Cisco Security Appliance Command Reference, Version 8.0
logging asdm -- logout message
Downloads: This chapterpdf (PDF - 626.0KB) The complete bookPDF (PDF - 27.03MB) | Feedback

logging asdm through logout message Commands

Table Of Contents

logging asdm through logout message Commands

logging asdm

logging asdm-buffer-size

logging buffered

logging buffer-size

logging class

logging console

logging debug-trace

logging device-id

logging emblem

logging enable

logging facility

logging flash-bufferwrap

logging flash-maximum-allocation

logging flash-minimum-free

logging from-address

logging ftp-bufferwrap

logging ftp-server

logging history

logging host

logging list

logging mail

logging message

logging monitor

logging permit-hostdown

logging queue

logging rate-limit

logging recipient-address

logging savelog

logging standby

logging timestamp

logging trap

login

login-button

login-message

login-title

logo

logout

logout-message


logging asdm through logout message Commands


logging asdm

To send system log messages to the ASDM log buffer, use the logging asdm command in global configuration mode. To disable logging to the ASDM log buffer, use the no form of this command.

logging asdm [logging_list | level]

no logging asdm [logging_list | level]

Syntax Description

level

Sets the maximum level for system log messages. For example, if you set the level to 3, then the security appliance generates system log messages for levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

0 or emergencies—System unusable.

1 or alerts—Take immediate action.

2 or critical—Critical condition.

3 or errors—Error.

4 or warnings—Warning.

5 or notifications—Normal but significant condition.

6 or informational—Information.

7 or debugging—Debug messages, log FTP commands, and WWW URLs.

logging_list

Specifies the list that identifies the messages to send to the ASDM log buffer. For information about creating lists, see the logging list command.


Defaults

ASDM logging is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Before any messages are sent to the ASDM log buffer, you must enable logging using the logging enable command.

When the ASDM log buffer is full, security appliance deletes the oldest message to make room in the buffer for new messages. To control the number of system log messages retained in the ASDM log buffer, use the logging asdm-buffer-size command.

The ASDM log buffer is a different buffer than the log buffer enabled by the logging buffered command.

Examples

This example shows how to enable logging and send to the ASDM log buffer messages of severity levels 0, 1, and 2. It also shows how to set the ASDM log buffer size to 200 messages.

hostname(config)# logging enable
hostname(config)# logging asdm 2
hostname(config)# logging asdm-buffer-size 200
hostname(config)# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level critical, 48 messages logged

Related Commands

Command
Description

clear logging asdm

Clears the ASDM log buffer of all messages it contains.

logging asdm-buffer-size

Specifies the number of ASDM messages retained in the ASDM log buffer

logging enable

Enables logging.

logging list

Creates a reusable list of message selection criteria.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging configuration.


logging asdm-buffer-size

To specify the number of system log messages retained in the ASDM log buffer, use the logging asdm-buffer-size command in global configuration mode. To reset the ASDM log buffer to its default size of 100 messages, use the no form of this command.

logging asdm-buffer-size num_of_msgs

no logging asdm-buffer-size num_of_msgs

Syntax Description

num_of_msgs

Specifies the number of system log messages that the security appliance retains in the ASDM log buffer.


Defaults

The default ASDM syslog buffer size is 100 messages.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

When the ASDM log buffer is full, security appliance deletes the oldest message to make room in the buffer for new messages. To control whether logging to the ASDM log buffer is enabled or to control the kind of system log messages retained in the ASDM log buffer, use the logging asdm command.

The ASDM log buffer is a different buffer than the log buffer enabled by the logging buffered command.

Examples

This example shows how enable logging and send to the ASDM log buffer messages of severity levels 0, 1, and 2. It also shows how to set the ASDM log buffer size to 200 messages.

hostname(config)# logging enable
hostname(config)# logging asdm 2
hostname(config)# logging asdm-buffer-size 200
hostname(config)# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level critical, 48 messages logged

Related Commands

Command
Description

clear logging asdm

Clears the ASDM log buffer of all messages it contains.

logging asdm

Enables logging to the ASDM log buffer.

logging enable

Enables logging.

show logging

Displays the enabled logging options.

show running-config logging

Displays the currently running logging configuration.


logging buffered

To enable the security appliance to send system log messages to the log buffer, use the logging buffered command in global configuration mode. To disable logging to the log buffer, use the no form of this command.

logging buffered [logging_list | level]

no logging buffered [logging_list | level]

Syntax Description

level

Sets the maximum level for system log messages. For example, if you set the level to 3, then the security appliance generates system log messages for levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

0 or emergencies—System unusable.

1 or alerts—Take immediate action.

2 or critical—Critical condition.

3 or errors—Error.

4 or warnings—Warning.

5 or notifications—Normal but significant condition.

6 or informational—Information.

7 or debugging—Debug messages, log FTP commands, and WWW URLs.

logging_list

Specifies the list that identifies the messages to send to the log buffer. For information about creating lists, see the logging list command.


Defaults

The defaults are as follows:

Logging to the buffer is disabled.

Buffer size is 4 KB.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Before any messages are sent to the log buffer, you must enable logging using the logging enable command.

New messages append to the end of the buffer. When the buffer fills up, the security appliance clears it and continues adding messages to it. When the log buffer is full, the security appliance deletes the oldest message to make room in the buffer for new messages. You can have buffer contents automatically saved each time the contents of the buffer have "wrapped", which means that all the messages since the last save have been replaced by new messages. For more information, see the logging flash-bufferwrap and logging ftp-bufferwrap commands.

At any time, you can save the contents of the buffer to Flash memory. For more information, see the logging savelog command.

System log messages sent to the buffer can be viewed with the show logging command.

Examples

This example configures logging to the buffer for level 0 and level 1 events:

hostname(config)# logging buffered alerts
hostname(config)#

This example creates a list named notif-list with a maximum logging level of 7 and configures logging to the buffer for system log messages identified by the notif-list list.

hostname(config)# logging list notif-list level 7
hostname(config)# logging buffered notif-list
hostname(config)#

Related Commands

Command
Description

clear logging buffer

Clears the log buffer of all system log messages that it contains.

logging buffer-size

Specifies log buffer size.

logging enable

Enables logging.

logging flash-bufferwrap

Writes the log buffer to Flash memory when the log buffer is full.

logging ftp-bufferwrap

Sends the log buffer to an FTP server when the log buffer is full.

logging list

Creates a reusable list of message selection criteria.

logging savelog

Saves the contents of the log buffer to Flash memory.

show logging

Displays the enabled logging options.

show running-config logging

Displays the currently running logging configuration.


logging buffer-size

To specify the size of the log buffer, use the logging buffer-size command in global configuration mode. To reset the log buffer to its default size of 4 KB of memory, use the no form of this command.

logging buffer-size bytes

no logging buffer-size bytes

Syntax Description

bytes

Sets the amount of memory used for the log buffer, in bytes. For example, if you specify 8192, the security appliance uses 8 KB of memory for the log buffer.


Defaults

The log buffer size is 4 KB of memory.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

To see whether the security appliance is using a log buffer of a size other than the default buffer size, use the show running-config logging command. If the logging buffer-size command is not shown, then the security appliance uses a log buffer of 4 KB.

For more information about how the security appliance uses the buffer, see the logging buffered command.

Examples

This example enables logging, enables the logging buffer, and specifies that the security appliance uses 16 KB of memory for the log buffer:

hostname(config)# logging enable
hostname(config)# logging buffered
hostname(config)# logging buffer-size 16384
hostname(config)# 

Related Commands

Command
Description

clear logging buffer

Clears the log buffer of all system log messages it contains.

logging buffered

Enables logging to the log buffer.

logging enable

Enables logging.

logging flash-bufferwrap

Writes the log buffer to Flash memory when the log buffer is full.

logging savelog

Saves the contents of the log buffer to Flash memory.

show logging

Displays the enabled logging options.

show running-config logging

Displays the currently running logging configuration.


logging class

To configure the maximum logging level per logging destination for a message class, use the logging class command in global configuration mode. To remove a message class logging level configuration, use the no form of the command.

logging class class destination level [destination level . . .]

no logging class class

Syntax Description

class

Specifies the message class whose maximum logging levels per destination. For valid values of class, see the "Usage Guidelines" section that follows.

destination

Specifies a logging destination for class. For the destination, the level determines the maximum logging level sent to destination. For valid values of destination, see the "Usage Guidelines" section that follows.

level

Sets the maximum level for system log messages. For example, if you set the level to 3, then the security appliance generates system log messages for levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

0 or emergencies—System unusable.

1 or alerts—Take immediate action.

2 or critical—Critical condition.

3 or errors—Error.

4 or warnings—Warning.

5 or notifications—Normal but significant condition.

6 or informational—Information.

7 or debugging—Debug messages, log FTP commands, and WWW URLs.


Defaults

By default, the security appliance does not apply logging levels on a logging destination and message class basis. Instead, each enabled logging destination receives messages for all classes at the logging level determined by the logging list or level specified when you enabled the logging destination.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.2(1)

This command was introduced.

8.0(2)

Added eigrp to valid class values.


Usage Guidelines

Valid values for class include the following:

auth—User authentication.

bridge—Transparent firewall.

ca—PKI certificate authority.

config—Command interface.

eap—Extensible Authentication Protocol (EAP). Logs the following types of events to support Network Admission Control: EAP session state changes, EAP status query events, and a hexadecimal dump of EAP header and packet contents.

eapoudp—Extensible Authentication Protocol (EAP) over UDP. Logs EAPoUDP events to support Network Admission Control, and generates a complete record of EAPoUDP header and packet contents.

eigrp—EIGRP routing.

email—Email proxy.

ha—Failover.

ids—Intrusion detection system.

ip—IP stack.

nac—Network Admission Control. Logs the following types of events: initializations, exception list matches, ACS transactions, clientless authentications, default ACL applications, and revalidations.

np—Network processor.

ospf—OSPF routing.

rip—RIP routing.

session—User session.

snmp—SNMP.

sys—System.

vpn—IKE and IPSec.

vpnc—VPN client.

vpnfo—VPN failover.

vpnlb—VPN load balancing.

Valid logging destinations are as follows:

asdm—To learn about this destination, see the logging asdm command.

buffered—To learn about this destination, see the logging buffered command.

console—To learn about this destination, see the logging console command.

history—To learn about this destination, see the logging history command.

mail—To learn about this destination, see the logging mail command.

monitor—To learn about this destination, see the logging monitor command.

trap—To learn about this destination, see the logging trap command.

Examples

This example specifies that, for failover-related messages, the maximum logging level for the ASDM log buffer is 2 and the maximum logging level for the system log buffer is 7:

hostname(config)# logging class ha asdm 2 buffered 7
hostname(config)# 

Related Commands

Command
Description

logging enable

Enables logging.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.


logging console

To enable the security appliance to display system log messages in console sessions, use the logging console command in global configuration mode. To disable the display of system log messages in console sessions, use the no form of this command.

logging console [logging_list | level]

no logging console


Note We recommend that you do not use this command because it may cause many system log messages to be dropped due to buffer overflow. For more information, see the "Usage Guidelines" section that follows.


Syntax Description

level

Sets the maximum level for system log messages. For example, if you set the level to 3, then the security appliance generates system log messages for levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

0 or emergencies—System unusable.

1 or alerts—Take immediate action.

2 or critical—Critical condition.

3 or errors—Error.

4 or warnings—Warning.

5 or notifications—Normal but significant condition.

6 or informational—Information.

7 or debugging—Debug messages, log FTP commands, and WWW URLs.

logging_list

Specifies the list that identifies the messages to send to the console session. For information about creating lists, see the logging list command.


Defaults

The security appliance does not display system log messages in console sessions by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Before any messages are sent to the console, you must enable logging using the logging enable command.


Caution Using the logging console command could significantly degrade system performance. Instead, use the logging buffered command to start logging and the show logging command to view the messages. To make viewing the most current messages easier, use the clear logging buffer command to clear the buffer.

Examples

This example shows how to enable system log messages of levels 0, 1, 2, and 3 to appear in console sessions:

hostname(config)# logging enable
hostname(config)# logging console errors
hostname(config)# 

Related Commands

Command
Description

logging enable

Enables logging.

logging list

Creates a reusable list of message selection criteria.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.


logging debug-trace

To redirect debugging messages to logs as system log message 711001 issued at severity level 7, use the logging debug-trace command in global configuration mode. To stop sending debugging messages to logs, use the no form of this command.

logging debug-trace

no logging debug-trace

Syntax Description

This command has no arguments or keywords.

Defaults

By default, the security appliance does not include debug output in system log messages.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Debug messages are generated as severity level 7 messages. They appear in logs with the system log message number 711001, but do not appear in any monitoring session.

Examples

This example shows how to enable logging, send log messages to the system log buffer, redirect debugging output to logs, and turn on debugging disk activity.

hostname(config)# logging enable
hostname(config)# logging buffered
hostname(config)# logging debug-trace
hostname(config)# debug disk filesystem

An example of a debug message that could appear in the logs follows:

%PIX-7-711001: IFS: Read: fd 3, bytes 4096

Related Commands

Command
Description

logging enable

Enables logging.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.


logging device-id

To configure the security appliance to include a device ID in non-EMBLEM-format system log messages, use the logging device-id command in global configuration mode. To disable the use of a device ID, use the no form of this command.

logging device-id {context-name | hostname | ipaddress interface_name | string text}

no logging device-id {context-name | hostname | ipaddress interface_name | string text}

Syntax Description

context-name

Specifies the name of the current context as the device ID.

hostname

Specifies the hostname of the security appliance as the device ID.

ipaddress interface_name

Specifies the device ID or the IP address of the interface in interface_name. If you use the ipaddress keyword, system log messages sent to an external server contain the IP address of the interface specified, regardless of which interface the security appliance uses to send the log data to the external server.

string text

Specifies as the device ID the characters contained in text, which can be up to 16 characters long. You cannot use white space characters or any of the following characters:

&—ampersand

'—single quote

"—double quote

<—less than

>—greater than

?—question mark


Defaults

No default device ID is used in system log messages.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

If you use the ipaddress keyword, the device ID becomes the specified security appliance interface IP address, regardless of the interface from which the message is sent. This keyword provides a single, consistent device ID for all messages that are sent from the device.

Examples

This example shows how to configure a host named secappl-1:

hostname(config)# logging device-id hostname
hostname(config)# show logging
Syslog logging: disabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level informational, 991 messages logged
Trap logging: disabled
History logging: disabled
Device ID: hostname "secappl-1"

The host name appears at the beginning of system log messages, such as in the following message:

secappl-1 %PIX-5-111008: User 'enable_15' executed the 'logging buffer-size 4096' command.

Related Commands

Command
Description

logging enable

Enables logging.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.


logging emblem

To use the EMBLEM format for system log messages sent to destinations other than a syslog server, use the logging emblem command in global configuration mode. To disable the use of EMBLEM format, use the no form of this command.

logging emblem

no logging emblem

Syntax Description

This command has no arguments or keywords.

Defaults

By default, the security appliance does not use EMBLEM format for system log messages.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was changed to be independent of the logging host command.


Usage Guidelines

The logging emblem command lets you to enable EMBLEM-format logging for all logging destinations other than syslog servers. If you also enable the logging timestamp keyword, the messages with a time stamp are sent.

To enable EMBLEM-format logging for syslog servers, use the format emblem option with the logging host command.

Examples

This example shows how to enable logging and enable the use of EMBLEM-format for logging to all logging destinations except syslog servers:

hostname(config)# logging enable
hostname(config)# logging emblem
hostname(config)# 

Related Commands

Command
Description

logging enable

Enables logging.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.


logging enable

To enable logging for all configured output locations, use the logging enable command in global configuration mode. To disable logging, use the no form of this command.

logging enable

no logging enable

Syntax Description

This command has no arguments or keywords.

Defaults

Logging is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was changed from the logging on command.


Usage Guidelines

The logging enable command allows you to enable or disable sending system log messages to any of the supported logging destinations. You can stop all logging with the no logging enable command.

You can enable logging to individual logging destinations with the following commands:

logging asdm

logging buffered

logging console

logging history

logging mail

logging monitor

logging trap

Examples

This example shows how to enable logging. The output of the show logging command illustrates how each possible logging destination must be enabled separately.

hostname(config)# logging enable
hostname(config)# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled

Related Commands

Command
Description

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.


logging facility

To specify the logging facility used for messages sent to syslog servers, use the logging facility command in global configuration mode. To reset the logging facility to its default of 20, use the no form of this command.

logging facility  facility

no logging facility 

Syntax Description

facility

Specifies the logging facility; valid values are 16 through 23.


Defaults

The default facility is 20 (LOCAL4).

Command Modes

The following table shows the modes in which you can enter the command, with the exceptions noted in the Syntax Description section:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Syslog servers file messages based on the facility number in the message. There are eight possible facilities: 16 (LOCAL0) through 23 (LOCAL7).

Examples

This example shows how to specify that the security appliance specify the logging facility as 16 in system log messages. The output of the show logging command includes the facility being used by the security appliance.

hostname(config)# logging facility 16
hostname(config)# show logging
Syslog logging: enabled
    Facility: 16
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level errors, facility 16, 3607 messages logged
        Logging to infrastructure 10.1.2.3
    History logging: disabled
    Device ID: 'inside' interface IP address "10.1.1.1"
    Mail logging: disabled
    ASDM logging: disabled

Related Commands

Command
Description

logging enable

Enables logging.

logging host

Defines a syslog server.

logging trap

Enables logging to syslog servers.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.


logging flash-bufferwrap

To enable the security appliance to write the log buffer to Flash memory every time the buffer is full of messages that have never been saved, use the logging flash-bufferwrap command in global configuration mode. To disable writing of the log buffer to Flash memory, use the no form of this command.

logging flash-bufferwrap

no logging flash-bufferwrap

Syntax Description

This command has no arguments or keywords.

Defaults

The defaults are as follows:

Logging to the buffer is disabled.

Writing the log buffer to Flash memory is disabled.

Buffer size is 4 KB.

Minimum free Flash memory is 3 MB.

Maximum Flash memory allocation for buffer logging is 1 MB.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

For the security appliance to write the log buffer to Flash memory, you must enable logging to the buffer; otherwise, the log buffer never has data to be written to Flash memory. To enable logging to the buffer, use the logging buffered command.

While the security appliance writes log buffer contents to Flash memory, it continues storing to the log buffer continues any new event messages.

The security appliance creates log files with names that use a default time-stamp format, as follows:

LOG-YYYY-MM-DD-HHMMSS.TXT

where YYYY is the year, MM is the month, DD is the day of the month, and HHMMSS is the time in hours, minutes, and seconds.

The availability of Flash memory affects how the security appliance saves system log messages using the logging flash-bufferwrap command. For more information, see the logging flash-maximum-allocation and the logging flash-minimum-free commands.

Examples

This example shows how to enable logging, enable the log buffer, and enable the security appliance to write the log buffer to Flash memory:

hostname(config)# logging enable
hostname(config)# logging buffered
hostname(config)# logging flash-bufferwrap

hostname(config)#

Related Commands

Command
Description

clear logging buffer

Clears the log buffer of all system log messages it contains.

copy

Copies a file from one location to another, including to a TFTP or FTP server.

delete

Deletes a file from the disk partition, such as saved log files.

logging buffered

Enables logging to the log buffer.

logging buffer-size

Specifies log buffer size.

logging enable

Enables logging.

logging flash-maximum-
allocation

Specifies the maximum amount of Flash memory that can be used for writing log buffer contents.

logging flash-minimum-
free

Specifies the minimum amount of Flash memory that must be available for the security appliance to permit writing of the log buffer to Flash memory.

show logging

Displays the enabled logging options.


logging flash-maximum-allocation

To specify the maximum amount of Flash memory that the security appliance uses to store log data, use the logging flash-maximum-allocation command in global configuration mode. To reset the maximum amount of Flash memory used for this purpose to its default size of 1 MB of Flash memory, use the no form of this command.

logging flash-maximum-allocation kbytes

no logging flash-maximum-allocation kbytes

Syntax Description

kbytes

The largest amount of Flash memory, in kilobytes, that the security appliance can use to save log buffer data.


Defaults

The default maximum Flash memory allocation for log data is 1 MB.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

This command determines how much Flash memory is available for the logging savelog and logging flash-bufferwrap commands.

If a log file to be saved by logging savelog or logging flash-bufferwrap causes Flash memory use for log files to exceed the maximum amount specified by the logging flash-maximum-allocation command, the security appliance deletes the oldest log files to free sufficient memory for the new log file. If there are no files to delete or if, after all old files are deleted, free memory is too small for the new log file, the security appliance fails to save the new log file.

To see whether the security appliance has a maximum Flash memory allocation of a size different than the default size, use the show running-config logging command. If the logging flash-maximum-allocation command is not shown, then the security appliance uses a maximum of 1 MB for saved log buffer data. The memory allocated is used for both the logging savelog and logging flash-bufferwrap commands.

For more information about how the security appliance uses the log buffer, see the logging buffered command.

Examples

This example shows how to enable logging, enable the log buffer, enable the security appliance to write the log buffer to Flash memory, with the maximum amount of Flash memory used for writing log files set to approximately 1.2 MB of memory:

hostname(config)# logging enable
hostname(config)# logging buffered
hostname(config)# logging flash-bufferwrap
hostname(config)# logging flash-maximum-allocation 1200
hostname(config)# 

Related Commands

Command
Description

clear logging buffer

Clears the log buffer of all system log messages it contains.

logging buffered

Enables logging to the log buffer.

logging enable

Enables logging.

logging flash-bufferwrap

Writes the log buffer to Flash memory when the log buffer is full.

logging flash-minimum-
free

Specifies the minimum amount of Flash memory that must be available for the security appliance to permit writing of the log buffer to Flash memory.

logging savelog

Saves the contents of the log buffer to Flash memory.

show logging

Displays the enabled logging options.

show running-config logging

Displays the currently running logging configuration.


logging flash-minimum-free

To specify the minimum amount of free Flash memory that must exist before the security appliance saves a new log file, use the logging flash-minimum-free command in global configuration mode. This command affects how much free Flash memory must exist before the security appliance saves log files created by the logging savelog and logging flash-bufferwrap commands. To reset the minimum required amount of free Flash memory to its default size of 3 MB, use the no form of this command.

logging flash-minimum-free kbytes

no logging flash-minimum-free kbytes

Syntax Description

kbytes

The minimum amount of Flash memory, in kilobytes, that must be available before the security appliance saves a new log file.


Defaults

The default minimum free Flash memory is 3 MB.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The logging flash-minimum-free command specifies how much Flash memory the logging savelog and logging flash-bufferwrap commands must preserve at all times.

If a log file to be saved by logging savelog or logging flash-bufferwrap would cause the amount of free Flash memory to fall below the limit specified by the logging flash-minimum-free command, the security appliance deletes the oldest log files to ensure that the minimum amount of memory remains free after saving the new log file. If there are no files to delete or if, after all old files are deleted, free memory would still be below the limit, the security appliance fails to save the new log file.

Examples

This example shows how to enable logging, enable the log buffer, enable the security appliance to write the log buffer to Flash memory, and specifies that the minimum amount of free Flash memory must be 4000 KB:

hostname(config)# logging enable
hostname(config)# logging buffered
hostname(config)# logging flash-bufferwrap
hostname(config)# logging flash-minimum-free 4000
hostname(config)# 

Related Commands

Command
Description

clear logging buffer

Clears the log buffer of all system log messages it contains.

logging buffered

Enables logging to the log buffer.

logging enable

Enables logging.

logging flash-bufferwrap

Writes the log buffer to Flash memory when the log buffer is full.

logging flash-maximum-
allocation

Specifies the maximum amount of Flash memory that can be used for writing log buffer contents.

logging savelog

Saves the contents of the log buffer to Flash memory.

show logging

Displays the enabled logging options.

show running-config logging

Displays the currently running logging configuration.


logging from-address

To specify the sender e-mail address for system log messages sent by the security appliance, use the logging from-address command in global configuration mode. All sent system log messages appear to come from the address you specify. To remove the sender e-mail address, use the no form of this command.

logging from-address from-email-address

no logging from-address from-email-address

Syntax Description

from-email-address

Source e-mail address, that is, the e-mail address that system log messages appear to come from (for example, cdb@example.com).


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Sending system log messages by e-mail is enabled by the logging mail command.

The address specified with this command need not correspond to an existing e-mail account.

Examples

To enable logging and set up the security appliance to send system log messages by e-mail, use the following criteria:

Send messages that are critical, alerts, or emergencies.

Send messages using ciscosecurityappliance@example.com as the sender address.

Send messages to admin@example.com.

Send messages using SMTP, the primary servers pri-smtp-host, and secondary server sec-smtp-host.

Enter the following commands:

hostname(config)# logging enable
hostname(config)# logging mail critical
hostname(config)# logging from-address ciscosecurityappliance@example.com
hostname(config)# logging recipient-address admin@example.com
hostname(config)# smtp-server pri-smtp-host sec-smtp-host

Related Commands

Command
Description

logging enable

Enables logging.

logging mail

Enables the security appliance to send system log messages by e-mail and determines which messages are sent by e-mail.

logging recipient-address

Specifies the e-mail address to which system log messages are sent.

smtp-server

Configures an SMTP server.

show logging

Displays the enabled logging options.

show running-config logging

Displays the currently running logging configuration.


logging ftp-bufferwrap

To enable the security appliance to send the log buffer to an FTP server every time the buffer is full of messages that have never been saved, use the logging ftp-bufferwrap command in global configuration mode. To disable sending the log buffer to an FTP server, use the no form of this command.

logging ftp-bufferwrap

no logging ftp-bufferwrap

Syntax Description

This command has no arguments or keywords.

Defaults

The defaults are as follows:

Logging to the buffer is disabled.

Sending the log buffer to an FTP server is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

When you enable logging ftp-bufferwrap, the security appliance sends log buffer data to the FTP server you specify with the logging ftp-server command. While the security appliance sends log data to the FTP server, it continues storing to the log buffer continues any new event messages.

For the security appliance to send log buffer contents to an FTP server, you must enable logging to the buffer; otherwise, the log buffer never has data to be written to Flash memory. To enable logging to the buffer, use the logging buffered command.

The security appliance creates log files with names that use a default time-stamp format, as follows:

LOG-YYYY-MM-DD-HHMMSS.TXT

where YYYY is the year, MM is the month, DD is the day of the month, and HHMMSS is the time in hours, minutes, and seconds.

Examples

This example shows how enable logging, enable the log buffer, specify an FTP server, and enable the security appliance to write the log buffer to an FTP server. This example specifies an FTP server whose host name is logserver-352. The server can be accessed with the username logsupervisor and password 1luvMy10gs. Log files are to be stored in the /syslogs directory.

hostname(config)# logging enable
hostname(config)# logging buffered
hostname(config)# logging ftp-server logserver-352 /syslogs logsupervisor 1luvMy10gs
hostname(config)# logging ftp-bufferwrap
hostname(config)#

Related Commands

Command
Description

clear logging buffer

Clears the log buffer of all system log messages it contains.

logging buffered

Enables logging to the log buffer.

logging buffer-size

Specifies log buffer size.

logging enable

Enables logging.

logging ftp-server

Specifies FTP server parameters for use with the logging ftp-bufferwrap command.

show logging

Displays the enabled logging options.

show running-config logging

Displays the currently running logging configuration.


logging ftp-server

To specify details about the FTP server that the security appliance sends log buffer data to when logging ftp-bufferwrap is enabled, use the logging ftp-server command in global configuration mode. To remove all details about an FTP server, use the no form of this command.

logging ftp-server ftp_server path username [0 | 8] password

no logging ftp-server ftp_server path username [0 | 8] password

Syntax Description

0

(Optional) Specifies that an unencrypted (clear text) user password will follow.

8

(Optional) Specifies that an encrypted user password will follow.

ftp-server

External FTP server IP address or hostname.

Note If you specify a hostname, be sure DNS is operating correctly on your network.

password

The password for the username specified.

path

Directory path on the FTP server where the log buffer data is to be saved. This path is relative to the FTP root directory. For example:

/security_appliances/syslogs/appliance107

username

A username that is valid for logging in to the FTP server.


Defaults

No FTP server is specified by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.

8.0(5)

Support for password encryption was added.


Usage Guidelines

You can only specify one FTP server. If a logging FTP server is already specified, using the logging ftp-server command replaces that FTP server configuration with the new one you enter.

The security appliance does not verify the FTP server information you specify. If you misconfigure any of the details, the security appliance fails to send log buffer data to the FTP server.

During bootup or upgrade of the security appliance, single-digit passwords and passwords startingwith a digit followed by a whitespace are not supported. For example, 0 pass and 1 are invalid passwords.

Examples

This example shows how to enable logging, enable the log buffer, specify an FTP server, and enable the security appliance to write the log buffer to an FTP server. This example specifies an FTP server whose hostname is logserver-352. The server can be accessed with the username logsupervisor and password 1luvMy10gs. Log files are to be stored in the /syslogs directory.

hostname(config)# logging enable
hostname(config)# logging buffered
hostname(config)# logging ftp-server logserver-352 /syslogs logsupervisor 1luvMy10gs
hostname(config)# logging ftp-bufferwrap

The following example shows how to enter an encrypted password:

hostname(config)# logging ftp-server logserver /path1 user1 8 JPAGWzIIFVlheXv2I9nglfytOzHU

The following example shows how to enter an unencrypted (clear text) password:

hostname(config)# logging ftp-server logserver /path1 user1 0 pass1

Related Commands

Command
Description

clear logging buffer

Clears the log buffer of all system log messages it contains.

logging buffered

Enables logging to the log buffer.

logging buffer-size

Specifies log buffer size.

logging enable

Enables logging.

logging ftp-bufferwrap

Sends the log buffer to an FTP server when the log buffer is full.

show logging

Displays the enabled logging options.

show running-config logging

Displays the currently running logging configuration.


logging history

To enable SNMP logging and specify which messages are to be sent to SNMP servers, use the logging history command in global configuration mode. To disable SNMP logging, use the no form of this command.

logging history [logging_list | level]

no logging history

Syntax Description

level

Sets the maximum level for system log messages. For example, if you set the level to 3, then the security appliance generates system log messages for levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

0 or emergencies—System unusable.

1 or alerts—Take immediate action.

2 or critical—Critical condition.

3 or errors—Error.

4 or warnings—Warning.

5 or notifications—Normal but significant condition.

6 or informational—Information.

7 or debugging—Debug messages, log FTP commands, and WWW URLs.

logging_list

Specifies the list that identifies the messages to send to the SNMP server. For information about creating lists, see the logging list command.


Defaults

The security appliance does not log to SNMP servers by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The logging history command allows you to enable logging to an SNMP server and to set the SNMP message level or event list.

Examples

This example shows how to enable SNMP logging and specify that messages of levels 0, 1, 2, and 3 are sent to the SNMP server configured:

hostname(config)# logging enable
hostname(config)# snmp-server host infrastructure 10.2.3.7 trap community gam327
hostname(config)# snmp-server enable traps syslog
hostname(config)# logging history errors
hostname(config)# 

Related Commands

Command
Description

logging enable

Enables logging.

logging list

Creates a reusable list of message selection criteria.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.

snmp-server

Specifies SNMP server details.


logging host

To define a syslog server, use the logging host command in global configuration mode. To remove a syslog server definition, use the no form of this command.

logging host interface_name syslog_ip [tcp/port | udp/port] [format emblem] [secure] [permit-hostdown]

logging host interface_name syslog_ip

[no] logging host interface_name syslog_ip [tcp/port | udp/port] [format emblem] [secure]

[no] logging host interface_name syslog_ip

Syntax Description

format emblem

(Optional) Enables EMBLEM format logging for the syslog server.

interface_name

Specifies the interface on which the syslog server resides.

permit-hostdown

Allows the adaptive security appliance to continue TCP logging when the syslog server is down or unreachable.

port

Indicates the port that the syslog server listens to for messages. Valid port values are 1025 through 65535 for either protocol.

secure

Specifies that the connection to the remote logging host should use SSL/TLS. This option is valid only if the protocol selected is TCP.

Note A secure logging connection can only be established with a SSL/TLS- capable syslog server. If a SSL/TLS connection cannot be established, all new connections will be denied. You may change this default behavior by entering the logging permit-hostdown command.

syslog_ip

Specifies the IP address of the syslog server.

tcp

Specifies that the adaptive security appliance should use TCP to send messages to the syslog server.

udp

Specifies that the adaptive security appliance should use UDP to send messages to the syslog server.


Defaults

The default protocol is UDP.

The default port numbers are as follows:

UDP—514

TCP —1470

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.

8.0(2)

The secure keyword was added.


Usage Guidelines

The logging host ip_address format emblem command allows you to enable EMBLEM-format logging for each syslog server. EMBLEM-format logging is available for UDP system log messages only. If you enable EMBLEM-format logging for a particular syslog server, then the messages are sent to that server. If you also enable the logging timestamp keyword, the messages with a time stamp are sent.

You can use multiple logging host commands to specify additional servers that would all receive the system log messages. However, you can only specify a server to receive either UDP or TCP system log messages, not both.


Note When the tcp option is used in the logging host command, the adaptive security appliance will drop connections across the firewall if the syslog server is unreachable.


You can display only the port and protocol values that you previously entered by using the show running-config logging command and finding the command in the listing—TCP is listed as 6 and UDP is listed as 17. TCP ports work only with the syslog server. The port must be the same port on which the syslog server listens.


Note An error message occurs if you try to use the logging host command and the secure keyword with UDP.

The PIX security appliance does not support the secure keyword.


Examples

This example shows how to send system log messages of severity levels 0, 1, 2, and 3 to a syslog server on the inside interface that uses the default protocol and port number.

hostname(config)# logging enable
hostname(config)# logging host inside 10.2.2.3
hostname(config)# logging trap errors
hostname(config)# 

Related Commands

Command
Description

logging enable

Enables logging.

logging trap

Enables logging to syslog servers.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.


logging list

To create a logging list to use in other commands to specify messages by various criteria (logging level, event class, and message IDs), use the logging list command in global configuration mode. To remove the list, use the no form of this command.

logging list name {level level [class event_class] | message start_id[-end_id]}

no logging list name

Syntax Description

class event_class

(Optional) Sets the class of events for system log messages. For the level specified, only system log messages of the class specified are identified by the command. See the "Usage Guidelines" section for a list of classes.

level level

Sets the maximum level for system log messages. For example, if you set the level to 3, then the security appliance generates system log messages for levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

0 or emergencies—System unusable.

1 or alerts—Take immediate action.

2 or critical—Critical condition.

3 or errors—Error.

4 or warnings—Warning.

5 or notifications—Normal but significant condition.

6 or informational—Information.

7 or debugging—Debug messages, log FTP commands, and WWW URLs.

message start_id[-end_id]

Specified a message ID or range of IDs. To look up the default level of a message, use the show logging command or see the Cisco ASA 5500 Series System Log Messages.

name

Sets the logging list name.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

Logging commands that can use lists are the following:

logging asdm

logging buffered

logging console

logging history

logging mail

logging monitor

logging trap

Possible values for the event_class include the following:

auth—User authentication.

bridge—Transparent firewall.

ca—PKI certificate authority.

config—Command interface.

eap—Extensible Authentication Protocol (EAP). Logs the following types of events to support Network Admission Control: EAP session state changes, EAP status query events, and a hexadecimal dump of EAP header and packet contents.

eapoudp—Extensible Authentication Protocol (EAP) over UDP. Logs EAPoUDP events to support Network Admission Control, and generates a complete record of EAPoUDP header and packet contents.

email—-Email proxy.

ha—Failover.

ids—Intrusion detection system.

ip—IP stack.

nac—Network Admission Control. Logs the following types of events: initializations, exception list matches, ACS transactions, clientless authentications, default ACL applications, and revalidations.

np—Network processor.

ospf—OSPF routing.

rip—RIP routing.

session—User session.

snmp—SNMP.

sys—System.

vpn—IKE and IPSec.

vpnc—VPN client.

vpnfo—VPN failover.

vpnlb—VPN load balancing.

Examples

This example shows how to use the logging list command:

hostname(config)# logging list my-list message 100100-100110
hostname(config)# logging list my-list level critical
hostname(config)# logging list my-list level warning class vpn
hostname(config)# logging buffered my-list

The preceding example states that system log messages that match the criteria specified will be sent to the logging buffer. The criteria specified in this example are:

System log message IDs that fall in the range of 100100 to 100110

All system log messages with a critical level or higher (emergency, alert, or critical)

All VPN class system log messages with a warning level or higher (emergency, alert, critical, error, or warning)

If a system log message satisfies any one of these conditions, it is logged to the buffer.


Note When you design list criteria, criteria can specify overlapping sets of messages. System log messages matching more than one set of criteria are logged normally.


Related Commands

Command
Description

logging enable

Enables logging.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.


logging mail

To enable the security appliance to send system log messages by e-mail and to determine which messages are sent by e-mail, use the logging mail command in global configuration mode. To disable e-mailing of system log messages, use the no form of this command.

logging mail [logging_list | level]

no logging mail [logging_list | level]

Syntax Description

level

Sets the maximum level for system log messages. For example, if you set the level to 3, then the security appliance generates system log messages for levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

0 or emergencies—System unusable.

1 or alerts—Take immediate action.

2 or critical—Critical condition.

3 or errors—Error.

4 or warnings—Warning.

5 or notifications—Normal but significant condition.

6 or informational—Information.

7 or debugging—Debug messages, log FTP commands, and WWW URLs.

logging_list

Specifies the list that identifies the messages to send to the e-mail recipient. For information about creating lists, see the logging list command.


Defaults

Logging to e-mail is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

E-mailed system log messages appear in the subject line of the e-mails sent.

Examples

To set up the security appliance to send system log messages by e-mail, use the following criteria:

Send messages that are critical, alerts, or emergencies.

Send messages using ciscosecurityappliance@example.com as the sender address.

Send messages to admin@example.com.

Send messages using SMTP, the primary servers pri-smtp-host, and secondary server sec-smtp-host.

Enter the following commands:

hostname(config)# logging mail critical
hostname(config)# logging from-address ciscosecurityappliance@example.com
hostname(config)# logging recipient-address admin@example.com
hostname(config)# smtp-server pri-smtp-host sec-smtp-host

Related Commands

Command
Description

logging enable

Enables logging.

logging from-address

Specifies the e-mail address from which e-mailed system log messages appear to come.

logging list

Creates a reusable list of message selection criteria.

logging recipient-address

Specifies the e-mail address to which e-mailed system log messages are sent.

smtp-server

Configures an SMTP server.

show logging

Displays the enabled logging options.

show running-config logging

Displays the currently running logging configuration.


logging message

To specify the logging level of a system log message, use the logging message command with the level keyword in global configuration mode. To reset the logging level of a message to its default level, use the no form of this command. To prevent the security appliance from generating a particular system log message, use the no form of the logging message command (without the level keyword) in global configuration mode. To let the security appliance generate a particular system log message, use the logging message command (without the level keyword). These two versions of the logging message command can be used in parallel. See the "Examples" section that follows.

logging message syslog_id level level

no logging message syslog_id level level

logging message syslog_id

no logging message syslog_id

Syntax Description

level level

Sets the maximum level for system log messages. For example, if you set the level to 3, then the security appliance generates system log messages for levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

0 or emergencies—System unusable.

1 or alerts—Take immediate action.

2 or critical—Critical condition.

3 or errors—Error.

4 or warnings—Warning.

5 or notifications—Normal but significant condition.

6 or informational—Information.

7 or debugging—Debug messages, log FTP commands, and WWW URLs.

syslog_id

The ID of the system log message that you want to enable or disable or whose severity level you want to modify. To look up the default level of a message, use the show logging command or see the Cisco ASA 5500 Series System Log Messages.


Defaults

By default, all system log messages are enabled and the severity levels of all messages are set to their default levels.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

You can use the logging message command for two purposes:

To control whether a message is enabled or disabled.

To control the severity level of a message.

You can use the show logging command to determine the level currently assigned to a message and whether the message is enabled.

Examples

The series of commands in the following example illustrate the use of the logging message command to control both whether a message is enabled and the severity level of the messages:

hostname(config)# show logging message 403503
syslog 403503: default-level errors (enabled)

hostname(config)# logging message 403503 level 1
hostname(config)# show logging message 403503
syslog 403503: default-level errors, current-level alerts (enabled)

hostname(config)# no logging message 403503
hostname(config)# show logging message 403503
syslog 403503: default-level errors, current-level alerts (disabled)

hostname(config)# logging message 403503
hostname(config)# show logging message 403503
syslog 403503: default-level errors, current-level alerts (enabled)

hostname(config)# no logging message 403503 level 3
hostname(config)# show logging message 403503
syslog 403503: default-level errors (enabled)

Related Commands

Command
Description

clear configure logging

Clears all logging configuration or message configuration only.

logging enable

Enables logging.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.


logging monitor

To enable the security appliance to display system log messages in SSH and Telnet sessions, use the logging monitor command in global configuration mode. To disable the display of system log messages in SSH and Telnet sessions, use the no form of this command.

logging monitor [logging_list | level]

no logging monitor

Syntax Description

level

Sets the maximum level for system log messages. For example, if you set the level to 3, then the security appliance generates system log messages for levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

0 or emergencies—System unusable.

1 or alerts—Take immediate action.

2 or critical—Critical condition.

3 or errors—Error.

4 or warnings—Warning.

5 or notifications—Normal but significant condition.

6 or informational—Information.

7 or debugging—Debug messages, log FTP commands, and WWW URLs.

logging_list

Specifies the list that identifies the messages to send to the SSH or Telnet session. For information about creating lists, see the logging list command.


Defaults

The security appliance does not display system log messages in SSH and Telnet sessions by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The logging monitor command enables system log messages for all sessions in the current context; however, in each session, the terminal command controls whether system log messages appear in that session.

Examples

This example shows how to enable the display of system log messages in console sessions. The use of the errors keyword indicates that messages of levels 0, 1, 2, and 3 should display in SSH and Telnet sessions. The terminal command enables the messages to appear in the current session.

hostname(config)# logging enable
hostname(config)# logging monitor errors
hostname(config)# terminal monitor
hostname(config)# 

Related Commands

Command
Description

logging enable

Enables logging.

logging list

Creates a reusable list of message selection criteria.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.

terminal

Sets terminal line parameters.


logging permit-hostdown

To make the status of a TCP-based syslog server irrelevant to new user sessions, use the logging permit-hostdown command in global configuration mode. To cause the security appliance to deny new user sessions when a TCP-based syslog server is unavailable, use the no form of this command.

logging permit-hostdown

no logging permit-hostdown

Syntax Description

This command has no arguments or keywords.

Defaults

By default, if you have enabled logging to a syslog server that uses a TCP connection, the security appliance does not allow new network access sessions when the syslog server is unavailable for any reason.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

If you are using TCP as the logging transport protocol for sending messages to a syslog server, the security appliance denies new network access sessions as a security measure if the security appliance is unable to reach the syslog server. You can use the logging permit-hostdown command to remove this restriction.

Examples

The following example makes the status of TCP-based syslog servers irrelevant to whether the security appliance permits new sessions. When the logging permit-hostdown command includes in its output the show running-config logging command, the status of TCP-based syslog servers is irrelevant to new network access sessions.

hostname(config)# logging permit-hostdown
hostname(config)# show running-config logging
logging enable
logging trap errors
logging host infrastructure 10.1.2.3 6/1470
logging permit-hostdown
hostname(config)# 

Related Commands

Command
Description

logging enable

Enables logging.

logging host

Defines a syslog server.

logging trap

Enables logging to syslog servers.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.


logging queue

To specify how many system log messages the security appliance may hold in its queue before processing them according to the logging configuration, use the logging queue command in global configuration mode. To reset the logging queue size to the default of 512 messages, use the no form of this command.

logging queue queue_size

no logging queue queue_size

Syntax Description

queue_size

The number of syslog messages permitted in the queue used for storing syslog messages before processing them. Valid values are from 0 to 8192 messages, depending on the platform type. If the logging queue is set to zero, the queue will be the maximum configurable size (8192 messages), depending on the platform. On the ASA-5505, the maximum queue size is 1024, On the ASA-5510, it is 2048, and on all other platforms, it is 8192 .


Defaults

The default queue size is 512 messages.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

When traffic is so heavy that the queue fills up, the security appliance may discard messages. On the ASA-5505, the maximum queue size is 1024. On the ASA-5510, it is 2048. On all other platforms, it is 8192 .

Examples

This example shows how to display the output of the logging queue and show logging queue commands:

hostname(config)# logging queue 0
hostname(config)# show logging queue
Logging Queue length limit : Unlimited
Current 5 msg on queue, 3513 msgs most on queue, 1 msg discard.

In this example, the logging queue command is set to 0, which means that the queue is set to the maximum of 8192. The system log messages in the queue are processed by the security appliance in the manner dictated by the logging configuration, such as sending system log messages to mail recipients, saving them to Flash memory, and so forth.

The output of this example show logging queue command shows that 5 messages are queued, 3513 messages was the largest number of messages in the queue at one time since the security appliance was last booted, and that 1 message was discarded. Even though the queue was set for unlimited, the messages was discarded because no block memory was available to add the message to the queue.

Related Commands

Command
Description

logging enable

Enables logging.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.


logging rate-limit

To limit the rate at which system log messages are generated, use the logging rate-limit command in privileged EXEC mode. To disable rate limiting, use the no form of this command in privileged EXEC mode.

logging rate-limit {unlimited | {num [interval]}} message syslog_id | level severity_level

[no] logging rate-limit [unlimited | {num [interval]}} message syslog_id ] level severity_level

Syntax Description

interval

(Optional) Time interval (in seconds) to use for measuring the rate at which messages are generated. The valid range of values for interval is 0 through 2147483647.

level severity_level

Applies the set rate limits on all system log messages that belong to a certain severity level. All system log messages at a specified severity level are rate-limited individually. The valid range for severity_level is 1 through 7.

message

Suppresses reporting of this system log message.

num

Number of system messages that can be generated during the specified time interval. The valid range of values for num is 0 through 2147483647.

syslog_id

ID of the system log message to be suppressed. The valid range of values is 100000-999999.

unlimited

Disables rate limiting, which means that there is no limit on the logging rate.


Defaults

The default setting for interval is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
 
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(4)

This command was introduced.


Usage Guidelines

The system message severity levels are as follows:

·0—System Unusable

·1—Take Immediate Action

·2—Critical Condition

·3—Error Message

·4—Warning Message

·5—Normal but significant condition

·6—Informational

·7—Debug Message

Examples

To limit the rate of system log message generation, you can enter a specific message ID. The following example shows how to limit the rate of system log message generation using a specific message ID and time interval:

hostname(config)# logging rate-limit 100 600 message 302020

This example suppresses system log message 302020 from being sent to the host after the rate limit of 100 is reached in the specified interval of 600 seconds.

To limit the rate of system log message generation, you can enter a specific severity level. The following example shows how to limit the rate of system log message generation using a specific severity level and time interval.

hostname(config)# logging rate-limit 1000 600 level 6

This example suppresses all system log messages under severity level 6 to the specified rate limit of 1000 in the specified time interval of 600 seconds. Each system log message in severity level 6 has a rate limit of 1000.

Related Commands

Command
Description

clear running-config logging rate-limit

Resets the logging rate limit setting to its default.

show logging

Shows the messages currently in the internal buffer or to shows logging configuration settings.

show running-config logging rate-limit

Shows the current logging rate limit setting.


logging recipient-address

To specify the receiving e-mail address for system log messages sent by the security appliance, use the logging recipient-address command in global configuration mode. To remove the receiving e-mail address, use the no form of this command. You can configure up to 5 recipient addresses. If you want, each recipient address can have a different message level than that specified by the logging mail command.

logging recipient-address address [level level]

no logging recipient-address address [level level]

Syntax Description

address

Specifies recipient e-mail address when sending system log messages by -email.

level

Indicates that a logging level follows.

level

Sets the maximum level for system log messages. For example, if you set the level to 3, then the security appliance generates system log messages for levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

0 or emergencies—System unusable.

1 or alerts—Take immediate action.

2 or critical—Critical condition.

3 or errors—Error.

4 or warnings—Warning.

5 or notifications—Normal but significant condition.

6 or informational—Information.

7 or debugging—Debug messages, log FTP commands, and WWW URLs.

Note We do not recommend using a level greater than 3 with the logging recipient-address command. Higher logging levels are likely to cause dropped system log messages because of buffer overflow.

The message level specified by a logging recipient-address command overrides the message level specified by the logging mail command. For example, if a logging recipient-address command specifies a level of 7 but the logging mail command specifies a level of 3, the security appliance sends all messages to the recipient, including those of levels 4, 5, 6, and 7.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Sending system log messages by e-mail is enabled by the logging mail command.

You can configure up to 5 logging recipient-address commands. Each command can have a different logging level than the others. This command is useful when you want more urgent messages to go to a larger number of recipients than less urgent messages are sent to.

Examples

To set up the security appliance to send system log messages by e-mail, use the following criteria:

Send messages that are critical, alerts, or emergencies.

Send messages using ciscosecurityappliance@example.com as the sender address.

Send messages to admin@example.com.

Send messages using SMTP, the primary servers pri-smtp-host, and secondary server sec-smtp-host.

Enter the following commands:

hostname(config)# logging mail critical
hostname(config)# logging from-address ciscosecurityappliance@example.com
hostname(config)# logging recipient-address admin@example.com
hostname(config)# smtp-server pri-smtp-host sec-smtp-host

Related Commands

Command
Description

logging enable

Enables logging.

logging from-address

Specifies the e-mail address from which system log messages appear to come.

logging mail

Enables the security appliance to send system log messages by e-mail and determines which messages are sent by e-mail.

smtp-server

Configures an SMTP server.

show logging

Displays the enabled logging options.

show running-config logging

Displays the currently running logging configuration.


logging savelog

To save the log buffer to Flash memory, use the logging savelog command in privileged EXEC mode.

logging savelog [savefile]

Syntax Description

savefile

(Optional) Saved Flash memory file name. If you do not specify the file name, the security appliance saves the log file using a default time-stamp format, as follows:

LOG-YYYY-MM-DD-HHMMSS.TXT

where YYYY is the year, MM is the month, DD is the day of the month, and HHMMSS is the time in hours, minutes, and seconds.


Defaults

The defaults are as follows:

Buffer size is 4 KB.

Minimum free Flash memory is 3 MB.

Maximum Flash memory allocation for buffer logging is 1 MB.

The default log file name is described in the "Syntax Description" section.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Before you can save the log buffer to Flash memory, you must enable logging to the buffer; otherwise, the log buffer never has data to be saved to Flash memory. To enable logging to the buffer, use the logging buffered command.


Note The logging savelog command does not clear the buffer. To clear the buffer, use the clear logging buffer command.


Examples

This example enables logging and the log buffer, exits global configuration mode, and saves the log buffer to Flash memory, using the file name latest-logfile.txt:

hostname(config)# logging enable
hostname(config)# logging buffered
hostname(config)# exit
hostname# logging savelog latest-logfile.txt
hostname#

Related Commands

Command
Description

clear logging buffer

Clears the log buffer of all system log messages it contains.

copy

Copies a file from one location to another, including to a TFTP or FTP server.

delete

Deletes a file from the disk partition, such as saved log files.

logging buffered

Enables logging to the log buffer.

logging enable

Enables logging.

show logging

Displays the enabled logging options.


logging standby

To enable the failover standby security appliance to send the system log messages of this security appliance to logging destinations, use the logging standby command in global configuration mode. To disable system log messaging and SNMP logging, use the no form of this command.

logging standby

no logging standby

Syntax Description

This command has no arguments or keywords.

Defaults

The logging standby command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

You can enable logging standby to ensure that the system log messages of the failover standby security appliance stay synchronized if failover occurs.


Note Using the logging standby command causes twice as much traffic on shared logging destinations, such as syslog servers, SNMP servers, and FTP servers.


Examples

The following example enables the security appliance to send system log messages to the failover standby security appliance. The output of the show logging command reveals that this feature is enabled.

hostname(config)# logging standby
hostname(config)# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: enabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
    Device ID: 'inside' interface IP address "10.1.1.1"
    Mail logging: disabled
    ASDM logging: disabled

Related Commands

Command
Description

failover

Enables the failover feature.

logging enable

Enables logging.

logging host

Defines a syslog server.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.


logging timestamp

To specify that system log messages should include the date and time that the messages was generated, use the logging timestamp command in global configuration mode. To remove the date and time from system log messages, use the no form of this command.

logging timestamp

no logging timestamp

Syntax Description

This command has no arguments or keywords.

Defaults

The security appliance does not include the date and time in system log messages by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The logging timestamp command makes the security appliance include a timestamp in all system log messages.

Examples

The following example enables the inclusion of timestamp information in all system log messages:

hostname(config)# logging enable
hostname(config)# logging timestamp
hostname(config)# 

Related Commands

Command
Description

logging enable

Enables logging.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.


logging trap

To specify which system log messages the security appliance sends to a syslog server, use the logging trap command in global configuration mode. To remove this command from the configuration, use the no form of this command.

logging trap [logging_list | level]

no logging trap

Syntax Description

level

Sets the maximum level for system log messages. For example, if you set the level to 3, then the security appliance generates system log messages for levels 3, 2, 1, and 0. You can specify either the number or the name, as follows:

0 or emergencies—System unusable.

1 or alerts—Take immediate action.

2 or critical—Critical condition.

3 or errors—Error.

4 or warnings—Warning.

5 or notifications—Normal but significant condition.

6 or informational—Information.

7 or debugging—Debug messages, log FTP commands, and WWW URLs.

logging_list

Specifies the list that identifies the messages to send to the syslog server. For information about creating lists, see the logging list command.


Defaults

No default system log message trap is defined.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

If you are using TCP as the logging transport protocol, the security appliance denies new network access sessions as a security measure if the security appliance is unable to reach the syslog server, if the syslog server is misconfigured, or if the disk is full.

UDP-based logging does not prevent the security appliance from passing traffic if the syslog server fails.

Examples

This example shows how to send system log messages of levels 0, 1, 2, and 3 to a syslog server that resides on the inside interface and uses the default protocol and port number.

hostname(config)# logging enable
hostname(config)# logging host inside 10.2.2.3
hostname(config)# logging trap errors
hostname(config)# 

Related Commands

Command
Description

logging enable

Enables logging.

logging host

Defines a syslog server.

logging list

Creates a reusable list of message selection criteria.

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.


login

To log into privileged EXEC mode using the local user database (see the username command) or to change user names, use the login command in user EXEC mode.

login

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

From user EXEC mode, you can log in to privileged EXEC mode as any username in the local database using the login command. The login command is similar to the enable command when you have enable authentication turned on (see the aaa authentication console command). Unlike enable authentication, the login command can only use the local username database, and authentication is always required with this command. You can also change users using the login command from any CLI mode.

To allow users to access privileged EXEC mode (and all commands) when they log in, set the user privilege level to 2 (the default) through 15. If you configure local command authorization, then the user can only enter commands assigned to that privilege level or lower. See the aaa authorization command for more information.


Caution If you add users to the local database who can gain access to the CLI and whom you do not want to enter privileged EXEC mode, you should configure command authorization. Without command authorization, users can access privileged EXEC mode (and all commands) at the CLI using their own password if their privilege level is 2 or greater (2 is the default). Alternatively, you can use RADIUS or TACACS+ authentication, or you can set all local users to level 1 so you can control who can use the system enable password to access privileged EXEC mode.

Examples

The following example shows the prompt after you enter the login command:

hostname> login
Username:

Related Commands

Command
Description

aaa authorization command

Enables command authorization for CLI access.

aaa authentication console

Requires authentication for console, Telnet, HTTP, SSH, or enable command access.

logout

Logs out of the CLI.

username

Adds a user to the local database.


login-button

To customize the Login button of the WebVPN page login box that is displayed to WebVPN users when they connect to the security appliance, use the login-button command from webvpn customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.

login-button {text | style} value

[no] login-button {text | style} value

Syntax Description

style

Specifies you are changing the style.

text

Specifies you are changing the text.

value

The actual text to display (maximum 256 characters), or Cascading Style Sheet (CSS) parameters (maximum 256 characters).


Defaults

The default login button text is "Login".

The default login button style is:

border: 1px solid black;background-color:white;font-weight:bold; font-size:80%

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

WebVPN customization configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.

HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.


Note To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.


Examples

The following example customizes the Login button with the text "OK":

F1-asa1(config)# webvpn
F1-asa1(config-webvpn)# customization cisco
F1-asa1(config-webvpn-custom)# login-button text OK

Related Commands

Command
Description

login-title

Customizes the title of the WebVPN page login box.

group-prompt

Customizes the group prompt of the WebVPN page login box.

password-prompt

Customizes the password prompt of the WebVPN page login box.

username-prompt

Customizes the username prompt of the WebVPN page login box.


login-message

To customize the login message of the WebVPN page displayed to WebVPN users when they connect to the security appliance, use the login-message command from webvpn customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.

login-message {text | style} value

[no] login-message {text | style} value

Syntax Description

text

Specifies you are changing the text.

style

Specifies you are changing the style.

value

The actual text to display (maximum 256 characters), or Cascading Style Sheet (CSS) parameters (maximum 256 characters).


Defaults

The default login message is "Please enter your username and password".

The default login message style is background-color:#CCCCCC;color:black.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

WebVPN customization configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.

HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.


Note To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.


Examples

In the following example, the login message text is set to "username and password":

F1-asa1(config)# webvpn
F1-asa1(config-webvpn)# customization cisco
F1-asa1(config-webvpn-custom)# login-message text username and password

Related Commands

Command
Description

login-title

Customizes the title of the login box on the WebVPN page.

username-prompt

Customizes the username prompt of the WebVPN page login.

password-prompt

Customizes the password prompt of the WebVPN page login.

group-prompt

Customizes the group prompt of the WebVPN page login.


login-title

To customize the title of the login box on the WebVPN page displayed to WebVPN users, use the login-title command from webvpn customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.

login-title {text | style} value

[no] login-title {text | style} value

Syntax Description

text

Specifies you are changing the text.

style

Specifies you are changing the HTML style.

value

The actual text to display (maximum 256 characters), or Cascading Style Sheet (CSS) parameters (maximum 256 characters).


Defaults

The default login text is "Login".

The default HTML style of the login title is background-color: #666666; color: white.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

WebVPN customization configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.

HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.


Note To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.


Examples

The following example configures the login title style:

F1-asa1(config)# webvpn
F1-asa1(config-webvpn)# customization cisco
F1-asa1(config-webvpn-custom)# login-title style background-color: rgb(51,51,255);color: 
rgb(51,51,255); font-family: Algerian; font-size: 12pt; font-style: italic; font-weight: 
bold

Related Commands

Command
Description

login-message

Customizes the login message of the WebVPN login page.

username-prompt

Customizes the username prompt of the WebVPN login page.

password-prompt

Customizes the password prompt of the WebVPN login page.

group-prompt

Customizes the group prompt of the WebVPN login page.


logo

To customize the logo on the WebVPN page displayed to WebVPN users when they connect to the security appliance, use the logo command from webvpn customization mode. To remove a logo from the configuration and reset the default (the Cisco logo), use the no form of this command.

logo {none | file {path value}}

[no] logo {none | file {path value}}

Syntax Description

file

Indicates you are supplying a file containing a logo.

none

Indicates that there is no logo. Sets a null value, thereby disallowing a logo. Prevents inheriting a logo.

path

The path of the filename. The possible paths are disk0:, disk1:, or flash:

value

Specifies the filename of the logo. Maximum length is 255 characters, with no spaces. File type must be JPG, PNG, or GIF, and must be less than 100 KB.


Defaults

The default logo is the Cisco logo.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

WebVPN customization configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

If the filename you specify does not exist, an error message displays. If you remove a logo file but the configuration still points to it, no logo displays.

The filename cannot contain spaces.

Examples

In the following example, the file cisco_logo.gif contains a custom logo:

F1-asa1(config)# webvpn
F1-asa1(config-webvpn)# customization cisco
F1-asa1(config-webvpn-custom)#logo file disk0:cisco_logo.gif

Related Commands

Command
Description

title

Customizes the title of the WebVPN page.

page style

Customizes the WebVPN page using Cascading Style Sheet (CSS) parameters.


logout

To exit from the CLI, use the logout command in user EXEC mode.

logout

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The logout command lets you log out of the security appliance. You can use the exit or quit commands to go back to unprivileged mode.

Examples

The following example shows how to log out of the security appliance:

hostname> logout

Related Commands

Command
Description

login

Initiates the log-in prompt.

exit

Exits an access mode.

quit

Exits configuration or privileged mode.


logout-message

To customize the logout message of the WebVPN logout screen that is displayed to WebVPN users when they logout from WebVPN service, use the logout-message command from webvpn customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.

logout-message {text | style} value

[no] logout-message {text | style} value

Syntax Description

style

Specifies you are changing the style.

text

Specifies you are changing the text.

value

The actual text to display (maximum 256 characters), or Cascading Style Sheet (CSS) parameters (maximum 256 characters).


Defaults

The default logout message text is "Goodbye".

The default logout message style is background-color:#999999;color:black.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

WebVPN customization configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.

HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.


Note To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.


Examples

The following example configures the logout message style:

F1-asa1(config)# webvpn
F1-asa1(config-webvpn)# customization cisco
F1-asa1(config-webvpn-custom)# logout-message style background-color: 
rgb(51,51,255);color: rgb(51,51,255); font-family: Algerian; font-size: 12pt; font-style: 
italic; font-weight: bold

Related Commands

Command
Description

logout-title

Customizes the logout title of the WebVPN page.

group-prompt

Customizes the group prompt of the WebVPN page login box.

password-prompt

Customizes the password prompt of the WebVPN page login box.

username-prompt

Customizes the username prompt of the WebVPN page login box.