Use this command to generate a Syslog message on rule hits.


log [entry | implicit | all]
no log [entry | implicit | all]


entry     (Optional) Specifies a sequence numbered entry to log when a hit occurs. Valid values: 1 - 5000. Default value: all
implicit  (Optional) Specifies the logging of a final implicit deny hit.
all       (Optional) Specifies that all hits are to be logged, including the final implicit deny.


If no option is specified, all hits are logged, including the final implicit deny.


Configuration command, L2 ACL configuration mode.


ACL logging is throttled to 1 log message per second. If there are multiple ACL rules with logging enabled (log or log-verbose), and more than one frame is transmitted per second that can hit those rules, only the first frame will generate a message. Logging is therefore a sample: it does not report every hit on a rule with logging enabled.
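
The effect of this throttle on the Syslog record can be modelled offline. The Python sketch below is an added example, not vendor code. It assumes a single device-wide limiter that permits the next message one second after the previous one (the page does not say whether the window is sliding or clock-aligned); the rule names and timestamps are constructed.

```python
from collections import Counter

THROTTLE_MS = 1000  # "1 log message per second", shared by all logged rules


def simulate_acl_logging(hits, throttle_ms=THROTTLE_MS):
    """Replay rule hits through the throttle.

    hits: iterable of (timestamp_ms, rule_name) for rules with logging enabled.
    Returns (logged, suppressed): the hits that produced a Syslog message, and
    a Counter of rule_name -> hits that produced none.
    """
    logged, suppressed = [], Counter()
    last_emit = None
    for ts, rule in sorted(hits):
        # ASSUMPTION: the first hit after the limiter reopens wins, whatever its rule.
        if last_emit is None or ts - last_emit >= throttle_ms:
            logged.append((ts, rule))
            last_emit = ts
        else:
            suppressed[rule] += 1
    return logged, suppressed


def coverage(hits, logged):
    """Per-rule fraction of real hits that are visible in Syslog."""
    total = Counter(rule for _, rule in hits)
    seen = Counter(rule for _, rule in logged)
    return {rule: seen[rule] / total[rule] for rule in total}


# Constructed sample: three logged rules hit within the same few seconds.
SAMPLE_HITS = [
    (0, "entry 10"), (200, "entry 20"), (400, "implicit deny"),
    (900, "entry 10"), (1000, "implicit deny"), (1300, "entry 20"),
    (2500, "entry 10"), (2600, "entry 20"),
]

if __name__ == "__main__":
    logged, suppressed = simulate_acl_logging(SAMPLE_HITS)
    for ts, rule in logged:
        print(f"{ts:>5} ms  Syslog message for {rule}")
    for rule, frac in sorted(coverage(SAMPLE_HITS, logged).items()):
        print(f"{rule}: {frac:.0%} of hits logged, {suppressed[rule]} suppressed")
```

In this sample "entry 20" is hit three times and never appears in Syslog, so a missing message is not evidence that a rule was not hit, and message counts should not be used as hit counts.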

The “no” version of this command removes the last (if duplicate entries exist) or the specified (if no duplicate entries exist) log entry.


This example enters configuration mode for L2 ACL list2 and enables a detailed logging level for a final implicit deny hit:

System(rw-config)->l2 access-list list2
System(rw-cfg-l2-acl)->log implicit