On Wed, 16 Dec 2009, Holemans Wim wrote:

It seems our FWSM doesn't log all denied ACLs. I blocked an IP address
on our FWSM and wanted to see whoever on campus is trying to access
this address (Botnet C&C).

I added the following line in the ACL (even raised priority); you can
see that the rule triggers when I tried to telnet to the address:

access-list Internet-out line 24 extended deny ip any host X1.X2.X3.X4
log critical interval 30 (hitcnt=9) 0x6e051e8c
There is however no corresponding syslog message on our syslog server or
in the buffered logs on the FWSM.

Any chance you'd have "%FWSM-1-106101: Number of cached deny-flows for ACL log has reached limit" somewhere?

Check on "show access-list" output:

FWSM(config)# sh access-list | inc flows
access-list cached ACL log flows: total 1, denied 1 (deny-flow-max 1)

Here I've configured 1 flow. Once you reach the flow limit, the further logs are suppressed (AFAIK, the logic being that since the whole idea behind "log" is to decrease the amount of logging messages, if we get a lot of hits, we are probably already under stress, so we would not want to stress further by downgrading the logs to sending them per-packet).

If you have a lot of ACEs that are marked with "log" keyword, this might be what you see. Decreasing the interval should help to keep the # of logs under max.


These are our logging settings: already raised queue size, some
messages moved to another log level so they don't get sent to our syslog
server. ACL log messages are normally of ID 106100 level debugging; I
can find several of them on the syslog server but not for the specific
ACE.

For the specific ACE, you can remove the "log" keyword. Bit
counter-intuitive as this might seem, it would not stop the logging for the denied sessions - just the messages will be different ("firewall-style"):

%FWSM-4-106023: Deny icmp src outside:X.1.1.1 dst inside:Y.1.1.1 (type 8, code 0) by access-group "foo" [0x17a38302, 0x0]

instead of:

%FWSM-6-106100: access-list foo denied icmp outside/X.1.1.1(0) -> inside/Y.1.1.3(8) hit-cnt 1 (first hit) [0xe6aea397, 0x0]

That 106023 will be sent one-message-per-hit.

So I think it should precisely fit what you are looking for.

cheers,
andrew
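As an added example (not from the thread or from Cisco), the Python below parses the three message types Andrew mentions, 106100 (summarised "log"-keyword hits), 106023 (per-packet deny without "log") and 106101 (deny-flow cache limit reached), from constructed sample syslog lines, counts denied hits per ACL and source, and flags a 106101 so the analyst knows the 106100 stream may be incomplete and should check "show access-list | inc flows". Addresses, ports and the limit value in the sample are placeholders.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the formats quoted in the thread; addresses,
# ports and the limit value are placeholders, not real traffic.
SAMPLE_LOG = """\
%FWSM-6-106100: access-list foo denied icmp outside/10.0.0.1(0) -> inside/10.0.0.3(8) hit-cnt 1 (first hit) [0xe6aea397, 0x0]
%FWSM-6-106100: access-list Internet-out denied tcp inside/10.1.1.7(51234) -> outside/192.0.2.9(23) hit-cnt 9 (30-second interval) [0x6e051e8c, 0x0]
%FWSM-1-106101: Number of cached deny-flows for ACL log has reached limit (1).
%FWSM-4-106023: Deny icmp src outside:10.0.0.1 dst inside:10.0.0.3 (type 8, code 0) by access-group "foo" [0x17a38302, 0x0]
%FWSM-4-106023: Deny tcp src inside:10.1.1.7/51234 dst outside:192.0.2.9/23 by access-group "Internet-out" [0x6e051e8c, 0x0]
"""

HEADER = re.compile(r"%FWSM-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)")
# 106100: summarised "log"-keyword hits, one line per flow per interval
ACL_LOG = re.compile(r"access-list (?P<acl>\S+) denied (?P<proto>\S+) "
                     r"(?P<sif>[^/]+)/(?P<src>[^(]+)\(\d+\) -> (?P<dif>[^/]+)/(?P<dst>[^(]+)\(\d+\) "
                     r"hit-cnt (?P<hits>\d+)")
# 106023: per-packet "firewall-style" deny emitted when the ACE has no "log" keyword
FW_DENY = re.compile(r"Deny (?P<proto>\S+) src (?P<sif>[^:]+):(?P<src>[^/ ]+)(?:/\d+)? "
                     r"dst (?P<dif>[^:]+):(?P<dst>[^/ ]+)(?:/\d+)? .*?by access-group \"(?P<acl>[^\"]+)\"")

def parse_fwsm_line(line):
    """Return a dict describing one deny-related FWSM syslog line, or None if unrelated."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    msgid, body = m.group("msgid"), m.group("body")
    if msgid == "106101":
        return {"msgid": msgid, "cache_limit_reached": True}
    if msgid == "106100":
        d = ACL_LOG.match(body)
        return {"msgid": msgid, "acl": d["acl"], "src": d["src"], "dst": d["dst"], "hits": int(d["hits"])} if d else None
    if msgid == "106023":
        d = FW_DENY.match(body)
        return {"msgid": msgid, "acl": d["acl"], "src": d["src"], "dst": d["dst"], "hits": 1} if d else None
    return None

def summarise(text):
    """Count denied hits per (ACL, source, message id) and flag a 106101 cache-limit event."""
    hits, limit_hit = Counter(), False
    for line in text.splitlines():
        rec = parse_fwsm_line(line)
        if rec is None:
            continue
        if rec.get("cache_limit_reached"):
            limit_hit = True   # 106100 messages after this point may have been suppressed
        else:
            hits[(rec["acl"], rec["src"], rec["msgid"])] += rec["hits"]
    return {"hits": hits, "log_cache_limit_reached": limit_hit}
```

When log_cache_limit_reached is set, the 106023 counts (per packet, never cached) are the reliable record of the blocked sessions, which matches Andrew's suggestion of dropping the "log" keyword for the ACE of interest.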
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/