This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to log matched traffic in an ACL

How to log matched traffic in an ACL

Thiago
New Contributor

‎09-23-2014 07:26 PM

The log keyword of an ACL doesn't seem to work, take this simple policy as an example:

entry permit_ICMP {
if {
protocol icmp;
}
then {
permit;
mirror-cpu;
log;
count icmp;
}
}

The counter increments fine, the traffic is permitted (even with a deny any in the end) but there's no log.

Looking forward for an answer for this.

Thanks in advance.

0 Kudos
3 REPLIES 3

Sumit_Tokle
Contributor

‎09-23-2014 11:09 PM

@ paul is absolutely correct.

It's better to use EMS instead of mirror traffic to CPU.
0 Kudos

Thiago
New Contributor

‎09-23-2014 08:04 PM

Thank you Paul,

When I added "configure log filter DefaultFilter add event kern.info" it started to appear in the log.

0 Kudos

Paul_Russo
Extreme Employee

‎09-23-2014 08:04 PM

Hello Thiago

That log is not to log that the entry was executed in the switch log table. it means you can send the packet to the CPU and get header information in the log table.

"log—Logs the packet header."
"log-raw—Logs the packet header in hex format."

In order to have that data execute into the log you need to add a filter

"You must configure an EMS"
"filter to log these messages, for example, configure log filter DefaultFilter add event kern.info. See the Status Monitoring and Statistics chapter for information about"

To test that an entry is working use the counter

Hope that helps
P

GTM-P2G8KFN