[c-nsp] FWSM logging problem
Holemans Wim
wim.holemans at ua.ac.be
Wed Dec 16 10:44:10 EST 2009
It seems our FWSM doesn't log all denied ACLs. I blocked an IP address
on our FWSM and wanted to see whoever on campus is trying to access
this address (Botnet C&C).
I added the following line in the ACL (even raised priority), you can
see that the rule triggers when I tried to telnet the address:
access-list Internet-out line 24 extended deny ip any host X1.X2.X3.X4 log critical interval 30 (hitcnt=9) 0x6e051e8c
There is however no corresponding syslog message on our syslog server or
in the buffered logs on the FWSM.
These are our logging settings: already raised queue size, some
messages moved to another log level so they don't get sent to our syslog
server. ACL log messages are normally of ID 106100 level debugging, I
can find several of them on the syslog server but not for the specific
ACE.
logging enable
logging timestamp
logging emblem
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap informational
logging asdm informational
logging queue 1024
logging host DA-rt x.x.x.x
logging message 305010 level debugging
logging message 305009 level debugging
logging message 302015 level debugging
logging message 302014 level debugging
logging message 302013 level debugging
logging message 302016 level debugging
logging message 302021 level debugging
Does anyone have a clue on how to get all syslog messages for the ACEs that
have a log part?
Wim Holemans
Netwerkdienst Universiteit Antwerpen