We've set up a ProCurve 5406zl with recent firmware (OS: K.15.08.0013, BootROM: K.15.28) and are playing with ACL logging.
Our logging setup is as follows:
Debug Logging
Source IP Selection: 192.168.0.254
Destination:
Logging --
192.168.1.43 loghost
Protocol = UDP
Port = 514
Facility = syslog
Severity = debug
System Module = all-pass
Priority Desc =
Enabled debug types:
event
acl log
This seems to log properly to our syslog server.
We have several ACLs, each of which has more than one deny ACE with 'log' set. When these are matched, we see the following in our logs:
Jan 24 11:46:51 192.168.0.254 ACL: ACL mClistCtrl:01/24/13 11:46:51 : Router ACL external-input seq#25 denied 1748 packets
Jan 24 11:46:51 192.168.0.254 ACL: ACL mClistCtrl:01/24/13 11:46:51 : Router ACL external-output seq#18 denied 2 packets
These come in around every 5 minutes as a 'summary' - but we'd like to get more info on these matches.
We can obviously look at the ACE from the seq# to see which rule matched, but we'd like to get more information on what the packet was that triggered the match (source/target address, port, etc.).
Are we missing something in our setup that means we're not seeing this information? Or is this just how these devices log? Is there any way we can improve on the level of information logged?
Thanks!
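The summary lines quoted above are the only per-ACE information the post shows, so the practical thing to do with them on the syslog side is to parse them into structured fields (ACL name, seq#, denied count, switch timestamp) and watch the per-interval counts for sudden changes. The following is an added example, not code from the original post or from HP/ProCurve: the regex is inferred from the two quoted lines only, the third sample line is constructed to show the same ACE reporting again five minutes later, and the assumption that each summary counts packets denied since the previous summary (rather than a running total) is labelled in the code.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the first two lines are the summary lines quoted in the
# post; the third is invented to show the same ACE reporting again five minutes later.
SAMPLE_LOG = """\
Jan 24 11:46:51 192.168.0.254 ACL: ACL mClistCtrl:01/24/13 11:46:51 : Router ACL external-input seq#25 denied 1748 packets
Jan 24 11:46:51 192.168.0.254 ACL: ACL mClistCtrl:01/24/13 11:46:51 : Router ACL external-output seq#18 denied 2 packets
Jan 24 11:51:51 192.168.0.254 ACL: ACL mClistCtrl:01/24/13 11:51:51 : Router ACL external-input seq#25 denied 9500 packets
"""

# Field layout inferred from the quoted lines only (assumption): any other ACL message
# format the switch may emit is not covered here and is skipped by parse_line().
SUMMARY_RE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) ACL: ACL (?P<module>[^:]+):"
    r"(?P<dev_ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) : "
    r"(?P<kind>\w+) ACL (?P<acl>\S+) seq#(?P<seq>\d+) denied (?P<count>\d+) packets$"
)


def parse_line(line):
    """Return a dict of fields for one ACL summary line, or None if it does not match."""
    m = SUMMARY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"])
    rec["count"] = int(rec["count"])
    # The switch's own timestamp carries the year; the syslog header does not.
    rec["dev_ts"] = datetime.strptime(rec["dev_ts"], "%m/%d/%y %H:%M:%S")
    return rec


def parse_log(text):
    """Parse every matching line in a block of syslog text, keeping input order."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def totals_by_ace(records):
    """Sum denied packets per (ACL name, seq#) across all summaries seen."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["acl"], r["seq"])] += r["count"]
    return dict(totals)


def find_spikes(records, factor=3.0):
    """Flag an ACE whose latest summary count exceeds its previous one by `factor`.

    Assumption: each summary reports the packets denied since the previous summary
    (the post describes them as ~5-minute summaries). `factor` is an arbitrary threshold.
    """
    last = {}
    spikes = []
    for r in sorted(records, key=lambda x: x["dev_ts"]):
        key = (r["acl"], r["seq"])
        prev = last.get(key)
        if prev is not None and prev > 0 and r["count"] > factor * prev:
            spikes.append((key, prev, r["count"], r["dev_ts"]))
        last[key] = r["count"]
    return spikes


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, total in sorted(totals_by_ace(recs).items()):
        print(f"{key[0]} seq#{key[1]}: {total} packets denied")
    for (acl, seq), prev, cur, ts in find_spikes(recs):
        print(f"spike: {acl} seq#{seq} went {prev} -> {cur} at {ts}")
```

Feeding the file your syslog server writes for 192.168.0.254 into parse_log() gives you a per-ACE time series; the seq# still has to be resolved against the ACL on the switch by hand, since the summary line carries no packet-level detail.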