-
Cisco Security Appliance Command Reference, Version 8.0
-
About This Guide
-
Using the Command Line Interface
- A through B Commands
- C Commands
- D through F Commands
- G through I Commands
- J through L Commands
- M through O Commands
- P though R Commands
-
S Commands
-
same-security-traffic -- show asdm sessions
-
show asp drop -- show curpriv
-
show ddns -- show ipv6 traffic
-
show isakmp sa -- show route
-
show running-config -- show running-config isakmp
-
show running-config ldap -- show running-config webvpn auto-signon
-
show service-policy -- show xlate
-
shun -- sysopt radius ignore-secret
-
- T through Z Commands
-
Feedback
Table Of Contents
logging asdm through logout message Commands
logging flash-maximum-allocation
logging asdm through logout message Commands
logging asdm
To send system log messages to the ASDM log buffer, use the logging asdm command in global configuration mode. To disable logging to the ASDM log buffer, use the no form of this command.
logging asdm [logging_list | level]
no logging asdm [logging_list | level]
Syntax Description
Defaults
ASDM logging is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
Before any messages are sent to the ASDM log buffer, you must enable logging using the logging enable command.
When the ASDM log buffer is full, security appliance deletes the oldest message to make room in the buffer for new messages. To control the number of system log messages retained in the ASDM log buffer, use the logging asdm-buffer-size command.
The ASDM log buffer is a different buffer than the log buffer enabled by the logging buffered command.
Examples
This example shows how to enable logging and send to the ASDM log buffer messages of severity levels 0, 1, and 2. It also shows how to set the ASDM log buffer size to 200 messages.
hostname(config)# logging enablehostname(config)# logging asdm 2hostname(config)# logging asdm-buffer-size 200hostname(config)# show loggingSyslog logging: enabledFacility: 20Timestamp logging: disabledStandby logging: disabledDeny Conn when Queue Full: disabledConsole logging: disabledMonitor logging: disabledBuffer logging: disabledTrap logging: disabledHistory logging: disabledDevice ID: disabledMail logging: disabledASDM logging: level critical, 48 messages loggedRelated Commands
logging asdm-buffer-size
To specify the number of system log messages retained in the ASDM log buffer, use the logging asdm-buffer-size command in global configuration mode. To reset the ASDM log buffer to its default size of 100 messages, use the no form of this command.
logging asdm-buffer-size num_of_msgs
no logging asdm-buffer-size num_of_msgs
Syntax Description
num_of_msgs
Specifies the number of system log messages that the security appliance retains in the ASDM log buffer.
Defaults
The default ASDM syslog buffer size is 100 messages.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
When the ASDM log buffer is full, security appliance deletes the oldest message to make room in the buffer for new messages. To control whether logging to the ASDM log buffer is enabled or to control the kind of system log messages retained in the ASDM log buffer, use the logging asdm command.
The ASDM log buffer is a different buffer than the log buffer enabled by the logging buffered command.
Examples
This example shows how enable logging and send to the ASDM log buffer messages of severity levels 0, 1, and 2. It also shows how to set the ASDM log buffer size to 200 messages.
hostname(config)# logging enablehostname(config)# logging asdm 2hostname(config)# logging asdm-buffer-size 200hostname(config)# show loggingSyslog logging: enabledFacility: 20Timestamp logging: disabledStandby logging: disabledDeny Conn when Queue Full: disabledConsole logging: disabledMonitor logging: disabledBuffer logging: disabledTrap logging: disabledHistory logging: disabledDevice ID: disabledMail logging: disabledASDM logging: level critical, 48 messages loggedRelated Commands
logging buffered
To enable the security appliance to send system log messages to the log buffer, use the logging buffered command in global configuration mode. To disable logging to the log buffer, use the no form of this command.
logging buffered [logging_list | level]
no logging buffered [logging_list | level]
Syntax Description
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
Before any messages are sent to the log buffer, you must enable logging using the logging enable command.
New messages append to the end of the buffer. When the buffer fills up, the security appliance clears it and continues adding messages to it. When the log buffer is full, the security appliance deletes the oldest message to make room in the buffer for new messages. You can have buffer contents automatically saved each time the contents of the buffer have "wrapped", which means that all the messages since the last save have been replaced by new messages. For more information, see the logging flash-bufferwrap and logging ftp-bufferwrap commands.
At any time, you can save the contents of the buffer to Flash memory. For more information, see the logging savelog command.
System log messages sent to the buffer can be viewed with the show logging command.
Examples
This example configures logging to the buffer for level 0 and level 1 events:
hostname(config)# logging buffered alertshostname(config)#This example creates a list named notif-list with a maximum logging level of 7 and configures logging to the buffer for system log messages identified by the notif-list list.
hostname(config)# logging list notif-list level 7hostname(config)# logging buffered notif-listhostname(config)#Related Commands
logging buffer-size
To specify the size of the log buffer, use the logging buffer-size command in global configuration mode. To reset the log buffer to its default size of 4 KB of memory, use the no form of this command.
logging buffer-size bytes
no logging buffer-size bytes
Syntax Description
bytes
Sets the amount of memory used for the log buffer, in bytes. For example, if you specify 8192, the security appliance uses 8 KB of memory for the log buffer.
Defaults
The log buffer size is 4 KB of memory.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
To see whether the security appliance is using a log buffer of a size other than the default buffer size, use the show running-config logging command. If the logging buffer-size command is not shown, then the security appliance uses a log buffer of 4 KB.
For more information about how the security appliance uses the buffer, see the logging buffered command.
Examples
This example enables logging, enables the logging buffer, and specifies that the security appliance uses 16 KB of memory for the log buffer:
hostname(config)# logging enablehostname(config)# logging bufferedhostname(config)# logging buffer-size 16384hostname(config)#Related Commands
logging class
To configure the maximum logging level per logging destination for a message class, use the logging class command in global configuration mode. To remove a message class logging level configuration, use the no form of the command.
logging class class destination level [destination level . . .]
no logging class class
Syntax Description
Defaults
By default, the security appliance does not apply logging levels on a logging destination and message class basis. Instead, each enabled logging destination receives messages for all classes at the logging level determined by the logging list or level specified when you enabled the logging destination.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
Valid values for class include the following:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Valid logging destinations are as follows:
•
•
•
•
•
•
•
Examples
This example specifies that, for failover-related messages, the maximum logging level for the ASDM log buffer is 2 and the maximum logging level for the system log buffer is 7:
hostname(config)# logging class ha asdm 2 buffered 7hostname(config)#Related Commands
logging enable
Enables logging.
show logging
Displays the enabled logging options.
show running-config logging
Displays the logging-related portion of the running configuration.
logging console
To enable the security appliance to display system log messages in console sessions, use the logging console command in global configuration mode. To disable the display of system log messages in console sessions, use the no form of this command.
logging console [logging_list | level]
no logging console
Note
Syntax Description
Defaults
The security appliance does not display system log messages in console sessions by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
Before any messages are sent to the console, you must enable logging using the logging enable command.
Caution
Examples
This example shows how to enable system log messages of levels 0, 1, 2, and 3 to appear in console sessions:
hostname(config)# logging enablehostname(config)# logging console errorshostname(config)#Related Commands
logging debug-trace
To redirect debugging messages to logs as system log message 711001 issued at severity level 7, use the logging debug-trace command in global configuration mode. To stop sending debugging messages to logs, use the no form of this command.
logging debug-trace
no logging debug-trace
Syntax Description
This command has no arguments or keywords.
Defaults
By default, the security appliance does not include debug output in system log messages.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
Debug messages are generated as severity level 7 messages. They appear in logs with the system log message number 711001, but do not appear in any monitoring session.
Examples
This example shows how to enable logging, send log messages to the system log buffer, redirect debugging output to logs, and turn on debugging disk activity.
hostname(config)# logging enablehostname(config)# logging bufferedhostname(config)# logging debug-tracehostname(config)# debug disk filesystemAn example of a debug message that could appear in the logs follows:
%PIX-7-711001: IFS: Read: fd 3, bytes 4096Related Commands
logging enable
Enables logging.
show logging
Displays the enabled logging options.
show running-config logging
Displays the logging-related portion of the running configuration.
logging device-id
To configure the security appliance to include a device ID in non-EMBLEM-format system log messages, use the logging device-id command in global configuration mode. To disable the use of a device ID, use the no form of this command.
logging device-id {context-name | hostname | ipaddress interface_name | string text}
no logging device-id {context-name | hostname | ipaddress interface_name | string text}
Syntax Description
Defaults
No default device ID is used in system log messages.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
If you use the ipaddress keyword, the device ID becomes the specified security appliance interface IP address, regardless of the interface from which the message is sent. This keyword provides a single, consistent device ID for all messages that are sent from the device.
Examples
This example shows how to configure a host named secappl-1:
hostname(config)# logging device-id hostnamehostname(config)# show loggingSyslog logging: disabledFacility: 20Timestamp logging: disabledStandby logging: disabledConsole logging: disabledMonitor logging: disabledBuffer logging: level informational, 991 messages loggedTrap logging: disabledHistory logging: disabledDevice ID: hostname "secappl-1"The host name appears at the beginning of system log messages, such as in the following message:
secappl-1 %PIX-5-111008: User 'enable_15' executed the 'logging buffer-size 4096' command.Related Commands
logging enable
Enables logging.
show logging
Displays the enabled logging options.
show running-config logging
Displays the logging-related portion of the running configuration.
logging emblem
To use the EMBLEM format for system log messages sent to destinations other than a syslog server, use the logging emblem command in global configuration mode. To disable the use of EMBLEM format, use the no form of this command.
logging emblem
no logging emblem
Syntax Description
This command has no arguments or keywords.
Defaults
By default, the security appliance does not use EMBLEM format for system log messages.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The logging emblem command lets you to enable EMBLEM-format logging for all logging destinations other than syslog servers. If you also enable the logging timestamp keyword, the messages with a time stamp are sent.
To enable EMBLEM-format logging for syslog servers, use the format emblem option with the logging host command.
Examples
This example shows how to enable logging and enable the use of EMBLEM-format for logging to all logging destinations except syslog servers:
hostname(config)# logging enablehostname(config)# logging emblemhostname(config)#Related Commands
logging enable
Enables logging.
show logging
Displays the enabled logging options.
show running-config logging
Displays the logging-related portion of the running configuration.
logging enable
To enable logging for all configured output locations, use the logging enable command in global configuration mode. To disable logging, use the no form of this command.
logging enable
no logging enable
Syntax Description
This command has no arguments or keywords.
Defaults
Logging is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The logging enable command allows you to enable or disable sending system log messages to any of the supported logging destinations. You can stop all logging with the no logging enable command.
You can enable logging to individual logging destinations with the following commands:
•
•
•
•
•
•
•
Examples
This example shows how to enable logging. The output of the show logging command illustrates how each possible logging destination must be enabled separately.
hostname(config)# logging enablehostname(config)# show loggingSyslog logging: enabledFacility: 20Timestamp logging: disabledStandby logging: disabledDeny Conn when Queue Full: disabledConsole logging: disabledMonitor logging: disabledBuffer logging: disabledTrap logging: disabledHistory logging: disabledDevice ID: disabledMail logging: disabledASDM logging: disabledRelated Commands
show logging
Displays the enabled logging options.
show running-config logging
Displays the logging-related portion of the running configuration.
logging facility
To specify the logging facility used for messages sent to syslog servers, use the logging facility command in global configuration mode. To reset the logging facility to its default of 20, use the no form of this command.
logging facility facility
no logging facility
Syntax Description
Defaults
The default facility is 20 (LOCAL4).
Command Modes
The following table shows the modes in which you can enter the command, with the exceptions noted in the Syntax Description section:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
Syslog servers file messages based on the facility number in the message. There are eight possible facilities: 16 (LOCAL0) through 23 (LOCAL7).
Examples
This example shows how to specify that the security appliance specify the logging facility as 16 in system log messages. The output of the show logging command includes the facility being used by the security appliance.
hostname(config)# logging facility 16hostname(config)# show loggingSyslog logging: enabledFacility: 16Timestamp logging: disabledStandby logging: disabledDeny Conn when Queue Full: disabledConsole logging: disabledMonitor logging: disabledBuffer logging: disabledTrap logging: level errors, facility 16, 3607 messages loggedLogging to infrastructure 10.1.2.3History logging: disabledDevice ID: 'inside' interface IP address "10.1.1.1"Mail logging: disabledASDM logging: disabledRelated Commands
logging flash-bufferwrap
To enable the security appliance to write the log buffer to Flash memory every time the buffer is full of messages that have never been saved, use the logging flash-bufferwrap command in global configuration mode. To disable writing of the log buffer to Flash memory, use the no form of this command.
logging flash-bufferwrap
no logging flash-bufferwrap
Syntax Description
This command has no arguments or keywords.
Defaults
The defaults are as follows:
•
•
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
For the security appliance to write the log buffer to Flash memory, you must enable logging to the buffer; otherwise, the log buffer never has data to be written to Flash memory. To enable logging to the buffer, use the logging buffered command.
While the security appliance writes log buffer contents to Flash memory, it continues storing to the log buffer continues any new event messages.
The security appliance creates log files with names that use a default time-stamp format, as follows:
LOG-YYYY-MM-DD-HHMMSS.TXTwhere YYYY is the year, MM is the month, DD is the day of the month, and HHMMSS is the time in hours, minutes, and seconds.
The availability of Flash memory affects how the security appliance saves system log messages using the logging flash-bufferwrap command. For more information, see the logging flash-maximum-allocation and the logging flash-minimum-free commands.
Examples
This example shows how to enable logging, enable the log buffer, and enable the security appliance to write the log buffer to Flash memory:
hostname(config)# logging enablehostname(config)# logging bufferedhostname(config)# logging flash-bufferwraphostname(config)#
Related Commands
logging flash-maximum-allocation
To specify the maximum amount of Flash memory that the security appliance uses to store log data, use the logging flash-maximum-allocation command in global configuration mode. To reset the maximum amount of Flash memory used for this purpose to its default size of 1 MB of Flash memory, use the no form of this command.
logging flash-maximum-allocation kbytes
no logging flash-maximum-allocation kbytes
Syntax Description
kbytes
The largest amount of Flash memory, in kilobytes, that the security appliance can use to save log buffer data.
Defaults
The default maximum Flash memory allocation for log data is 1 MB.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
This command determines how much Flash memory is available for the logging savelog and logging flash-bufferwrap commands.
If a log file to be saved by logging savelog or logging flash-bufferwrap causes Flash memory use for log files to exceed the maximum amount specified by the logging flash-maximum-allocation command, the security appliance deletes the oldest log files to free sufficient memory for the new log file. If there are no files to delete or if, after all old files are deleted, free memory is too small for the new log file, the security appliance fails to save the new log file.
To see whether the security appliance has a maximum Flash memory allocation of a size different than the default size, use the show running-config logging command. If the logging flash-maximum-allocation command is not shown, then the security appliance uses a maximum of 1 MB for saved log buffer data. The memory allocated is used for both the logging savelog and logging flash-bufferwrap commands.
For more information about how the security appliance uses the log buffer, see the logging buffered command.
Examples
This example shows how to enable logging, enable the log buffer, enable the security appliance to write the log buffer to Flash memory, with the maximum amount of Flash memory used for writing log files set to approximately 1.2 MB of memory:
hostname(config)# logging enablehostname(config)# logging bufferedhostname(config)# logging flash-bufferwraphostname(config)# logging flash-maximum-allocation 1200hostname(config)#Related Commands
logging flash-minimum-free
To specify the minimum amount of free Flash memory that must exist before the security appliance saves a new log file, use the logging flash-minimum-free command in global configuration mode. This command affects how much free Flash memory must exist before the security appliance saves log files created by the logging savelog and logging flash-bufferwrap commands. To reset the minimum required amount of free Flash memory to its default size of 3 MB, use the no form of this command.
logging flash-minimum-free kbytes
no logging flash-minimum-free kbytes
Syntax Description
kbytes
The minimum amount of Flash memory, in kilobytes, that must be available before the security appliance saves a new log file.
Defaults
The default minimum free Flash memory is 3 MB.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The logging flash-minimum-free command specifies how much Flash memory the logging savelog and logging flash-bufferwrap commands must preserve at all times.
If a log file to be saved by logging savelog or logging flash-bufferwrap would cause the amount of free Flash memory to fall below the limit specified by the logging flash-minimum-free command, the security appliance deletes the oldest log files to ensure that the minimum amount of memory remains free after saving the new log file. If there are no files to delete or if, after all old files are deleted, free memory would still be below the limit, the security appliance fails to save the new log file.
Examples
This example shows how to enable logging, enable the log buffer, enable the security appliance to write the log buffer to Flash memory, and specifies that the minimum amount of free Flash memory must be 4000 KB:
hostname(config)# logging enablehostname(config)# logging bufferedhostname(config)# logging flash-bufferwraphostname(config)# logging flash-minimum-free 4000hostname(config)#Related Commands
logging from-address
To specify the sender e-mail address for system log messages sent by the security appliance, use the logging from-address command in global configuration mode. All sent system log messages appear to come from the address you specify. To remove the sender e-mail address, use the no form of this command.
logging from-address from-email-address
no logging from-address from-email-address
Syntax Description
from-email-address
Source e-mail address, that is, the e-mail address that system log messages appear to come from (for example, cdb@example.com).
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Sending system log messages by e-mail is enabled by the logging mail command.
The address specified with this command need not correspond to an existing e-mail account.
Examples
To enable logging and set up the security appliance to send system log messages by e-mail, use the following criteria:
•
•
•
•
Enter the following commands:
hostname(config)# logging enablehostname(config)# logging mail criticalhostname(config)# logging from-address ciscosecurityappliance@example.comhostname(config)# logging recipient-address admin@example.comhostname(config)# smtp-server pri-smtp-host sec-smtp-hostRelated Commands
logging ftp-bufferwrap
To enable the security appliance to send the log buffer to an FTP server every time the buffer is full of messages that have never been saved, use the logging ftp-bufferwrap command in global configuration mode. To disable sending the log buffer to an FTP server, use the no form of this command.
logging ftp-bufferwrap
no logging ftp-bufferwrap
Syntax Description
This command has no arguments or keywords.
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
When you enable logging ftp-bufferwrap, the security appliance sends log buffer data to the FTP server you specify with the logging ftp-server command. While the security appliance sends log data to the FTP server, it continues storing to the log buffer continues any new event messages.
For the security appliance to send log buffer contents to an FTP server, you must enable logging to the buffer; otherwise, the log buffer never has data to be written to Flash memory. To enable logging to the buffer, use the logging buffered command.
The security appliance creates log files with names that use a default time-stamp format, as follows:
LOG-YYYY-MM-DD-HHMMSS.TXTwhere YYYY is the year, MM is the month, DD is the day of the month, and HHMMSS is the time in hours, minutes, and seconds.
Examples
This example shows how enable logging, enable the log buffer, specify an FTP server, and enable the security appliance to write the log buffer to an FTP server. This example specifies an FTP server whose host name is logserver-352. The server can be accessed with the username logsupervisor and password 1luvMy10gs. Log files are to be stored in the /syslogs directory.
hostname(config)# logging enablehostname(config)# logging bufferedhostname(config)# logging ftp-server logserver-352 /syslogs logsupervisor 1luvMy10gshostname(config)# logging ftp-bufferwraphostname(config)#Related Commands
logging ftp-server
To specify details about the FTP server that the security appliance sends log buffer data to when logging ftp-bufferwrap is enabled, use the logging ftp-server command in global configuration mode. To remove all details about an FTP server, use the no form of this command.
logging ftp-server ftp_server path username [0 | 8] password
no logging ftp-server ftp_server path username [0 | 8] password
Syntax Description
Defaults
No FTP server is specified by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced.
8.0(5)
Support for password encryption was added.
Usage Guidelines
You can only specify one FTP server. If a logging FTP server is already specified, using the logging ftp-server command replaces that FTP server configuration with the new one you enter.
The security appliance does not verify the FTP server information you specify. If you misconfigure any of the details, the security appliance fails to send log buffer data to the FTP server.
During bootup or upgrade of the security appliance, single-digit passwords and passwords startingwith a digit followed by a whitespace are not supported. For example, 0 pass and 1 are invalid passwords.
Examples
This example shows how to enable logging, enable the log buffer, specify an FTP server, and enable the security appliance to write the log buffer to an FTP server. This example specifies an FTP server whose hostname is logserver-352. The server can be accessed with the username logsupervisor and password 1luvMy10gs. Log files are to be stored in the /syslogs directory.
hostname(config)# logging enablehostname(config)# logging bufferedhostname(config)# logging ftp-server logserver-352 /syslogs logsupervisor 1luvMy10gshostname(config)# logging ftp-bufferwrapThe following example shows how to enter an encrypted password:
hostname(config)# logging ftp-server logserver /path1 user1 8 JPAGWzIIFVlheXv2I9nglfytOzHUThe following example shows how to enter an unencrypted (clear text) password:
hostname(config)# logging ftp-server logserver /path1 user1 0 pass1Related Commands
logging history
To enable SNMP logging and specify which messages are to be sent to SNMP servers, use the logging history command in global configuration mode. To disable SNMP logging, use the no form of this command.
logging history [logging_list | level]
no logging history
Syntax Description
Defaults
The security appliance does not log to SNMP servers by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The logging history command allows you to enable logging to an SNMP server and to set the SNMP message level or event list.
Examples
This example shows how to enable SNMP logging and specify that messages of levels 0, 1, 2, and 3 are sent to the SNMP server configured:
hostname(config)# logging enablehostname(config)# snmp-server host infrastructure 10.2.3.7 trap community gam327hostname(config)# snmp-server enable traps sysloghostname(config)# logging history errorshostname(config)#Related Commands
logging host
To define a syslog server, use the logging host command in global configuration mode. To remove a syslog server definition, use the no form of this command.
logging host interface_name syslog_ip [tcp/port | udp/port] [format emblem] [secure] [permit-hostdown]
logging host interface_name syslog_ip
[no] logging host interface_name syslog_ip [tcp/port | udp/port] [format emblem] [secure]
[no] logging host interface_name syslog_ip
Syntax Description
Defaults
The default protocol is UDP.
The default port numbers are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The logging host ip_address format emblem command allows you to enable EMBLEM-format logging for each syslog server. EMBLEM-format logging is available for UDP system log messages only. If you enable EMBLEM-format logging for a particular syslog server, then the messages are sent to that server. If you also enable the logging timestamp keyword, the messages with a time stamp are sent.
You can use multiple logging host commands to specify additional servers that would all receive the system log messages. However, you can only specify a server to receive either UDP or TCP system log messages, not both.
Note
You can display only the port and protocol values that you previously entered by using the show running-config logging command and finding the command in the listing—TCP is listed as 6 and UDP is listed as 17. TCP ports work only with the syslog server. The port must be the same port on which the syslog server listens.
Note
The PIX security appliance does not support the secure keyword.Examples
This example shows how to send system log messages of severity levels 0, 1, 2, and 3 to a syslog server on the inside interface that uses the default protocol and port number.
hostname(config)# logging enablehostname(config)# logging host inside 10.2.2.3hostname(config)# logging trap errorshostname(config)#Related Commands
logging list
To create a logging list to use in other commands to specify messages by various criteria (logging level, event class, and message IDs), use the logging list command in global configuration mode. To remove the list, use the no form of this command.
logging list name {level level [class event_class] | message start_id[-end_id]}
no logging list name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
Logging commands that can use lists are the following:
•
•
•
•
•
•
•
Possible values for the event_class include the following:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Examples
This example shows how to use the logging list command:
hostname(config)# logging list my-list message 100100-100110hostname(config)# logging list my-list level criticalhostname(config)# logging list my-list level warning class vpnhostname(config)# logging buffered my-listThe preceding example states that system log messages that match the criteria specified will be sent to the logging buffer. The criteria specified in this example are:
•
•
•
If a system log message satisfies any one of these conditions, it is logged to the buffer.
Note
Related Commands
logging enable
Enables logging.
show logging
Displays the enabled logging options.
show running-config logging
Displays the logging-related portion of the running configuration.
logging mail
To enable the security appliance to send system log messages by e-mail and to determine which messages are sent by e-mail, use the logging mail command in global configuration mode. To disable e-mailing of system log messages, use the no form of this command.
logging mail [logging_list | level]
no logging mail [logging_list | level]
Syntax Description
Defaults
Logging to e-mail is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
E-mailed system log messages appear in the subject line of the e-mails sent.
Examples
To set up the security appliance to send system log messages by e-mail, use the following criteria:
•
•
•
•
Enter the following commands:
hostname(config)# logging mail criticalhostname(config)# logging from-address ciscosecurityappliance@example.comhostname(config)# logging recipient-address admin@example.comhostname(config)# smtp-server pri-smtp-host sec-smtp-hostRelated Commands
logging message
To specify the logging level of a system log message, use the logging message command with the level keyword in global configuration mode. To reset the logging level of a message to its default level, use the no form of this command. To prevent the security appliance from generating a particular system log message, use the no form of the logging message command (without the level keyword) in global configuration mode. To let the security appliance generate a particular system log message, use the logging message command (without the level keyword). These two versions of the logging message command can be used in parallel. See the "Examples" section that follows.
logging message syslog_id level level
no logging message syslog_id level level
logging message syslog_id
no logging message syslog_id
Syntax Description
Defaults
By default, all system log messages are enabled and the severity levels of all messages are set to their default levels.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
You can use the logging message command for two purposes:
•
•
You can use the show logging command to determine the level currently assigned to a message and whether the message is enabled.
Examples
The series of commands in the following example illustrate the use of the logging message command to control both whether a message is enabled and the severity level of the messages:
hostname(config)# show logging message 403503syslog 403503: default-level errors (enabled)hostname(config)# logging message 403503 level 1hostname(config)# show logging message 403503syslog 403503: default-level errors, current-level alerts (enabled)hostname(config)# no logging message 403503hostname(config)# show logging message 403503syslog 403503: default-level errors, current-level alerts (disabled)hostname(config)# logging message 403503hostname(config)# show logging message 403503syslog 403503: default-level errors, current-level alerts (enabled)hostname(config)# no logging message 403503 level 3hostname(config)# show logging message 403503syslog 403503: default-level errors (enabled)Related Commands
logging monitor
To enable the security appliance to display system log messages in SSH and Telnet sessions, use the logging monitor command in global configuration mode. To disable the display of system log messages in SSH and Telnet sessions, use the no form of this command.
logging monitor [logging_list | level]
no logging monitor
Syntax Description
Defaults
The security appliance does not display system log messages in SSH and Telnet sessions by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The logging monitor command enables system log messages for all sessions in the current context; however, in each session, the terminal command controls whether system log messages appear in that session.
Examples
This example shows how to enable the display of system log messages in console sessions. The use of the errors keyword indicates that messages of levels 0, 1, 2, and 3 should display in SSH and Telnet sessions. The terminal command enables the messages to appear in the current session.
hostname(config)# logging enablehostname(config)# logging monitor errorshostname(config)# terminal monitorhostname(config)#Related Commands
logging permit-hostdown
To make the status of a TCP-based syslog server irrelevant to new user sessions, use the logging permit-hostdown command in global configuration mode. To cause the security appliance to deny new user sessions when a TCP-based syslog server is unavailable, use the no form of this command.
logging permit-hostdown
no logging permit-hostdown
Syntax Description
This command has no arguments or keywords.
Defaults
By default, if you have enabled logging to a syslog server that uses a TCP connection, the security appliance does not allow new network access sessions when the syslog server is unavailable for any reason.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
If you are using TCP as the logging transport protocol for sending messages to a syslog server, the security appliance denies new network access sessions as a security measure if the security appliance is unable to reach the syslog server. You can use the logging permit-hostdown command to remove this restriction.
Examples
The following example makes the status of TCP-based syslog servers irrelevant to whether the security appliance permits new sessions. When the logging permit-hostdown command includes in its output the show running-config logging command, the status of TCP-based syslog servers is irrelevant to new network access sessions.
hostname(config)# logging permit-hostdownhostname(config)# show running-config logginglogging enablelogging trap errorslogging host infrastructure 10.1.2.3 6/1470logging permit-hostdownhostname(config)#Related Commands
logging queue
To specify how many system log messages the security appliance may hold in its queue before processing them according to the logging configuration, use the logging queue command in global configuration mode. To reset the logging queue size to the default of 512 messages, use the no form of this command.
logging queue queue_size
no logging queue queue_size
Syntax Description
Defaults
The default queue size is 512 messages.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
When traffic is so heavy that the queue fills up, the security appliance may discard messages. On the ASA-5505, the maximum queue size is 1024. On the ASA-5510, it is 2048. On all other platforms, it is 8192 .
Examples
This example shows how to display the output of the logging queue and show logging queue commands:
hostname(config)# logging queue 0hostname(config)# show logging queueLogging Queue length limit : UnlimitedCurrent 5 msg on queue, 3513 msgs most on queue, 1 msg discard.In this example, the logging queue command is set to 0, which means that the queue is set to the maximum of 8192. The system log messages in the queue are processed by the security appliance in the manner dictated by the logging configuration, such as sending system log messages to mail recipients, saving them to Flash memory, and so forth.
The output of this example show logging queue command shows that 5 messages are queued, 3513 messages was the largest number of messages in the queue at one time since the security appliance was last booted, and that 1 message was discarded. Even though the queue was set for unlimited, the messages was discarded because no block memory was available to add the message to the queue.
Related Commands
logging enable
Enables logging.
show logging
Displays the enabled logging options.
show running-config logging
Displays the logging-related portion of the running configuration.
logging rate-limit
To limit the rate at which system log messages are generated, use the logging rate-limit command in privileged EXEC mode. To disable rate limiting, use the no form of this command in privileged EXEC mode.
logging rate-limit {unlimited | {num [interval]}} message syslog_id | level severity_level
[no] logging rate-limit [unlimited | {num [interval]}} message syslog_id ] level severity_level
Syntax Description
Defaults
The default setting for interval is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
The system message severity levels are as follows:
·0—System Unusable
·1—Take Immediate Action
·2—Critical Condition
·3—Error Message
·4—Warning Message
·5—Normal but significant condition
·6—Informational
·7—Debug Message
Examples
To limit the rate of system log message generation, you can enter a specific message ID. The following example shows how to limit the rate of system log message generation using a specific message ID and time interval:
hostname(config)# logging rate-limit 100 600 message 302020This example suppresses system log message 302020 from being sent to the host after the rate limit of 100 is reached in the specified interval of 600 seconds.
To limit the rate of system log message generation, you can enter a specific severity level. The following example shows how to limit the rate of system log message generation using a specific severity level and time interval.
hostname(config)# logging rate-limit 1000 600 level 6This example suppresses all system log messages under severity level 6 to the specified rate limit of 1000 in the specified time interval of 600 seconds. Each system log message in severity level 6 has a rate limit of 1000.
Related Commands
logging recipient-address
To specify the receiving e-mail address for system log messages sent by the security appliance, use the logging recipient-address command in global configuration mode. To remove the receiving e-mail address, use the no form of this command. You can configure up to 5 recipient addresses. If you want, each recipient address can have a different message level than that specified by the logging mail command.
logging recipient-address address [level level]
no logging recipient-address address [level level]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Sending system log messages by e-mail is enabled by the logging mail command.
You can configure up to 5 logging recipient-address commands. Each command can have a different logging level than the others. This command is useful when you want more urgent messages to go to a larger number of recipients than less urgent messages are sent to.
Examples
To set up the security appliance to send system log messages by e-mail, use the following criteria:
•
•
•
•
Enter the following commands:
hostname(config)# logging mail criticalhostname(config)# logging from-address ciscosecurityappliance@example.comhostname(config)# logging recipient-address admin@example.comhostname(config)# smtp-server pri-smtp-host sec-smtp-hostRelated Commands
logging savelog
To save the log buffer to Flash memory, use the logging savelog command in privileged EXEC mode.
logging savelog [savefile]
Syntax Description
Defaults
The defaults are as follows:
•
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
—
Command History
Usage Guidelines
Before you can save the log buffer to Flash memory, you must enable logging to the buffer; otherwise, the log buffer never has data to be saved to Flash memory. To enable logging to the buffer, use the logging buffered command.
Note
Examples
This example enables logging and the log buffer, exits global configuration mode, and saves the log buffer to Flash memory, using the file name latest-logfile.txt:
hostname(config)# logging enablehostname(config)# logging bufferedhostname(config)# exithostname# logging savelog latest-logfile.txthostname#Related Commands
logging standby
To enable the failover standby security appliance to send the system log messages of this security appliance to logging destinations, use the logging standby command in global configuration mode. To disable system log messaging and SNMP logging, use the no form of this command.
logging standby
no logging standby
Syntax Description
This command has no arguments or keywords.
Defaults
The logging standby command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
You can enable logging standby to ensure that the system log messages of the failover standby security appliance stay synchronized if failover occurs.
Note
Examples
The following example enables the security appliance to send system log messages to the failover standby security appliance. The output of the show logging command reveals that this feature is enabled.
hostname(config)# logging standbyhostname(config)# show loggingSyslog logging: enabledFacility: 20Timestamp logging: disabledStandby logging: enabledDeny Conn when Queue Full: disabledConsole logging: disabledMonitor logging: disabledBuffer logging: disabledTrap logging: disabledHistory logging: disabledDevice ID: 'inside' interface IP address "10.1.1.1"Mail logging: disabledASDM logging: disabledRelated Commands
logging timestamp
To specify that system log messages should include the date and time that the messages was generated, use the logging timestamp command in global configuration mode. To remove the date and time from system log messages, use the no form of this command.
logging timestamp
no logging timestamp
Syntax Description
This command has no arguments or keywords.
Defaults
The security appliance does not include the date and time in system log messages by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The logging timestamp command makes the security appliance include a timestamp in all system log messages.
Examples
The following example enables the inclusion of timestamp information in all system log messages:
hostname(config)# logging enablehostname(config)# logging timestamphostname(config)#Related Commands
logging enable
Enables logging.
show logging
Displays the enabled logging options.
show running-config logging
Displays the logging-related portion of the running configuration.
logging trap
To specify which system log messages the security appliance sends to a syslog server, use the logging trap command in global configuration mode. To remove this command from the configuration, use the no form of this command.
logging trap [logging_list | level]
no logging trap
Syntax Description
Defaults
No default system log message trap is defined.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
If you are using TCP as the logging transport protocol, the security appliance denies new network access sessions as a security measure if the security appliance is unable to reach the syslog server, if the syslog server is misconfigured, or if the disk is full.
UDP-based logging does not prevent the security appliance from passing traffic if the syslog server fails.
Examples
This example shows how to send system log messages of levels 0, 1, 2, and 3 to a syslog server that resides on the inside interface and uses the default protocol and port number.
hostname(config)# logging enablehostname(config)# logging host inside 10.2.2.3hostname(config)# logging trap errorshostname(config)#Related Commands
login
To log into privileged EXEC mode using the local user database (see the username command) or to change user names, use the login command in user EXEC mode.
login
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
User EXEC
•
•
•
•
—
Command History
Usage Guidelines
From user EXEC mode, you can log in to privileged EXEC mode as any username in the local database using the login command. The login command is similar to the enable command when you have enable authentication turned on (see the aaa authentication console command). Unlike enable authentication, the login command can only use the local username database, and authentication is always required with this command. You can also change users using the login command from any CLI mode.
To allow users to access privileged EXEC mode (and all commands) when they log in, set the user privilege level to 2 (the default) through 15. If you configure local command authorization, then the user can only enter commands assigned to that privilege level or lower. See the aaa authorization command for more information.
Caution
Examples
The following example shows the prompt after you enter the login command:
hostname> loginUsername:Related Commands
login-button
To customize the Login button of the WebVPN page login box that is displayed to WebVPN users when they connect to the security appliance, use the login-button command from webvpn customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
login-button {text | style} value
[no] login-button {text | style} value
Syntax Description
Defaults
The default login button text is "Login".
The default login button style is:
border: 1px solid black;background-color:white;font-weight:bold; font-size:80%
Command Modes
The following table shows the modes in which you can enter the command:
WebVPN customization configuration
•
—
•
—
—
Command History
Usage Guidelines
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
The following example customizes the Login button with the text "OK":
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)# login-button text OKRelated Commands
login-message
To customize the login message of the WebVPN page displayed to WebVPN users when they connect to the security appliance, use the login-message command from webvpn customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
login-message {text | style} value
[no] login-message {text | style} value
Syntax Description
Defaults
The default login message is "Please enter your username and password".
The default login message style is background-color:#CCCCCC;color:black.
Command Modes
The following table shows the modes in which you can enter the command:
WebVPN customization configuration
•
—
•
—
—
Command History
Usage Guidelines
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
In the following example, the login message text is set to "username and password":
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)# login-message text username and passwordRelated Commands
login-title
To customize the title of the login box on the WebVPN page displayed to WebVPN users, use the login-title command from webvpn customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
login-title {text | style} value
[no] login-title {text | style} value
Syntax Description
Defaults
The default login text is "Login".
The default HTML style of the login title is background-color: #666666; color: white.
Command Modes
The following table shows the modes in which you can enter the command:
WebVPN customization configuration
•
—
•
—
—
Command History
Usage Guidelines
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
The following example configures the login title style:
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)# login-title style background-color: rgb(51,51,255);color: rgb(51,51,255); font-family: Algerian; font-size: 12pt; font-style: italic; font-weight: boldRelated Commands
logo
To customize the logo on the WebVPN page displayed to WebVPN users when they connect to the security appliance, use the logo command from webvpn customization mode. To remove a logo from the configuration and reset the default (the Cisco logo), use the no form of this command.
logo {none | file {path value}}
[no] logo {none | file {path value}}
Syntax Description
Defaults
The default logo is the Cisco logo.
Command Modes
The following table shows the modes in which you can enter the command:
WebVPN customization configuration
•
—
•
—
—
Command History
Usage Guidelines
If the filename you specify does not exist, an error message displays. If you remove a logo file but the configuration still points to it, no logo displays.
The filename cannot contain spaces.
Examples
In the following example, the file cisco_logo.gif contains a custom logo:
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)#logo file disk0:cisco_logo.gifRelated Commands
title
Customizes the title of the WebVPN page.
page style
Customizes the WebVPN page using Cascading Style Sheet (CSS) parameters.
logout
To exit from the CLI, use the logout command in user EXEC mode.
logout
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
User EXEC
•
•
•
•
•
Command History
Usage Guidelines
The logout command lets you log out of the security appliance. You can use the exit or quit commands to go back to unprivileged mode.
Examples
The following example shows how to log out of the security appliance:
hostname> logoutRelated Commands
login
Initiates the log-in prompt.
exit
Exits an access mode.
quit
Exits configuration or privileged mode.
logout-message
To customize the logout message of the WebVPN logout screen that is displayed to WebVPN users when they logout from WebVPN service, use the logout-message command from webvpn customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
logout-message {text | style} value
[no] logout-message {text | style} value
Syntax Description
Defaults
The default logout message text is "Goodbye".
The default logout message style is background-color:#999999;color:black.
Command Modes
The following table shows the modes in which you can enter the command:
WebVPN customization configuration
•
—
•
—
—
Command History
Usage Guidelines
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
The following example configures the logout message style:
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)# logout-message style background-color: rgb(51,51,255);color: rgb(51,51,255); font-family: Algerian; font-size: 12pt; font-style: italic; font-weight: boldRelated Commands
