Displaying acl log entries – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual

ServerIron ADX Security Guide

71

53-1002440-03

ACL logging

2

NOTE

The software requires that an ACL has already been applied to the interface.

When you enable redirection, the deny action of the ACL entry is still honored. Traffic that matches
the ACL is not forwarded.

Displaying ACL log entries

The first time an entry in an ACL permits or denies a packet and logging is enabled for that entry,
the software generates a Syslog message and an SNMP trap. Messages for packets permitted or
denied by ACLs are at the warning level of the Syslog.

When the first Syslog entry for a packet permitted or denied by an ACL is generated, the software
starts an ACL timer. After this, the software sends Syslog messages every one to ten minutes,
depending on the value of the timer interval. If an ACL entry does not permit or deny any packets
during the timer interval, the software does not generate a Syslog entry for that ACL entry.

NOTE

For an ACL entry to be eligible to generate a Syslog entry for permitted or denied packets, logging
must be enabled for the entry. The Syslog contains entries only for the ACL entries that deny packets
and have logging enabled.

To display Syslog entries, enter the following command from any CLI prompt.

In this example, the two-line message at the bottom is the first entry, which the software
immediately generates the first time an ACL entry permits or denies a packet. In this case, an entry
in ACL 101 denied a packet. The packet was a TCP packet from host 209.157.22.198 and was
destined for TCP port 80 (HTTP) on host 198.99.4.69.

When the software places the first entry in the log, the software also starts the five-minute timer for
subsequent log entries. Thus, five minutes after the first log entry, the software generates another
log entry and SNMP trap for denied packets.

In this example, the software generates the second log entry five minutes later.

The time stamp for the third entry is much later than the time stamps for the first two entries. In
this case, no ACLs denied packets for a very long time. In fact, since no ACLs denied packets during
the five-minute interval following the second entry, the software stopped the ACL log timer. The
software generated the third entry as soon as the ACL denied a packet. The software restarted the
five-minute ACL log timer at the same time. As long as at least one ACL entry permits or denies a
packet, the timer continues to generate new log entries and SNMP traps every five minutes.

ServerIronADX(config)# show log

Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)

Buffer logging: level ACDMEINW, 38 messages logged

level code: A=alert C=critical D=debugging M=emergency E=error

I=informational N=notification W=warning

Log Buffer (50 entries):

21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18

0010.5a1f.77ed) -> 198.99.4.69(http), 1 event(s)

00d07h03m30s:warning:list 101 denied tcp 209.157.22.26(0)(Ethernet 4/18

0010.5a1f.77ed) -> 198.99.4.69(http), 1 event(s)

00d06h58m30s:warning:list 101 denied tcp 209.157.22.198(0)(Ethernet 4/18

0010.5a1f.77ed) -> 198.99.4.69(http), 1 event(s)