system message.

Configuring Logging for an Access Control Entry

To configure logging for an ACE, use the log option of the access-list command:
hostname(config)# access-list access_list_name [extended] {deny | permit}...[log [[level] [interval secs] | disable | default]]

See the "Adding an Extended Access List" section on page 16-5 and the "Adding a Webtype Access List" section on page 16-10 for complete access-list command syntax.

If you enter the log option without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). The options are as follows:
• level—A severity level between 0 and 7. The default is 6.
• interval secs—The time interval in seconds between system messages, from 1 to 600. The default is 300. This value is also used as the timeout value for deleting an inactive flow.
• disable—Disables all access list logging.
• default—Enables logging to message 106023. This setting is the same as having no log option.

For example, you configure the following access list:
hostname(config)# access-list outside-acl permit ip host 1.1.1.1 any log 7 interval 600
hostname(config)# access-list outside-acl permit ip host 2.2.2.2 any
hostname(config)# access-list outside-acl deny ip any any log 2
hostname(config)# access-group outside-acl in interface outside

Here the first ACE reports permitted traffic from host 1.1.1.1 with message 106100 at severity 7 and a 600-second interval, the second ACE has no log option and reports nothing for the traffic it permits, and the explicit deny ACE reports all other traffic with message 106100 at severity 2 and the default 300-second interval, in place of the per-packet 106023 messages the implicit deny would not have generated.
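The following Python script is an added example, not part of the Cisco manual or of the appliance software. It parses 106100 messages in the form shown above and adds up the per-interval hit counts the way a log collector must, because each message carries only the hits of one interval. The log lines in it are constructed to match the example access list above (severity 7 and a 600-second interval on the permit ACE, severity 2 on the deny ACE); the bracketed hash pair at the end of each constructed line is not part of the form shown on this page and is ignored by the parser, and the "first hit" / "N-second interval" alternatives are accepted with or without the parentheses of the documented form.

```python
"""Parse ASA/PIX system message 106100 and add up per-ACE hit counts.

Added example for this page, not Cisco code. The message layout follows the
%ASA|PIX-n-106100 form documented above; the sample lines are constructed.
"""
import re
from collections import defaultdict

# One 106100 message. "first hit" marks the creation of the flow entry; the
# "N-second interval" form closes an interval and reports the hits in it.
# Anything after the alternatives (such as a bracketed hash pair, assumed
# here to be appended by real appliances) is ignored.
MSG_106100 = re.compile(
    r"%(?:ASA|PIX)-(?P<level>[0-7])-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[^\s(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^\s(]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+) \(?(?:(?P<first>first hit)|(?P<interval>\d+)-second interval)\)?"
)


def parse_106100(line):
    """Return the fields of a 106100 line, or None for any other message."""
    m = MSG_106100.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return {
        "level": int(g["level"]),
        "acl": g["acl"],
        "action": g["action"],
        "proto": g["proto"],
        "src_if": g["src_if"], "src": g["src"], "sport": int(g["sport"]),
        "dst_if": g["dst_if"], "dst": g["dst"], "dport": int(g["dport"]),
        "hits": int(g["hits"]),
        "first_hit": g["first"] is not None,
        "interval": int(g["interval"]) if g["interval"] else None,
    }


def _records(lines):
    return [r for r in map(parse_106100, lines) if r is not None]


def hits_per_flow(lines):
    """Total hits per flow (ACE, action, protocol, addresses and ports).

    Each message carries only the hits of one interval, because the appliance
    resets the counter to 0 when the interval ends, so a flow's total is the
    sum over its messages, the first-hit message included.
    """
    totals = defaultdict(int)
    for r in _records(lines):
        key = (r["acl"], r["action"], r["proto"],
               r["src"], r["sport"], r["dst"], r["dport"])
        totals[key] += r["hits"]
    return dict(totals)


def hits_per_host_pair(lines):
    """Total hits per ACE, action, protocol and host pair, ignoring ports.

    A new TCP connection between the same hosts normally has a new source
    port and so gets its own flow entry; folding the ports away recovers the
    activity between the two hosts that the per-flow view splits up.
    """
    totals = defaultdict(int)
    for r in _records(lines):
        totals[(r["acl"], r["action"], r["proto"], r["src"], r["dst"])] += r["hits"]
    return dict(totals)


def denied_sources(lines, threshold):
    """Source addresses whose denied hits, summed over all their flows, reach threshold."""
    per_src = defaultdict(int)
    for r in _records(lines):
        if r["action"] == "denied":
            per_src[r["src"]] += r["hits"]
    return {src: n for src, n in per_src.items() if n >= threshold}


# Constructed sample: messages the example access list above could produce
# (severity 7, 600-second interval on the permit ACE; severity 2 on the deny
# ACE). The last line is a 106023 message and is skipped by the parser.
SAMPLE_LOG = """\
%ASA-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(1026) -> inside/192.168.1.10(80) hit-cnt 1 first hit [0x4a8a4c3c, 0x0]
%ASA-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(1027) -> inside/192.168.1.10(80) hit-cnt 1 first hit [0x4a8a4c3c, 0x0]
%ASA-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(1026) -> inside/192.168.1.10(80) hit-cnt 2 600-second interval [0x4a8a4c3c, 0x0]
%ASA-2-106100: access-list outside-acl denied tcp outside/10.9.8.7(40000) -> inside/192.168.1.10(22) hit-cnt 1 first hit [0x1d2a8c61, 0x0]
%ASA-2-106100: access-list outside-acl denied tcp outside/10.9.8.7(40000) -> inside/192.168.1.10(22) hit-cnt 37 300-second interval [0x1d2a8c61, 0x0]
%ASA-2-106100: access-list outside-acl denied icmp outside/10.9.8.7(0) -> inside/192.168.1.10(0) hit-cnt 12 300-second interval [0x1d2a8c61, 0x0]
%ASA-4-106023: Deny tcp src outside:10.9.8.7/40001 dst inside:192.168.1.10/23 by access_group "outside-acl"
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for flow, n in sorted(hits_per_flow(lines).items()):
        print(n, *flow)
    print("host pairs:", hits_per_host_pair(lines))
    print("denied sources at or above 50 hits:", denied_sources(lines, 50))
```

The two permitted flows from 1.1.1.1 differ only in source port, so hits_per_flow reports them separately (3 and 1 hits) while hits_per_host_pair reports 4 for the host pair, which is the effect the paragraph on flow definition describes. Because hit-cnt restarts at 0 each interval, summing is the only correct aggregation; taking the maximum or the last value would undercount.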