Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 20 Configuring Logging for Access Lists

Configuring Logging for Access Lists

To configure logging for an ACE, enter the following command:

Command:
access-list access_list_name [extended] {deny | permit} ... [log [[level] [interval secs] | disable | default]]

Example:
hostname(config)# access-list outside-acl permit ip host 10.0.0.0 any log 7 interval 600

Purpose:
Configures logging for an ACE.
The access-list access_list_name syntax specifies the access list for which you want to configure logging.
The extended option adds an ACE.
The deny keyword denies a packet if the conditions are matched. Some features do not allow deny ACEs, such as NAT. (See the command documentation for each feature that uses an access list for more information.)
The permit keyword permits a packet if the conditions are matched.
If you enter the log option without any arguments, you enable syslog message 106100 at the default level (6) and for the default interval (300 seconds). See the following options:
level—A severity level between 0 and 7. The default is 6. This level becomes the severity of message 106100 for this ACE.
interval secs—The time interval in seconds between syslog messages, from 1 to 600. The default is 300. This value is also used as the timeout value for deleting an inactive flow.
disable—Disables all logging for this ACE; no syslog message (neither 106100 nor 106023) is generated for packets that match it.
default—Enables logging to message 106023. This setting is the same as having no log option.
(See the access-list command in the Cisco Security Appliance Command Reference for more information about command options.)

Monitoring Access Lists

To monitor access lists, enter one of the following commands:

Command: show access-list
Purpose: Displays the access list entries by line number, with the hit count for each ACE.

Command: show running-config access-list
Purpose: Displays the current running access list configuration.

Configuration Examples for Access List Logging

This section includes sample configurations for logging access lists.
You might configure the following access list:
hostname(config)# access-list outside-acl permit ip host 10.10.0.0 any log 7 interval 600
hostname(config)# access-list outside-acl permit ip host 10.255.255.255 any
hostname(config)# access-list outside-acl deny ip any any log 2
hostname(config)# access-group outside-acl in interface outside
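The following script is an added example and is not code from the Cisco guide. It applies the log-option rules described in the command description to the sample access list above and reports what each ACE will actually send to syslog: no log keyword or log default gives message 106023 for a deny ACE and nothing for a permit ACE; log alone gives 106100 at severity 6 every 300 seconds; an explicit level (0-7) and interval secs (1-600) override those; log disable suppresses both messages. One assumption is not stated on this page: 106023 is reported at its default severity of 4. The input lines are the guide's own example, pasted with the hostname(config)# prompt, which the parser strips; the entries parsed in the test are constructed.

```python
"""Audit what each ACE in a Cisco ASA access list will actually send to syslog.

Added example, not code from the Cisco guide. Assumption not stated on the
page: message 106023 is emitted at its default severity 4.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Accepts a bare ACE or one pasted with the "hostname(config)#" prompt.
ACE_RE = re.compile(
    r"^(?:hostname\(config\)#\s*)?access-list\s+(?P<acl>\S+)\s+(?:extended\s+)?"
    r"(?P<action>permit|deny)\s+(?P<match>.*?)(?:\s+log\b(?P<log>.*))?$"
)


@dataclass
class AceLogging:
    acl: str
    action: str
    match: str                  # protocol/source/destination part of the ACE
    message_id: Optional[int]   # 106100, 106023, or None when nothing is logged
    severity: Optional[int]
    interval: Optional[int]     # seconds between 106100 messages; None for 106023


def parse_ace(line: str) -> AceLogging:
    """Return the effective logging behaviour of one access-list line."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an access-list entry: {line!r}")
    acl, action, match, log = m.group("acl", "action", "match", "log")

    if log is None or log.split() == ["default"]:
        # Same as having no log option: only denies are reported, via 106023.
        if action == "deny":
            return AceLogging(acl, action, match, 106023, 4, None)
        return AceLogging(acl, action, match, None, None, None)

    tokens = log.split()
    if tokens == ["disable"]:
        # log disable suppresses 106100 and 106023 for this ACE.
        return AceLogging(acl, action, match, None, None, None)

    level, interval = 6, 300          # defaults when `log` has no arguments
    i = 0
    if i < len(tokens) and tokens[i].isdigit():
        level = int(tokens[i])
        if not 0 <= level <= 7:
            raise ValueError(f"log level must be 0-7: {line!r}")
        i += 1
    if i < len(tokens):
        if tokens[i] != "interval" or i + 1 >= len(tokens) or not tokens[i + 1].isdigit():
            raise ValueError(f"bad log options {log.strip()!r}: {line!r}")
        interval = int(tokens[i + 1])
        if not 1 <= interval <= 600:
            raise ValueError(f"interval must be 1-600 seconds: {line!r}")
        i += 2
    if i != len(tokens):
        raise ValueError(f"trailing log options {tokens[i:]}: {line!r}")
    return AceLogging(acl, action, match, 106100, level, interval)


def audit(config_lines: List[str]) -> List[AceLogging]:
    """Parse every permit/deny ACE; access-group lines and remarks are skipped."""
    return [parse_ace(line) for line in config_lines if ACE_RE.match(line.strip())]


def silent_entries(entries: List[AceLogging]) -> List[AceLogging]:
    """ACEs that leave no syslog record: permits without log, and log disable."""
    return [e for e in entries if e.message_id is None]


# The guide's own example access list (the access-group line is not an ACE).
GUIDE_EXAMPLE = [
    "hostname(config)# access-list outside-acl permit ip host 10.10.0.0 any log 7 interval 600",
    "hostname(config)# access-list outside-acl permit ip host 10.255.255.255 any",
    "hostname(config)# access-list outside-acl deny ip any any log 2",
    "hostname(config)# access-group outside-acl in interface outside",
]

if __name__ == "__main__":
    entries = audit(GUIDE_EXAMPLE)
    for e in entries:
        print(e)
    for e in silent_entries(entries):
        print("no syslog record for:", e.action, e.match)
```

Run against the guide's example, the audit shows that the second ACE (permit without log) generates no message at all, so flows from 10.255.255.255 are invisible in syslog, while the final deny with log 2 is reported through 106100 at severity 2 rather than through the default 106023. An ACE written with log disable is flagged the same way, which is the check to run before trusting a deny list to produce an audit trail.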