CHAPT ER
20-1
Cisco ASA 5500 Series Configuration Guide using the CLI
20
Configuring Logging for Access Lists
This chapter describes how to configure access list logging for extended access lists and Webytpe access
lists, and it describes how to manage deny flows.
This chapter includes the following sections:
Configuring Logging for Access Lists, page20-1
Managing Deny Flows, page20-5

Configuring Logging for Access Lists

This section includes the following topics:
Information About Logging Access List Activity, page20-1
Licensing Requirements for Access List Logging, page20-2
Guidelines and Limitations, page20-2
Default Settings, page20-3
Configuring Access List Logging, page20-3
Monitoring Access Lists, page20-4
Configuration Examples for Access List Logging, page20-4
Feature History for Access List Logging, page 20-5

Information About Logging Access List Activity

By default, when traffic is denied by an extended ACE or a Webtype ACE, the ASA generates syslog
message 106023 for each denied packet in the following form:
%ASA|PIX-4-106023: Deny protocol src [interface_name:source_address/source_port] dst
interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_id
If the ASA is attacked, the number of syslog messages for denied packets can be very large. We
recommend that you instead enable logging using syslog message 106100, which provides statistics for
each ACE and enables you to limit the number of syslog messages produced. Alternatively, you can
disable all logging.