Cisco ASA Series Cli Configuration Manual page 593

Configuring Logging for Access Lists
This chapter describes how to configure access list logging for extended access lists and Webytpe access
lists, and it describes how to manage deny flows.
This chapter includes the following sections:
•
•
Configuring Logging for Access Lists
This section includes the following topics:
•
•
•
•
•
•
•
•
Information About Logging Access List Activity
By default, when traffic is denied by an extended ACE or a Webtype ACE, the ASA generates syslog
message 106023 for each denied packet in the following form:
%ASA|PIX-4-106023: Deny protocol src [interface_name:source_address/source_port] dst
interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_id
If the ASA is attacked, the number of syslog messages for denied packets can be very large. We
recommend that you instead enable logging using syslog message 106100, which provides statistics for
each ACE and enables you to limit the number of syslog messages produced. Alternatively, you can
disable all logging.
Configuring Logging for Access Lists, page 1-1
Managing Deny Flows, page 1-5
Information About Logging Access List Activity, page 1-1
Licensing Requirements for Access List Logging, page 1-2
Guidelines and Limitations, page 1-2
Default Settings, page 1-3
Configuring Access List Logging, page 1-3
Monitoring Access Lists, page 1-4
Configuration Examples for Access List Logging, page 1-4
Feature History for Access List Logging, page 1-5
1
C H A P T E R
Cisco ASA Series CLI Configuration Guide
1-1