
ACL deny logging on a 5406zl

 
mrichar1
New Member


We've set up a ProCurve 5406zl with recent firmware (OS: K.15.08.0013, BootROM: K.15.28) and are playing with ACL logging.

 

Our logging setup is as follows:

 Debug Logging
  Source IP Selection: 192.168.0.254
  Destination:
   Logging --
     192.168.1.43 loghost
       Protocol = UDP
       Port = 514
       Facility = syslog
       Severity = debug
       System Module = all-pass
       Priority Desc =
  Enabled debug types:
   event
   acl log

 

This seems to log properly to our syslog server.

 

We have several ACLs, each of which has more than one deny ACE with 'log' set. When these are matched, we see the following in our logs:

 

Jan 24 11:46:51 192.168.0.254 ACL: ACL mClistCtrl:01/24/13 11:46:51 : Router ACL external-input seq#25 denied 1748 packets 
Jan 24 11:46:51 192.168.0.254 ACL: ACL mClistCtrl:01/24/13 11:46:51 : Router ACL external-output seq#18 denied 2 packets 

These come in around every 5 minutes as a 'summary' - but we'd like to get more info on these matches.

 

We can obviously look at the ACE from the seq# number to see which rule matched, but we'd like to get more information on what the packet was that triggered the match (source/target address, port etc). 

 

Are we missing something in our setup that's meaning we're not seeing this information?  Or is this just how these devices log?  Is there any way we can improve on the level of information logged?

 

Thanks!

Peter_Debruyne
Honored Contributor

Re: ACL deny logging on a 5406zl

Hi,

 

ProVision is quite limited on the ACL debugging. This is because it is a hardware process on the ASIC, and any logging/debugging must pass the CPU SW of the switch, which is easily overloaded (hence the 5-minute summaries to protect the CPU).

 

Not sure if you would get more output, but you can try:

debug destination logging

debug acl

 

Otherwise, I would simply activate a port mirror and use the good old Wireshark.

 

Best regards,
Peter
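
Because the switch only reports per-ACE summaries, one thing that can be done on the syslog server is to total the denied-packet counts per ACL and seq# over time. The Python below is an added example, not part of the original thread: the regular expression is inferred from the two log lines quoted in the question, and the third and fourth sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# First two lines are quoted in the question; the last two are constructed
# (a later summary for the same ACE and an unrelated non-ACL message).
SAMPLE = """\
Jan 24 11:46:51 192.168.0.254 ACL: ACL mClistCtrl:01/24/13 11:46:51 : Router ACL external-input seq#25 denied 1748 packets
Jan 24 11:46:51 192.168.0.254 ACL: ACL mClistCtrl:01/24/13 11:46:51 : Router ACL external-output seq#18 denied 2 packets
Jan 24 11:51:52 192.168.0.254 ACL: ACL mClistCtrl:01/24/13 11:51:52 : Router ACL external-input seq#25 denied 310 packets
Jan 24 11:52:00 192.168.0.254 ports: port A1 is now on-line
"""

# Field layout inferred from the quoted lines; other firmware may differ.
SUMMARY_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+(?P<switch>\S+)\s+ACL:.*?"
    r"(?P<stamp>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s*:\s*"
    r"\w+ ACL (?P<acl>\S+) seq#(?P<seq>\d+) "
    r"denied (?P<count>\d+) packets\s*$"
)

def parse_summary(line):
    """Return one summary record as a dict, or None for any other line."""
    m = SUMMARY_RE.match(line)
    if m is None:
        return None
    return {
        "switch": m["switch"],
        "acl": m["acl"],
        "seq": int(m["seq"]),
        "count": int(m["count"]),
        "when": datetime.strptime(m["stamp"], "%m/%d/%y %H:%M:%S"),
    }

def deny_totals(lines):
    """Sum denied packets per (switch, ACL, seq#) and track the time span."""
    totals = defaultdict(lambda: {"packets": 0, "summaries": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_summary(line)
        if rec is None:
            continue  # not an ACL deny summary
        t = totals[(rec["switch"], rec["acl"], rec["seq"])]
        t["packets"] += rec["count"]
        t["summaries"] += 1
        t["first"] = min(t["first"] or rec["when"], rec["when"])
        t["last"] = max(t["last"] or rec["when"], rec["when"])
    return dict(totals)

if __name__ == "__main__":
    ranked = sorted(deny_totals(SAMPLE.splitlines()).items(), key=lambda kv: -kv[1]["packets"])
    for (switch, acl, seq), t in ranked:
        print(f"{switch} {acl} seq#{seq}: {t['packets']} denied in {t['summaries']} summaries")
```

The ACE with the highest total is the one worth pointing a port mirror at, since the summary itself carries no source, destination or port fields.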