www.unix.org.ua

[egeorgopoulos]

Is there any command that disables the logging at once regarding access lists?


Thank you.

[ganeshh_iyer]

Hi,

By default, logging message 106023 (default severity level 4, warnings) is generated when a deny access list entry is matched with a traffic flow. Only the overall ACL is listed in the message, with no reference to the actual denying ACL entry.
You can log messages when specific access control entries (ACEs, or individual permit/deny statements within an ACL) permit or deny a traffic flow by adding the log keyword to an ACE.

You can set the logging severity level on a per-ACE basis if needed. Otherwise, severity level 6 is the default.

Firewall(config)# access-list acl_name [extended] {permit | deny} ... log [level] [interval seconds]

Enter the access list entry normally, but add the log keyword at the end. If you want to log activity on this entry at a severity level other than 6, specify the level (1 to 7) too.

You can also re-enter the ACE with the log disable keywords to completely disable all ACE logging (both message IDs 106100 and 106023). In this case, the sample command would be re-entered as

Firewall(config)# access-list acl_out permit tcp any host 192.168.199.100 eq www log disable


Hope to Help !!
Ganesh.H

[egeorgopoulos]

So, there is no command that disables the logging of the firewall without going through all ACEs and adding the "log disable"?


Thanks for your answer.

[jeye]

You want to disable all logging on the firewall (assuming it is an ASA)??? If yes, you can do no logging enable to disable all logging. The output should look something like this.

ASA3# sh logging
Syslog logging: disabled


HTH,
jerry

[AJAZ NAWAZ]

So what's the difference between these two?

access-list acl_out permit tcp any host 192.168.199.100 eq www log disable

and

access-list acl_out permit tcp any host 192.168.199.100 eq www