ACL Logging

The IP Access List Logging feature provides the ability to log messages about packets that are permitted or denied by an IP access list. A packet that matches an access list entry configured for logging generates an informational message about the packet at the device console. Matched packets are also counted in the output of the show access-lists command.

This can be configured by adding the log keyword at the end of an ACL entry. In the following example, the access list is configured to log any packets that match the deny statement:

R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80
R2(config)#access-list 100 deny ip any any log

The output of the show access-lists command indicates the number of matched packets that have been logged:

R2#show access-lists
Extended IP access list 100
    10 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq www
    20 deny ip any any log (1 match)
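When this output is collected from many devices, it helps to extract the match counters programmatically rather than read them by eye. The following parser is an added example, not part of the original text or a Cisco tool; it runs over a constructed sample modelled on the output above (a second list and non-zero counters are assumed for illustration) and reports the logged deny entries that have actually been hit.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the "show access-lists" output in the text.
# A second list and non-zero counters are added to exercise the parser.
SAMPLE_OUTPUT = """R2#show access-lists
Extended IP access list 100
    10 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq www (12 matches)
    20 deny ip any any log (1 match)
Extended IP access list 101
    10 deny tcp any any eq 23 log-input (3 matches)
    20 permit ip any any
"""

LIST_RE = re.compile(r"^(?:Extended|Standard) IP access list (?P<name>\S+)\s*$")
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<body>.*?)"
    r"(?:\s+\((?P<count>\d+) match(?:es)?\))?\s*$"
)

@dataclass
class Ace:
    acl: str
    seq: int
    action: str
    body: str
    logged: bool   # entry ends with the log or log-input keyword
    matches: int   # counter from the trailing "(N match/matches)"

def parse_access_lists(text):
    """Parse 'show access-lists' output into a list of Ace records."""
    entries, current = [], None
    for line in text.splitlines():
        m = LIST_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            body = m.group("body")
            entries.append(Ace(
                acl=current,
                seq=int(m.group("seq")),
                action=m.group("action"),
                body=body,
                logged=re.search(r"\blog(?:-input)?$", body) is not None,
                matches=int(m.group("count") or 0),
            ))
    return entries

def logged_denies_with_hits(entries):
    """Return (acl, seq, matches) for logged deny entries that have matched traffic."""
    return [(e.acl, e.seq, e.matches)
            for e in entries if e.action == "deny" and e.logged and e.matches > 0]
```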

Links:

https://networklessons.com/cisco/ccie-routing-switching/extended-access-list-example-on-cisco-router

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-acl-ip-log.pdf