Cisco ASA Series Command Reference, I - R Commands
logging asdm -- logout message
Downloads: This chapterpdf (PDF - 565.0KB) The complete bookPDF (PDF - 8.29MB) | The complete bookePub (ePub - 686.0KB) | The complete bookMobi (Mobi - 532.0KB) | Feedback

Table of Contents

logging asdm through logout message Commands

logging asdm

logging asdm-buffer-size

logging buffered

logging buffer-size

logging class

logging console

logging debug-trace

logging device-id

logging emblem

logging enable

logging facility

logging flash-bufferwrap

logging flash-maximum-allocation

logging flash-minimum-free

logging flow-export-syslogs enable | disable

logging from-address

logging ftp-bufferwrap

logging ftp-server

logging history

logging host

logging list

logging mail

logging message

llogging monitor

logging permit-hostdown

logging queue

logging rate-limit

logging recipient-address

logging savelog

logging standby

logging timestamp

logging trap

login

login-button

login-message

login-title

logo

logout

logout-message

logging asdm through logout message Commands

logging asdm

To send syslog messages to the ASDM log buffer, use the logging asdm command in global configuration mode. To disable logging to the ASDM log buffer, use the no form of this command.

logging asdm [ logging_list | level]

no logging asdm [ logging_list | level]

 
Syntax Description

level

Sets the maximum severity level for syslog messages. For example, if you set the severity level to 3, then the ASA generates syslog messages for severity levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

  • 0 or emergencies —System is unusable.
  • 1 or alerts —Immediate action needed.
  • 2 or critical —Critical conditions.
  • 3 or errors —Error conditions.
  • 4 or warnings —Warning conditions.
  • 5 or notifications —Normal but significant conditions.
  • 6 or informational —Informational messages.
  • 7 or debugging —Debugging messages.

logging_list

Specifies the list that identifies the messages to send to the ASDM log buffer. For information about creating lists, see the logging list command.

 
Defaults

ASDM logging is disabled by default.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

Before any messages are sent to the ASDM log buffer, you must enable logging using the logging enable command.

When the ASDM log buffer is full, the ASA deletes the oldest message to make room in the buffer for new messages. To control the number of syslog messages retained in the ASDM log buffer, use the logging asdm-buffer-size command.

The ASDM log buffer is a different buffer than the log buffer enabled by the logging buffered command.

Examples

The following example shows how to enable logging, send log buffer messages of severity levels 0, 1, and 2 to the ASDM, and how to set the ASDM log buffer size to 200 messages:

ciscoasa(config)# logging enable
ciscoasa(config)# logging asdm 2
ciscoasa(config)# logging asdm-buffer-size 200
ciscoasa(config)# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level critical, 48 messages logged
 

 
Related Commands

Command
Description

clear logging asdm

Clears the ASDM log buffer of all messages that it contains.

logging asdm-buffer-size

Specifies the number of ASDM messages retained in the ASDM log buffer

logging enable

Enables logging.

logging list

Creates a reusable list of message selection criteria.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging configuration.

logging asdm-buffer-size

To specify the number of syslog messages retained in the ASDM log buffer, use the logging asdm-buffer-size command in global configuration mode. To reset the ASDM log buffer to its default size of 100 messages, use the no form of this command.

logging asdm-buffer-size num_of_msgs

no logging asdm-buffer-size num_of_msgs

 
Syntax Description

num_of_msgs

Specifies the number of syslog messages that the ASA retains in the ASDM log buffer.

 
Defaults

The default ASDM syslog buffer size is 100 messages.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

When the ASDM log buffer is full, the ASA deletes the oldest message to make room in the buffer for new messages. To control whether logging to the ASDM log buffer is enabled or to control the kind of syslog messages retained in the ASDM log buffer, use the logging asdm command.

The ASDM log buffer is a different buffer than the log buffer enabled by the logging buffered command.

Examples

The following example shows how to enable logging, sendmessages of severity levels 0, 1, and 2 to the ASDM log buffer, and how to set the ASDM log buffer size to 200 messages:

ciscoasa(config)# logging enable
ciscoasa(config)# logging asdm 2
ciscoasa(config)# logging asdm-buffer-size 200
ciscoasa(config)# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level critical, 48 messages logged
 

 
Related Commands

Command
Description

clear logging asdm

Clears the ASDM log buffer of all messages that it contains.

logging asdm

Enables logging to the ASDM log buffer.

logging enable

Enables logging.

show logging

Displays the enabled logging options.

show running-config logging

Displays the currently running logging configuration.

logging buffered

To enable the ASA to send syslog messages to the log buffer, use the logging buffered command in global configuration mode. To disable logging to the log buffer, use the no form of this command.

logging buffered [ logging_list | level]

no logging buffered [ logging_list | level]

 
Syntax Description

level

Sets the maximum severity level for syslog messages. For example, if you set the severity level to 3, then the ASA generates syslog messages for severity levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

  • 0 or emergencies —System is unusable.
  • 1 or alerts —Immediate action needed.
  • 2 or critical —Critical conditions.
  • 3 or errors —Error conditions.
  • 4 or warnings —Warning conditions.
  • 5 or notifications —Normal but significant conditions.
  • 6 or informational —Informational messages.
  • 7 or debugging —Debugging messages.

logging_list

Specifies the list that identifies the messages to send to the log buffer. For information about creating lists, see the logging list command.

 
Defaults

The defaults are as follows:

  • Logging to the buffer is disabled.
  • The buffer size is 4 KB.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

Before any messages are sent to the log buffer, you must enable logging using the logging enable command.

New messages append to the end of the buffer. When the buffer fills up, the ASA clears the buffer and continues adding messages to it. When the log buffer is full, the ASA deletes the oldest message to make room in the buffer for new messages. You can have buffer contents automatically saved each time the contents of the buffer have “wrapped,” which means that all the messages since the last save have been replaced by new messages. For more information, see the logging flash-bufferwrap and logging ftp-bufferwrap commands.

At any time, you can save the contents of the buffer to flash memory. For more information, see the logging savelog command.

You can view syslog messages that have been sent to the buffer with the show logging command.

Examples

The following example configures logging to the buffer for severity level 0 and level 1 events:

ciscoasa(config)# logging buffered alerts
ciscoasa(config)#
 

The following example creates a list named” notif-list” with a maximum severity level of 7 and configures logging to the buffer for syslog messages identified by the “notif-list” list:

ciscoasa(config)# logging list notif-list level 7
ciscoasa(config)# logging buffered notif-list
ciscoasa(config)#
 

 
Related Commands

Command
Description

clear logging buffer

Clears the log buffer of all syslog messages that it contains.

logging buffer-size

Specifies log buffer size.

logging enable

Enables logging.

logging list

Creates a reusable list of message selection criteria.

logging savelog

Saves the contents of the log buffer to flash memory.

logging buffer-size

To specify the size of the log buffer, use the logging buffer-size command in global configuration mode. To reset the log buffer to its default size of 4 KB of memory, use the no form of this command.

logging buffer-size bytes

no logging buffer-size bytes

 
Syntax Description

bytes

Sets the amount of memory used for the log buffer, in bytes. For example, if you specify 8192, the ASA uses 8 KB of memory for the log buffer.

 
Defaults

The default log buffer size is 4 KB of memory.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

To see whether the ASA is using a log buffer of a size other than the default buffer size, use the show running-config logging command. If the logging buffer-size command is not shown, then the ASA uses a log buffer of 4 KB.

For more information about how the ASA uses the buffer, see the logging buffered command.

Examples

The following example enables logging, enables the logging buffer, and specifies that the ASA uses 16 KB of memory for the log buffer:

ciscoasa(config)# logging enable
ciscoasa(config)# logging buffered
ciscoasa(config)# logging buffer-size 16384
ciscoasa(config)#

 
Related Commands

Command
Description

clear logging buffer

Clears the log buffer of all syslog messages that it contains.

logging buffered

Enables logging to the log buffer.

logging enable

Enables logging.

logging flash-bufferwrap

Writes the log buffer to flash memory when the log buffer is full.

logging savelog

Saves the contents of the log buffer to flash memory.

logging class

To configure the maximum severity level per logging destination for a message class, use the logging class command in global configuration mode. To remove a message class severity level configuration, use the no form of this command.

logging class class destination level [ destination level . . .]

no logging class class

 
Syntax Description

class

Specifies the message class whose maximum severity levels are configured per destination. For valid values of class , see the “Usage Guidelines” section.

destination

Specifies a logging destination for class . For the destination, the level determines the maximum severity level sent to destination . For valid values of destination , see the “Usage Guidelines” section that follows.

level

Sets the maximum severity level for syslog messages. For example, if you set the severity level to 3, then the ASA generates syslog messages for severity levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

  • 0 or emergencies —System is unusable.
  • 1 or alerts —Immediate action is needed.
  • 2 or critical —Critical conditions.
  • 3 or errors —Error conditions.
  • 4 or warnings —Warning conditions.
  • 5 or notifications —Normal but significant conditions.
  • 6 or informational —Informational messages.
  • 7 or debugging —Debugging messages.

 
Defaults

By default, the ASA does not apply severity levels on a logging destination and message class basis. Instead, each enabled logging destination receives messages for all classes at the severity level determined by the logging list or severity level specified when you enabled the logging destination.

 
Command Modes

The following table shows the modes in which you may enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

8.0(2)

Added eigrp to valid class values.

8.2(1)

Added dap to valid class values.

 
Usage Guidelines

Valid values for class include the following:

  • auth —User authentication.
  • bridge —Transparent firewall.
  • ca —PKI certificate authority.
  • config —Command interface.
  • dap— Dynamic Access Policies.
  • eap —Extensible Authentication Protocol (EAP). Logs the following types of events to support Network Admission Control: EAP session state changes, EAP status query events, and a hexadecimal dump of EAP header and packet contents.
  • eapoudp —Extensible Authentication Protocol (EAP) over UDP. Logs EAPoUDP events to support Network Admission Control, and generates a complete record of EAPoUDP header and packet contents.
  • eigrp —EIGRP routing.
  • email —Email proxy.
  • ha —Failover.
  • ids —Intrusion detection system.
  • ip —IP stack.
  • ipaa— IP address assignment
  • nac —Network Admission Control. Logs the following types of events: initializations, exception list matches, ACS transactions, clientless authentications, default ACL applications, and revalidations.
  • np —Network processor.
  • ospf —OSPF routing.
  • rip —RIP routing.
  • rm —Resource Manager.
  • session —User session.
  • snmp —SNMP.
  • sys —System.
  • vpn —IKE and IPsec.
  • vpnc —VPN client.
  • vpnfo —VPN failover.
  • vpnlb —VPN load balancing.

Valid logging destinations are as follows:

  • asdm —To learn about this destination, see the logging asdm command.
  • buffered —To learn about this destination, see the logging buffered command.
  • console —To learn about this destination, see the logging console command.
  • history —To learn about this destination, see the logging history command.
  • mail —To learn about this destination, see the logging mail command.
  • monitor —To learn about this destination, see the logging monitor command.
  • trap —To learn about this destination, see the logging trap command.

Examples

The following example specifies that, for failover-related messages, the maximum severity level for the ASDM log buffer is 2 and the maximum severity level for the syslog buffer is 7:

ciscoasa(config)# logging class ha asdm 2 buffered 7
 

 
Related Commands

Command
Description

logging enable

Enables logging.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.

logging console

To enable the ASA to display syslog messages in console sessions, use the logging console command in global configuration mode. To disable the display of syslog messages in console sessions, use the no form of this command.

logging console [ logging_list | level]

no logging console


NoteWe recommend that you do not use this command, because it may cause many syslog messages to be dropped due to buffer overflow. For more information, see the “Usage Guidelines” section. We recommend that you do not use this command, because it may cause many syslog messages to be dropped due to buffer overflow. For more information, see the “Usage Guidelines” section.


 
Syntax Description

level

Sets the maximum severity level for syslog messages. For example, if you set the severity level to 3, then the ASA generates syslog messages for severity levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

  • 0 or emergencies —System is unusable.
  • 1 or alerts —Immediate action needed.
  • 2 or critical —Critical conditions.
  • 3 or errors —Error conditions.
  • 4 or warnings —Warning conditions.
  • 5 or notifications —Normal but significant conditions.
  • 6 or informational —Informational messages.
  • 7 or debugging —Debugging messages.

logging_list

Specifies the list that identifies the messages to send to the console session. For information about creating lists, see the logging list command.

 
Defaults

The ASA does not display syslog messages in console sessions by default.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

Before any messages are sent to the console, you must enable logging using the logging enable command.


Caution Using the logging console command could significantly degrade system performance. Instead, use the logging buffered command to start logging and the show logging command to view the messages. To make viewing the most current messages easier, use the clear logging buffer command to clear the buffer.

Examples

The following example shows how to enable syslog messages of severity levels 0, 1, 2, and 3 to appear in console sessions:

ciscoasa(config)# logging enable
ciscoasa(config)# logging console errors
ciscoasa(config)#
 

 
Related Commands

Command
Description

logging enable

Enables logging.

logging list

Creates a reusable list of message selection criteria.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.

logging debug-trace

To redirect debugging messages to logs as syslog message 711001 issued at severity level 7, use the logging debug-trace command in global configuration mode. To stop sending debugging messages to logs, use the no form of this command.

logging debug-trace

no logging debug-trace

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

By default, the ASA does not include debugging output in syslog messages.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

Debugging messages are generated as severity level 7 messages. They appear in logs with the syslog message number 711001, but do not appear in any monitoring session.

Examples

The following example shows how to enable logging, send log messages to the system log buffer, redirect debugging output to logs, and turn on debugging of disk activity.

ciscoasa(config)# logging enable
ciscoasa(config)# logging buffered
ciscoasa(config)# logging debug-trace
ciscoasa(config)# debug disk filesystem
 

The following is sample output of a debugging message that could appear in the logs:

%ASA-7-711001: IFS: Read: fd 3, bytes 4096
 

 
Related Commands

Command
Description

logging enable

Enables logging.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.

logging device-id

To configure the ASA to include a device ID in non-EMBLEM-format syslog messages, use the logging device-id command in global configuration mode. To disable the use of a device ID, use the no form of this command.

logging device-id { cluster-id | context-name | hostname | ipaddress interface_name [ system ] | string text }

no logging device-id { cluster-id | context-name | hostname | ipaddress interface_name [ system ] | string text }

 
Syntax Description

cluster-id

Specifies the unique name of an individual ASA unit in the cluster as the device ID.

hostname

Specifies the hostname of the ASA as the device ID.

ipaddress interface_name

Specifies the device ID or the IP address of the interface in interface_name . If you use the ipaddress keyword, syslog messages sent to an external server include the IP address of the interface specified, regardless of which interface the ASA uses to send the log data to the external server.

string text

Specifies the characters included in text as the device ID, which can be up to 16 characters long. You cannot use white space characters or any of the following characters:

  • &—ampersand
  • '—single quote
  • "—double quote
  • <—less than
  • >—greater than
  • ?—question mark

system

(Optional) In the cluster environment, dictates that the device ID becomes the system IP address on the interface.

 
Defaults

No default behaviors or values.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

9.0(1)

The cluster-id and system keywords have been added.

 
Usage Guidelines

If you use the ipaddress keyword, the device ID becomes the specified ASA interface IP address, regardless of the interface from which the message is sent. This keyword provides a single, consistent device ID for all messages that are sent from the device. If you use the system keyword, the specified ASA uses the system IP address instead of the local IP address of the unit in a cluster. The cluster-id and system keywords apply to the ASA 5580 and 5585-X only.

Examples

The following example shows how to configure a host named “secappl-1”:

ciscoasa(config)# logging device-id hostname
ciscoasa(config)# show logging
Syslog logging: disabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level informational, 991 messages logged
Trap logging: disabled
History logging: disabled
Device ID: hostname "secappl-1"
 

The hostname appears at the beginning of syslog messages, as shown in the following message:

secappl-1 %ASA-5-111008: User 'enable_15' executed the 'logging buffer-size 4096' command.
 

 
Related Commands

Command
Description

logging enable

Enables logging.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.

logging emblem

To use the EMBLEM format for syslog messages sent to destinations other than a syslog server, use the logging emblem command in global configuration mode. To disable the use of EMBLEM format, use the no form of this command.

logging emblem

no logging emblem

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

By default, the ASA does not use EMBLEM format for syslog messages.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was changed to be independent of the logging host command.

 
Usage Guidelines

The logging emblem command lets you to enable EMBLEM-format logging for all logging destinations other than syslog servers. If you also enable the logging timestamp keyword, the messages with a time stamp are sent.

To enable EMBLEM-format logging for syslog servers, use the format emblem option with the logging host command.

Examples

The following example shows how to enable logging and enable the use of EMBLEM-format for logging to all logging destinations except syslog servers:

ciscoasa(config)# logging enable
ciscoasa(config)# logging emblem
ciscoasa(config)#

 
Related Commands

Command
Description

logging enable

Enables logging.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.

logging enable

To enable logging for all configured output locations, use the logging enable command in global configuration mode. To disable logging, use the no form of this command.

logging enable

no logging enable

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

Logging is disabled by default.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was changed from the logging on command.

 
Usage Guidelines

The logging enable command allows you to enable or disable sending syslog messages to any of the supported logging destinations. You can stop all logging with the no logging enable command.

You can enable logging to individual logging destinations with the following commands:

  • logging asdm
  • logging buffered
  • logging console
  • logging history
  • logging mail
  • logging monitor
  • logging trap

Examples

The following example shows how to enable logging. The output of the show logging command illustrates how each possible logging destination must be enabled separately:

ciscoasa(config)# logging enable
ciscoasa(config)# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
 

 
Related Commands

Command
Description

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.

logging facility

To specify the logging facility used for messages sent to syslog servers, use the logging facility command in global configuration mode. To reset the logging facility to its default of 20, use the no form of this command.

logging facility facility

no logging facility

 
Syntax Description

facility

Specifies the logging facility; valid values are 16 through 23.

 
Defaults

The default facility is 20 (LOCAL4).

 
Command Modes

The following table shows the modes in which you can enter the command, with the exceptions noted in the Syntax Description section.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

Syslog servers file messages based on the facility number in the message. There are eight possible facilities: 16 (LOCAL0) through 23 (LOCAL7).

Examples

The following example shows how to specify that the ASA indicate the logging facility as 16 in syslog messages. The output of the show logging command includes the facility being used by the ASA:

ciscoasa(config)# logging facility 16
ciscoasa(config)# show logging
Syslog logging: enabled
Facility: 16
Timestamp logging: disabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level errors, facility 16, 3607 messages logged
Logging to infrastructure 10.1.2.3
History logging: disabled
Device ID: 'inside' interface IP address "10.1.1.1"
Mail logging: disabled
ASDM logging: disabled
 

 
Related Commands

Command
Description

logging enable

Enables logging.

logging host

Defines a syslog server.

logging trap

Enables logging to syslog servers.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.

logging flash-bufferwrap

To enable the ASA to write the log buffer to flash memory every time the buffer is full of messages that have never been saved, use the logging flash-bufferwrap command in global configuration mode. To disable writing of the log buffer to flash memory, use the no form of this command.

logging flash-bufferwrap

no logging flash-bufferwrap

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

The defaults are as follows:

  • Logging to the buffer is disabled.
  • Writing the log buffer to flash memory is disabled.
  • The buffer size is 4 KB.
  • Minimum free flash memory is 3 MB.
  • Maximum flash memory allocation for buffer logging is 1 MB.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

For the ASA to write the log buffer to flash memory, you must enable logging to the buffer; otherwise, the log buffer never has data to be written to flash memory. To enable logging to the buffer, use the logging buffered command.

While the ASA writes log buffer contents to flash memory, it continues storing any new event messages to the log buffer.

The ASA creates log files with names that use a default time-stamp format, as follows:

LOG-YYYY-MM-DD-HHMMSS.TXT
 

where YYYY is the year, MM is the month, DD is the day of the month, and HHMMSS is the time in hours, minutes, and seconds.

The availability of flash memory affects how the ASA saves syslog messages using the logging flash-bufferwrap command. For more information, see the logging flash-maximum-allocation and the logging flash-minimum-free commands.

Examples

The following example shows how to enable logging, enable the log buffer, and enable the ASA to write the log buffer to flash memory:

ciscoasa(config)# logging enable
ciscoasa(config)# logging buffered
ciscoasa(config)# logging flash-bufferwrap

ciscoasa(config)#

 
Related Commands

Command
Description

clear logging buffer

Clears the log buffer of all syslog messages that it contains.

copy

Copies a file from one location to another, including to a TFTP or FTP server.

delete

Deletes a file from the disk partition, such as saved log files.

logging buffered

Enables logging to the log buffer.

logging buffer-size

Specifies log buffer size.

logging flash-maximum-allocation

To specify the maximum amount of flash memory that the ASA uses to store log data, use the logging flash-maximum-allocation command in global configuration mode. To reset the maximum amount of flash memory used for this purpose to its default size of 1 MB of flash memory, use the no form of this command.

logging flash-maximum-allocation kbytes

no logging flash-maximum-allocation kbytes

 
Syntax Description

kbytes

The largest amount of flash memory, in kilobytes, that the ASA can use to save log buffer data.

 
Defaults

The default maximum flash memory allocation for log data is 1 MB.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

This command determines how much flash memory is available for the logging savelog and logging flash-bufferwrap commands.

If a log file to be saved by logging savelog or logging flash-bufferwrap causes flash memory use for log files to exceed the maximum amount specified by the logging flash-maximum-allocation command, the ASA deletes the oldest log files to free sufficient memory for the new log file. If there are no files to delete or if, after all old files are deleted, free memory is too small for the new log file, the ASA fails to save the new log file.

To see whether the ASA has a maximum flash memory allocation of a size different than the default size, use the show running-config logging command. If the logging flash-maximum-allocation command is not shown, then the ASA uses a maximum of 1 MB for saved log buffer data. The memory allocated is used for both the logging savelog and logging flash-bufferwrap commands.

For more information about how the ASA uses the log buffer, see the logging buffered command.

Examples

The following example shows how to enable logging, enable the log buffer, enable the ASA to write the log buffer to flash memory, with the maximum amount of flash memory used for writing log files set to approximately 1.2 MB of memory:

ciscoasa(config)# logging enable
ciscoasa(config)# logging buffered
ciscoasa(config)# logging flash-bufferwrap
ciscoasa(config)# logging flash-maximum-allocation 1200
ciscoasa(config)#
 

 
Related Commands

Command
Description

clear logging buffer

Clears the log buffer of all syslog messages it contains.

logging buffered

Enables logging to the log buffer.

logging enable

Enables logging.

logging flash-bufferwrap

Writes the log buffer to flash memory when the log buffer is full.

logging flash-minimum-
free

Specifies the minimum amount of flash memory that must be available for the ASA to permit writing of the log buffer to flash memory.

logging flash-minimum-free

To specify the minimum amount of free flash memory that must exist before the ASA saves a new log file, use the logging flash-minimum-free command in global configuration mode. To reset the minimum required amount of free flash memory to its default size of 3 MB, use the no form of this command.

logging flash-minimum-free kbytes

no logging flash-minimum-free kbytes

 
Syntax Description

kbytes

The minimum amount of flash memory, in kilobytes, that must be available before the ASA saves a new log file.

 
Defaults

The default minimum free flash memory is 3 MB.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The logging flash-minimum-free command specifies how much flash memory the logging savelog and logging flash-bufferwrap commands must preserve at all times.

If a log file to be saved by logging savelog or logging flash-bufferwrap would cause the amount of free flash memory to fall below the limit specified by the logging flash-minimum-free command, the ASA deletes the oldest log files to ensure that the minimum amount of memory remains free after saving the new log file. If there are no files to delete or if, after all old files are deleted, free memory would still be below the limit, the ASA fails to save the new log file.

Examples

The following example shows how to enable logging, enable the log buffer, enable the ASA to write the log buffer to flash memory, and specifies that the minimum amount of free flash memory must be 4000 KB:

ciscoasa(config)# logging enable
ciscoasa(config)# logging buffered
ciscoasa(config)# logging flash-bufferwrap
ciscoasa(config)# logging flash-minimum-free 4000
ciscoasa(config)#
 

 
Related Commands

Command
Description

clear logging buffer

Clears the log buffer of all syslog messages that it contains.

logging buffered

Enables logging to the log buffer.

logging enable

Enables logging.

logging flash-bufferwrap

Writes the log buffer to flash memory when the log buffer is full.

logging flash-maximum-
allocation

Specifies the maximum amount of flash memory that can be used for writing log buffer contents.

logging flow-export-syslogs enable | disable

To enable all of the syslog messages that NetFlow captures, use the logging flow-export-syslogs enable command in global configuration mode. To disable all of the syslog messages that NetFlow captures, use the logging flow-export-syslogs disable command in global configuration mode.

logging flow-export-syslogs {enable | disable}

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

By default, all syslogs that are captured by NetFlow are enabled.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.1(1)

This command was introduced.

 
Usage Guidelines

If the security appliance is configured to export NetFlow data, to improve performance, we recommend that you disable redundant syslog messages (those also captured by NetFlow) by entering the logging flow-export-syslogs disable command. The syslog messages that will be disabled are as follows:

 

Syslog Message
Description

106015

A TCP flow was denied because the first packet was not a SYN packet.

106023

A flow that is denied by an ingress ACL or an egress ACL that is attached to an interface through the access-group command.

106100

A flow that is permitted or denied by an ACL.

302013 and 302014

A TCP connection and deletion.

302015 and 302016

A UDP connection and deletion.

302017 and 302018

A GRE connection and deletion.

302020 and 302021

An ICMP connection and deletion.

313001

An ICMP packet to the security appliance was denied.

313008

An ICMPv6 packet to the security appliance was denied.

710003

An attempt to connect to the security appliance was denied.


NoteAlthough this is a configuration mode command, it is not stored in the configuration. Only the Although this is a configuration mode command, it is not stored in the configuration. Only the no logging message xxxxxx commands are stored in the configuration.


Examples

The following example shows how to disable redundant syslog messages that NetFlow captures and the sample output that appears:

ciscoasa(config)# logging flow-export-syslogs disable
 
ciscoasa(config)# show running-config logging
 
no logging message xxxxx1
no logging message xxxxx2
 

where the xxxxx1 and xxxxx2 are syslog messages that are redundant because the same information has been captured through NetFlow. This command is like a command alias, and will convert to a batch of no logging message xxxxxx commands. After you have disabled the syslog messages, you can enable them individually with the logging message xxxxxx command, where xxxxxx is the specific syslog message number.

 
Related Commands

Commands
Description

flow-export destination interface-name ipv4-address | hostname udp-port

Specifies the IP address or hostname of the NetFlow collector, and the UDP port on which the NetFlow collector is listening.

flow-export template timeout-rate minutes

Controls the interval at which the template information is sent to the NetFlow collector.

show flow-export counters

Displays a set of runtime counters for NetFlow.

logging from-address

To specify the sender e-mail address for syslog messages sent by the ASA, use the logging from-address command in global configuration mode. All sent syslog messages appear to come from the address you specify. To remove the sender e-mail address, use the no form of this command.

logging from-address from-email-address

no logging from-address from-email-address

 
Syntax Description

from-email-address

Source e-mail address, that is, the e-mail address that syslog messages appear to come from (for example, cdb@example.com).

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

Sending syslog messages by e-mail is enabled by the logging mail command.

The address specified with this command need not correspond to an existing e-mail account.

Examples

To enable logging and set up the ASA to send syslog messages by e-mail, use the following criteria:

  • Send messages that are critical, alerts, or emergencies.
  • Send messages using ciscosecurityappliance@example.com as the sender address.
  • Send messages to admin@example.com.
  • Send messages using SMTP, the primary servers pri-smtp-host, and secondary server sec-smtp-host.

Enter the following commands:

ciscoasa(config)# logging enable
ciscoasa(config)# logging mail critical
ciscoasa(config)# logging from-address ciscosecurityappliance@example.com
ciscoasa(config)# logging recipient-address admin@example.com
ciscoasa(config)# smtp-server pri-smtp-host sec-smtp-host
 

 
Related Commands

Command
Description

logging enable

Enables logging.

logging mail

Enables the ASA to send syslog messages by e-mail and determines which messages are sent by e-mail.

logging recipient-address

Specifies the e-mail address to which syslog messages are sent.

smtp-server

Configures an SMTP server.

show logging

Displays the enabled logging options.

logging ftp-bufferwrap

To enable the ASA to send the log buffer to an FTP server every time the buffer is full of messages that have never been saved, use the logging ftp-bufferwrap command in global configuration mode. To disable sending the log buffer to an FTP server, use the no form of this command.

logging ftp-bufferwrap

no logging ftp-bufferwrap

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

The defaults are as follows:

  • Logging to the buffer is disabled.
  • Sending the log buffer to an FTP server is disabled.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

When you enable logging ftp-bufferwrap , the ASA sends log buffer data to the FTP server that you specify with the logging ftp-server command. While the ASA sends log data to the FTP server, it continues storing any new event messages to the log buffer.

For the ASA to send log buffer contents to an FTP server, you must enable logging to the buffer; otherwise, the log buffer never has data to be written to flash memory. To enable logging to the buffer, use the logging buffered command.

The ASA creates log files with names that use a default time-stamp format, as follows:

LOG-YYYY-MM-DD-HHMMSS.TXT
 

where YYYY is the year, MM is the month, DD is the day of the month, and HHMMSS is the time in hours, minutes, and seconds.

Examples

The following example shows how to enable logging, enable the log buffer, specify an FTP server, and enable the ASA to write the log buffer to an FTP server. The example specifies an FTP server whose hostname is logserver-352. The server can be accessed with the username, logsupervisor and password, 1luvMy10gs. Log files are to be stored in the /syslogs directory:

ciscoasa(config)# logging enable
ciscoasa(config)# logging buffered
ciscoasa(config)# logging ftp-server logserver-352 /syslogs logsupervisor 1luvMy10gs
ciscoasa(config)# logging ftp-bufferwrap
ciscoasa(config)#
 

 
Related Commands

Command
Description

clear logging buffer

Clears the log buffer of all syslog messages that it contains.

logging buffered

Enables logging to the log buffer.

logging buffer-size

Specifies log buffer size.

logging enable

Enables logging.

logging ftp-server

Specifies FTP server parameters for use with the logging ftp-bufferwrap command.

logging ftp-server

To specify details about the FTP server that the ASA sends log buffer data to when logging ftp-bufferwrap is enabled, use the logging ftp-server command in global configuration mode. To remove all details about an FTP server, use the no form of this command.

logging ftp-server ftp_server path username [ 0 | 8 ] password

no logging ftp-server ftp_server path username [ 0 | 8 ] password

 
Syntax Description

0

(Optional) Specifies that an unencrypted (clear text) user password will follow.

8

(Optional) Specifies that an encrypted user password will follow.

ftp-server

External FTP server IP address or hostname.

Note If you specify a hostname, be sure that DNS is operating correctly on your network.

password

The password for the username specified, which can be up to 64 characters long.

path

Directory path on the FTP server where the log buffer data is to be saved. This path is relative to the FTP root directory. For example:

/security_appliances/syslogs/appliance107
 

username

A username that is valid for logging in to the FTP server.

 
Defaults

No FTP server is specified by default.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

8.3(1)

Support for password encryption has been added.

 
Usage Guidelines

You can only specify one FTP server. If a logging FTP server is already specified, using the logging ftp-server command replaces this FTP server configuration with the new one that you enter.

The ASA does not verify the FTP server information that you specify. If you misconfigure any of the details, the ASA fails to send log buffer data to the FTP server.

During bootup or upgrade of the ASA, single-digit passwords and passwords startingwith a digit followed by a whitespace are not supported. For example, 0 pass and 1 are invalid passwords.

Examples

The following example shows how to enable logging, enable the log buffer, specify an FTP server, and enable the ASA to write the log buffer to an FTP server. This example specifies an FTP server whose hostname is logserver. The server can be accessed with the username, user1 and password, pass1. Log files are to be stored in the /path1 directory:

ciscoasa(config)# logging enable
ciscoasa(config)# logging buffered
ciscoasa(config)# logging ftp-server logserver /path1 user1 pass1
ciscoasa(config)# logging ftp-bufferwrap
 

The following example shows how to enter an encrypted password:

ciscoasa(config)# logging ftp-server logserver /path1 user1 8 JPAGWzIIFVlheXv2I9nglfytOzHU
 

The following example shows how to enter an unencrypted (clear text) password:

ciscoasa(config)# logging ftp-server logserver /path1 user1 0 pass1
 

 
Related Commands

Command
Description

clear logging buffer

Clears the log buffer of all syslog messages that it contains.

logging buffered

Enables logging to the log buffer.

logging buffer-size

Specifies log buffer size.

logging enable

Enables logging.

logging ftp-bufferwrap

Sends the log buffer to an FTP server when the log buffer is full.

logging history

To enable SNMP logging and specify which messages are to be sent to SNMP servers, use the logging history command in global configuration mode. To disable SNMP logging, use the no form of this command.

logging history [ logging_list | level]

no logging history

 
Syntax Description

level

Sets the maximum severity level for syslog messages. For example, if you set the severity level to 3, then the ASA generates syslog messages for severity levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

  • 0 or emergencies —System is unusable.
  • 1 or alerts —Immediate action needed.
  • 2 or critical —Critical conditions.
  • 3 or errors —Error conditions.
  • 4 or warnings —Warning conditions.
  • 5 or notifications —Normal but significant conditions.
  • 6 or informational —Informational messages.
  • 7 or debugging —Debugging messages.

logging_list

Specifies the list that identifies the messages to send to the SNMP server. For information about creating lists, see the logging list command.

 
Defaults

The ASA does not log to SNMP servers by default.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The logging history command allows you to enable logging to an SNMP server and to set the SNMP message level or event list.

Examples

The following example shows how to enable SNMP logging and specify that messages of severity levels 0, 1, 2, and 3 are sent to the SNMP server configured:

ciscoasa(config)# logging enable
ciscoasa(config)# snmp-server host infrastructure 10.2.3.7 trap community gam327
ciscoasa(config)# snmp-server enable traps syslog
ciscoasa(config)# logging history errors
ciscoasa(config)#

 
Related Commands

Command
Description

logging enable

Enables logging.

logging list

Creates a reusable list of message selection criteria.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.

snmp-server

Specifies SNMP server details.

logging host

To define a syslog server, use the logging host command in global configuration mode. To remove a syslog server definition, use the no form of this command.

logging host interface_name syslog_ip [ tcp/ port | udp/ port ] [ format emblem ] [ secure ]

no logging host interface_name syslog_ip [ tcp/ port | udp/ port ] [ format emblem ] [ secure ]

 
Syntax Description

format emblem

(Optional) Enables EMBLEM format logging for the syslog server.

interface_name

Specifies the interface on which the syslog server resides.

port

Indicates the port that the syslog server listens to for messages. Valid port values are 1025 through 65535 for either protocol. If you enter zero as a port number, or use an invalid character or symbol, an error occurs.

secure

(Optional) Specifies that the connection to the remote logging host should use SSL/TLS. This option is valid only if the protocol selected is TCP.

Note A secure logging connection can only be established with an SSL/TLS- capable syslog server. If an SSL/TLS connection cannot be established, all new connections will be denied. You may change this default behavior by entering the logging permit-hostdown command.

syslog_ip

Specifies the IP address of the syslog server.

tcp

Specifies that the ASA should use TCP to send messages to the syslog server.

udp

Specifies that the ASA should use UDP to send messages to the syslog server.

 
Defaults

The default protocol is UDP.

The default setting for the format emblem option is false.

The default setting for the secure option is false.

The default port numbers are as follows:

  • UDP—514
  • TCP —1470

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0

This command was introduced.

8.0(2)

The secure keyword was added.

8.4(1)

Connection blocking can be enabled and disabled.

 
Usage Guidelines

The logging host syslog_ip format emblem command allows you to enable EMBLEM-format logging for each syslog server. EMBLEM-format logging is available for UDP syslog messages only. If you enable EMBLEM-format logging for a particular syslog server, then the messages are sent to that server. If you use the logging timestamp command, the messages with a time stamp are also sent.

You can use multiple logging host commands to specify additional servers that would all receive the syslog messages. However, you can only specify a server to receive either UDP or TCP syslog messages, not both.

The default setting for connection blocking is on when the logging host command has been configured to use TCP to send messages to a syslog server. If a TCP-based syslog server is configured, you can disable connection blocking with the logging permit-hostdown command.


NoteWhen the When the tcp option is used in the logging host command, the ASA will drop connections across the firewall if the syslog server is unreachable.


You can display only the port and protocol values that you previously entered by using the show running-config logging command and finding the command in the listing—TCP is listed as 6, and UDP is listed as 17. TCP ports work only with the syslog server. The port must be the same port on which the syslog server listens.


NoteAn error message occurs if you try to use the An error message occurs if you try to use the logging host command and the secure keyword with UDP.


Sending syslogs over TCP is not supported on a standby ASA.

Examples

The following example shows how to send syslog messages of severity levels 0, 1, 2, and 3 to a syslog server on the inside interface that uses the default protocol and port number:

ciscoasa(config)# logging enable
ciscoasa(config)# logging host inside 10.2.2.3
ciscoasa(config)# logging trap errors
ciscoasa(config)#
 

 
Related Commands

Command
Description

logging enable

Enables logging.

logging trap

Enables logging to syslog servers.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.

logging list

To create a logging list to use in other commands to specify messages by various criteria (logging level, event class, and message IDs), use the logging list command in global configuration mode. To remove the list, use the no form of this command.

logging list name { level level [ class event_class ] | message start_id [ - end_id ]}

no logging list name

 
Syntax Description

class event_class

(Optional) Sets the class of events for syslog messages. For the level specified, only syslog messages of the class specified are identified by the command. See the “Usage Guidelines” section for a list of classes.

level level

Sets the maximum severity level for syslog messages. For example, if you set the severity level to 3, then the ASA generates syslog messages for severity levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

  • 0 or emergencies —System is unusable.
  • 1 or alerts —Immediate action needed.
  • 2 or critical —Critical conditions.
  • 3 or errors —Error conditions.
  • 4 or warnings —Warning conditions.
  • 5 or notifications —Normal but significant conditions.
  • 6 or informational —Informational messages.
  • 7 or debugging —Debugging messages.

message start_id [ - end_id ]

Specified a message ID or range of IDs. To look up the default level of a message, use the show logging command or see the syslog messages guide.

name

Sets the logging list name.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

 
Usage Guidelines

Logging commands that can use lists are the following:

  • logging asdm
  • logging buffered
  • logging console
  • logging history
  • logging mail
  • logging monitor
  • logging trap

Possible values for the event_class include the following:

  • auth —User authentication.
  • bridge —Transparent firewall.
  • ca —PKI certificate authority.
  • config —Command interface.
  • eap —Extensible Authentication Protocol (EAP). Logs the following types of events to support Network Admission Control: EAP session state changes, EAP status query events, and a hexadecimal dump of EAP header and packet contents.
  • eapoudp —Extensible Authentication Protocol (EAP) over UDP. Logs EAPoUDP events to support Network Admission Control, and generates a complete record of EAPoUDP header and packet contents.
  • email —Email proxy.
  • ha —Failover.
  • ids —Intrusion detection system.
  • ip —IP stack.
  • nac —Network Admission Control. Logs the following types of events: initializations, exception list matches, ACS transactions, clientless authentications, default ACL applications, and revalidations.
  • np —Network processor.
  • ospf —OSPF routing.
  • rip —RIP routing.
  • session —User session.
  • snmp —SNMP.
  • sys —System.
  • vpn —IKE and IPSec.
  • vpnc —VPN client.
  • vpnfo —VPN failover.
  • vpnlb —VPN load balancing.

Examples

The following example shows how to use the logging list command:

ciscoasa(config)# logging list my-list 100100-100110
ciscoasa(config)# logging list my-list level critical
ciscoasa(config)# logging list my-list level warning class vpn
ciscoasa(config)# logging buffered my-list
 

The preceding example states that syslog messages that match the criteria specified will be sent to the logging buffer. The criteria specified in this example are:

  • Syslog message IDs that fall in the range of 100100 to 100110
  • All syslog messages with critical level or higher (emergency, alert, or critical)
  • All VPN class syslog messages with warning level or higher (emergency, alert, critical, error, or warning)

If a syslog message satisfies any one of these conditions, it is logged to the buffer.


NoteWhen you design list criteria, the criteria can specify overlapping sets of messages. Syslog messages matching more than one set of criteria are logged normally. When you design list criteria, the criteria can specify overlapping sets of messages. Syslog messages matching more than one set of criteria are logged normally.


 
Related Commands

Command
Description

logging enable

Enables logging.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.

logging mail

To enable the ASA to send syslog messages by e-mail and to determine which messages are sent by e-mail, use the logging mail command in global configuration mode. To disable e-mailing of syslog messages, use the no form of this command.

logging mail [ logging_list | level ]

no logging mail [ logging_list | level ]

 
Syntax Description

level

Sets the maximum severity level for syslog messages. For example, if you set the severity level to 3, then the ASA generates syslog messages for severity levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

  • 0 or emergencies —System is unusable.
  • 1 or alerts —Immediate action needed.
  • 2 or critical —Critical conditions.
  • 3 or errors —Error conditions.
  • 4 or warnings —Warning conditions.
  • 5 or notifications —Normal but significant conditions.
  • 6 or informational —Informational messages.
  • 7 or debugging —Debugging messages.

logging_list

Specifies the list that identifies the messages to send to the e-mail recipient. For information about creating lists, see the logging list command.

 
Defaults

Logging to e-mail is disabled by default.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

E-mailed syslog messages appear in the subject line of the e-mails sent.

Examples

To set up the ASA to send syslog messages by e-mail, use the following criteria:

  • Send messages that are critical, alerts, or emergencies.
  • Send messages using ciscosecurityappliance@example.com as the sender address.
  • Send messages to admin@example.com.
  • Send messages using SMTP, the primary servers pri-smtp-host, and secondary server sec-smtp-host.

Enter the following commands:

ciscoasa(config)# logging mail critical
ciscoasa(config)# logging from-address ciscosecurityappliance@example.com
ciscoasa(config)# logging recipient-address admin@example.com
ciscoasa(config)# smtp-server pri-smtp-host sec-smtp-host
 

 
Related Commands

Command
Description

logging enable

Enables logging.

logging from-address

Specifies the e-mail address from which e-mailed syslog messages appear to come.

logging list

Creates a reusable list of message selection criteria.

logging recipient-address

Specifies the e-mail address to which e-mailed syslog messages are sent.

smtp-server

Configures an SMTP server.

logging message

To specify the logging level of a syslog message, use the logging message command with the level keyword in global configuration mode. To reset the logging level of a message to its default level, use the no form of this command.

logging message syslog_id level level

no logging message syslog_id level level

logging message syslog_id

no logging message syslog_id

 
Syntax Description

level level

Sets the maximum severity level for syslog messages. For example, if you set the severity level to 3, then the ASA generates syslog messages for severity levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

  • 0 or emergencies —System is unusable.
  • 1 or alerts —Immediate action needed.
  • 2 or critical —Critical conditions.
  • 3 or errors —Error conditions.
  • 4 or warnings —Warning conditions.
  • 5 or notifications —Normal but significant conditions.
  • 6 or informational —Informational messages.
  • 7 or debugging —Debugging messages.

syslog_id

The ID of the syslog message that you want to enable or disable or whose severity level you want to modify. To look up the default level of a message, use the show logging command or see the syslog messages guide.

 
Defaults

By default, all syslog messages are enabled and the severity levels of all messages are set to their default levels.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

You can use the logging message command for these purposes:

  • To specify whether a message is enabled or disabled.
  • To indicate the severity level of a message.

You can use the show logging command to determine the level currently assigned to a message and whether the message is enabled.

To prevent the ASA from generating a particular syslog message, use the no form of the logging message command (without the level keyword) in global configuration mode. To let the ASA generate a particular syslog message, use the logging message command (without the level keyword). You can use these two versions of the logging message command in parallel.

Examples

The series of commands in the following example show the use of the logging message command to specify both whether a message is enabled and the severity level of the message:

ciscoasa(config)# show logging message 403503
syslog 403503: default-level errors (enabled)
 
ciscoasa(config)# logging message 403503 level 1
ciscoasa(config)# show logging message 403503
syslog 403503: default-level errors, current-level alerts (enabled)
 
ciscoasa(config)# no logging message 403503
ciscoasa(config)# show logging message 403503
syslog 403503: default-level errors, current-level alerts (disabled)
 
ciscoasa(config)# logging message 403503
ciscoasa(config)# show logging message 403503
syslog 403503: default-level errors, current-level alerts (enabled)
 
ciscoasa(config)# no logging message 403503 level 3
ciscoasa(config)# show logging message 403503
syslog 403503: default-level errors (enabled)
 

 
Related Commands

Command
Description

clear configure logging

Clears all logging configuration or message configuration only.

logging enable

Enables logging.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.

llogging monitor

To enable the ASA to display syslog messages in SSH and Telnet sessions, use the logging monitor command in global configuration mode. To disable the display of syslog messages in SSH and Telnet sessions, use the no form of this command.

logging monitor [ logging_list | level]

no logging monitor

 
Syntax Description

level

Sets the maximum severity level for syslog messages. For example, if you set the severity level to 3, then the ASA generates syslog messages for severity levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

  • 0 or emergencies —System is unusable.
  • 1 or alerts —Immediate action needed.
  • 2 or critical —Critical conditions.
  • 3 or errors —Error conditions.
  • 4 or warnings —Warning conditions.
  • 5 or notifications —Normal but significant conditions.
  • 6 or informational —Informational messages.
  • 7 or debugging —Debugging messages.

logging_list

Specifies the list that identifies the messages to send to the SSH or Telnet session. For information about creating lists, see the logging list command.

 
Defaults

The ASA does not display syslog messages in SSH and Telnet sessions by default.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The logging monitor command enables syslog messages for all sessions in the current context; however, in each session, the terminal command controls whether syslog messages appear in that session.

Examples

The following example shows how to enable the display of syslog messages in console sessions. The use of the errors keyword indicates that messages of severity levels 0, 1, 2, and 3 should display in SSH and Telnet sessions. The terminal command enables the messages to appear in the current session:

ciscoasa(config)# logging enable
ciscoasa(config)# logging monitor errors
ciscoasa(config)# terminal monitor
ciscoasa(config)#
 

 
Related Commands

Command
Description

logging enable

Enables logging.

logging list

Creates a reusable list of message selection criteria.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.

terminal

Sets terminal line parameters.

logging permit-hostdown

To make the status of a TCP-based syslog server irrelevant to new user sessions, use the logging permit-hostdown command in global configuration mode. To cause the ASA to deny new user sessions when a TCP-based syslog server is unavailable, use the no form of this command.

logging permit-hostdown

no logging permit-hostdown

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

By default, if you have enabled logging to a syslog server that uses a TCP connection, the ASA does not allow new network access sessions when the syslog server is unavailable for any reason. The default setting is false for the logging permit-hostdown command.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

If you are using TCP as the logging transport protocol for sending messages to a syslog server, the ASA denies new network access sessions as a security measure if the ASA is unable to reach the syslog server. You can use the logging permit-hostdown command to remove this restriction.

Examples

The following example makes the status of TCP-based syslog servers irrelevant to whether the ASA permits new sessions. When the logging permit-hostdown command includes in its output the show running-config logging command, the status of TCP-based syslog servers is irrelevant to new network access sessions.

ciscoasa(config)# logging permit-hostdown
ciscoasa(config)# show running-config logging
logging enable
logging trap errors
logging host infrastructure 10.1.2.3 6/1470
logging permit-hostdown
ciscoasa(config)#
 

 
Related Commands

Command
Description

logging enable

Enables logging.

logging host

Defines a syslog server.

logging trap

Enables logging to syslog servers.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.

logging queue

To specify how many syslog messages the ASA may hold in its queue before processing them according to the logging configuration, use the logging queue command in global configuration mode. To reset the logging queue size to the default of 512 messages, use the no form of this command.

logging queue queue_size

no logging queue queue_size

 
Syntax Description

queue_size

The number of syslog messages permitted in the queue used for storing syslog messages before processing them. Valid values are from 0 to 8192 messages, depending on the platform type. If the logging queue is set to zero, the queue will be the maximum configurable size (8192 messages), depending on the platform. On the ASA-5505, the maximum queue size is 1024. On the ASA-5510, it is 2048, and on all other platforms, it is 8192 .

 
Defaults

The default queue size is 512 messages.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

When traffic is so heavy that the queue fills up, the ASA may discard messages. On the ASA 5505, the maximum queue size is 1024. On the ASA-5510, it is 2048. On all other platforms, it is 8192.

Examples

The following example shows how to display the output of the logging queue and show logging queue commands:

ciscoasa(config)# logging queue 0
ciscoasa(config)# show logging queue
Logging Queue length limit : Unlimited
Current 5 msg on queue, 3513 msgs most on queue, 1 msg discard.
 

In this example, the logging queue command is set to 0, which means that the queue is set to the maximum of 8192. The syslog messages in the queue are processed by the ASA in the manner dictated by the logging configuration, such as sending syslog messages to mail recipients, saving them to flash memory, and so forth.

The output of this example show logging queue command shows that 5 messages are queued, 3513 messages was the largest number of messages in the queue at one time since the ASA was last booted, and that 1 message was discarded. Even though the queue was set for unlimited messages, the message was discarded because no block memory was available to add the message to the queue.

 
Related Commands

Command
Description

logging enable

Enables logging.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.

logging rate-limit

To limit the rate at which syslog messages are generated, use the logging rate-limit command in privileged EXEC mode. To disable rate limiting, use the no form of this command in privileged EXEC mode.

logging rate-limit { unlimited | { num [ interval ]}} message syslog_id | level severity_level

[no] logging rate-limit [ unlimited | { num [ interval ]}} message syslog_id ] level severity_level

 
Syntax Description

interval

(Optional) Time interval (in seconds) to use for measuring the rate at which messages are generated. The valid range of values for interval is 0 through 2147483647.

level severity_level

Applies the set rate limits on all syslog messages that belong to a certain severity level. All syslog messages at a specified severity level are rate-limited individually. The valid range for severity_level is 1 through 7.

message

Suppresses reporting of this syslog message.

num

Number of syslog messages that can be generated during the specified time interval. The valid range of values for num is 0 through 2147483647.

syslog_id

ID of the syslog message to be suppressed. The valid range of values is 100000-999999.

unlimited

Disables rate limiting, which means that there is no limit on the logging rate.

 
Defaults

The default setting for interval is 1.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(4)

This command was introduced.

 
Usage Guidelines

The syslog message severity levels are as follows:

  • 0—System is unusable
  • 1—Immediate action needed
  • 2—Critical Conditions
  • 3—Error Conditions
  • 4—Warning Conditions
  • 5—Normal but significant conditions
  • 6—Informational Messages
  • 7—Debugging Messages

Examples

To limit the rate of syslog message generation, you can enter a specific message ID. The following example shows how to limit the rate of syslog message generation using a specific message ID and time interval:

ciscoasa(config)# logging rate-limit 100 600 message 302020
 

This example suppresses syslog message 302020 from being sent to the host after the rate limit of 100 is reached in the specified interval of 600 seconds.

To limit the rate of syslog message generation, you can enter a specific severity level. The following example shows how to limit the rate of syslog message generation using a specific severity level and time interval.

ciscoasa(config)# logging rate-limit 1000 600 level 6
 

This example suppresses all syslog messages under severity level 6 to the specified rate limit of 1000 in the specified time interval of 600 seconds. Each syslog message in severity level 6 has a rate limit of 1000.

 
Related Commands

Command
Description

clear running-config logging rate-limit

Resets the logging rate limit setting to its default.

show logging

Shows the messages currently in the internal buffer or logging configuration settings.

show running-config logging rate-limit

Shows the current logging rate limit setting.

logging recipient-address

To specify the receiving e-mail address for syslog messages sent by the ASA, use the logging recipient-address command in global configuration mode. To remove the receiving e-mail address, use the no form of this command.

logging recipient-address address [ level level ]

no logging recipient-address address [ level level ]

 
Syntax Description

address

Specifies recipient e-mail address when sending syslog messages by e-mail.

level

Indicates that a severity level follows.

level

Sets the maximum severity level for syslog messages. For example, if you set the severity level to 3, then the ASA generates syslog messages for severity levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

  • 0 or emergencies —System is unusable.
  • 1 or alerts —Immediate action needed.
  • 2 or critical —Critical conditions.
  • 3 or errors —Error conditions.
  • 4 or warnings —Warning conditions.
  • 5 or notifications —Normal but significant conditions.
  • 6 or informational —Informational messages.
  • 7 or debugging —Debugging messages.

Note We do not recommend using a severity level greater than 3 with the logging recipient-address command. Higher severity levels are likely to cause dropped syslog messages because of buffer overflow.

The message severity level specified by a logging recipient-address command overrides the message severity level specified by the logging mail command. For example, if a logging recipient-address command specifies a severity level of 7 but the logging mail command specifies a severity level of 3, the ASA sends all messages to the recipient, including those of severity levels 4, 5, 6, and 7.

 
Defaults

The default value is set to the errors logging level.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

You can configure up to 5 recipient addresses. If you want, each recipient address can have a different message level than that specified by the logging mail command. Sending syslog messages by e-mail is enabled by the logging mail command.

Use this command to have more urgent messages sent to a larger number of recipients.

Examples

To set up the ASA to send syslog messages by e-mail, use the following criteria:

  • Send messages that are critical, alerts, or emergencies.
  • Send messages using ciscosecurityappliance@example.com as the sender address.
  • Send messages to admin@example.com.
  • Send messages using SMTP, the primary servers pri-smtp-host, and secondary server sec-smtp-host.

Enter the following commands:

ciscoasa(config)# logging mail critical
ciscoasa(config)# logging from-address ciscosecurityappliance@example.com
ciscoasa(config)# logging recipient-address admin@example.com
ciscoasa(config)# smtp-server pri-smtp-host sec-smtp-host
 

 
Related Commands

Command
Description

logging enable

Enables logging.

logging from-address

Specifies the e-mail address from which syslog messages appear to come.

logging mail

Enables the ASA to send syslog messages by e-mail and determines which messages are sent by e-mail.

smtp-server

Configures an SMTP server.

show logging

Displays the enabled logging options.

logging savelog

To save the log buffer to flash memory, use the logging savelog command in privileged EXEC mode.

logging savelog [ savefile ]

 
Syntax Description

savefile

(Optional) Saved flash memory file name. If you do not specify the file name, the ASA saves the log file using a default time-stamp format, as follows:

LOG- YYYY - MM - DD - HHMMSS .TXT
 

where YYYY is the year, MM is the month, DD is the day of the month, and HHMMSS is the time in hours, minutes, and seconds.

 
Defaults

The defaults are as follows:

  • Buffer size is 4 KB.
  • Minimum free flash memory is 3 MB.
  • Maximum flash memory allocation for buffer logging is 1 MB.
  • The default log file name is described in the “Syntax Description” section.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

Before you can save the log buffer to flash memory, you must enable logging to the buffer; otherwise, the log buffer never has data to be saved to flash memory. To enable logging to the buffer, use the logging buffered command.


NoteThe The logging savelog command does not clear the buffer. To clear the buffer, use the clear logging buffer command.


Examples

The following example enables logging and the log buffer, exits global configuration mode, and saves the log buffer to flash memory using the file name, latest-logfile.txt:

ciscoasa(config)# logging enable
ciscoasa(config)# logging buffered
ciscoasa(config)# exit
ciscoasa# logging savelog latest-logfile.txt
ciscoasa#

 
Related Commands

Command
Description

clear logging buffer

Clears the log buffer of all syslog messages that it contains.

copy

Copies a file from one location to another, including to a TFTP or FTP server.

delete

Deletes a file from the disk partition, such as saved log files.

logging buffered

Enables logging to the log buffer.

logging enable

Enables logging.

logging standby

To enable the failover standby ASA to send syslog messages to logging destinations, use the logging standby command in global configuration mode. To disable syslog messaging and SNMP logging, use the no form of this command.

logging standby

no logging standby

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

The logging standby command is disabled by default.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

You can enable the logging standby command to ensure that the syslog messages of the failover standby ASA stay synchronized if failover occurs.


NoteUsing the Using the logging standby command causes twice as much traffic on shared logging destinations, such as syslog servers, SNMP servers, and FTP servers.


Examples

The following example enables the ASA to send syslog messages to the failover standby ASA. The output of the show logging command indicates that this feature is enabled:

ciscoasa(config)# logging standby
ciscoasa(config)# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: enabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: disabled
History logging: disabled
Device ID: 'inside' interface IP address "10.1.1.1"
Mail logging: disabled
ASDM logging: disabled
 

 
Related Commands

Command
Description

failover

Enables the failover feature.

logging enable

Enables logging.

logging host

Defines a syslog server.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.

logging timestamp

To specify that syslog messages should include the date and time that the messages was generated, use the logging timestamp command in global configuration mode. To remove the date and time from syslog messages, use the no form of this command.

logging timestamp

no logging timestamp

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

The ASA does not include the date and time in syslog messages by default.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The logging timestamp command makes the ASA include a timestamp in all syslog messages.

Examples

The following example enables the inclusion of timestamp information in all syslog messages:

ciscoasa(config)# logging enable
ciscoasa(config)# logging timestamp
ciscoasa(config)#
 

 
Related Commands

Command
Description

logging enable

Enables logging.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.

logging trap

To specify which syslog messages the ASA sends to a syslog server, use the logging trap command in global configuration mode. To remove this command from the configuration, use the no form of this command.

logging trap [ logging_list | level]

no logging trap

 
Syntax Description

level

Sets the maximum severity level for syslog messages. For example, if you set the severity level to 3, then the ASA generates syslog messages for severity levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

  • 0 or emergencies —System is unusable.
  • 1 or alerts —Immediate action needed.
  • 2 or critical —Critical conditions.
  • 3 or errors —Error conditions.
  • 4 or warnings —Warning conditions.
  • 5 or notifications —Normal but significant conditions.
  • 6 or informational —Informational messages.
  • 7 or debugging —Debugging messages.

logging_list

Specifies the list that identifies the messages to send to the syslog server. For information about creating lists, see the logging list command.

 
Defaults

No default syslog message trap is defined.

 
Command Modes

The following table shows the modes in which you can enter the command.

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

If you are using TCP as the logging transport protocol, the ASA denies new network access sessions as a security measure if the ASA is unable to reach the syslog server, if the syslog server is misconfigured, or if the disk is full.

UDP-based logging does not prevent the ASA from passing traffic if the syslog server fails.

Examples

The following example shows how to send syslog messages of severity levels 0, 1, 2, and 3 to a syslog server that resides on the inside interface and uses the default protocol and port number.

ciscoasa(config)# logging enable
ciscoasa(config)# logging host inside 10.2.2.3
ciscoasa(config)# logging trap errors
ciscoasa(config)#
 

 
Related Commands

Command
Description

logging enable

Enables logging.

logging host

Defines a syslog server.

logging list

Creates a reusable list of message selection criteria.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.

login

To log into privileged EXEC mode using the local user database (see the username command) or to change user names, use the login command in user EXEC mode.

login

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

From user EXEC mode, you can log in to privileged EXEC mode as any username in the local database using the login command. The login command is similar to the enable command when you have enable authentication turned on (see the aaa authentication console command). Unlike enable authentication, the login command can only use the local username database, and authentication is always required with this command. You can also change users using the login command from any CLI mode.

To allow users to access privileged EXEC mode (and all commands) when they log in, set the user privilege level to 2 (the default) through 15. If you configure local command authorization, then the user can only enter commands assigned to that privilege level or lower. See the aaa authorization command for more information.


Caution If you add users to the local database who can gain access to the CLI and whom you do not want to enter privileged EXEC mode, you should configure command authorization. Without command authorization, users can access privileged EXEC mode (and all commands) at the CLI using their own password if their privilege level is 2 or greater (2 is the default). Alternatively, you can use RADIUS or TACACS+ authentication, or you can set all local users to level 1 so you can control who can use the system enable password to access privileged EXEC mode.

Examples

The following example shows the prompt after you enter the login command:

ciscoasa> login
Username:

 
Related Commands

Command
Description

aaa authorization command

Enables command authorization for CLI access.

aaa authentication console

Requires authentication for console, Telnet, HTTP, SSH, or enable command access.

logout

Logs out of the CLI.

username

Adds a user to the local database.

login-button

To customize the Login button of the WebVPN page login box that is displayed to WebVPN users when they connect to the security appliance, use the login-button command from webvpn customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.

login-button { text | style } value

[ no ] login-button { text | style } value

 
Syntax Description

style

Specifies you are changing the style.

text

Specifies you are changing the text.

value

The actual text to display (maximum 256 characters), or Cascading Style Sheet (CSS) parameters (maximum 256 characters).

 
Defaults

The default login button text is “Login”.

The default login button style is:

border: 1px solid black;background-color:white;font-weight:bold; font-size:80%

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn customization configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

 
Usage Guidelines

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

  • You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.
  • RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.
  • HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.

NoteTo easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities. To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.


Examples

The following example customizes the Login button with the text “OK”:

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# customization cisco
ciscoasa(config-webvpn-custom)# login-button text OK

 
Related Commands

Command
Description

login-title

Customizes the title of the WebVPN page login box.

group-prompt

Customizes the group prompt of the WebVPN page login box.

password-prompt

Customizes the password prompt of the WebVPN page login box.

username-prompt

Customizes the username prompt of the WebVPN page login box.

login-message

To customize the login message of the WebVPN page displayed to WebVPN users when they connect to the security appliance, use the login-message command from webvpn customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.

login-message { text | style } value

[ no ] login-message { text | style } value

 
Syntax Description

text

Specifies you are changing the text.

style

Specifies you are changing the style.

value

The actual text to display (maximum 256 characters), or Cascading Style Sheet (CSS) parameters (maximum 256 characters).

 
Defaults

The default login message is “Please enter your username and password”.

The default login message style is background-color:#CCCCCC;color:black.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

WebVPN customization configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

 
Usage Guidelines

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

  • You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.
  • RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.
  • HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.

NoteTo easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities. To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.


Examples

In the following example, the login message text is set to “username and password”:

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# customization cisco
ciscoasa(config-webvpn-custom)# login-message text username and password

 
Related Commands

Command
Description

login-title

Customizes the title of the login box on the WebVPN page.

username-prompt

Customizes the username prompt of the WebVPN page login.

password-prompt

Customizes the password prompt of the WebVPN page login.

group-prompt

Customizes the group prompt of the WebVPN page login.

login-title

To customize the title of the login box on the WebVPN page displayed to WebVPN users, use the login-title command from webvpn customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.

login-title { text | style } value

[ no ] login-title { text | style } value

 
Syntax Description

text

Specifies you are changing the text.

style

Specifies you are changing the HTML style.

value

The actual text to display (maximum 256 characters), or Cascading Style Sheet (CSS) parameters (maximum 256 characters).

 
Defaults

The default login text is “Login”.

The default HTML style of the login title is background-color: #666666; color: white.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn customization configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

 
Usage Guidelines

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

  • You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.
  • RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.
  • HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.

NoteTo easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities. To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.


Examples

The following example configures the login title style:

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# customization cisco
ciscoasa(config-webvpn-custom)# login-title style background-color: rgb(51,51,255);color: rgb(51,51,255); font-family: Algerian; font-size: 12pt; font-style: italic; font-weight: bold

 
Related Commands

Command
Description

login-message

Customizes the login message of the WebVPN login page.

username-prompt

Customizes the username prompt of the WebVPN login page.

password-prompt

Customizes the password prompt of the WebVPN login page.

group-prompt

Customizes the group prompt of the WebVPN login page.

logo

To customize the logo on the WebVPN page displayed to WebVPN users when they connect to the security appliance, use the logo command from webvpn customization mode. To remove a logo from the configuration and reset the default (the Cisco logo), use the no form of this command.

logo {none | file { path value }}

[ no ] logo {none | file { path value }}

 
Syntax Description

file

Indicates you are supplying a file containing a logo.

none

Indicates that there is no logo. Sets a null value, thereby disallowing a logo. Prevents inheriting a logo.

path

The path of the filename. The possible paths are disk0:, disk1:, or flash:

value

Specifies the filename of the logo. Maximum length is 255 characters, with no spaces. File type must be JPG, PNG, or GIF, and must be less than 100 KB.

 
Defaults

The default logo is the Cisco logo.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn customization configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

 
Usage Guidelines

If the filename you specify does not exist, an error message displays. If you remove a logo file but the configuration still points to it, no logo displays.

The filename cannot contain spaces.

Examples

In the following example, the file cisco_logo.gif contains a custom logo:

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# customization cisco
ciscoasa(config-webvpn-custom)#logo file disk0:cisco_logo.gif
 

 
Related Commands

Command
Description

title

Customizes the title of the WebVPN page.

page style

Customizes the WebVPN page using Cascading Style Sheet (CSS) parameters.

logout

To exit from the CLI, use the logout command in user EXEC mode.

logout

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behaviors or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The logout command lets you log out of the ASA. You can use the exit or quit commands to go back to unprivileged mode.

Examples

The following example shows how to log out of the ASA:

ciscoasa> logout

 
Related Commands

Command
Description

login

Initiates the log-in prompt.

exit

Exits an access mode.

quit

Exits configuration or privileged mode.

logout-message

To customize the logout message of the WebVPN logout screen that is displayed to WebVPN users when they logout from WebVPN service, use the logout-message command from webvpn customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.

logout-message { text | style } value

[ no ] logout-message { text | style } value

 
Syntax Description

style

Specifies you are changing the style.

text

Specifies you are changing the text.

value

The actual text to display (maximum 256 characters), or Cascading Style Sheet (CSS) parameters (maximum 256 characters).

 
Defaults

The default logout message text is “Goodbye”.

The default logout message style is background-color:#999999;color:black.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

WebVPN customization configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

 
Usage Guidelines

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

  • You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.
  • RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.
  • HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.

NoteTo easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities. To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.


Examples

The following example configures the logout message style:

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# customization cisco
ciscoasa(config-webvpn-custom)# logout-message style background-color: rgb(51,51,255);color: rgb(51,51,255); font-family: Algerian; font-size: 12pt; font-style: italic; font-weight: bold

 
Related Commands

Command
Description

logout-title

Customizes the logout title of the WebVPN page.

group-prompt

Customizes the group prompt of the WebVPN page login box.

password-prompt

Customizes the password prompt of the WebVPN page login box.

username-prompt

Customizes the username prompt of the WebVPN page login box.