[c-nsp] FWSM logging problem

Andrew Yourtchenko ayourtch at cisco.com
Wed Dec 16 13:35:26 EST 2009


On Wed, 16 Dec 2009, Holemans Wim wrote:

> It seems our FWSM doesn't log all denied ACLs. I blocked an IP address
> on our FWSM and wanted to see whomever on campus is trying to access
> this address (Botnet C&C).
>
> I added the following line in the ACL (even raised priority), you can
> see that the rule triggers when I tried to telnet the address :
>
> access-list Internet-out line 24 extended deny ip any host X1.X2.X3.X4
> log critical interval 30 (hitcnt=9) 0x6e051e8c
>
> There is however no corresponding syslog message on our syslog server or
> in the buffered logs on the FWSM.

Any chance you'd have "%FWSM-1-106101: Number of cached deny-flows for 
ACL log has reached limit" somewhere ?

Check on "show access-list" output:

FWSM(config)# sh access-list | inc flows
access-list cached ACL log flows: total 1, denied 1 (deny-flow-max 1)

Here I've configured 1 flow. Once you reach the flow limit, further 
logs are suppressed (AFAIK, with the logic being, that since the whole 
idea behind the "log" is to decrease the amount of logging messages, if 
we get a lot of hits, we are probably already under stress, so would not 
want to stress further by downgrading the logs to sending them per-packet).

If you have a lot of ACEs that are marked with "log" keyword, this might 
be what you see. Decreasing the interval should help to keep the # of logs 
under max.

>
> These are our logging settings: already raised queue size, some
> messages moved to another log level so they don't get sent to our syslog
> server. ACL log messages are normally of ID 106100 level debugging, I
> can find several of them on the syslog server but not for the specific
> ACE.

For the specific ACE, you can remove the "log" keyword. A bit
counter-intuitive as this might seem, it would not stop the logging for 
the denied sessions - just the messages will be different ("firewall-style"):

%FWSM-4-106023: Deny icmp src outside:X.1.1.1 dst inside:Y.1.1.1 (type 
8, code 0) by access-group "foo" [0x17a38302, 0x0]

instead of:

%FWSM-6-106100: access-list foo denied icmp outside/X.1.1.1(0) -> 
inside/Y.1.1.3(8) hit-cnt 1 (first hit) [0xe6aea397, 0x0]

That 106023 will be sent one-message-per-hit.

So I think it should precisely fit what you are looking for.

cheers,
andrew
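As an added illustration (not part of the thread, and not Cisco code) of the two message styles discussed above, the following Python parses 106023 and 106100 deny messages from a syslog file, counts denied hits per source towards a blocked address, and flags whether a 106101 "cached deny-flows" warning was seen, in which case the 106100-based counts are only a lower bound. The sample lines and the tcp form of 106023 (ifc:ip/port) are constructed assumptions modelled on the messages quoted in the thread.

```python
import re
from collections import Counter
# Constructed sample lines, not from the thread's FWSM (RFC 5737 addresses).
# The icmp 106023 and the 106100 lines follow the formats quoted above; the
# tcp 106023 form with ifc:ip/port is assumed from the same message family.
SAMPLE_LOG = """\
%FWSM-4-106023: Deny tcp src inside:192.0.2.10/51234 dst outside:198.51.100.7/23 by access-group "Internet-out" [0x17a38302, 0x0]
%FWSM-6-106100: access-list Internet-out denied tcp inside/192.0.2.11(51235) -> outside/198.51.100.7(23) hit-cnt 3 (30-second interval) [0xe6aea397, 0x0]
%FWSM-1-106101: Number of cached deny-flows for ACL log has reached limit
%FWSM-4-106023: Deny icmp src inside:192.0.2.10 dst outside:198.51.100.7 (type 8, code 0) by access-group "Internet-out" [0x17a38302, 0x0]
%FWSM-6-106100: access-list Internet-out denied tcp inside/192.0.2.12(40000) -> outside/203.0.113.9(80) hit-cnt 1 (first hit) [0x1a2b3c4d, 0x0]
"""
MSG_RE = re.compile(r"%FWSM-\d-(?P<id>\d{6}): (?P<body>.*)")
# 106023: per-packet deny (ACE without "log"); 106100: cached-flow deny with hit count.
DENY_106023_RE = re.compile(
    r"Deny (?P<proto>\w+) src [\w-]+:(?P<src>[\d.]+)(?:/\d+)? "
    r"dst [\w-]+:(?P<dst>[\d.]+)(?:/\d+)?")
DENY_106100_RE = re.compile(
    r"access-list \S+ denied (?P<proto>\w+) [\w-]+/(?P<src>[\d.]+)\(\d+\) "
    r"-> [\w-]+/(?P<dst>[\d.]+)\(\d+\) hit-cnt (?P<hits>\d+)")

def parse_line(line):
    """Dict for 106023/106100 denies, {'id': '106101'} for the limit warning."""
    m = MSG_RE.search(line)
    if not m:
        return None
    msg_id, body = m.group("id"), m.group("body")
    if msg_id == "106101":
        return {"id": msg_id}
    pat = {"106023": DENY_106023_RE, "106100": DENY_106100_RE}.get(msg_id)
    d = pat.match(body) if pat else None
    if not d:
        return None
    g = d.groupdict()
    return {"id": msg_id, "proto": g["proto"], "src": g["src"],
            "dst": g["dst"], "hits": int(g.get("hits") or 1)}

def deny_sources(log_text, target):
    """Hits per denied source IP towards `target`, plus whether 106101 (deny-flow-max reached) was seen."""
    counts, suppressed = Counter(), False
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["id"] == "106101":
            suppressed = True
        elif rec["dst"] == target:
            counts[rec["src"]] += rec["hits"]
    return dict(counts), suppressed
```

When `suppressed` comes back True, the 106100 counts cannot be trusted as complete, which is exactly the situation the 106101 message warns about; the per-packet 106023 messages are unaffected by deny-flow-max.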

