ACL Deny Syslog Logging

EdDe007
New Member

ACL Deny Syslog Logging

Hey All,

The switch is a JG932A (HPE 5130), software 7.1.070 Release 3506P06.

I know this subject has already been tackled in this forum, however without success, at least from my end.

The scenario is simple enough:
I have an ACL attached to a VLAN interface. This ACL ends with a deny all. Counting and logging are enabled. I can see that the deny entry is being hit as the counting is increasing in value.
Syslog server is working fine. So much so that I already receive messages from this switch, including debugging level 7 messages when debugging is enabled.

My questions are:

  • If I get this to work at all, does it give me the source, destination and ports used for the traffic hitting the deny rule? Or do I get some sort of summarized message mostly good for nothing?
  • How do I configure this? No matter how much I try I simply cannot get it to work.
    I have cleaned the config to start mostly from scratch and my info-center is now pretty simple.
  • Is there any other way to see the traffic hitting the deny rule?


info-center loghost source Vlan-interfacexx
info-center loghost xxx.xxx.xxx.xxx
info-center source default loghost level informational

Any help would be very much appreciated.


Thank you

Ivan_B
HPE Pro

Re: ACL Deny Syslog Logging

Hi @EdDe007!

  • If I get this to work at all, does it give me the source, destination and ports used for the traffic hitting the deny rule? Or do I get some sort of summarized message mostly good for nothing?

You will get only cumulative statistics on which ACL rule has been triggered and how many times since the last logging interval. You can't see details of the packet that hit the rule.

The log message will be something like this one:

ACL/6/PFILTER_STATIS_INFO: GigabitEthernet1/0/1 (inbound): Packet-filter 2000 rule 0 permit source 1.1.1.1 0 logging 10000 packet(s). 

or

ACL/6/ACL_STATIS_INFO: GigabitEthernet1/0/1 (inbound): Packet-filter 2000 rule 0 permit source 1.1.1.1 0 logging 10000 packet(s). 

  • How do I configure this? No matter how much I try I simply cannot get it to work. I have cleaned the config to start mostly from scratch and my info-center is now pretty simple.

Start with the 'acl logging interval 5' global configuration command. This command will enable sending cumulative reports of ACL rule hits to the logbuffer every 5 minutes. The interval must be a multiple of 5 in the range of 0 to 1440; 0 means logging is disabled. You can verify if logs are generated with the 'display logbuffer' command. Statistics will be reported only for rules that have the 'logging' parameter set. If those messages appear in the logbuffer, they should be sent to the external syslog server as well.

  • Is there any other way to see the traffic hitting the deny rule?

There is a way: set the 'logging' parameter on the deny rule.
I am an HPE employee
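An added example, not from this thread or from HPE: a small Python parser for the ACL_STATIS_INFO / PFILTER_STATIS_INFO report format quoted in the reply above, which pulls out the interface, direction, ACL, rule, action and per-interval hit count and flags deny rules that were hit, so a syslog pipeline can alert on them. The sample lines and counts are constructed, and the layout of a deny-rule report is assumed to match the permit example shown above.

```python
import re
from typing import List, NamedTuple, Optional

# Message shape taken from the examples in the reply above. Deny-rule reports are
# assumed to look the same minus the match criteria; the samples below are constructed.
STATIS_RE = re.compile(
    r"ACL/6/(?P<mnemonic>PFILTER_STATIS_INFO|ACL_STATIS_INFO): "
    r"(?P<iface>\S+) \((?P<direction>inbound|outbound)\): "
    r"Packet-filter (?P<acl>\d+) rule (?P<rule>\d+) (?P<action>permit|deny)"
    r"(?P<match>.*?) logging (?P<packets>\d+) packet\(s\)\.?\s*$"
)

class AclHit(NamedTuple):
    iface: str
    direction: str
    acl: int
    rule: int
    action: str
    match: str    # the rule's match criteria as printed, e.g. "source 1.1.1.1 0"
    packets: int  # hits counted since the last logging interval

def parse_statis(line: str) -> Optional[AclHit]:
    """Return the parsed ACL statistics report, or None if the line is something else."""
    m = STATIS_RE.search(line)
    if not m:
        return None
    return AclHit(m["iface"], m["direction"], int(m["acl"]), int(m["rule"]),
                  m["action"], m["match"].strip(), int(m["packets"]))

def deny_hits(lines: List[str], threshold: int = 1) -> List[AclHit]:
    """Reports for deny rules whose per-interval hit count reached the threshold."""
    return [h for h in map(parse_statis, lines)
            if h is not None and h.action == "deny" and h.packets >= threshold]

# Constructed sample syslog lines (the first copies the format quoted in the reply).
SAMPLE_LOG = [
    "ACL/6/PFILTER_STATIS_INFO: GigabitEthernet1/0/1 (inbound): Packet-filter 2000 rule 0 permit source 1.1.1.1 0 logging 10000 packet(s).",
    "ACL/6/ACL_STATIS_INFO: Vlan-interface10 (inbound): Packet-filter 3000 rule 10 deny logging 532 packet(s).",
    "ACL/6/ACL_STATIS_INFO: Vlan-interface10 (inbound): Packet-filter 3000 rule 5 permit source 10.0.0.0 0.0.0.255 logging 0 packet(s).",
    "CONSTRUCTED/6/UNRELATED: some other message that must be ignored.",
]

if __name__ == "__main__":
    for hit in deny_hits(SAMPLE_LOG):
        print(f"{hit.iface} {hit.direction}: ACL {hit.acl} rule {hit.rule} denied {hit.packets} packet(s)")
```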
