ACLs not showing hit counts on active UDP SYSLOG

Discussion in 'Cisco' started by DigitalVinyl, Apr 2, 2005.

  1. DigitalVinyl

    DigitalVinyl Guest

    I've got an active ACL that is permitting syslog (UDP 514) through to
    three syslog servers (gigs worth per day), but the ACLs show no match.
    I've gone over them repeatedly and there is no match other than those
    we wrote to open syslog up, but no hit counts. Other lines in the ACL
    have millions of hits.

    Is there some reason why an ACL WON'T show hit counts?
    Is UDP not tracked with hitcount?

    DiGiTAL_ViNYL (no email)
    DigitalVinyl, Apr 2, 2005
    #1

  2. In article <>,
    DigitalVinyl <> wrote:
    :I've got an active ACL that is permitting syslog (UDP 514) through to
    :three syslog servers (gigs worth per day), but the ACLs show no match.
    :I've gone over them repeatedly and there is no match other than those
    :we wrote to open syslog up, but no hit counts. Other lines in the ACL
    :have millions of hits.

    :Is there some reason why an ACL WON'T show hit counts?
    :Is UDP not tracked with hitcount?

    Is the syslog being generated -at- the device itself? If so then
    it would only pass through outgoing ACLs, not incoming ACLs
    (unless you use a particular 'service' option.) Traffic generated
    by the device itself does not enter "in" any physical interface.

    An experiment: try changing the permit to a deny and see if the
    syslog still gets through.
    --
    This signature intentionally left... Oh, darn!
    Walter Roberson, Apr 3, 2005
    #2

  3. DigitalVinyl

    DigitalVinyl Guest

    -cnrc.gc.ca (Walter Roberson) wrote:

    >In article <>,
    >DigitalVinyl <> wrote:
    >:I've got an active ACL that is permitting syslog (UDP 514) through to
    >:three syslog servers (gigs worth per day), but the ACLs show no match.
    >:I've gone over them repeatedly and there is no match other than those
    >:we wrote to open syslog up, but no hit counts. Other lines in the ACL
    >:have millions of hits.
    >
    >:Is there some reason why an ACL WON'T show hit counts?
    >:Is UDP not tracked with hitcount?
    >
    >Is the syslog being generated -at- the device itself? If so then
    >it would only pass through outgoing ACLs, not incoming ACLs
    >(unless you use a particular 'service' option.) Traffic generated
    >by the device itself does not enter "in" any physical interface.
    >
    >An experiment: try changing the permit to a deny and see if the
    >syslog still gets through.

    Well that would be one way. :) We actually installed these permits
    BECAUSE the traffic wasn't going through. Now it is, but the ACLs
    haven't shown a hit in weeks.

    The syslogs come from any of ~100 devices located on dozens of
    networks. They all converge on this one x.x.x.61 VLAN, and the 6509
    has the ACL applied on the OUT for the router interface on the VLAN.
    The 61VLANout ACL shows other hits, such as to the .61 backup server
    and some other mgmt servers, but the syslog has no hit count. There is
    no other way onto the VLAN, so it should definitely hit this ACL. I
    was wondering if UDP doesn't get counted or some oddity about syslog.

    We log gigs per day and most come from beyond the 6509 itself, so I
    know it is routing a heck of a lot of packets to the syslog servers.


    DiGiTAL_ViNYL (no email)
    DigitalVinyl, Apr 3, 2005
    #3
  4. In article <>,
    DigitalVinyl <> wrote:
    :The syslogs come from any of ~100 devices located on dozens of
    :networks. They all converge on this one x.x.x.61 VLAN, and the 6509
    :has the ACL applied on the OUT for the router interface on the VLAN.
    :The 61VLANout ACL shows other hits, such as to the .61 backup server
    :and some other mgmt servers, but the syslog has no hit count. There is
    :no other way onto the VLAN, so it should definitely hit this ACL. I
    :was wondering if UDP doesn't get counted or some oddity about syslog.

    Definitely unusual.

    Gigs of logs... ummm, could you fit in a router reboot somewhere along
    the way?
    --
    "[...] it's all part of one's right to be publicly stupid." -- Dave Smey
    Walter Roberson, Apr 3, 2005
    #4
  5. DigitalVinyl

    DigitalVinyl Guest

    -cnrc.gc.ca (Walter Roberson) wrote:

    >In article <>,
    >DigitalVinyl <> wrote:
    >:The syslogs come from any of ~100 devices located on dozens of
    >:networks. They all converge on this one x.x.x.61 VLAN, and the 6509
    >:has the ACL applied on the OUT for the router interface on the VLAN.
    >:The 61VLANout ACL shows other hits, such as to the .61 backup server
    >:and some other mgmt servers, but the syslog has no hit count. There is
    >:no other way onto the VLAN, so it should definitely hit this ACL. I
    >:was wondering if UDP doesn't get counted or some oddity about syslog.
    >
    >Definitely unusual.
    >
    >Gigs of logs...


    Yeah, I know. Against mgmt decisions I have already turned down
    syslogging from a debugging level to something more useful like
    warning. We were getting up to 600 MB/hr from a firewall alone. There is a
    point where too much information becomes the equivalent of ignorance.

    >ummm, could you fit in a router reboot somewhere along
    >the way?


    This is a distribution router for the largest access layer block and
    all of IT services. Rebooting them is akin to asking to reboot the
    cores (which actually do less work than this distribution router).
    They're a redundant pair but I have no confidence in that design. It
    would have to be a middle of the night thing and this oddity probably
    isn't worth the trouble. Maybe when we schedule a fix for spanning
    tree misconfigurations I'll get a reboot in too.

    DiGiTAL_ViNYL (no email)
    DigitalVinyl, Apr 4, 2005
    #5
  6. In article <>,
    DigitalVinyl <> wrote:
    :>Gigs of logs...

    :Yeah, I know. Against mgmt decisions I have already turned down
    :syslogging from a debugging level to something more useful like
    :warning. We were getting up to 600 MB/hr from a firewall alone. There is a
    :point where too much information becomes the equivalent of ignorance.

    We pull 73 to 200 Mb a day (at debug level) [more than 1 gig
    the day one of the major worms started up], and it's
    Too Much Information :(

    If I might ask, what program do you use to analyze/ summarize
    your logs? I usually find that even with my custom tools
    that 100 Mb (a day's logs) takes me about 8 hours to analyze
    and repair all the broken services. [We block by default
    so I occasionally have to scan to see what is not getting through
    but should be.]
    --
    "I want to make sure [a user] can't get through ... an online
    experience without hitting a Microsoft ad"
    -- Steve Ballmer [Microsoft Chief Executive]
    Walter Roberson, Apr 4, 2005
    #6
  7. DigitalVinyl

    DigitalVinyl Guest

    -cnrc.gc.ca (Walter Roberson) wrote:

    >In article <>,
    >DigitalVinyl <> wrote:
    >:>Gigs of logs...
    >
    >:Yeah, I know. Against mgmt decisions I have already turned down
    >:syslogging from a debugging level to something more useful like
    >:warning. We were getting up to 600 MB/hr from a firewall alone. There is a
    >:point where too much information becomes the equivalent of ignorance.
    >
    >We pull 73 to 200 Mb a day (at debug level) [more than 1 gig
    >the day one of the major worms started up], and it's
    >Too Much Information :(
    >
    >If I might ask, what program do you use to analyze/ summarize
    >your logs? I usually find that even with my custom tools
    >that 100 Mb (a day's logs) takes me about 8 hours to analyze
    >and repair all the broken services.


    Kiwi has some nice filtering, but there isn't time or company desire
    to stay on top of anything basic nevermind to perform due diligence on
    the logs.

    I'm just struggling to get all the devices actually logging and get
    pages out for EMERGency level warnings--which everyone has been missing
    up to now.

    This site is too large (12,000 users) for any manual processing of
    logs except for the investigation of an issue or change.

    >[We block by default
    >so I occasionally have to scan to see what is not getting through
    >but should be.]


    I think this company is the reverse--everything goes through and we
    block when the problem is big enough for everyone to notice. (sigh)
    DiGiTAL_ViNYL (no email)
    DigitalVinyl, Apr 5, 2005
    #7
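Walter asked in #6 what program summarises the logs, and #7 describes the two real needs: knowing which device is producing the bulk of the volume, and getting a page out for EMERG-level messages that nobody has been seeing. The following is an added example written for this thread, not code from either poster, from Kiwi Syslog or from Cisco. It parses BSD-style syslog lines (the <PRI> prefix gives facility*8 + severity), counts messages per host and severity, lists the top talkers and pulls out anything at or above a chosen paging severity. The SAMPLE lines are constructed; the hostnames, addresses and message texts are invented.

```python
"""Summarise a syslog feed by host and severity and pull out the messages worth paging on.

Added example for the thread above; it is not Kiwi Syslog, not Cisco code and not
either poster's tooling. SAMPLE below is constructed: the hostnames and addresses
are invented and the facility/severity numbers are simply chosen to exercise the code.
"""
import re
from collections import Counter, defaultdict

# RFC 3164 severity names; list index == numeric severity (0 = emerg ... 7 = debug).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD syslog line: <PRI>Mmm dd hh:mm:ss host message.  PRI is optional because some
# relays strip it; a line without one is treated as severity 'info'.
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Constructed sample feed: local7 (23*8 = 184) plus severity, one stripped-PRI line,
# one non-syslog line and one line with an out-of-range PRI.
SAMPLE = """\
<191>Apr  3 10:15:01 fw-edge-1 debug: conn 10.0.0.5:51234 -> 10.1.61.5:514 udp
<191>Apr  3 10:15:01 fw-edge-1 debug: conn 10.0.0.6:51235 -> 10.1.61.5:514 udp
<188>Apr  3 10:15:02 fw-edge-1 warning: login failed for user admin from 10.0.0.9
<184>Apr  3 10:15:03 dist-6509-a emerg: supervisor redundancy lost
<190>Apr  3 10:15:03 dist-6509-a info: interface Vlan61 line protocol up
Apr  3 10:15:05 relay-1 relayed message whose PRI was stripped
this line is not syslog at all
<999>Apr  3 10:15:06 bogus PRI out of range
"""


def parse_line(line):
    """Return (host, facility, severity, msg), or None if the line is not valid syslog."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    pri = int(m.group("pri")) if m.group("pri") is not None else 6  # missing PRI -> info
    if pri > 191:  # PRI = facility*8 + severity, and facility tops out at 23
        return None
    facility, severity = divmod(pri, 8)
    return m.group("host"), facility, severity, m.group("msg")


def summarize(lines, page_at=0):
    """Count messages per host and severity; collect messages at or above page_at.

    page_at uses syslog numbering, where lower is worse: 0 pages only on emerg,
    4 pages on warning and everything more severe.
    Returns (counts, pages, dropped) where counts is {host: Counter(severity_name)}.
    """
    counts = defaultdict(Counter)
    pages = []
    dropped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            dropped += 1
            continue
        host, _facility, severity, msg = parsed
        counts[host][SEVERITIES[severity]] += 1
        if severity <= page_at:
            pages.append((host, SEVERITIES[severity], msg))
    return counts, pages, dropped


def top_talkers(counts, n=5):
    """Hosts ordered by total message count, to find the device flooding the servers."""
    totals = [(host, sum(c.values())) for host, c in counts.items()]
    return sorted(totals, key=lambda hc: (-hc[1], hc[0]))[:n]


if __name__ == "__main__":
    counts, pages, dropped = summarize(SAMPLE.splitlines(), page_at=0)
    for host, total in top_talkers(counts):
        print(f"{host:14} {total:6}  {dict(counts[host])}")
    for host, sev, msg in pages:
        print(f"PAGE [{sev}] {host}: {msg}")
    print(f"{dropped} unparseable line(s) dropped")
```

Run it over a day's file with `summarize(open(path), page_at=0)` and the top-talker list tells you where the 600 MB/hr is coming from before you touch any device's logging level; raising page_at to 4 turns the same pass into a warning-and-above digest. Lines that do not parse are counted rather than silently skipped, so a relay that starts mangling messages shows up as a rising `dropped` figure instead of as missing data.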
  8. DigitalVinyl

    DigitalVinyl Guest

    DigitalVinyl <> wrote:

    >I've got an active ACL that is permitting syslog(UDP 514) through to
    >thre syslog servers (gigs worth per day), but the ACLs show no match.
    >I've gone over them repeatedly and there is no match other thatn those
    >we wrote to open syslog up, but no hitcounts. Other lines in the ACl
    >have millions of hits.
    >
    >Is there some reason why an ACL WON'T show hit counts?
    >Is UDP not tracked with hitcount?
    >
    >DiGiTAL_ViNYL (no email)


    I found the answer on a Cisco forum. Packets switched in hardware are
    not counted on the ACL hitcounts, so only exception traffic will be
    noted.
    DiGiTAL_ViNYL (no email)
    DigitalVinyl, Apr 8, 2005
    #8
