Generate log message only after a certain number of ACL hits

August 27, 2008 at 12:44 pm | Posted in Blogroll

By default, a log message is sent for the first matching packet; after that, identical messages are accumulated over 5-minute intervals, and a single message is sent with the number of packets permitted and denied during that interval.

However, you can use the ip access-list log-update command to set the number of packets that, when they match an access list (and are permitted or denied), cause the system to generate a log message. You might want to do this to receive log messages more frequently than at 5-minute intervals.

Configuration

Rack1R6#sh run | in access|vty
ip access-list log-update threshold 10
access-list 99 permit 129.1.46.100
access-list 99 deny   any log
line vty 0 4
 access-class 99 in

Verification

Default behavior (without "ip access-list log-update threshold 10")

Rack1R6#
! First message generated when first hit (for a new IP) occurs
Aug 27 18:26:49.606: %SEC-6-IPACCESSLOGNP: list 99 denied 0 150.1.5.5 -> 0.0.0.0, 1 packet 
Aug 27 18:27:50.103: %SEC-6-IPACCESSLOGNP: list 99 denied 0 129.1.54.5 -> 0.0.0.0, 1 packet 
! Subsequent hits from the known IP are accumulated into the next log message (5-minute interval)
Aug 27 18:31:49.872: %SEC-6-IPACCESSLOGNP: list 99 denied 0 150.1.5.5 -> 0.0.0.0, 25 packets 
Aug 27 18:33:49.872: %SEC-6-IPACCESSLOGNP: list 99 denied 0 129.1.54.5 -> 0.0.0.0, 15 packets  

After "ip access-list log-update threshold 10"
OLD IP (needs 10 hits; does not wait for the 5-minute interval)
Aug 27 18:37:42.893: %SEC-6-IPACCESSLOGNP: list 99 denied 0 129.1.54.5 -> 0.0.0.0, 10 packets 
Aug 27 18:37:55.701: %SEC-6-IPACCESSLOGNP: list 99 denied 0 129.1.54.5 -> 0.0.0.0, 10 packets 
Aug 27 18:38:10.569: %SEC-6-IPACCESSLOGNP: list 99 denied 0 150.1.5.5 -> 0.0.0.0, 10 packets 
NEW IP (the first hit is still logged immediately, then every 10 hits)
Aug 27 18:38:49.873: %SEC-6-IPACCESSLOGNP: list 99 denied 0 129.1.46.4 -> 0.0.0.0, 1 packet 
Aug 27 18:38:51.257: %SEC-6-IPACCESSLOGNP: list 99 denied 0 150.1.4.4 -> 0.0.0.0, 1 packet 
Aug 27 18:39:04.045: %SEC-6-IPACCESSLOGNP: list 99 denied 0 150.1.4.4 -> 0.0.0.0, 10 packets

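An added example (not from the post) that turns these messages into something a SOC can act on: a Python parser for the %SEC-6-IPACCESSLOGNP format shown above that sums per-source denied counts across the first-hit, 5-minute-interval and threshold messages. The sample lines are the post's own output; the 10-packet alert threshold in the usage is an arbitrary choice.

```python
import re
from collections import defaultdict

# IOS %SEC-6-IPACCESSLOGNP line, as shown in the post:
# "<ts>: %SEC-6-IPACCESSLOGNP: list <acl> <permitted|denied> <proto> <src> -> <dst>, <n> packet(s)"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+): %SEC-6-IPACCESSLOGNP: "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\d+) "
    r"(?P<src>\S+) -> (?P<dst>\S+), (?P<count>\d+) packets?$"
)

# Sample input copied from the post's verification output; the prompt and "!" comment lines
# are included to show that non-matching lines are skipped.
SAMPLE_LOG = """\
Rack1R6#
! First message generated when first hit (for a new IP) occurs
Aug 27 18:26:49.606: %SEC-6-IPACCESSLOGNP: list 99 denied 0 150.1.5.5 -> 0.0.0.0, 1 packet
Aug 27 18:27:50.103: %SEC-6-IPACCESSLOGNP: list 99 denied 0 129.1.54.5 -> 0.0.0.0, 1 packet
Aug 27 18:31:49.872: %SEC-6-IPACCESSLOGNP: list 99 denied 0 150.1.5.5 -> 0.0.0.0, 25 packets
Aug 27 18:33:49.872: %SEC-6-IPACCESSLOGNP: list 99 denied 0 129.1.54.5 -> 0.0.0.0, 15 packets
Aug 27 18:37:42.893: %SEC-6-IPACCESSLOGNP: list 99 denied 0 129.1.54.5 -> 0.0.0.0, 10 packets
Aug 27 18:37:55.701: %SEC-6-IPACCESSLOGNP: list 99 denied 0 129.1.54.5 -> 0.0.0.0, 10 packets
Aug 27 18:38:10.569: %SEC-6-IPACCESSLOGNP: list 99 denied 0 150.1.5.5 -> 0.0.0.0, 10 packets
Aug 27 18:38:49.873: %SEC-6-IPACCESSLOGNP: list 99 denied 0 129.1.46.4 -> 0.0.0.0, 1 packet
Aug 27 18:38:51.257: %SEC-6-IPACCESSLOGNP: list 99 denied 0 150.1.4.4 -> 0.0.0.0, 1 packet
Aug 27 18:39:04.045: %SEC-6-IPACCESSLOGNP: list 99 denied 0 150.1.4.4 -> 0.0.0.0, 10 packets
"""

def parse_acl_log(text):
    """Yield one dict per IPACCESSLOGNP line; prompts, comments and other lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            yield rec

def denied_totals(text):
    """Total denied packets per (acl, source): each message reports the packets seen for
    that flow since the previous message, so summing them recovers the total hit count."""
    totals = defaultdict(int)
    for rec in parse_acl_log(text):
        if rec["action"] == "denied":
            totals[(rec["acl"], rec["src"])] += rec["count"]
    return dict(totals)

def noisy_sources(text, threshold):
    """Sources whose denied total reaches threshold, busiest first (e.g. threshold=10)."""
    hits = [(src, n) for (_, src), n in denied_totals(text).items() if n >= threshold]
    return sorted(hits, key=lambda h: (-h[1], h[0]))
```

Note that the per-message count is only as fresh as the log-update threshold or the 5-minute timer allows, so a source that stops just below the threshold is not reported until the interval expires.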
Doc CD Navigation

  • Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2
  • IP Services Commands: access-class Through ip mask-reply
  • ip access-list log-update