Table Of Contents

logging asdm through logout message Commands

logging ftp-server

logging buffered

logging device-id

logging trap

logging rate-limit

logging flow-export-syslogs enable | disable

logging facility

logging emblem

logging history

logging recipient-address

logging savelog

logging timestamp

logging enable

logging mail

logging host

logging facility

logging from-address

logging from-address

logging flash-minimum-free

logging standby

logging class

logging asdm-buffer-size

logging message

logging permit-hostdown

logging asdm

logging debug-trace

logging buffer-size

logging flash-maximum-allocation

logging list

logging console

logging flash-bufferwrap

login

login-button

login-message

login-title

logo

logout

logout-message

logging asdm through logout message Commands

---

logging ftp-server

To specify details about the FTP server that the security appliance sends log buffer data to when the logging ftp-bufferwrap command is enabled, use the logging ftp-server command in global configuration mode. To remove all details about an FTP server, use the no form of this command.

logging ftp-server ftp-server ftp_server path username password

no logging ftp-server ftp-server ftp_server path username password

Syntax Description

ftp-server	External FTP server IP address or hostname. Note If you specify a hostname, be sure DNS is operating correctly on your network.
password	The password for the username specified.
path	Directory path on the FTP server where the log buffer data is to be saved. This path is relative to the FTP root directory. For example: /security_appliances/syslogs/appliance107
username	A username that is valid for logging in to the FTP server.

Defaults

No FTP server is specified by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

You can only specify one FTP server. If a logging FTP server is already specified, using the logging ftp-server command replaces that FTP server configuration with the new one you enter.

The security appliance does not verify the FTP server information that you specify. If you misconfigure any of the details, the security appliance fails to send log buffer data to the FTP server.

Examples

The following example shows how to enable logging, enable the log buffer, specify an FTP server, and enable the security appliance to write the log buffer to an FTP server. This example specifies an FTP server whose hostname is logserver-352. The server can be accessed with the username, logsupervisor and password, 1luvMy10gs. Log files must be stored in the /syslogs directory.

hostname(config)# logging enable

hostname(config)# logging buffered

hostname(config)# logging ftp-server logserver-352 /syslogs logsupervisor 1luvMy10gs

hostname(config)# logging ftp-bufferwrap

hostname(config)#

Related Commands

Command	Description
clear logging buffer	Clears the log buffer of all syslog messages that it contains.
logging buffered	Enables logging to the log buffer.
logging buffer-size	Specifies log buffer size.
logging enable	Enables logging.
logging ftp-bufferwrap	Sends the log buffer to an FTP server when the log buffer is full.

logging buffered

To enable the security appliance to send syslog messages to the log buffer, use the logging buffered command in global configuration mode. To disable logging to the log buffer, use the no form of this command.

logging buffered [logging_list | level]

no logging buffered [logging_list | level]

Syntax Description

level

Sets the maximum severity level for syslog messages. For example, if you set the severity level to 3, then the security appliance generates syslog messages for severity levels 3, 2, 1, and 0. You can specify either the number or the name, as follows: •0 or emergencies—System is unusable. •1 or alerts—Immediate action needed. •2 or critical—Critical conditions. •3 or errors—Error conditions. •4 or warnings—Warning conditions. •5 or notifications—Normal but significant conditions. •6 or informational—Informational messages only. •7 or debugging—Debugging messages only.

logging_list

Specifies the list that identifies the messages to send to the log buffer. For information about creating lists, see the logging list command.

Defaults

The defaults are as follows:

•Logging to the buffer is disabled.

•Buffer size is 4 KB.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

Before any messages are sent to the log buffer, you must enable logging using the logging enable command.

New messages append to the end of the buffer. When the buffer fills up, the security appliance clears it and continues adding messages to it. When the log buffer is full, the security appliance deletes the oldest message to make room in the buffer for new messages. You can have buffer contents automatically saved each time the contents of the buffer have "wrapped," which means that all the messages since the last save have been replaced by new messages. For more information, see the logging flash-bufferwrap and logging ftp-bufferwrap commands.

At any time, you can save the contents of the buffer to flash memory. For more information, see the logging savelog command.

You can view syslog messages sent to the buffer with the show logging command.

Examples

The following example configures logging to the buffer for severity level 0 and 1 events:

hostname(config)# logging buffered alerts

hostname(config)#

The following example creates a list named notif-list with a maximum severity level of 7 and configures logging to the buffer for syslog messages that are identified by the notif-list list.

hostname(config)# logging list notif-list level 7

hostname(config)# logging buffered notif-list

hostname(config)#

Related Commands

Command	Description
clear logging buffer	Clears the log buffer of all syslog messages.
logging buffer-size	Specifies log buffer size.
logging enable	Enables logging.
logging flash-bufferwrap	Writes the log buffer to flash memory when the log buffer is full.
logging ftp-bufferwrap	Sends the log buffer to an FTP server when the log buffer is full.
logging list	Creates a reusable list of message selection criteria.

logging device-id

To configure the security appliance to include a device ID in non-EMBLEM-format syslog messages, use the logging device-id command in global configuration mode. To disable the use of a device ID, use the no form of this command.

logging device-id {context-name | hostname | ipaddress interface_name | string text}

no logging device-id {context-name | hostname | ipaddress interface_name | string text}

Syntax Description

context-name	Specifies the name of the current context as the device ID.
hostname	Specifies the hostname of the security appliance as the device ID.
ipaddress interface_name	Specifies the device ID or the IP address of the interface in interface_name. If you use the ipaddress keyword, syslog messages that are sent to an external server contain the IP address of the interface specified, regardless of which interface the security appliance uses to send the log data to the external server.
string text	Specifies the characters contained in text as the device ID, which can be up to 16 characters long. You cannot use white space characters or any of the following special characters: •&—ampersand •'—single quote •"—double quote •<—less than •>—greater than •?—question mark

Defaults

No default device ID is used in syslog messages.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

If you use the ipaddress keyword, the device ID becomes the specified security appliance interface IP address, regardless of the interface from which the message is sent. This keyword provides a single, consistent device ID for all messages that are sent from the device.

Examples

The following example shows how to configure a host named secappl-1:

hostname(config)# logging device-id hostname

hostname(config)# show logging

Syslog logging: disabled

Facility: 20

Timestamp logging: disabled

Standby logging: disabled

Console logging: disabled

Monitor logging: disabled

Buffer logging: level informational, 991 messages logged

Trap logging: disabled

History logging: disabled

Device ID: hostname "secappl-1"

The hostname appears at the beginning of syslog messages, as shown in the following message:

secappl-1 %PIX-5-111008: User 'enable_15' executed the 'logging buffer-size 4096' command.

Related Commands

Command	Description
logging enable	Enables logging.
show logging	Displays the enabled logging options.
show running-config logging	Displays the logging-related portion of the running configuration.

logging trap

To specify which syslog messages the security appliance sends to a syslog server, use the logging trap command in global configuration mode. To remove this command from the configuration, use the no form of this command.

logging trap [logging_list | level]

no logging trap [logging_list | level]

Syntax Description

level

Sets the maximum level for syslog messages. For example, if you set the level to 3, then the security appliance generates syslog messages for levels 3, 2, 1, and 0. You can specify either the number or the name, as follows: •0 or emergencies—System is unusable. •1 or alerts—Immediate action needed. •2 or critical—Critical conditions. •3 or errors—Error conditions. •4 or warnings—Warning conditions. •5 or notifications—Normal but significant conditions. •6 or informational—Informational messages only. •7 or debugging—Debugging messages only.

logging_list

Specifies the list that identifies the messages to send to the syslog server. For information about creating lists, see the logging list command.

Defaults

No default beavior or values.

Command Modes

The following table shows the modes in which you can enter the command.

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

If you are using TCP as the logging transport protocol, the security appliance denies new network access sessions as a security measure if the security appliance is unable to reach the syslog server, if the syslog server is misconfigured, or if the disk is full.

UDP-based logging does not prevent the security appliance from passing traffic if the syslog server fails.

Examples

The following example shows how to send syslog messages of severity levels 0, 1, 2, and 3 to a syslog server that resides on the inside interface and uses the default protocol and port number.

hostname(config)# logging enable

hostname(config)# logging host inside 10.2.2.3

hostname(config)# logging trap errors

hostname(config)# 

Related Commands

Command	Description
logging enable	Enables logging.
logging host	Defines a syslog server.
logging list	Creates a reusable list of message selection criteria.
show logging	Displays the enabled logging options.
show running-config logging	Displays the logging-related portion of the running configuration.

logging rate-limit

To limit the rate at which syslog messages are generated, use the logging rate-limit command in privileged EXEC mode. To disable rate limiting, use the no form of this command.

logging rate-limit {unlimited | {num [interval]}} message syslog_id | level severity_level

[no] logging rate-limit [unlimited | {num [interval]}} message syslog_id ] level severity_level

Syntax Description

interval	(Optional) Specifies the time interval (in seconds) to use for measuring the rate at which messages are generated. The valid range of values for interval is 1 through 2147483647.
level severity_level	Applies the set rate limits on all syslog messages that belong to a certain severity level. All syslog messages at a specified severity level are rate-limited individually. The valid range for severity_level is 1 through 7.
message	Suppresses reporting of this syslog message.
num	Indicates the number of syslog messages that can be generated during the specified time interval. The valid range of values for num is 1 through 2147483647.
syslog_id	Identifies the ID of the syslog message to be suppressed. The valid range of values is 100000-999999.
unlimited	Disables rate limiting, which means that there is no limit on the logging rate.

Defaults

The default setting for interval is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
7.0(4)	This command was introduced.

Usage Guidelines

The system message severity levels are as follows:

·0—System is unusable

·1—Immediate action needed

·2—Critical Conditions

·3—Error Conditions

·4—Warning Conditions

·5—Normal but significant conditions

·6—Informational messages only

·7—Debugging messages only

Examples

To limit the rate of syslog message generation, you can enter a specific message ID. The following example shows how to limit the rate of syslog message generation using a specific message ID and time interval:

hostname(config)# logging rate-limit 100 600 message 302020

The following example suppresses syslog message 302020 from being sent to the host after the rate limit of 100 is reached in the specified interval of 600 seconds.

To limit the rate of syslog message generation, you can enter a specific severity level. The following example shows how to limit the rate of syslog message generation using a specific severity level and time interval.

hostname(config)# logging rate-limit 1000 600 level 6

The following example suppresses all syslog messages in severity level 6 to the specified rate limit of 1000 in the specified time interval of 600 seconds. Each syslog message in severity level 6 has a rate limit of 1000.

Related Commands

Command	Description
clear running-config logging rate-limit	Resets the logging rate limit setting to its default.
show logging	Shows the messages currently in the internal buffer or logging configuration settings.
show running-config logging rate-limit	Shows the current logging rate limit setting.

logging flow-export-syslogs enable | disable

To enable all of the syslog messages that NetFlow captures, use the logging flow-export-syslogs enable command in global configuration mode. To disable all of the syslog messages that NetFlow captures, use the logging flow-export-syslogs disable command in global configuration mode.

logging flow-export-syslogs {enable | disable}

Syntax Description

This command has no arguments or keywords.

Defaults

By default, all syslogs that are captured by NetFlow are enabled.

Command Modes

The following table shows the modes in which you can enter the command.

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
8.1(1)	This command was introduced.

Usage Guidelines

If the security appliance is configured to export NetFlow data, to improve performance, we recommend that you disable redundant syslog messages (those also captured by NetFlow) by entering the logging flow-export-syslogs disable command. The syslog messages that will be disabled are as follows:

Syslog Message	Description
106015	A TCP flow was denied because the first packet was not a SYN packet.
106023	A flow that is denied by an ingress ACL or an egress ACL that is attached to an interface through the access-group command.
106100	A flow that is permitted or denied by an ACL.
302013 and 302014	A TCP connection and deletion.
302015 and 302016	A UDP connection and deletion.
302017 and 302018	A GRE connection and deletion.
302020 and 302021	An ICMP connection and deletion.
313001	An ICMP packet to the security appliance was denied.
313008	An ICMPv6 packet to the security appliance was denied.
710003	An attempt to connect to the security appliance was denied.

---

Note Although this is a configuration mode command, it is not stored in the configuration. Only the no logging message xxxxxx commands are stored in the configuration.

---

Examples

The following example shows how to disable redundant syslog messages that NetFlow captures and the sample output that appears:

hostname(config)# logging flow-export-syslogs disable

hostname(config)# show running-config logging

no logging message xxxxx1

no logging message xxxxx2

where the xxxxx1 and xxxxx2 are syslog messages that are redundant, because the same information has been captured through NetFlow. This command is like a command alias, and will convert to a batch of no logging message xxxxxx commands. After you have disabled the syslog messages, you can enable them individually with the logging message xxxxxx command, where xxxxxx is the specific syslog message number.

Related Commands

Commands	Description
flow-export destination interface-name ipv4-address | hostname udp-port	Specifies the IP address or hostname of the NetFlow collector, and the UDP port on which the NetFlow collector is listening.
flow-export template timeout-rate minutes	Controls the interval at which the template information is sent to the NetFlow collector.
show flow-export counters	Displays a set of runtime counters for NetFlow.

logging facility

To specify the logging facility used for messages sent to syslog servers, use the logging facility command in global configuration mode. To reset the logging facility to its default of 20, use the no form of this command.

logging facility  facility

no logging facility 

Syntax Description

facility

Specifies the logging facility; valid values are 16 through 23.

Defaults

The default facility is 20 (LOCAL4).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

Syslog servers file messages based on the facility number in the message. There are eight possible logging facilities: 16 (LOCAL0) through 23 (LOCAL7).

Examples

The following example shows how to define that the security appliance specify the logging facility as 16 in syslog messages. The output of the show logging command includes the facility being used by the security appliance.

hostname(config)# logging facility 16

hostname(config)# show logging

Syslog logging: enabled

    Facility: 16

    Timestamp logging: disabled

    Standby logging: disabled

    Deny Conn when Queue Full: disabled

    Console logging: disabled

    Monitor logging: disabled

    Buffer logging: disabled

    Trap logging: level errors, facility 16, 3607 messages logged

        Logging to infrastructure 10.1.2.3

    History logging: disabled

    Device ID: 'inside' interface IP address "10.1.1.1"

    Mail logging: disabled

    ASDM logging: disabled

Related Commands

Command	Description
logging enable	Enables logging.
logging host	Defines a syslog server.
logging trap	Enables logging to syslog servers.
show logging	Displays the enabled logging options.
show running-config logging	Displays the logging-related portion of the running configuration.

logging emblem

To use the EMBLEM format for syslog messages that are sent to destinations other than a syslog server, use the logging emblem command in global configuration mode. To disable the use of EMBLEM format, use the no form of this command.

logging emblem

no logging emblem

Syntax Description

This command has no arguments or keywords.

Defaults

By default, the security appliance does not use EMBLEM format for syslog messages.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was changed to be independent of the logging host command.

Usage Guidelines

The logging emblem command lets you enable EMBLEM-format logging for all logging destinations other than syslog servers. If you also enable the logging timestamp keyword, the messages with a time stamp are sent.

To enable EMBLEM-format logging for syslog servers, use the format emblem option with the logging host command.

Examples

The following example shows how to enable logging and enable the use of EMBLEM-format for logging to all logging destinations except syslog servers:

hostname(config)# logging enable

hostname(config)# logging emblem

hostname(config)# 

Related Commands

Command	Description
logging enable	Enables logging.
show logging	Displays the enabled logging options.
show running-config logging	Displays the logging-related portion of the running configuration.

logging history

To enable SNMP logging and specify which messages are to be sent to SNMP servers, use the logging history command in global configuration mode. To disable SNMP logging, use the no form of this command.

logging history [logging_list | level]

no logging history

Syntax Description

level

Sets the maximum severity level for syslog messages. For example, if you set the severity level to 3, then the security appliance generates syslog messages for severity levels 3, 2, 1, and 0. You can specify either the number or the name, as follows: •0 or emergencies—System is unusable. •1 or alerts—Immediate action needed. •2 or critical—Critical conditions. •3 or errors—Error conditions. •4 or warnings—Warning conditions. •5 or notifications—Normal but significant conditions. •6 or informational—Informational messages only. •7 or debugging—Debugging messages only.

logging_list

Specifies the list that identifies the messages to send to the SNMP server. For information about creating lists, see the logging list command.

Defaults

The security appliance does not log to SNMP servers by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

The logging history command allows you to enable logging to an SNMP server and to set the SNMP message level or event list.

Examples

Th efollowing example shows how to enable SNMP logging and specify that messages of severity levels 0, 1, 2, and 3 are sent to the SNMP server configured:

hostname(config)# logging enable

hostname(config)# snmp-server host infrastructure 10.2.3.7 trap community gam327

hostname(config)# snmp-server enable traps syslog

hostname(config)# logging history errors

hostname(config)# 

Related Commands

Command	Description
logging enable	Enables logging.
logging list	Creates a reusable list of message selection criteria.
show logging	Displays the enabled logging options.
show running-config logging	Displays the logging-related portion of the running configuration.
snmp-server	Specifies SNMP server details.

logging recipient-address

To specify the receiving e-mail address for syslog messages sent by the security appliance, use the logging recipient-address command in global configuration mode. To remove the receiving e-mail address, use the no form of this command. You can configure up to five recipient addresses. For each recipient address, you can assign a different message level than that specified by the logging mail command.

logging recipient-address address [level level]

no logging recipient-address address [level level]

Syntax Description

address	Specifies recipient e-mail address when sending syslog messages by e-mail.
level	Indicates that a severity level follows.
level	Sets the maximum severity level for syslog messages. For example, if you set the severity level to 3, then the security appliance generates syslog messages for levels 3, 2, 1, and 0. You can specify either the number or the name, as follows: •0 or emergencies—System is unusable. •1 or alerts—Immediate action needed. •2 or critical—Critical conditions. •3 or errors—Error conditions. •4 or warnings—Warning conditions. •5 or notifications—Normal but significant conditions. •6 or informational—Informational messages only. •7 or debugging—Debugging messages only, Note We do not recommend using a severity level greater than 3 with the logging recipient-address command. Higher severity levels are likely to cause dropped syslog messages because of buffer overflow. The message level specified by a logging recipient-address command overrides the message level specified by the logging mail command. For example, if a logging recipient-address command specifies a severity level of 7, but the logging mail command specifies a severity level of 3, the security appliance sends all messages to the recipient, including those of severity levels 4, 5, 6, and 7.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Sending syslog messages by e-mail is enabled by the logging mail command.

You can configure up to five e-mail recipients with the logging recipient-address command. Each command can specify a different severity level than the other commands. Use this command when you want more urgent messages to go to a larger number of recipients than less urgent messages are sent to.

Examples

To set up the security appliance to send syslog messages by e-mail, use the following criteria:

•Send messages that are critical, alerts, or emergencies.

•Send messages using ciscosecurityappliance@example.com as the sender address.

•Send messages to admin@example.com.

•Send messages using SMTP, the primary server pri-smtp-host, and secondary server sec-smtp-host.

Then enter the following commands:

hostname(config)# logging mail critical

hostname(config)# logging from-address ciscosecurityappliance@example.com

hostname(config)# logging recipient-address admin@example.com

hostname(config)# smtp-server pri-smtp-host sec-smtp-host

Related Commands

Command	Description
logging enable	Enables logging.
logging from-address	Specifies the e-mail address from which syslog messages appear to come.
logging mail	Enables the security appliance to send syslog messages by e-mail and determines which messages are sent by e-mail.
smtp-server	Configures an SMTP server.
show logging	Displays the enabled logging options.

logging savelog

To save the log buffer to flash memory, use the logging savelog command in privileged EXEC mode.

logging savelog [savefile]

Syntax Description

savefile

(Optional) Saved flash memory file name. If you do not specify the file name, the security appliance saves the log file using a default time-stamp format, as follows: LOG-YYYY-MM-DD-HHMMSS.TXT where YYYY is the year, MM is the month, DD is the day of the month, and HHMMSS is the time in hours, minutes, and seconds.

Defaults

The defaults are as follows:

•The buffer size is 4 KB.

•The minimum free flash memory is 3 MB.

•The maximum flash memory allocation for buffer logging is 1 MB.

•The default log filename is described in the "Syntax Description" section.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	—	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Before you can save the log buffer to flash memory, you must enable logging to the buffer; otherwise, the log buffer never has data to be saved to flash memory. To enable logging to the buffer, use the logging buffered command.

---

Note The logging savelog command does not clear the buffer. To clear the buffer, use the clear logging buffer command.

---

Examples

The following example enables logging and the log buffer, exits global configuration mode, and saves the log buffer to flash memory, using the file name, latest-logfile.txt:

hostname(config)# logging enable

hostname(config)# logging buffered

hostname(config)# exit

hostname# logging savelog latest-logfile.txt

hostname#

Related Commands

Command	Description
clear logging buffer	Clears the log buffer of all syslog messages that it contains.
copy	Copies a file from one location to another, including to a TFTP or FTP server.
delete	Deletes a file from the disk partition, such as saved log files.
logging buffered	Enables logging to the log buffer.
logging enable	Enables logging.
show logging	Displays the enabled logging options.

logging timestamp

To specify that syslog messages should include the date and time that the messages was generated, use the logging timestamp command in global configuration mode. To remove the date and time from syslog messages, use the no form of this command.

logging timestamp

no logging timestamp

Syntax Description

This command has no arguments or keywords.

Defaults

By default, syslog messages do not include the date and time.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

The logging timestamp command enables the security appliance to include a timestamp in all syslog messages.

Examples

The following example enables the inclusion of timestamp information in all syslog messages:

hostname(config)# logging enable

hostname(config)# logging timestamp

hostname(config)# 

Related Commands

Command	Description
logging enable	Enables logging.
show logging	Displays the enabled logging options.
show running-config logging	Displays the logging-related portion of the running configuration.

logging enable

To enable logging for all configured output locations, use the logging enable command in global configuration mode. To disable logging, use the no form of this command.

logging enable

no logging enable

Syntax Description

This command has no arguments or keywords.

Defaults

Logging is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was changed from the logging on command.

Usage Guidelines

The logging enable command allows you to enable or disable the transmission of syslog messages to any of the supported logging destinations. You can stop all logging with the no logging enable command.

You can enable logging to individual logging destinations with the following commands:

•logging asdm

•logging buffered

•logging console

•logging history

•logging mail

•logging monitor

•logging trap

Examples

The following example shows how to enable logging. The output of the show logging command shows that each possible logging destination must be enabled separately.

hostname(config)# logging enable

hostname(config)# show logging

Syslog logging: enabled

    Facility: 20

    Timestamp logging: disabled

    Standby logging: disabled

    Deny Conn when Queue Full: disabled

    Console logging: disabled

    Monitor logging: disabled

    Buffer logging: disabled

    Trap logging: disabled

    History logging: disabled

    Device ID: disabled

    Mail logging: disabled

    ASDM logging: disabled

Related Commands

Command	Description
show logging	Displays the enabled logging options.
show running-config logging	Displays the logging-related portion of the running configuration.

logging mail

To enable the security appliance to send syslog messages by e-mail and to determine which messages are sent by e-mail, use the logging mail command in global configuration mode. To disable e-mailing of syslog messages, use the no form of this command.

logging mail [logging_list | level]

no logging mail [logging_list | level]

Syntax Description

level

Sets the maximum severity level for syslog messages. For example, if you set the severity level to 3, then the security appliance generates syslog messages for severity levels 3, 2, 1, and 0. You can specify either the number or the name, as follows: •0 or emergencies—System is unusable. •1 or alerts—Immediate action needed. •2 or critical—Critical conditions. •3 or errors—Error conditions. •4 or warnings—Warning conditions. •5 or notifications—Normal but significant conditions. •6 or informational—Informational messages only. •7 or debugging—Debugging messages only.

logging_list

Specifies the list that identifies the messages to send to the e-mail recipient. For information about creating lists, see the logging list command.

Defaults

Logging to e-mail is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

E-mailed syslog messages appear in the subject line of the e-mails sent.

Examples

To set up the security appliance to send syslog messages by e-mail, use the following criteria:

•Send messages that are critical, alerts, or emergencies.

•Send messages using ciscosecurityappliance@example.com as the sender address.

•Send messages to admin@example.com.

•Send messages using SMTP, the primary server pri-smtp-host, and secondary server sec-smtp-host.

Then enter the following commands:

hostname(config)# logging mail critical

hostname(config)# logging from-address ciscosecurityappliance@example.com

hostname(config)# logging recipient-address admin@example.com

hostname(config)# smtp-server pri-smtp-host sec-smtp-host

Related Commands

Command	Description
logging enable	Enables logging.
logging from-address	Specifies the e-mail address from which syslog messages appear to come.
logging list	Creates a reusable list of message selection criteria.
logging recipient-address	Specifies the e-mail address to which syslog messages are sent.
smtp-server	Configures an SMTP server.
show logging	Displays the enabled logging options.
show running-config logging	Displays the currently running logging configuration.

logging host

To define a syslog server, use the logging host command in global configuration mode. To remove a syslog server definition, use the no form of this command.

logging host interface_name syslog_ip [tcp/port | udp/port] [format emblem] [secure]

logging host interface_name syslog_ip

[no] logging host interface_name syslog_ip [tcp/port | udp/port] [format emblem] [secure]

[no] logging host interface_name syslog_ip

Syntax Description

format emblem	(Optional) Enables EMBLEM format logging for the syslog server.
interface_name	Specifies the interface on which the syslog server resides.
port	Indicates the port that the syslog server listens to for messages. Valid port values are 1025 through 65535 for either protocol.
secure	Specifies that the connection to the remote logging host should use SSL/TLS. This option is valid only if the protocol selected is TCP. Note A secure logging connection can only be established with a SSL/TLS- capable syslog server. If a SSL/TLS connection cannot be established, all new connections will be denied. You may change this default behavior by entering the logging permit-hostdown command.
syslog_ip	Specifies the IP address of the syslog server.
tcp	Specifies that the adaptive security appliance should use TCP to send messages to the syslog server.
udp	Specifies that the adaptive security appliance should use UDP to send messages to the syslog server.

Defaults

The default protocol is UDP.

The default port numbers are as follows:

•UDP—514

•TCP —1470

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.
8.0(2)	The secure keyword was added.

Usage Guidelines

The logging host ip_address format emblem command allows you to enable EMBLEM-format logging for each syslog server. EMBLEM-format logging is available for UDP syslog messages only. If you enable EMBLEM-format logging for a particular syslog server, then the messages are sent to that server. If you also enable the logging timestamp keyword, the messages with a time stamp are sent.

You can use multiple logging host commands to specify additional servers that would all receive the syslog messages. However, you can only specify a server to receive either UDP or TCP syslog messages, not both.

---

Note When the tcp option is used in the logging host command, the adaptive security appliance will drop connections across the firewall if the syslog server is unreachable.

---

You can display only the port and protocol values that you previously entered by using the show running-config logging command and finding the command in the listing—TCP is listed as 6 and UDP is listed as 17. TCP ports work only with the syslog server. The port must be the same port on which the syslog server listens.

---

Note An error message occurs if you try to use the logging host command and the secure keyword with UDP.

---

The followinbg example shows how to send syslog messages of severity levels 0, 1, 2, and 3 to a syslog server on the inside interface that uses the default protocol and port number.

hostname(config)# logging enable

hostname(config)# logging host inside 10.2.2.3

hostname(config)# logging trap errors

hostname(config)# 

Related Commands

Command	Description
logging enable	Enables logging.
logging trap	Enables logging to syslog servers.
show logging	Displays the enabled logging options.
show running-config logging	Displays the logging-related portion of the running configuration.

logging facility

To specify the logging facility used for messages sent to syslog servers, use the logging facility command in global configuration mode. To reset the logging facility to its default of 20, use the no form of this command.

logging facility  facility

no logging facility 

Syntax Description

facility

Specifies the logging facility; valid values are 16 through 23.

Defaults

The default facility is 20 (LOCAL4).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

Syslog servers file messages based on the facility number in the message. There are eight possible logging facilities: 16 (LOCAL0) through 23 (LOCAL7).

Examples

The following example shows how to define that the security appliance specify the logging facility as 16 in syslog messages. The output of the show logging command includes the facility being used by the security appliance.

hostname(config)# logging facility 16

hostname(config)# show logging

Syslog logging: enabled

    Facility: 16

    Timestamp logging: disabled

    Standby logging: disabled

    Deny Conn when Queue Full: disabled

    Console logging: disabled

    Monitor logging: disabled

    Buffer logging: disabled

    Trap logging: level errors, facility 16, 3607 messages logged

        Logging to infrastructure 10.1.2.3

    History logging: disabled

    Device ID: 'inside' interface IP address "10.1.1.1"

    Mail logging: disabled

    ASDM logging: disabled

Related Commands

Command	Description
logging enable	Enables logging.
logging host	Defines a syslog server.
logging trap	Enables logging to syslog servers.
show logging	Displays the enabled logging options.
show running-config logging	Displays the logging-related portion of the running configuration.

logging from-address

To specify the sender e-mail address for syslog messages sent by the security appliance, use the logging from-address command in global configuration mode. All sent syslog messages appear to come from the address that you specify. To remove the sender e-mail address, use the no form of this command.

logging from-address from-email-address

no logging from-address from-email-address

Syntax Description

from-email-address

Source e-mail address, that is, the e-mail address that syslog messages appear to come from (for example, cdb@example.com).

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Sending syslog messages by e-mail is enabled by the logging mail command.

The address specified with this command need not correspond to an existing e-mail account.

Examples

To enable logging and set up the security appliance to send syslog messages by e-mail, use the following criteria:

•Send messages that are critical, alerts, or emergencies.

•Send messages using ciscosecurityappliance@example.com as the sender address.

•Send messages to admin@example.com.

•Send messages using SMTP, the primary server pri-smtp-host, and secondary server sec-smtp-host.

Then enter the following commands:

hostname(config)# logging enable

hostname(config)# logging mail critical

hostname(config)# logging from-address ciscosecurityappliance@example.com

hostname(config)# logging recipient-address admin@example.com

hostname(config)# smtp-server pri-smtp-host sec-smtp-host

Related Commands

Command	Description
logging enable	Enables logging.
logging mail	Enables the security appliance to send syslog messages by e-mail and determines which messages are sent by e-mail.
logging recipient-address	Specifies the e-mail address to which syslog messages are sent.
smtp-server	Configures an SMTP server.
show logging	Displays the enabled logging options.

logging from-address

To specify the sender e-mail address for syslog messages sent by the security appliance, use the logging from-address command in global configuration mode. All sent syslog messages appear to come from the address that you specify. To remove the sender e-mail address, use the no form of this command.

logging from-address from-email-address

no logging from-address from-email-address

Syntax Description

from-email-address

Source e-mail address, that is, the e-mail address that syslog messages appear to come from (for example, cdb@example.com).

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Sending syslog messages by e-mail is enabled by the logging mail command.

The address specified with this command need not correspond to an existing e-mail account.

Examples

To enable logging and set up the security appliance to send syslog messages by e-mail, use the following criteria:

•Send messages that are critical, alerts, or emergencies.

•Send messages using ciscosecurityappliance@example.com as the sender address.

•Send messages to admin@example.com.

•Send messages using SMTP, the primary server pri-smtp-host, and secondary server sec-smtp-host.

Then enter the following commands:

hostname(config)# logging enable

hostname(config)# logging mail critical

hostname(config)# logging from-address ciscosecurityappliance@example.com

hostname(config)# logging recipient-address admin@example.com

hostname(config)# smtp-server pri-smtp-host sec-smtp-host

Related Commands

Command	Description
logging enable	Enables logging.
logging mail	Enables the security appliance to send syslog messages by e-mail and determines which messages are sent by e-mail.
logging recipient-address	Specifies the e-mail address to which syslog messages are sent.
smtp-server	Configures an SMTP server.
show logging	Displays the enabled logging options.

logging flash-minimum-free

To specify the minimum amount of free flash memory that must exist before the security appliance saves a new log file, use the logging flash-minimum-free command in global configuration mode. This command affects how much free flash memory must exist before the security appliance saves log files created by the logging savelog and logging flash-bufferwrap commands. To reset the minimum required amount of free flash memory to its default size of 3 MB, use the no form of this command.

logging flash-minimum-free kbytes

no logging flash-minimum-free kbytes

Syntax Description

kbytes

The minimum amount of flash memory, in kilobytes, that must be available before the security appliance saves a new log file.

Defaults

The default minimum free flash memory is 3 MB.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The logging flash-minimum-free command specifies how much flash memory the logging savelog and logging flash-bufferwrap commands must preserve at all times.

If a log file to be saved by logging savelog or logging flash-bufferwrap would cause the amount of free flash memory to fall below the limit specified by the logging flash-minimum-free command, the security appliance deletes the oldest log files to ensure that the minimum amount of memory remains free after saving the new log file. If there are no files to delete or if, after all old files are deleted, free memory would still be below the limit, the security appliance fails to save the new log file.

Examples

The following example shows how to enable logging, enable the log buffer, enable the security appliance to write the log buffer to flash memory, and specifies that the minimum amount of free flash memory must be 4000 KB:

hostname(config)# logging enable

hostname(config)# logging buffered

hostname(config)# logging flash-bufferwrap

hostname(config)# logging flash-minimum-free 4000

hostname(config)# 

Related Commands

Command	Description
clear logging buffer	Clears the log buffer of all syslog messages.
logging buffered	Enables logging to the log buffer.
logging enable	Enables logging.
logging flash-bufferwrap	Writes the log buffer to flash memory when the log buffer is full.
logging flash-maximum- allocation	Specifies the maximum amount of flash memory that can be used for writing log buffer contents.

logging standby

To enable the failover standby security appliance to send the syslog messages of this security appliance to logging destinations, use the logging standby command in global configuration mode. To disable syslog messaging and SNMP logging, use the no form of this command.

logging standby

no logging standby

Syntax Description

This command has no arguments or keywords.

Defaults

The logging standby command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command.

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

You can enable this command to ensure that syslog messages of the failover standby security appliance stay synchronized if failover occurs.

---

Note Using the logging standby command causes twice as much traffic on shared logging destinations, such as syslog servers, SNMP servers, and FTP servers.

---

Examples

The following example enables the security appliance to send syslog messages to the failover standby security appliance. The output of the show logging command indicates that this feature is enabled.

hostname(config)# logging standby

hostname(config)# show logging

Syslog logging: enabled

    Facility: 20

    Timestamp logging: disabled

    Standby logging: enabled

    Deny Conn when Queue Full: disabled

    Console logging: disabled

    Monitor logging: disabled

    Buffer logging: disabled

    Trap logging: disabled

    History logging: disabled

    Device ID: 'inside' interface IP address "10.1.1.1"

    Mail logging: disabled

    ASDM logging: disabled

Related Commands

Command	Description
failover	Enables the failover feature.
logging enable	Enables logging.
logging host	Defines a syslog server.
show logging	Displays the enabled logging options.
show running-config logging	Displays the logging-related portion of the running configuration.

logging class

To configure the maximum severity level per logging destination for a message class, use the logging class command in global configuration mode. To remove a message class severity level configuration, use the no form of the command.

logging class class destination level [destination level . . .]

no logging class class

Syntax Description

class	Specifies the message class for destination. For valid values of class, see the "Usage Guidelines" section that follows.
destination	Specifies a logging destination for class. For the destination, the level determines the maximum severity level sent to destination. For valid values of destination, see the "Usage Guidelines" section that follows.
level	Sets the maximum severity level for syslog messages. For example, if you set the severity level to 3, then the security appliance generates syslog messages for severity levels 3, 2, 1, and 0. You can specify either the number or the name, as follows: •0 or emergencies—System is unusable. •1 or alerts—Immediate action needed. •2 or critical—Critical conditions. •3 or errors—Error conditions. •4 or warnings—Warning conditions. •5 or notifications—Normal but significant conditions. •6 or informational—Informational messages only. •7 or debugging—Debugging messages only.

Defaults

By default, the security appliance does not apply severity levels on a logging destination and message class basis. Instead, each enabled logging destination receives messages for all classes at the severity level determined by the logging list or the severity levelthat is specified when you enabled the logging destination.

Command Modes

The following table shows the modes in which you can enter the command.

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.
8.0(2)	Added eigrp to valid class values.

Usage Guidelines

Valid values for class include the following:

•auth—User authentication.

•bridge—Transparent firewall.

•ca—PKI certificate authority.

•config—Command interface.

•eap—Extensible Authentication Protocol (EAP). Logs the following types of events to support Network Admission Control: EAP session state changes, EAP status query events, and a hexadecimal dump of EAP header and packet contents.

•eapoudp—Extensible Authentication Protocol (EAP) over UDP. Logs EAP over UDP events to support Network Admission Control, and generates a complete record of EAPoUDP header and packet contents.

•eigrp—EIGRP routing.

•email—Email proxy.

•ha—Failover.

•ids—Intrusion detection system.

•ip—IP stack.

•nac—Network Admission Control. Logs the following types of events: initializations, exception list matches, ACS transactions, clientless authentications, default ACL applications, and revalidations.

•np—Network processor.

•ospf—OSPF routing.

•rip—RIP routing.

•session—User session.

•snmp—SNMP.

•sys—System.

•vpn—IKE and IPsec.

•vpnc—VPN client.

•vpnfo—VPN failover.

•vpnlb—VPN load balancing.

Valid logging destinations are as follows:

•asdm—To learn about this destination, see the logging asdm command.

•buffered—To learn about this destination, see the logging buffered command.

•console—To learn about this destination, see the logging console command.

•history—To learn about this destination, see the logging history command.

•mail—To learn about this destination, see the logging mail command.

•monitor—To learn about this destination, see the logging monitor command.

•trap—To learn about this destination, see the logging trap command.

Examples

The following example specifies that, for failover-related messages, the maximum severity level for the ASDM log buffer is 2 and the maximum severity level for the syslog buffer is 7:

hostname(config)# logging class ha asdm 2 buffered 7

hostname(config)# 

Related Commands

Command	Description
logging enable	Enables logging.
show logging	Displays the enabled logging options.
show running-config logging	Displays the logging-related portion of the running configuration.

logging asdm-buffer-size

To specify the number of syslog messages retained in the ASDM log buffer, use the logging asdm-buffer-size command in global configuration mode. To reset the ASDM log buffer to its default size of 100 messages, use the no form of this command.

logging asdm-buffer-size num_of_msgs

no logging asdm-buffer-size num_of_msgs

Syntax Description

num_of_msgs

Specifies the number of syslog messages that the security appliance retains in the ASDM log buffer.

Defaults

The default ASDM syslog message buffer size is 100 messages.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

When the ASDM log buffer is full, the security appliance deletes the oldest message to make room in the buffer for new messages. To control whether logging to the ASDM log buffer is enabled or to control the kind of syslog messages retained in the ASDM log buffer, use the logging asdm command.

The ASDM log buffer is a different buffer than the log buffer that is enabled by the logging buffered command.

Examples

The following example shows how to enable logging, send messages of severity levels 0, 1, and 2 to the ASDM log buffer, and how to set the ASDM log buffer size to 200 messages.

hostname(config)# logging enable

hostname(config)# logging asdm 2

hostname(config)# logging asdm-buffer-size 200

hostname(config)# show logging

Syslog logging: enabled

    Facility: 20

    Timestamp logging: disabled

    Standby logging: disabled

    Deny Conn when Queue Full: disabled

    Console logging: disabled

    Monitor logging: disabled

    Buffer logging: disabled

    Trap logging: disabled

    History logging: disabled

    Device ID: disabled

    Mail logging: disabled

    ASDM logging: level critical, 48 messages logged

Related Commands

Command	Description
clear logging asdm	Clears the ASDM log buffer of all messages.
logging asdm	Enables logging to the ASDM log buffer.
logging enable	Enables logging.
show logging	Displays the enabled logging options.
show running-config logging	Displays the currently running logging configuration.

logging message

To specify the severity level of a syslog message, use the logging message command with the level keyword in global configuration mode. To reset the severity level of a message to its default level, use the no form of this command. To prevent the security appliance from generating a particular syslog message, use the no form of the logging message command (without the level keyword) in global configuration mode. To let the security appliance generate a particular syslog message, use the logging message command (without the level keyword). You can use these two versions of the logging message command in parallel. See the "Examples" section for more information.

logging message syslog_id level level

no logging message syslog_id level level

logging message syslog_id

no logging message syslog_id

Syntax Description

level level

Sets the maximum severity level for syslog messages. For example, if you set the severity level to 3, then the security appliance generates syslog messages for severity levels 3, 2, 1, and 0. You can specify either the number or the name, as follows: •0 or emergencies—System is unusable. •1 or alerts— Immediate action needed. •2 or critical—Critical conditions. •3 or errors—Error conditions. •4 or warnings—Warning conditions. •5 or notifications—Normal but significant conditions. •6 or informational—Informational messages only. •7 or debugging—Debugging messages only.

syslog_id

Indicates the ID of the syslog message that you want to enable or disable or whose severity level you want to modify. To look up the default level of a message, use the show logging command or see the Cisco Security Appliance System Log Messages.

Defaults

By default, all syslog messages are enabled and the severity levels of all messages are set to their default levels.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

You can use the logging message command to perform the following two actions:

•Control whether a message is enabled or disabled.

•Control the severity level of a message.

You can use the show logging command to determine the severity level currently assigned to a message and whether or not the message is enabled.

Examples

The series of commands in the following example show the use of the logging message command to control both whether a message is enabled and the severity level of messages:

hostname(config)# show logging message 403503

syslog 403503: default-level errors (enabled)

hostname(config)# logging message 403503 level 1

hostname(config)# show logging message 403503

syslog 403503: default-level errors, current-level alerts (enabled)

hostname(config)# no logging message 403503

hostname(config)# show logging message 403503

syslog 403503: default-level errors, current-level alerts (disabled)

hostname(config)# logging message 403503

hostname(config)# show logging message 403503

syslog 403503: default-level errors, current-level alerts (enabled)

hostname(config)# no logging message 403503 level 3

hostname(config)# show logging message 403503

syslog 403503: default-level errors (enabled)

Related Commands

Command	Description
clear configure logging	Clears all logging configuration or message configuration only.
logging enable	Enables logging.
show logging	Displays the enabled logging options.
show running-config logging	Displays the logging-related portion of the running configuration.

logging permit-hostdown

To make the status of a TCP-based syslog server irrelevant to new user sessions, use the logging permit-hostdown command in global configuration mode. To cause the security appliance to deny new user sessions when a TCP-based syslog server is unavailable, use the no form of this command.

logging permit-hostdown

no logging permit-hostdown

Syntax Description

This command has no arguments or keywords.

Defaults

By default, if you have enabled logging to a syslog server that uses a TCP connection, the security appliance does not allow new network access sessions when the syslog server is unavailable for any reason.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

If you are using TCP as the logging transport protocol for sending messages to a syslog server, the security appliance denies new network access sessions as a security measure if the security appliance is unable to reach the syslog server. You can use the logging permit-hostdown command to remove this restriction.

Examples

The following example makes the status of TCP-based syslog servers irrelevant to whether or not the security appliance permits new sessions. When the logging permit-hostdown command includes in its output the show running-config logging command, the status of TCP-based syslog servers is irrelevant to new network access sessions.

hostname(config)# logging permit-hostdown

hostname(config)# show running-config logging

logging enable

logging trap errors

logging host infrastructure 10.1.2.3 6/1470

logging permit-hostdown

hostname(config)# 

Related Commands

Command	Description
logging enable	Enables logging.
logging host	Defines a syslog server.
logging trap	Enables logging to syslog servers.
show logging	Displays the enabled logging options.
show running-config logging	Displays the logging-related portion of the running configuration.

logging asdm

To send syslog messages to the ASDM log buffer, use the logging asdm command in global configuration mode. To disable logging to the ASDM log buffer, use the no form of this command.

logging asdm [logging_list | level]

no logging asdm [logging_list | level]

Syntax Description

level

Sets the maximum severity level for syslog messages. For example, if you set the severity level to 3, then the security appliance generates syslog messages for severity levels 3, 2, 1, and 0. You can specify either the number or the name, as follows: •0 or emergencies—System is unusable. •1 or alerts—Immediate action needed. •2 or critical—Critical conditions. •3 or errors—Error conditions. •4 or warnings—Warning conditions. •5 or notifications—Normal but significant conditions. •6 or informational—Informational messages only. •7 or debugging—Debugging messages only.

logging_list

Specifies the list that identifies syslog messages to send to the ASDM log buffer. For information about creating lists, see the logging list command.

Defaults

ASDM logging is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Before any messages are sent to the ASDM log buffer, you must enable logging using the logging enable command.

When the ASDM log buffer is full, the security appliance deletes the oldest message to make room in the buffer for new messages. To control the number of syslog messages retained in the ASDM log buffer, use the logging asdm-buffer-size command.

The ASDM log buffer is a different buffer than the log buffer that is enabled by the logging buffered command.

Examples

The following example shows how to enable logging, send messages of severity levels 0, 1, and 2 to the ASDM log buffer, and how to set the ASDM log buffer size to 200 messages.

hostname(config)# logging enable

hostname(config)# logging asdm 2

hostname(config)# logging asdm-buffer-size 200

hostname(config)# show logging

Syslog logging: enabled

    Facility: 20

    Timestamp logging: disabled

    Standby logging: disabled

    Deny Conn when Queue Full: disabled

    Console logging: disabled

    Monitor logging: disabled

    Buffer logging: disabled

    Trap logging: disabled

    History logging: disabled

    Device ID: disabled

    Mail logging: disabled

    ASDM logging: level critical, 48 messages logged

Related Commands

Command	Description
clear logging asdm	Clears the ASDM log buffer of all messages.
logging asdm-buffer-size	Specifies the number of ASDM messages retained in the ASDM log buffer
logging enable	Enables logging.
logging list	Creates a reusable list of message selection criteria.
show logging	Displays the enabled logging options.

logging debug-trace

To redirect debugging messages to logs as syslog message 711001 issued at severity level 7, use the logging debug-trace command in global configuration mode. To stop sending debugging messages to logs, use the no form of this command.

logging debug-trace

no logging debug-trace

Syntax Description

This command has no arguments or keywords.

Defaults

By default, the security appliance does not include debug output in syslog messages.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Debugging messages are generated as severity level 7 messages. They appear in logs with the syslog message number 711001, but do not appear in any monitoring session.

Examples

The following example shows how to enable logging, send log messages to the syslog buffer, redirect debugging output to logs, and turn on debugging disk activity.

hostname(config)# logging enable

hostname(config)# logging buffered

hostname(config)# logging debug-trace

hostname(config)# debug disk filesystem

The following example shows a debugging message that could appear in the logs:

%ASA-7-711001: IFS: Read: fd 3, bytes 4096

Related Commands

Command	Description
logging enable	Enables logging.
show logging	Displays the enabled logging options.
show running-config logging	Displays the logging-related portion of the running configuration.

logging buffer-size

To specify the size of the log buffer, use the logging buffer-size command in global configuration mode. To reset the log buffer to its default size of 4 KB of memory, use the no form of this command.

logging buffer-size bytes

no logging buffer-size bytes

Syntax Description

bytes

Sets the amount of memory used for the log buffer, in bytes. For example, if you specify 8192, the security appliance uses 8 KB of memory for the log buffer.

Defaults

The default log buffer size is 4 KB of memory.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

To see whether the security appliance is using a log buffer size other than the default, use the show running-config logging command. If the logging buffer-size command is not shown, then the security appliance uses a log buffer of 4 KB.

For more information about how the security appliance uses the buffer, see the logging buffered command.

Examples

The following example enables logging and the logging buffer, and specifies that the security appliance uses 16 KB of memory for the log buffer:

hostname(config)# logging enable

hostname(config)# logging buffered

hostname(config)# logging buffer-size 16384

hostname(config)# 

Related Commands

Command	Description
clear logging buffer	Clears the log buffer of all syslog messages.
logging buffered	Enables logging to the log buffer.
logging enable	Enables logging.
logging flash-bufferwrap	Writes the log buffer to flash memory when the log buffer is full.
logging savelog	Saves the contents of the log buffer to flash memory.

logging flash-maximum-allocation

To specify the maximum amount of flash memory that the security appliance uses to store log data, use the logging flash-maximum-allocation command in global configuration mode. To reset the maximum amount of flash memory used for this purpose to its default size of 1 MB, use the no form of this command.

logging flash-maximum-allocation kbytes

no logging flash-maximum-allocation kbytes

Syntax Description

kbytes

The largest amount of flash memory, in kilobytes, that the security appliance can use to save log buffer data.

Defaults

The default maximum flash memory allocation for log data is 1 MB.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	—	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

This command determines how much flash memory is available for the logging savelog and logging flash-bufferwrap commands.

If a log file to be saved by logging savelog or logging flash-bufferwrap causes flash memory use for log files to exceed the maximum amount specified by the logging flash-maximum-allocation command, the security appliance deletes the oldest log files to free sufficient memory for the new log file. If there are no files to delete or if, after all old files are deleted, free memory is too small for the new log file, the security appliance fails to save the new log file.

To see whether the security appliance has a maximum flash memory allocation of a size different than the default size, use the show running-config logging command. If the logging flash-maximum-allocation command is not shown, then the security appliance uses a maximum of 1 MB for saved log buffer data. The memory allocated is used for both the logging savelog and logging flash-bufferwrap commands.

For more information about how the security appliance uses the log buffer, see the logging buffered command.

Examples

The following example shows how to enable logging, enable the log buffer, enable the security appliance to write the log buffer to flash memory, with the maximum amount of flash memory used for writing log files set to approximately 1.2 MB of memory:

hostname(config)# logging enable

hostname(config)# logging buffered

hostname(config)# logging flash-bufferwrap

hostname(config)# logging flash-maximum-allocation 1200

hostname(config)# 

Related Commands

Command	Description
clear logging buffer	Clears the log buffer of all syslog messages that it contains.
logging buffered	Enables logging to the log buffer.
logging enable	Enables logging.
logging flash-bufferwrap	Writes the log buffer to flash memory when the log buffer is full.
logging flash-minimum- free	Specifies the minimum amount of flash memory that must be available to allow the security appliance to write the log buffer to flash memory.

logging list

To create a logging list to use in other commands to specify messages by various criteria (logging level, event class, and message IDs), use the logging list command in global configuration mode. To remove the list, use the no form of this command.

logging list name {level level [class event_class] | message start_id[-end_id]}

no logging list name

Syntax Description

class event_class	(Optional) Sets the class of events for syslog messages. For the level specified, only syslog messages of the class specified are identified by the command. See the "Usage Guidelines" section for a list of classes.
level level	Sets the maximum severity level for syslog messages. For example, if you set the severity level to 3, then the security appliance generates syslog messages for severity levels 3, 2, 1, and 0. You can specify either the number or the name, as follows: •0 or emergencies—System is unusable. •1 or alerts—Immediate action needed. •2 or critical—Critical conditions. •3 or errors—Error conditions. •4 or warnings—Warning conditions. •5 or notifications—Normal but significant conditions. •6 or informational—Informational messages only. •7 or debugging—Debugging messages only.
message start_id[-end_id]	Specifies a message ID or range of IDs. To look up the default level of a message, use the show logging command or see the Cisco Security Appliance System Log Messages.
name	Sets the logging list name.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

Logging commands that can use lists are the following:

•logging asdm

•logging buffered

•logging console

•logging history

•logging mail

•logging monitor

•logging trap

Possible values for the event_class include the following:

•auth—User authentication.

•bridge—Transparent firewall.

•ca—PKI certificate authority.

•config—Command interface.

•eap—Extensible Authentication Protocol (EAP). Logs the following types of events to support Network Admission Control: EAP session state changes, EAP status query events, and a hexadecimal dump of EAP header and packet contents.

•eapoudp—Extensible Authentication Protocol (EAP) over UDP. Logs EAPoUDP events to support Network Admission Control, and generates a complete record of EAPoUDP header and packet contents.

•email—E-mail proxy.

•ha—Failover.

•ids—Intrusion detection system.

•ip—IP stack.

•nac—Network Admission Control. Logs the following types of events: initializations, exception list matches, ACS transactions, clientless authentications, default ACL applications, and revalidations.

•np—Network processor.

•ospf—OSPF routing.

•rip—RIP routing.

•session—User session.

•snmp—SNMP.

•sys—System.

•vpn—IKE and IPsec.

•vpnc—VPN client.

•vpnfo—VPN failover.

•vpnlb—VPN load balancing.

Examples

The following example shows how to use the logging list command:

hostname(config)# logging list my-list 100100-100110

hostname(config)# logging list my-list level critical

hostname(config)# logging list my-list level warning class vpn

hostname(config)# logging buffered my-list

The preceding example states that syslog messages that match the criteria specified will be sent to the logging buffer. The criteria specified in this example are the following:

•Syslog message IDs that fall in the range of 100100 to 100110

•All syslog messages with critical level or higher (emergency, alert, or critical)

•All VPN class syslog messages with a warning level or higher (emergency, alert, critical, error, or warning)

If a syslog message satisfies any one of these conditions, it is logged to the buffer.

---

Note When you design list criteria, they can specify overlapping sets of messages. Syslog messages matching more than one set of criteria are logged normally.

---

Related Commands

Command	Description
logging enable	Enables logging.
show logging	Displays the enabled logging options.
show running-config logging	Displays the logging-related portion of the running configuration.

logging console

To enable the security appliance to display syslog messages in console sessions, use the logging console command in global configuration mode. To disable the display of syslog messages in console sessions, use the no form of this command.

logging console [logging_list | level]

no logging console

---

Note We recommend that you do not use this command, because it may cause many syslog messages to be dropped due to buffer overflow. For more information, see the "Usage Guidelines" section that follows.

---

Syntax Description

level

Sets the maximum severity level for syslog messages. For example, if you set the severity level to 3, then the security appliance generates syslog messages forseverity levels 3, 2, 1, and 0. You can specify either the number or the name, as follows: •0 or emergencies—System is unusable. •1 or alerts—Immediate action needed. •2 or critical—Critical conditions. •3 or errors—Error conditions. •4 or warnings—Warning conditions. •5 or notifications—Normal but significant conditions. •6 or informational—Informational messages only. •7 or debugging—Debugging messages only.

logging_list

Specifies the list that identifies the messages to send to the console session. For information about creating lists, see the logging list command.

Defaults

The security appliance does not display syslog messages in console sessions by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

Before any messages are sent to the console, you must enable logging using the logging enable command.

---

Caution Using the logging console command could significantly degrade system performance. Instead, use the logging buffered command to start logging and the show logging command to view syslog messages. To make viewing the most current syslog messages easier, use the clear logging buffer command to clear the buffer.

---

Examples

The following example shows how to enable syslog messages of severity levels 0, 1, 2, and 3 to appear in console sessions:

hostname(config)# logging enable

hostname(config)# logging console errors

hostname(config)# 

Related Commands

Command	Description
logging enable	Enables logging.
logging list	Creates a reusable list of message selection criteria.
show logging	Displays the enabled logging options.
show running-config logging	Displays the logging-related portion of the running configuration.

logging flash-bufferwrap

To enable the security appliance to write the log buffer to flash memory each time the buffer is full of messages that have never been saved, use the logging flash-bufferwrap command in global configuration mode. To disable writing of the log buffer to flash memory, use the no form of this command.

logging flash-bufferwrap

no logging flash-bufferwrap

Syntax Description

This command has no arguments or keywords.

Defaults

The defaults are as follows:

•Logging to the buffer is disabled.

•Writing the log buffer to flash memory is disabled.

•The buffer size is 4 KB.

•The minimum free flash memory is 3 MB.

•The maximum flash memory allocation for buffer logging is 1 MB.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	—	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

For the security appliance to write the log buffer to flash memory, you must enable logging to the buffer; otherwise, the log buffer never has data to write to flash memory. To enable logging to the buffer, use the logging buffered command.

While the security appliance writes log buffer contents to flash memory, it continues storing any new event messages to the log buffer.

The security appliance creates log files with names that use a default time-stamp format, as follows:

LOG-YYYY-MM-DD-HHMMSS.TXT

where YYYY is the year, MM is the month, DD is the day of the month, and HHMMSS is the time in hours, minutes, and seconds.

The availability of flash memory affects how the security appliance saves syslog messages using the logging flash-bufferwrap command. For more information, see the logging flash-maximum-allocation and the logging flash-minimum-free commands.

Examples

The following example shows how to enable logging, enable the log buffer, and enable the security appliance to write the log buffer to flash memory:

hostname(config)# logging enable

hostname(config)# logging buffered

hostname(config)# logging flash-bufferwrap

hostname(config)#

Related Commands

Command	Description
clear logging buffer	Clears the log buffer of all syslog messages.
copy	Copies a file from one location to another, including to a TFTP or FTP server.
delete	Deletes a file from the disk partition, such as saved log files.
logging buffered	Enables logging to the log buffer.
logging buffer-size	Specifies log buffer size.

login

To log into privileged EXEC mode using the local user database (see the username command) or to change user names, use the login command in user EXEC mode.

login

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
User EXEC	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

From user EXEC mode, you can log in to privileged EXEC mode as any username in the local database using the login command. The login command is similar to the enable command when you have enable authentication turned on (see the aaa authentication console command). Unlike enable authentication, the login command can only use the local username database, and authentication is always required with this command. You can also change users using the login command from any CLI mode.

To allow users to access privileged EXEC mode (and all commands) when they log in, set the user privilege level to 2 (the default) through 15. If you configure local command authorization, then the user can only enter commands assigned to that privilege level or lower. See the aaa authorization command for more information.

---

Caution If you add users to the local database who can gain access to the CLI and whom you do not want to enter privileged EXEC mode, you should configure command authorization. Without command authorization, users can access privileged EXEC mode (and all commands) at the CLI using their own password if their privilege level is 2 or greater (2 is the default). Alternatively, you can use RADIUS or TACACS+ authentication, or you can set all local users to level 1 so you can control who can use the system enable password to access privileged EXEC mode.

---

Examples

The following example shows the prompt after you enter the login command:

hostname> login

Username:

Related Commands

Command	Description
aaa authorization command	Enables command authorization for CLI access.
aaa authentication console	Requires authentication for console, Telnet, HTTP, SSH, or enable command access.
logout	Logs out of the CLI.
username	Adds a user to the local database.

login-button

To customize the Login button of the WebVPN page login box that is displayed to WebVPN users when they connect to the security appliance, use the login-button command from webvpn customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.

login-button {text | style} value

[no] login-button {text | style} value

Syntax Description

style	Specifies you are changing the style.
text	Specifies you are changing the text.
value	The actual text to display (maximum 256 characters), or Cascading Style Sheet (CSS) parameters (maximum 256 characters).

Defaults

The default login button text is "Login".

The default login button style is:

border: 1px solid black;background-color:white;font-weight:bold; font-size:80%

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
WebVPN customization configuration	•	—	•	—	—

Command History

Release	Modification
7.1(1)	This command was introduced.

Usage Guidelines

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

•You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

•RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.

•HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.

---

Note To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.

---

Examples

The following example customizes the Login button with the text "OK":

F1-asa1(config)# webvpn

F1-asa1(config-webvpn)# customization cisco

F1-asa1(config-webvpn-custom)# login-button text OK

Related Commands

Command	Description
login-title	Customizes the title of the WebVPN page login box.
group-prompt	Customizes the group prompt of the WebVPN page login box.
password-prompt	Customizes the password prompt of the WebVPN page login box.
username-prompt	Customizes the username prompt of the WebVPN page login box.

login-message

To customize the login message of the WebVPN page displayed to WebVPN users when they connect to the security appliance, use the login-message command from webvpn customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.

login-message {text | style} value

[no] login-message {text | style} value

Syntax Description

text	Specifies you are changing the text.
style	Specifies you are changing the style.
value	The actual text to display (maximum 256 characters), or Cascading Style Sheet (CSS) parameters (maximum 256 characters).

Defaults

The default login message is "Please enter your username and password".

The default login message style is background-color:#CCCCCC;color:black.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
WebVPN customization configuration	•	—	•	—	—

Command History

Release	Modification
7.1(1)	This command was introduced.

Usage Guidelines

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

•You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

•RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.

•HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.

---

Note To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.

---

Examples

In the following example, the login message text is set to "username and password":

F1-asa1(config)# webvpn

F1-asa1(config-webvpn)# customization cisco

F1-asa1(config-webvpn-custom)# login-message text username and password

Related Commands

Command	Description
login-title	Customizes the title of the login box on the WebVPN page.
username-prompt	Customizes the username prompt of the WebVPN page login.
password-prompt	Customizes the password prompt of the WebVPN page login.
group-prompt	Customizes the group prompt of the WebVPN page login.

login-title

To customize the title of the login box on the WebVPN page displayed to WebVPN users, use the login-title command from webvpn customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.

login-title {text | style} value

[no] login-title {text | style} value

Syntax Description

text	Specifies you are changing the text.
style	Specifies you are changing the HTML style.
value	The actual text to display (maximum 256 characters), or Cascading Style Sheet (CSS) parameters (maximum 256 characters).

Defaults

The default login text is "Login".

The default HTML style of the login title is background-color: #666666; color: white.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
WebVPN customization configuration	•	—	•	—	—

Command History

Release	Modification
7.1(1)	This command was introduced.

Usage Guidelines

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

•You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

•RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.

•HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.

---

Note To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.

---

Examples

The following example configures the login title style:

F1-asa1(config)# webvpn

F1-asa1(config-webvpn)# customization cisco

F1-asa1(config-webvpn-custom)# login-title style background-color: rgb(51,51,255);color: 
rgb(51,51,255); font-family: Algerian; font-size: 12pt; font-style: italic; font-weight: 
bold

Related Commands

Command	Description
login-message	Customizes the login message of the WebVPN login page.
username-prompt	Customizes the username prompt of the WebVPN login page.
password-prompt	Customizes the password prompt of the WebVPN login page.
group-prompt	Customizes the group prompt of the WebVPN login page.

logo

To customize the logo on the WebVPN page displayed to WebVPN users when they connect to the security appliance, use the logo command from webvpn customization mode. To remove a logo from the configuration and reset the default (the Cisco logo), use the no form of this command.

logo {none | file {path value}}

[no] logo {none | file {path value}}

Syntax Description

file	Indicates you are supplying a file containing a logo.
none	Indicates that there is no logo. Sets a null value, thereby disallowing a logo. Prevents inheriting a logo.
path	The path of the filename. The possible paths are disk0:, disk1:, or flash:
value	Specifies the filename of the logo. Maximum length is 255 characters, with no spaces. File type must be JPG, PNG, or GIF, and must be less than 100 KB.

Defaults

The default logo is the Cisco logo.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
WebVPN customization configuration	•	—	•	—	—

Command History

Release	Modification
7.1(1)	This command was introduced.

Usage Guidelines

If the filename you specify does not exist, an error message displays. If you remove a logo file but the configuration still points to it, no logo displays.

The filename cannot contain spaces.

Examples

In the following example, the file cisco_logo.gif contains a custom logo:

F1-asa1(config)# webvpn

F1-asa1(config-webvpn)# customization cisco

F1-asa1(config-webvpn-custom)#logo file disk0:cisco_logo.gif

Related Commands

Command	Description
title	Customizes the title of the WebVPN page.
page style	Customizes the WebVPN page using Cascading Style Sheet (CSS) parameters.

logout

To exit from the CLI, use the logout command in user EXEC mode.

logout

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
User EXEC	•	•	•	•	•

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

The logout command lets you log out of the security appliance. You can use the exit or quit commands to go back to unprivileged mode.

Examples

The following example shows how to log out of the security appliance:

hostname> logout

Related Commands

Command	Description
login	Initiates the log-in prompt.
exit	Exits an access mode.
quit	Exits configuration or privileged mode.

logout-message

To customize the logout message of the WebVPN logout screen that is displayed to WebVPN users when they logout from WebVPN service, use the logout-message command from webvpn customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.

logout-message {text | style} value

[no] logout-message {text | style} value

Syntax Description

style	Specifies you are changing the style.
text	Specifies you are changing the text.
value	The actual text to display (maximum 256 characters), or Cascading Style Sheet (CSS) parameters (maximum 256 characters).

Defaults

The default logout message text is "Goodbye".

The default logout message style is background-color:#999999;color:black.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
WebVPN customization configuration	•	—	•	—	—

Command History

Release	Modification
7.1(1)	This command was introduced.

Usage Guidelines

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

•You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

•RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.

•HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.

---

Note To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.

---

Examples

The following example configures the logout message style:

F1-asa1(config)# webvpn

F1-asa1(config-webvpn)# customization cisco

F1-asa1(config-webvpn-custom)# logout-message style background-color: 
rgb(51,51,255);color: rgb(51,51,255); font-family: Algerian; font-size: 12pt; font-style: 
italic; font-weight: bold

Related Commands

Command	Description
logout-title	Customizes the logout title of the WebVPN page.
group-prompt	Customizes the group prompt of the WebVPN page login box.
password-prompt	Customizes the password prompt of the WebVPN page login box.
username-prompt	Customizes the username prompt of the WebVPN page login box.