Configuring logging on Cisco devices
One of the best ways to understand why a Cisco ASA or Cisco router is not passing traffic as expected, and exactly which part of the configuration is wrong, is to check the event log. The problem is that event logging is turned off by default, and the command sh log will not give you meaningful output unless you configure logging on your Cisco device.
To turn on event logging, execute the following commands:
FW-DELTACONFIG-1(config)#
logging enable
logging timestamp
logging buffer-size 128000
logging buffered 7
This configuration captures all possible events in the device's RAM, while limiting the log buffer to 128 Kbit. This should be sufficient for analyzing approximately the last 5 to 30 minutes of events, depending on how heavy the traffic load on your device is.
You can see the captured data with the command sh log:
FW-DELTACONFIG-1# sh log
Log filter
Even when the load of traffic passing through your device is not very high, the number of messages in the log can be overwhelming, which makes finding the information you need harder. To filter the log down to only the messages you need, use the command sh log | inc "value". This limits the output to the lines that contain the given value.
For example, if you want to see only the log events related to the processing of a certain access list, filter on the name of that access list, such as ACL_INSIDE_IN:
FW-DELTACONFIG-1# sh log | inc ACL_INSIDE_IN
Deny tcp src inside:2.2.2.2/2607 dst outside:1.1.1.1/13000 by access-group "ACL_INSIDE_IN" [0x0, 0x0]
Jun 15 2016 15:13:33: %ASA-4-106023: Deny tcp src inside:2.2.2.2/2607 dst outside:1.1.1.1/13000 by access-group "ACL_INSIDE_IN" [0x0, 0x0]
Jun 15 2016 15:13:33: %ASA-4-106023: Deny tcp src inside:2.2.2.2/2607 dst outside:1.1.1.1/13000 by access-group "ACL_INSIDE_IN" [0x0, 0x0]
You can find all log entries that mention a certain IP address in the same way:
FW-DELTACONFIG-1# sh log | inc 1.1.1.1
Jun 15 2016 15:33:00: %ASA-6-302015: Built inbound UDP connection 199837817 for outside:1.1.1.1/61563 (1.1.1.1/61563) to inside:3.3.3.3/53 (3.3.3.3/53)
Jun 15 2016 15:33:00: %ASA-6-302015: Built inbound UDP connection 199837818 for outside:1.1.1.1/62939 (1.1.1.1/62939) to inside:3.3.3.3/53 (3.3.3.3/53)
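The two filters above are plain substring matches, which is exactly what `| inc` does on the device. The following Python script is an added example, not part of this article or of any Cisco tool: it parses `sh log` output in the line format shown above (`<timestamp>: %ASA-<severity>-<message id>: <text>`), extracts the fields of the 106023 ACL-deny message, and compares a substring search for an IP address with a whole-address match. The sample log is constructed from the article's own lines plus one extra deny line from the hypothetical host 11.1.1.1 and the hypothetical access list ACL_OUTSIDE_IN, added to show where a substring filter over-matches.

```python
import re
from dataclasses import dataclass

# Buffered-log line format shown in the article:
#   "Jun 15 2016 15:13:33: %ASA-4-106023: <message text>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# Body of message 106023 (ACL deny), as it appears in the article:
#   Deny tcp src inside:2.2.2.2/2607 dst outside:1.1.1.1/13000 by access-group "ACL_INSIDE_IN" [0x0, 0x0]
DENY_RE = re.compile(
    r'^Deny (?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

@dataclass
class AsaEvent:
    timestamp: str
    severity: int   # 0 (emergencies) .. 7 (debugging)
    msg_id: str     # e.g. "106023"
    text: str

def parse_line(line):
    """Return an AsaEvent for one buffered-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AsaEvent(m["ts"], int(m["sev"]), m["msgid"], m["text"])

def parse_log(text):
    """Parse the whole `sh log` output, skipping lines that are not event lines."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]

def acl_denies(events, acl_name):
    """Like `sh log | inc <acl_name>`, but narrowed to 106023 deny events for that ACL.
    Returns (timestamp, proto, src_ip, src_port, dst_ip, dst_port) tuples."""
    hits = []
    for ev in events:
        if ev.msg_id != "106023":
            continue
        d = DENY_RE.match(ev.text)
        if d and d["acl"] == acl_name:
            hits.append((ev.timestamp, d["proto"], d["src_ip"], int(d["src_port"]),
                         d["dst_ip"], int(d["dst_port"])))
    return hits

def substring_grep(events, needle):
    """What `sh log | inc <needle>` does: a plain substring match on each line."""
    return [ev for ev in events if needle in ev.text]

def ip_grep(events, ip):
    """Whole-address match: '1.1.1.1' must not match '11.1.1.1' or '1.1.1.10',
    which substring_grep (and `| inc`) would also return."""
    token = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [ev for ev in events if token.search(ev.text)]

# Constructed sample: the article's own lines plus one extra deny from 11.1.1.1
# (hypothetical host and ACL name, added to show the substring-vs-address difference).
SAMPLE_LOG = """\
Jun 15 2016 15:13:33: %ASA-4-106023: Deny tcp src inside:2.2.2.2/2607 dst outside:1.1.1.1/13000 by access-group "ACL_INSIDE_IN" [0x0, 0x0]
Jun 15 2016 15:13:33: %ASA-4-106023: Deny tcp src inside:2.2.2.2/2607 dst outside:1.1.1.1/13000 by access-group "ACL_INSIDE_IN" [0x0, 0x0]
Jun 15 2016 15:14:01: %ASA-4-106023: Deny tcp src outside:11.1.1.1/4444 dst inside:3.3.3.3/22 by access-group "ACL_OUTSIDE_IN" [0x0, 0x0]
Jun 15 2016 15:33:00: %ASA-6-302015: Built inbound UDP connection 199837817 for outside:1.1.1.1/61563 (1.1.1.1/61563) to inside:3.3.3.3/53 (3.3.3.3/53)
Jun 15 2016 15:33:00: %ASA-6-302015: Built inbound UDP connection 199837818 for outside:1.1.1.1/62939 (1.1.1.1/62939) to inside:3.3.3.3/53 (3.3.3.3/53)
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for hit in acl_denies(events, "ACL_INSIDE_IN"):
        print(hit)
    print(len(substring_grep(events, "1.1.1.1")), "lines by substring,",
          len(ip_grep(events, "1.1.1.1")), "lines by whole address")
```

Run it with the `sh log` output pasted into SAMPLE_LOG (or read from a file). On the constructed sample the substring search for 1.1.1.1 returns five lines but the whole-address match returns four, because the 11.1.1.1 line contains 1.1.1.1 as a substring; the same thing happens on the device with `| inc`, so when an address filter returns surprising lines, check the neighbouring digits.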
Timing
Another important aspect of event logging is time: the timestamp that shows when an event occurred. The command logging timestamp forces every event in the log to be recorded with a timestamp, but note that the timestamps are only meaningful if the device's own clock is correct.
You can check the device's current time with the command sh clock:
FW-DELTACONFIG-1# sh clock
15:40:11.651 MSK Wed Jun 15 2016
Before you manually set the current time on your device, first configure the time zone it is located in. The following example sets the device to the Moscow time zone, GMT+3:
FW-DELTACONFIG-1(config)#
clock timezone MSK 3
You can set the device's time manually with the command clock set:
FW-DELTACONFIG-1(config)#
clock set 15:40:00 15 MAY 2016
Alternatively, you can point your device at an NTP server that provides the exact current time. You can use either internal NTP servers or public ones available on the Internet, and you can configure several NTP servers as a list:
FW-DELTACONFIG-1(config)#
ntp server 50.16.201.39
You can check the clock synchronization status with the command sh ntp associations:
FW-DELTACONFIG-1# sh ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
+~50.16.201.39     89.109.251.21    2   919  1024   377    0.6   -2.26    30.5
The smaller the disp value (here 30.5), the more accurate the time on your device.
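The disp column is one of several things worth reading in that table: the flag characters in front of the address tell you whether the device has actually picked the server as its clock source, the st column is the server's stratum, and reach is an octal bitmap of the last eight polls. The following Python script is an added example, not part of this article or of any Cisco tool: it parses the data rows of `sh ntp associations` in the layout printed above and reports why an association is not healthy. The flag legend in the comments is the one the Cisco CLI prints for this command; the disp threshold is an assumption chosen for the example, and the sample table is constructed from the article's row plus two hypothetical servers (10.0.0.5 and 10.0.0.6).

```python
import re
from dataclasses import dataclass

# One data row of `sh ntp associations`, as printed in the article:
#   +~50.16.201.39 89.109.251.21 2 919 1024 377 0.6 -2.26 30.5
# Flag characters precede the address; the remaining columns are
# ref clock, st, when, poll, reach, delay, offset, disp.
ROW_RE = re.compile(
    r"^(?P<flags>[*#+\-x~ ]*?)(?P<address>[\d.]+)\s+(?P<refclock>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+(?P<delay>-?[\d.]+)\s+"
    r"(?P<offset>-?[\d.]+)\s+(?P<disp>-?[\d.]+)\s*$"
)

@dataclass
class NtpAssociation:
    flags: str      # '*' sys.peer, '#' selected, '+' candidate, '-' outlier,
                    # 'x' falseticker, '~' configured (legend printed by the Cisco CLI)
    address: str
    ref_clock: str
    stratum: int
    poll: int
    reach: str      # octal shift register of the last 8 polls, e.g. "377"
    delay: float
    offset: float
    disp: float

def parse_associations(text):
    """Parse the data rows of `sh ntp associations`; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append(NtpAssociation(
            flags=m["flags"].replace(" ", ""), address=m["address"], ref_clock=m["refclock"],
            stratum=int(m["st"]), poll=int(m["poll"]), reach=m["reach"],
            delay=float(m["delay"]), offset=float(m["offset"]), disp=float(m["disp"])))
    return rows

def reach_success_count(reach):
    """reach is an 8-bit octal bitmap: 377 means all of the last 8 polls were answered."""
    return bin(int(reach, 8)).count("1")

def assess(assoc, max_disp=50.0):
    """Return the list of problems with one association (empty list = healthy).
    max_disp is an assumed threshold for this example, not a Cisco-defined limit."""
    problems = []
    if "*" not in assoc.flags:
        problems.append("not the selected sys.peer, so the clock is not synchronized to it")
    if assoc.stratum >= 16:
        problems.append("stratum 16: the server itself is unsynchronized")
    answered = reach_success_count(assoc.reach)
    if answered < 8:
        problems.append(f"only {answered}/8 recent polls answered (reach {assoc.reach})")
    if assoc.disp > max_disp:
        problems.append(f"dispersion {assoc.disp} above {max_disp}")
    return problems

def device_is_synced(assocs):
    """True when at least one configured server is marked '*' (the active sys.peer)."""
    return any("*" in a.flags for a in assocs)

# Constructed sample: the article's row plus two hypothetical servers, one healthy
# and one that never answered (reach 0, stratum 16, and a very large dispersion).
SAMPLE = """\
      address         ref clock     st  when  poll reach  delay  offset    disp
+~50.16.201.39     89.109.251.21    2   919  1024   377    0.6   -2.26    30.5
*~10.0.0.5         192.0.2.10       3    45    64   377    1.2    0.41     2.1
 ~10.0.0.6         .INIT.          16     -    64     0    0.0    0.00  16000.
"""

if __name__ == "__main__":
    assocs = parse_associations(SAMPLE)
    print("synced:", device_is_synced(assocs))
    for a in assocs:
        print(a.address, assess(a) or "ok")
```

On the article's own row the script reports only one finding: the server is flagged `+` (a candidate) rather than `*`, so although it answered all of the last eight polls (reach 377) the device has not yet selected it as its clock source. A row flagged `*` with reach 377 and a small disp is the state you want before trusting the log timestamps.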
This article was written by Alexey Yurchenko