Table Of Contents
Logging in Multiple Context Mode
Enabling and Disabling Logging
Enabling Logging to All Configured Output Destinations
Disabling Logging to All Configured Output Destinations
Configuring Log Output Destinations
Log Output Destination Overview
Designating a Syslog Server as an Output Destination
Designating an E-mail Address as an Output Destination
Designating ASDM as an Output Destination
Viewing Logs Using a Telnet Session
Designating the Log Buffer as an Output Destination
Filtering System Log Messages to be Sent to an Output Destination
Filtering System Log Messages by Class
Filtering System Log Messages with Custom Message Lists
Customizing the Log Configuration
Including the Date and Time in System Log Messages
Including the Device ID in System Log Messages
Generating System Log Messages in EMBLEM Format
Disabling a System Log Message
Changing the Severity Level of a System Log Message
Changing the Amount of Internal Flash Memory Available for Logs
Understanding System Log Messages
Variables Used in System Log Messages
Configuring Logging and SNMP
This chapter describes how to configure logging and SNMP. It also describes the contents of system log messages and the system log message format. This chapter does not provide comprehensive information about all monitoring and logging commands and options. For detailed descriptions and additional commands, see the Cisco Security Appliance Command Reference.
This chapter includes the following sections:
•
Configuring and Managing Logs
Configuring SNMP
This section describes how to use SNMP and includes the following topics:
SNMP Overview
The security appliance provides support for network monitoring using SNMP V1 and V2c. The security appliance supports traps and SNMP read access, but does not support SNMP write access.
You can configure the security appliance to send traps (event notifications) to a network management station (NMS), or you can use the NMS to browse the MIBs on the security appliance. MIBs are a collection of definitions, and the security appliance maintains a database of values for each definition. Browsing a MIB entails issuing an SNMP get request from the NMS. Use CiscoWorks for Windows or any other SNMP V1, MIB-II compliant browser to receive SNMP traps and browse a MIB.
Table 1-1 lists supported MIBs and traps for the security appliance and, in multiple mode, for each context. You can download Cisco MIBs from the following website.
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
After you download the MIBs, compile them for your NMS.
Enabling SNMP
The SNMP agent that runs on the security appliance performs two functions:
•
•
To enable the SNMP agent and identify an NMS that can connect to the security appliance, follow these steps:
Step 1
hostname(config)# snmp-server host interface_name ip_address [trap | poll] [community text] [version 1 | 2c] [udp-port port]Specify trap or poll if you want to limit the NMS to receiving traps only or browsing (polling) only. By default, the NMS can use both functions.
SNMP traps are sent on UDP port 162 by default. You can change the port number using the udp-port keyword.
Step 2
hostname(config)# snmp-server community keyThe SNMP community string is a shared secret between the security appliance and the NMS. The key is a case-sensitive value up to 32 characters in length. Spaces are not permitted.
Step 3
hostname(config)# snmp-server {contact | location} textStep 4
hostname(config)# snmp-server enable [traps [all | feature [trap1] [trap2]] [...]]By default, SNMP core traps are enabled (snmp). If you do not enter a trap type in the command, syslog is the default. To enable or disable all traps, enter the all option. For snmp, you can identify each trap type separately. See Table 1-1 for a list of traps.
Step 5
hostname(config)# logging history levelYou must also enable syslog traps using the preceding snmp-server enable traps command.
Step 6
hostname(config)# logging onThe following example sets the security appliance to receive requests from host 192.168.3.2 on the inside interface.
hostname(config)# snmp-server host 192.168.3.2hostname(config)# snmp-server location building 42hostname(config)# snmp-server contact Pat leehostname(config)# snmp-server community ohwhatakeyistheeConfiguring and Managing Logs
This section describes the logging functionality and configuration. It also describes the system log message format, options and variables.
•
•
•
•
•
•
Logging Overview
security appliance system logs provide you with logging information for monitoring and troubleshooting the security appliance. The logging configuration is very flexible and enables you to customize many aspects of how the security appliance handles system log messages.
Using the logging feature, you can do the following:
•
•
•
•
•
•
•
•
You can choose to send all system log messages, or subsets of system log messages, to any or all output locations. You can filter which system log messages are sent to which locations by the severity of the system log message, the class of the system log message, or by creating a custom log message list.
Logging in Multiple Context Mode
Logging for an Cisco ASA running in multiple context mode functions somewhat differently than for an Cisco ASA running in single context mode. In single context mode, all logging messages generated by the system appear in a single log. In multiple context mode, there are two types of logs that are configured and accessed in different locations: logs that appear in individual security contexts, and a log that appears in the Admin context.
Just as each security context has its own configuration, each security context also has its own logging configuration and system message logs. A security context's message log includes messages related to features that are enabled for that context. For example, context logs include messages related to security policies, routing, logging, and configuration changes for that context. Like an Cisco ASA running in single context mode, logging in security contexts is not enabled by default. If you want logs to be kept for a security context, you must access the security context and configure logging. Similarly, you must access the security context in order to view log messages for that context.
In contrast, logs in the Admin context contain messages related to the overall physical device and overall system configuration. This includes messages related to events and features configured in the Admin context, such as failover, and it also includes messages related to events and features configured in the system execution space, such as interface settings. In the Admin context, you can only view the administration log; you cannot view logs for individual security contexts in the Admin context. If you want logs to be kept for the Admin context, you must access the Admin context and configure logging. Similarly, you must access the Admin context in order to view log messages for that context.
You cannot configure logging or view any logging information in the system execution space.
You can configure logging so that each messages includes the logging device ID for a security context; if you do so, each message includes the name of the context in which the message occurred. If you enable the logging device ID for the Admin context, messages that originate in the system execution space use a device ID of system; messages that originate in the Admin context use a device ID of Admin. For more information about enabling logging device IDs, see Including the Device ID in System Log Messages.
For more information about security contexts, see the chapter titled "Enabling Multiple Context Mode" in the Cisco Security Appliance Command Line Configuration Guide.
Enabling and Disabling Logging
This section describes how to enable and disable logging on the security appliance. It includes the following sections:
•
•
•
Enabling Logging to All Configured Output Destinations
The following steps enable logging; however, you must also specify at least one output destination so that you can view or save the logged messages. If you do not specify an output destination, the security appliance does not save system log messages generated when events occur.
For more information about configuring log output destinations, see the "Configuring Log Output Destinations" section.
To enable logging, complete the following steps:
Step 1
hostname># config tStep 2
hostname(config)# logging enableStep 3
hostname(config)# show loggingSyslog logging: enabledFacility: 20Timestamp logging: disabledStandby logging: disabledDeny Conn when Queue Full: disabledConsole logging: disabledMonitor logging: disabledBuffer logging: disabledTrap logging: disabledHistory logging: disabledDevice ID: disabledMail logging: disabledASDM logging: disabledDisabling Logging to All Configured Output Destinations
To disable all logging to all configured log output destinations, enter the following command:
hostname(config)# no logging enableViewing the Log Configuration
To view the running log configuration, enter the following command:
hostname(config)# show loggingThe output of the show logging command is similar to the following:
Syslog logging: enabledFacility: 16Timestamp logging: disabledStandby logging: disabledDeny Conn when Queue Full: disabledConsole logging: disabledMonitor logging: disabledBuffer logging: disabledTrap logging: level errors, facility 16, 3607 messages loggedLogging to infrastructure 10.1.2.3History logging: disabledDevice ID: 'inside' interface IP address "10.1.1.1"Mail logging: disabledASDM logging: disabledDefinitions of the status line entries are as follows:
Configuring Log Output Destinations
This section describes how to specify where the security appliance should save or send the log messages it generates, and it includes the following topics:
•
•
•
•
•
•
Log Output Destination Overview
To view logs generated by the security appliance, you must specify a log output destination. If you enable logging without specifying a log output destination, the security appliance generates messages but does not save them to a location from which you can view them.
You can configure the security appliance to send logs to the following locations:
•
•
•
•
•
Designating a Syslog Server as an Output Destination
This section describes how to configure the security appliance to send logs to a syslog server.
Configuring the security appliance to send logs to a syslog server enables you to archive logs, limited only by the available disk space on the server, and it enables you to manipulate log data after it is saved. For example, you could specify actions to executed when certain types of system log messages are logged, extract data from the log and save the records to another file for reporting, or track statistics using a site-specific script.
The syslog server must run a program (known as a server) called syslogd. UNIX provides a syslog server as part of its operating system. For Windows 95 and Windows 98, obtain a syslogd server from another vendor.
You can configure the security appliance to send data to a syslog server using either UDP or TCP, but not both. If you specify TCP, the security appliance discovers when the syslog server fails and discontinues sending logs. If you specify UDP, the security appliance continues to send logs regardless of whether the syslog server is operational.
You can enable the logging timestamp if you want each log message to contain a timestamp. If you choose UDP for sending logs to the syslog server, you can enable EMBLEM-format logging for each syslog server.
To configure the security appliance to send system log messages to a syslog server, perform the following steps:
Step 1
hostname(config)# logging host if_name ip_address {[tcp/port] | udp/port]} [format emblem]where
format emblem—enables EMBLEM format logging for the syslog server. (UDP only).
interface_name—specifies the interface on which the syslog server resides.
port—specifies the port that the syslog server listens to for system log messages. Valid port values are 1025 through 65535, for either protocol. To display the port and protocol values you used when entering commands previously, use the show running-config logging command and find the command in the listing—the TCP protocol is listed as 6 and the UDP protocol is listed as 17.
ip_address—specifies the IP address of the syslog server.
tcp—specifies that the security appliance should use TCP to send system log messages to the syslog server.
udp—specifies that the security appliance should use TCP to send system log messages to the syslog server.
For example:
hostname(config)# logging host dmz1 192.168.1.5If you want to designate more than one syslog server as output destinations, enter a new command for each syslog server.
Step 2
hostname(config)# logging trap {severity_level (1-7) | message_list}where
severity_level—specifies the severity levels of messages to be sent to the syslog server. For example, if you set the level to 3, then the security appliance sends system log messages for level 3, 2, 1, and 0. You can specify either the number (for example, 2) or the name (for example, critical).
For more information about message severity levels, see Severity Levels.
message_list—specifies a customized message list that identifies the system log messages to send to the syslog server. For information about creating custom message lists, see Filtering System Log Messages with Custom Message Lists.
The following example specifies that the security appliance should send to the syslog server all system log messages with a severity level of level 3 (errors) and higher. The security appliance will send messages with the severity of 3, 2, and 1.
hostname(config)# logging trap errorsStep 3
hostname(config)# logging device-id {hostname | ipaddress if_name | string text}The system log message includes the specified device ID (either the hostname and IP address of the specified interface or a string) in system log messages sent to a syslog server.
Step 4
To modify the logging facility setting, enter the following command:
hostname(config)# logging facility numberFor example:
hostname(config)# logging facility 16Step 5
hostname(config)# show loggingThe following example shows the output of the show logging command:
Syslog logging: enabledFacility: 16Timestamp logging: disabledStandby logging: disabledDeny Conn when Queue Full: disabledConsole logging: disabledMonitor logging: disabledBuffer logging: disabledTrap logging: level errors, facility 16, 3607 messages loggedLogging to infrastructure 10.1.2.3History logging: disabledDevice ID: 'inside' interface IP address "10.1.1.1"Mail logging: disabledASDM logging: disabled
Designating an E-mail Address as an Output Destination
You can configure the security appliance to send some or all system log messages to an e-mail address. When sent by e-mail, a system log message appears in the subject line of the e-mail message. For this reason, we recommend configuring this option to notify administrators of system log messages with high severity levels, such as critical, alert, and emergency.
To designate an e-mail address as an output destination, perform the following steps:
Step 1
To specify the system log messages to be sent, enter the following command:
hostname(config)# logging mail {message_list|severity_level level}The following example uses a message_list with the name "high-priority," previously set up with the logging list command.
hostname(config)# logging mail high-priorityStep 2
hostname(config)# logging from-address email_addressFor example:
hostname(config)# logging from-address xxx-001@example.comStep 3
To specify a recipient address, enter the following command:
hostname(config)# logging recipient-address e-mail_address [level severity_level]For example:
hostname(config)# logging recipient-address admin@example.com
Note
level 3).Step 4
hostname(config)# smtp-server hostnameFor example:
hostname(config)# smtp-server smtp-host-1
Designating ASDM as an Output Destination
You can configure the security appliance to send system log messages to the ASDM. The security appliance sets aside a buffer area for system log messages waiting to be sent to ASDM and saves messages in the buffer as they occur. The ASDM log buffer is a different buffer than the internal log buffer. For information about the internal log buffer, see Log Buffer Overview.
When the ASDM log buffer is full, security appliance deletes the oldest system log message to make room in the buffer for new system log messages. To control the number of system log messages retained in the ASDM log buffer by changing the size of the buffer.
To specify ASDM as an output destination, perform the following steps:
Step 1
hostname(config)# logging asdm {message_list|severity_level}Command option descriptions are as follows:
level
Sets the maximum level for system log messages. For example, if you set the level to 3, then the security appliance generates system log messages for level 3, 2, 1, and 0. You can specify either the number or the name, as follows:
•
•
•
•
•
•
•
•
message_list
Specifies the list that identifies the system log messages to send to the ASDM log buffer. For information about creating lists, see Filtering System Log Messages with Custom Message Lists.
The following example shows how enable logging and send to the ASDM log buffer system log messages of severity levels 0, 1, and 2.
hostname(config)# logging asdm 2Step 2
hostname(config)# logging asdm-buffer-size num_of_msgswhere num_of_msgs specifies the number of system log messages that the security appliance retains in the ASDM log buffer.
The following example shows how to set the ASDM log buffer size to 200 system log messages.
hostname(config)# logging asdm-buffer-size 200To erase the current contents of the ASDM log buffer, enter the following command:
hostname(config)# clear logging asdmViewing Logs Using a Telnet Session
To view syslog messages in a Telnet session, follow these steps:
Step 1
a.
hostname(config)# telnet ip_address [subnet_mask] [if_name]For example, if a host has the IP address 192.168.1.2, the command is:
hostname(config)# telnet 192.168.1.2 255.255.255.255b.
hostname(config)# telnet timeout 15Step 2
Step 3
Step 4
hostname(config)# enable(Enter your password at the prompt)hostname(config)# configure terminal
Step 5
hostname(config)# logging monitor level (1-7)Step 6
hostname(config)# terminal monitor
This command enables logging only for the current Telnet session. The logging monitor command sets the logging preferences for all Telnet sessions, while the terminal monitor (and terminal no monitor) commands control logging for each individual Telnet session.
Step 7
The syslog messages then appear in the Telnet session window.
Step 8
hostname(config)# terminal no monitorhostname(config)# no logging monitorDesignating the Log Buffer as an Output Destination
This section describes how to configure the security appliance to save system log messages in the internal log buffer, and it includes the following topics:
•
•
•
•
Log Buffer Overview
If configured as an output destination, the log buffer serves as a temporary storage location for system log messages. New messages are appended to the end of the listing. When the buffer is full, that is, when the buffer wraps, old messages are overwritten as new messages are generated. If you want to save log messages, you can configure the security appliance to save the buffer contents to an FTP server or to internal Flash memory each time the buffer fills so that old messages are not overwritten.
The log buffer size determines how many messages can be held in the buffer before it wraps. The default log buffer size is 4 KB.
When you enable the log buffer as an output destination, you can also specify which messages should be saved. Otherwise, all messages are saved in the log buffer as they are generated. You can configure the security appliance to select messages to be saved based on their severity level or based on a set of criteria that you specify in a customized message list. For information about limiting which messages are saved, see Filtering System Log Messages to be Sent to an Output Destination.
Enabling the Log Buffer as an Output Destination
The following procedure describes how to enable the log buffer as a log output destination and how to configure optional log buffer settings.
Step 1
hostname(config)# logging buffered {level | message_list}where level represents the severity level of messages to be saved and message_list is the name of a customized list that is used to select messages to be saved in the log buffer.
For the level option, specify the severity level either by its number (such as 3) or its name (such as error), both of which select messages of that severity level and higher. This means that if you specify severity level 3, messages with severity levels of 3, 2 and 1 will be saved in the log buffer.
For example, to specify that messages with severity levels 1 and 2 should be saved in the log buffer, enter one of the following commands:
hostname(config)# logging buffered criticalor
hostname(config)# logging buffered level 2For the message_list option, specify the name of a message list containing criteria for selecting messages to be saved in the log buffer.
hostname(config)# logging buffered notif-listYou can create a custom message list with the logging list command. For information about how to create a customized message list, see Filtering System Log Messages with Custom Message Lists.
Step 2
hostname(config)# logging buffer-size byteswhere the bytes option sets the amount of memory used for the log buffer, in bytes. For example, if you specify 8192, the security appliance uses 8 KB of memory for the log buffer.
The following example specifies that the security appliance uses 16 KB of memory for the log buffer:
hostname(config)# logging buffer-size 16384
Specifying What Happens When the Log Buffer Wraps
Unless configured otherwise, the security appliance address messages to the log buffer on a continuing basis, overwriting old messages when the buffer is full. If you want to keep a history of logs, you can configure the security appliance to send the buffer contents to another output location each time the buffer fills. Buffer contents can be saved either to internal Flash memory or to an FTP server.
When saving the buffer content to another location, the security appliance creates log files with names that use a default time-stamp format, as follows:
LOG-YYYY-MM-DD-HHMMSS.TXTwhere YYYY is the year, MM is the month, DD is the day of the month, and HHMMSS is the time in hours, minutes, and seconds.
While the security appliance writes the log buffer contents to internal Flash memory or an FTP server, it continues saving new messages to the log buffer.
To specify that messages in the log buffer should be saved to internal Flash memory each time the buffer wraps, enter the following command:
hostname(config)# logging flash-bufferwrapTo specify that messages in the log buffer should be saved to an FTP server each time the buffer wraps, perform the following steps:
Step 1
hostname(config)# logging ftp-bufferwrapStep 2
hostname(config)# logging ftp-server {server_address | server_hostname} path username passwordwhere
server_address—Specifies the external FTP server's IP address
server_hostname—Specifies the external FTP server's IP hostname
path—Specifies the directory path on the FTP server where the log buffer data is to be saved. This path is relative to the FTP root directory. For example: /security_appliances/syslogs/appliance107
username—Specifies a username that is valid for logging into the FTP server
password—Specifies the password for the username specified
The following example command specifies the server name logserver-352, the path /syslogs, the username logsupervisor, and the password 1luvMy10gs.
hostname(config)# logging ftp-server logserver-352 /syslogs logsupervisor 1luvMy10gs
Saving the Contents of the Log Buffer to Internal Flash Memory
At any time, you can save the contents of the buffer to internal Flash memory. To save the current contents of the log buffer to internal Flash memory, issue the following command:
hostname(config)# logging savelog [savefile]For example, the following example saves the contents of the log buffer to internal Flash memory using the file name latest-logfile.txt:
hostname(config)# logging savelog latest-logfile.txtClearing the Contents of the Log Buffer
To erase the contents of the log buffer, enter the following command:
hostname(config)# clear logging bufferFiltering System Log Messages to be Sent to an Output Destination
This section describes how to specify which system log messages should go to a particular output destination. It includes the following topics:
•
•
Message Filtering Overview
You can filter generated system log messages so that only certain system log messages are sent to a particular output destination. For example, you could configure the security appliance to send all system log messages to one output destination and also to send a subset of those system log messages to a different output destination.
Specifically, you can configure the security appliance so that system log messages are directed to an output destination according to the following:
•
•
•
•
For example, you could configure the security appliance to send to the internal log buffer all system log messages with severity levels of 1, 2 and 3, send all system log messages in the "ha" class to a particular syslog server, or create a list of messages that you name "high-priority" that are sent to an e-mail address to notify system administrators of a possible problem.
Filtering System Log Messages by Class
The system log message class provides a method of categorizing system log messages by type, equivalent to a feature or function of the security appliance. For example, the "vpnc" class denotes the VPN client.
With logging classes, you can specify an output location for an entire category of system log messages with a single command.
You can use system message classes in two ways:
•
•
All system log messages in a particular class share the same initial 3 digits in their system log message ID numbers. For example, all system log message IDs that begin with the digits 611 are associated with the vpnc (VPN client) class. System log messages associated with the VPN client feature range from 611101 to 611323.
Sending All Messages in a Class to a Specified Output Destination
To configure the security appliance to send an entire system log message class to a configured output destination, enter the following command:
hostname(config)# logging class message_class {buffered | console | history | mail | monitor | trap} [severity_level]where:
message_class—specifies a class of system log messages to be sent to the specified output destination. See Table 1-2for a list of system log message classes.
buffered | console | history | mail | monitor | trap—specifies the output destination to which system log messages in this class should be sent. Select one destination per command line entry. If you want to specify that a class should go to more than one destination, enter a new command for each output destination.
severity_level—further restricts the system log messages to be sent to the output destination by specifying a severity level. For more information about message severity levels, see Severity Levels.
The following example specifies that all system log messages related to the class ha (high availability, also known as failover) with a severity level of 1 (alerts) should be sent to the internal logging buffer.
hostname(config)# logging ha buffered alertshostname(config)#Table 1-2 lists the system log message classes and the ranges of system log message IDs associated with each class.
Filtering System Log Messages with Custom Message Lists
Creating a custom message list is a flexible way to exercise fine control over which system log messages are sent to which output destination. In a custom system log message list, you specify groups of system log messages using any or all of the following criteria: severity level, message IDs, ranges of system message IDs, or by message class.
For example, message lists can be used to:
•
•
A message list can include multiple criteria for selecting messages. However, you must add each message selection criteria with a new command entry. It is possible to create a message list containing overlapping message selection criteria. If two criteria in a message list select the same message, the message is logged only once.
Note
To create a customized list that the security appliance can use to select messages to be saved in the log buffer, perform the following steps:
Step 1
hostname(config)# logging list {message_list | [severity_level|message_class|message_ID|range_of_IDs]}where
message_list—specifies the name of the list containing message selection criteria
severity_level—specifies that all messages with the specified severity level should go to the log buffer
message_class—specifies that all messages associated with the specified message class should be saved in the log buffer
message_ID—specifies an individual system log message ID number
range_of_IDs—specifies a range of message ID numbers (for example, 103401-103599)
The following example creates a message list named notif-list that specifies messages with a severity level of 3 or higher should be saved in the log buffer:
hostname(config)# logging list notif-list level 3Step 2
The following example adds criteria to the message list: a range of message ID numbers, and the message class ha (high availability or failover). See Filtering System Log Messages by Class for more information about message classes.
hostname(config)# logging list notif-list 104024-105999hostname(config)# logging list my-list level criticalhostname(config)# logging list notif-list class ha(config)# logging list my-list level warning class vpnThe preceding example states that system log messages that match the criteria specified will be sent to the log buffer. The specified criteria for system log messages to be included in the list are:
•
•
•
A system log message is logged if it satisfies any of these conditions. If a system log satisfies more than one of the conditions, the message is logged only once.
Customizing the Log Configuration
This section describes other options for fine tuning the logging configuration. It includes the following topics:
•
•
•
•
•
•
•
Configuring the Logging Queue
The Cisco ASA has a fixed number of blocks in memory that can be allocated for buffering system log messages while they are waiting to be sent to the configured output destination. The number of blocks required depends on the length of the system log message queue and the number of syslog servers specified.
To specify the number of system log messages the security appliance can hold in its queue before sending them to the configured output destination, enter the following command:
hostname(config)# logging queue message_countwhere the message_count variable specifies the number of system log messages that can remain in the system log message queue while awaiting processing. The default is 512 system log messages. A setting of 0 (zero) indicates unlimited system log messages, that is, the queue size is limited only by block memory availability.
To view the queue and queue statistics, enter the following command:
hostname(config)# show logging queueIncluding the Date and Time in System Log Messages
To specify that system log messages should include the date and time that the system log messages was generated, enter the following command:
hostname(config)# logging timestampIncluding the Device ID in System Log Messages
To configure the security appliance to include a device ID in non-EMBLEM-format system log messages, enter the following command:
hostname(config)# logging device-id {context-name | hostname | ipaddress interface_name | string text}where
context-name—indicates that the name of the current context should be used as the device ID (applies only to security appliances running in multiple context mode only).
hostname—specifies that the hostname of the security appliance should be used as the device ID.
ipaddress interface_name—specifies that the IP address of the interface specified as interface_name should be used as the device ID.
If you use the ipaddress option, the device ID becomes the specified security appliance interface IP address, regardless of the interface from which the system log message is sent. This keyword provides a single, consistent device ID for all system log messages that are sent from the device.
string text—specifies that the characters entered in the text option should be used as the device ID. The string contain as many as 16 characters. You cannot use white space characters or any of the following characters in text:
•
•
•
•
•
•
Note
The following example enables the logging device ID for the security appliance:
hostname(config)# logging device-id hostnameThe following example enables the logging device ID for a security context on the security appliance:
hostname(config)# logging device-id context-nameIf you enable the logging device ID for the Admin context in multiple context mode, messages that originate in the system execution space use a device ID of system, and messages that originate in the Admin context use the name of the Admin context as the device ID.
Generating System Log Messages in EMBLEM Format
To use the EMBLEM format for system log messages sent to destinations other than a syslog server, enter the following command:
hostname(config)# logging emblemTo use the EMBLEM format for system log messages sent to a syslog server over UDP, specify the format emblem option when you configure the syslog server as a n output destination. Enter the following command:
hostname(config)# logging host interface_name ip_address {tcp[/port] | udp[/port]} [format emblem]where
interface_name and IP_address specifies the syslog server to receive the system log messages, tcp[/port] and udp[/port] indicate the protocol and port that should be used, and format emblem enables EMBLEM formatting for messages sent to the syslog server.
The Cisco ASA can send system log messages using either the UDP or TCP protocol; however, you can enable the EMBLEM format only for messages sent over UDP. The default protocol and port are UDP/514.
For example:
hostname(config)# logging host interface_1 122.243.006.123 udp format emblemDisabling a System Log Message
To prevent the security appliance from generating a particular system log message, enter the following command:
hostname(config)# no logging message message_numberhostname(config)#For example:
hostname(config)# no logging message 113019hostname(config)#To reenable a disabled system log message, enter the following command:
hostname(config)# logging message message_numberFor example:
hostname(config)# logging message 113019hostname(config)#To see a list of disabled system log messages, enter the following command:
hostname(config)# show logging messageTo reenable logging of all disabled system log messages, enter the following command:
hostname(config)# clear config logging disabledChanging the Severity Level of a System Log Message
To specify the logging level of a system log message, enter the following command:
hostname(config)# logging message message_ID level severity_levelThe following example modifies the severity level of system log message ID 113019 from 4 (warnings) to 5 (notifications):
hostname(config)# logging message 113019 level 5hostname(config)#To reset the logging level of a system log message to its default level, enter the following command.
hostname(config)# logging message message_ID level severity_levelThe following example modifies the severity level of system log message ID 113019 to its default value of 4 (warnings).
hostname(config)# no logging message 113019 level 5hostname(config)#To see a list of system log messages with modified severity levels, enter the following command:
hostname(config)# show logging messageTo reset the severity level of all modified system log messages back to their defaults, enter the following command:
hostname(config)# clear config logging levelhostname(config)#The series of commands in the following example illustrates the use of the logging message command to control both whether a system log message is enabled and the severity level of the system log message.
hostname(config)# show logging message 403503syslog 403503: default-level errors (enabled)hostname(config)# logging message 403503 level 1hostname(config)# show logging message 403503syslog 403503: default-level errors, current-level alerts (enabled)hostname(config)# no logging message 403503hostname(config)# show logging message 403503syslog 403503: default-level errors, current-level alerts (disabled)hostname(config)# logging message 403503hostname(config)# show logging message 403503syslog 403503: default-level errors, current-level alerts (enabled)hostname(config)# no logging message 403503 level 3hostname(config)# show logging message 403503syslog 403503: default-level errors (enabled)Changing the Amount of Internal Flash Memory Available for Logs
You can cause the security appliance to save the contents of the log buffer to Internal flash memory in two ways:
•
•
By default, the security appliance can use up to 1 MB of internal Flash memory for log data. The default minimum amount of internal Flash memory that must be free for the security appliance to save log data is 3 MB.
If a log file being saved to internal Flash memory would cause the amount of free internal Flash memory to fall below the configured minimum limit, the security appliance deletes the oldest log files to ensure that the minimum amount of memory remains free after saving the new log file. If there are no files to delete or if, after all old files are deleted, free memory would still be below the limit, the security appliance fails to save the new log file.
To modify the settings for the amount of internal Flash memory available for logs, complete the following steps:
Step 1
hostname(config)# logging flash-maximum-allocation kbyteswhere kbytes specifies the maximum amount of internal Flash memory, in kilobytes, that can be used for saving log files.
The following example sets the maximum amount of internal Flash memory that can be used for log files to approximately 1.2 MB:
hostname(config)# logging flash-maximum-allocation 1200Step 2
hostname(config)# logging flash-minimum-free kbyteswhere kbytes specifies the minimum amount of internal Flash memory, in kilobytes, that must be available before the security appliance saves a new log file.
The following example specifies that the minimum amount of free internal Flash memory must be 4000 KB before the security appliance can save a new log file:
hostname(config)# logging flash-minimum-free 4000
Understanding System Log Messages
This section describes the contents of system log messages generated by the security appliance. It includes the following topics:
•
System Log Message Format
System Log messages begin with a percent sign (%) and are structured as follows:
%PIX|ASA Level Message_number: Message_textField descriptions are as follows:
PIX|ASA
Identifies the system log message facility code for messages generated by the Cisco ASA. This value is always PIX|ASA.
Level
1-7. The level reflects the severity of the condition described by the system log message. The lower the number, the more severe the condition. See Table 1-3 for more information.
Message_number
A unique 6-digit number that identifies the system log message.
Message_text
A text string describing the condition. This portion of the system log message sometimes includes IP addresses, port numbers, or usernames. Table 1-4 lists the variable fields and the type of information in them.
Severity Levels
Table 1-3 lists the system log message severity levels.
Note
Variables Used in System Log Messages
System log messages often contain variables. Table 1-4 lists most variables that are used in this guide to describe system log messages. Some variables that appear in only one system log message are not listed.
