-
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 4.0
-
About This Guide
-
Using the Command Line Interface
- A through B Commands
- C Commands
- D through F Commands
- G through I Commands
- J through L Commands
- M through O Commands
- P though R Commands
-
S Commands
-
same-security-traffic -- show asdm sessions
-
show asp drop -- show curpriv
-
show debug -- show ipv6 traffic
-
show isakmp sa -- show route
-
show running-config -- show running-config isakmp
-
show running-config logging -- show running-config vpn-sessiondb
-
show service-policy -- show xlate
-
shun -- sysopt uauth allow-http-cache
-
- T through Z Commands
-
Feedback
Table Of Contents
logging asdm through logout Commands
logging flash-maximum-allocation
logging asdm through logout Commands
logging asdm
To send syslog messages to ASDM, use the logging asdm command in global configuration mode. To disable logging to ASDM, use the no form of this command.
logging asdm [message_list | level]
no logging asdm [message_list | level]
Syntax Description
Defaults
ASDM logging is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
Before any messages are sent to ASDM, you must enable system logging using the logging enable command.
When the ASDM log buffer is full, the FWSM deletes the oldest message to make room in the buffer for new messages. To control the number of syslog messages retained in the ASDM log buffer, use the logging asdm-buffer-size command.
The ASDM log buffer is a different buffer than the internal log buffer enabled by the logging buffered command. The FWSM only places messages in the ASDM log buffer if they are destined to be sent to ASDM.
Examples
The following example shows how to enable logging and send to the ASDM log buffer messages of severity levels 0, 1, and 2. It also shows how to set the ASDM log buffer size to 200 messages.
hostname(config)# logging enablehostname(config)# logging asdm 2hostname(config)# logging asdm-buffer-size 200hostname(config)# show loggingSyslog logging: enabledFacility: 20Timestamp logging: disabledStandby logging: disabledDeny Conn when Queue Full: disabledConsole logging: disabledMonitor logging: disabledBuffer logging: disabledTrap logging: disabledHistory logging: disabledDevice ID: disabledMail logging: disabledASDM logging: level critical, 48 messages loggedRelated Commands
logging asdm-buffer-size
To specify the number of syslog messages retained in the ASDM log buffer, use the logging asdm-buffer-size command in global configuration mode. To reset the ASDM log buffer to its default size of 100 messages, use the no form of this command.
logging asdm-buffer-size num_of_msgs
no logging asdm-buffer-size num_of_msgs
Syntax Description
Defaults
The default ASDM syslog buffer size is 100 messages.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
When the ASDM log buffer is full, FWSM deletes the oldest message to make room in the buffer for new messages. To control whether logging to the ASDM log buffer is enabled or to control the kind of syslog messages retained in the ASDM log buffer, use the logging asdm command.
The ASDM log buffer is a different buffer than the internal log buffer enabled by the logging buffered command. The FWSM only places messages in the ASDM log buffer if they are destined to be sent to ASDM.
Examples
The following example shows how enable logging and send to the ASDM log buffer messages of severity levels 0, 1, and 2. It also shows how to set the ASDM log buffer size to 200 messages.
hostname(config)# logging enablehostname(config)# logging asdm 2hostname(config)# logging asdm-buffer-size 200hostname(config)# show loggingSyslog logging: enabledFacility: 20Timestamp logging: disabledStandby logging: disabledDeny Conn when Queue Full: disabledConsole logging: disabledMonitor logging: disabledBuffer logging: disabledTrap logging: disabledHistory logging: disabledDevice ID: disabledMail logging: disabledASDM logging: level critical, 48 messages loggedRelated Commands
logging buffered
To enable the FWSM to save syslog messages in the log buffer, use the logging buffered command in global configuration mode. To disable logging to the log buffer, use the no form of this command.
logging buffered [message_list | level]
no logging buffered [message_list | level]
Syntax Description
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
For the FWSM to generate syslog messages, you must enable logging using the logging enable command. Use the logging buffered command to specify the internal log buffer as an output destination.
The FWSM appends new messages to the end of the log buffer. When the log buffer is full, it "wraps" to the first message in the buffer. Unless configured otherwise, the FWSM writes over messages, oldest message first, when new messages are generated.
You can configure the FWSM so that the log buffer content is automatically saved each time the buffer wraps. For more information, see the logging flash-bufferwrap and logging ftp-bufferwrap commands.
In addition, you can you can save the buffer contents at any time to internal flash memory. For more information, see the logging savelog command.
Syslog messages in the internal buffer can be viewed with the show logging command.
Examples
The following example configures logging to the buffer for level 0 and level 1 events:
hostname(config)# logging buffered alertshostname(config)#The following example creates a list named notif-list with a maximum logging level of 7 and configures logging to the buffer for syslog messages identified by the notif-list message list that you created.
hostname(config)# logging list notif-list level 7hostname(config)# logging buffered notif-listhostname(config)#Related Commands
logging buffer-size
To specify the size of the system log buffer, use the logging buffer-size command in global configuration mode. To reset the system log buffer to its default size of 4 KB of memory, use the no form of this command.
logging buffer-size bytes
no logging buffer-size bytes
Syntax Description
bytes
Sets the amount of memory used for the log buffer, in bytes. For example, if you specify 8192, the FWSM uses 8 KB of memory for the log buffer.
Defaults
The log buffer size is 4 KB of memory.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
To see whether the FWSM is using a log buffer of a size other than the default buffer size, use the show running-config logging command. If the logging buffer size is not shown, then the FWSM uses a log buffer size of 4 KB.
For more information about how the FWSM uses the system log buffer, see the logging buffered command.
Examples
The following example enables system logging, enables the system log buffer as a log output destination, and specifies that the FWSM uses 16 KB of memory for the log buffer:
hostname(config)# logging enablehostname(config)# logging bufferedhostname(config)# logging buffer-size 16384hostname(config)#Related Commands
logging class
To specify an output destination for an entire class of messages, use the logging class command in global configuration mode. To remove the output destination for a messages class, use the no form of the command.
logging class message_class output_destination [severity_level]
no logging class class
Syntax Description
Defaults
By default, the FWSM does not apply logging levels on a logging destination and message class basis. Instead, each enabled logging destination receives messages for all classes at the logging level determined by the logging list or level specified when you enabled the logging destination.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
Valid values for class are as follows:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Valid logging destinations are as follows:
•
•
•
•
•
•
•
Examples
The following example specifies that, for failover-related messages, the maximum logging level for the ASDM log buffer is 2 and the maximum logging level for the syslog buffer is 7:
hostname(config)# logging class ha asdm 2 buffered 7hostname(config)#Related Commands
logging enable
Enables logging.
show logging
Displays the enabled logging options.
show running-config logging
Displays the logging-related portion of the running configuration.
logging console
To enable the FWSM to display syslog messages in console sessions, use the logging console command in global configuration mode. To disable the display of syslog messages in console sessions, use the no form of this command.
logging console [message_list | level]
no logging console
Note
Syntax Description
Defaults
The FWSM does not display syslog messages in console sessions by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
Before any messages are sent to the console, you must enable system logging using the logging enable command.
Caution
Examples
The following example shows how to enable syslog messages of severity levels 0, 1, 2, and 3 to appears in console sessions:
hostname(config)# logging enablehostname(config)# logging console errorshostname(config)#Related Commands
logging debug-trace
To redirect debugging messages to logs such as syslog message 711011 issued at severity level 7, use the logging debug-trace command in global configuration mode. To stop sending debugging messages to logs, use the no form of this command.
logging debug-trace
no logging debug-trace
Syntax Description
This command has no arguments or keywords.
Defaults
By default, the FWSM does not include debugging output in syslog messages.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
Debugging messages are generated as severity level 7 messages. They appear in logs with the syslog message number 711011.
Examples
The following example shows how to enable logging, send log messages to the log buffer, redirect debugging output to logs, and turn on debugging disk activity.
hostname(config)# logging enablehostname(config)# logging bufferedhostname(config)# logging debug-tracehostname(config)# debug disk filesystemAn example of a debug message that could appear in the logs follows:
%FWSM-7-711001: IFS: Read: fd 3, bytes 4096Related Commands
logging deny-conn-queue-full
To prevent the creation of new transit connections through the FWSM when the logging queue is full, use the logging deny-conn-queue-full command in global configuration mode. To allow the creation of new transit connections through the FWSM when the logging queue is full, use the no form of this command.
logging deny-conn-queue-full
no logging deny-conn-queue-full
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
When traffic is so heavy that the logging queue fills up, the FWSM might discard messages. You can prevent the creation of new transit connections through the FWSM to avoid discarding messages.
Examples
The following example shows how to display the output of the logging deny-conn-queue-full and show logging queue commands:
hostname(config)# logging deny-conn-queue-fullhostname(config)# show logging queueLogging Queue length limit: Unlimited1 msg(s) discarded due to queue overflowCurrent 5 msgs on queue, 3513 msgs most on queueIn this example, the logging deny-conn-queue-full command prevents the creation of new transit connections through the FWSM when the logging queue is full. The syslog messages currently in the queue are processed by the FWSM in the manner specified by the current logging configuration, such as sending syslog messages to e-mail recipients, saving buffer overflows to internal flash memory, and so on. The logging queue does not discard any messages.
The sample output of the show logging queue command shows the following:
•
•
•
Even though the queue length was set for unlimited, a message was discarded because no block memory was available to add the message to the queue.
Related Commands
logging device-id
To configure the FWSM to include a device ID in non-EMBLEM-format syslog messages, use the logging device-id command in global configuration mode. To disable the inclusion of a device ID in messages, use the no form of this command.
logging device-id {context-name | hostname | ipaddress interface_name | string text}
no logging device-id {context-name | hostname | ipaddress interface_name | string text}
Syntax Description
Defaults
No default device ID is used in syslog messages.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
If you use the ipaddress keyword, the device ID becomes the specified FWSM interface IP address, regardless of the interface from which the message is sent. This keyword provides a single, consistent device ID for all messages that are sent from the device.
Examples
The following example shows how to specify a device ID of secappl-1 and the output from the show logging command:
hostname(config)# logging device-id secappl1hostname(config)# show loggingSyslog logging: disabledFacility: 20Timestamp logging: disabledStandby logging: disabledConsole logging: disabledMonitor logging: disabledBuffer logging: level informational, 991 messages loggedTrap logging: disabledHistory logging: disabledDevice ID: hostname "secappl-1"In syslog messages, the hostname secappl-1 appears at the beginning of the message, such as the following:
secappl-1 %FWSM-5-111008: User 'enable_15' executed the 'logging buffer-size 4096' command.Related Commands
logging emblem
To use the EMBLEM format for syslog messages that are sent to output destinations other than a syslog server, use the logging emblem command in global configuration mode. To disable the use of the EMBLEM format, use the no form of this command.
logging emblem
no logging emblem
Syntax Description
This command has no arguments or keywords.
Defaults
By default, the FWSM does not use EMBLEM format for syslog messages.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The logging emblem command enables you to configure the FWSM to use the EMBLEM-format for all messages being sent to output destinations other than to syslog servers; specifically, messages sent to one or more e-mail addresses, the internal log buffer, ASDM, a Telnet session, or an SNMP management station use the EMBLEM-format. If you also enable the logging timestamp keyword, the messages also include a timestamp.
To enable EMBLEM-format logging for syslog servers, use the format emblem option with the logging host command.
Examples
The following example shows how to enable logging and enable the use of EMBLEM-format for logging to all logging destinations except syslog servers:
hostname(config)# logging enablehostname(config)# logging emblemhostname(config)#Related Commands
logging enable
Enables logging.
show logging
Displays the enabled logging options.
show running-config logging
Displays the logging-related portion of the running configuration.
logging device-id
To configure the FWSM to include a device ID in non-EMBLEM-format syslog messages, use the logging device-id command in global configuration mode. To disable the inclusion of a device ID in messages, use the no form of this command.
logging device-id {context-name | hostname | ipaddress interface_name | string text}
no logging device-id {context-name | hostname | ipaddress interface_name | string text}
Syntax Description
Defaults
No default device ID is used in syslog messages.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
If you use the ipaddress keyword, the device ID becomes the specified FWSM interface IP address, regardless of the interface from which the message is sent. This keyword provides a single, consistent device ID for all messages that are sent from the device.
Examples
The following example shows how to specify a device ID of secappl-1 and the output from the show logging command:
hostname(config)# logging device-id secappl1hostname(config)# show loggingSyslog logging: disabledFacility: 20Timestamp logging: disabledStandby logging: disabledConsole logging: disabledMonitor logging: disabledBuffer logging: level informational, 991 messages loggedTrap logging: disabledHistory logging: disabledDevice ID: hostname "secappl-1"In syslog messages, the hostname secappl-1 appears at the beginning of the message, such as the following:
secappl-1 %FWSM-5-111008: User 'enable_15' executed the 'logging buffer-size 4096' command.Related Commands
logging facility
To specify the logging facility used for messages sent to system message servers, use the logging facility command in global configuration mode. To reset the logging facility to its default of 20, use the no form of this command.
logging facility facility
no logging facility
Syntax Description
Defaults
The default facility is 20 (LOCAL4).
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
System log servers file messages based on the facility number in the message. There are eight possible facilities, 16 (LOCAL0) through 23 (LOCAL7).
Examples
The following example shows how to set the logging facility as 16. The output of the show logging command includes the facility being used by the FWSM in syslog messages.
hostname(config)# logging facility 16hostname(config)# show loggingSyslog logging: enabledFacility: 16Timestamp logging: disabledStandby logging: disabledDeny Conn when Queue Full: disabledConsole logging: disabledMonitor logging: disabledBuffer logging: disabledTrap logging: level errors, facility 16, 3607 messages loggedLogging to infrastructure 10.1.2.3History logging: disabledDevice ID: 'inside' interface IP address "10.1.1.1"Mail logging: disabledASDM logging: disabledRelated Commands
logging flash-bufferwrap
To configure the FWSM to write the contents of the log buffer to internal flash memory every time the buffer wraps, use the logging flash-bufferwrap command in global configuration mode. To disable writing the contents of the log buffer to internal flash memory, use the no form of this command.
logging flash-bufferwrap
no logging flash-bufferwrap
Syntax Description
This command has no arguments or keywords.
Defaults
The defaults are as follows:
•
•
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
For the FWSM to write the log buffer contents to internal flash memory when the buffer wraps, you must first configure the log buffer as an output destination; otherwise, the log buffer remains empty. To configure the log buffer as an output destination, use the logging buffered command.
While the FWSM writes the log buffer contents to internal flash memory, it continues storing to the log buffer any new event messages.
The FWSM creates log files with names that use a default time-stamp format, as follows:
LOG-YYYY-MM-DD-HHMMSS.TXTwhere YYYY is the year, MM is the month, DD is the day of the month, and HHMMSS is the time in hours, minutes, and seconds.
The availability of internal flash memory affects how the FWSM saves logs using the logging flash-bufferwrap command. For more information, see the logging flash-maximum-allocation and the logging flash-minimum-free commands.
Examples
The following example shows how to enable system logging, specify the log buffer as an output destination, and enable the FWSM to write the log buffer contents to internal flash memory when the buffer wraps:
hostname(config)# logging enablehostname(config)# logging bufferedhostname(config)# logging flash-bufferwraphostname(config)#
Related Commands
logging flash-maximum-allocation
To specify the maximum amount of internal flash memory that the FWSM uses to store log data, use the logging flash-maximum-allocation command in global configuration mode. To reset the maximum amount of internal flash memory used for this purpose to its default size of 1 MB, use the no form of this command.
logging flash-maximum-allocation kbytes
no logging flash-maximum-allocation kbytes
Syntax Description
kbytes
The largest amount of internal flash memory, in kilobytes, that the FWSM can use to save log buffer data.
Defaults
The default maximum internal flash memory allocation for log data is 1 MB.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
This command determines how much internal flash memory is available for the logging savelog and logging flash-bufferwrap commands.
If a log file to be saved by logging savelog or logging flash-bufferwrap requires more internal flash memory than the maximum amount specified by the logging flash-maximum-allocation command, the FWSM deletes the oldest log files to free sufficient memory for the new log file. If there are no files to delete or if, after all old files are deleted, free memory is too small for the new log file, the FWSM fails to save the new log file.
To determine whether the FWSM has a maximum internal flash memory allocation of a size different than the default size, use the show running-config logging command. If the logging flash-maximum-allocation command is not shown, then the FWSM uses a maximum of 1 MB for log buffer data. The memory allocated is used for both the logging savelog and logging flash-bufferwrap commands.
For more information about how the FWSM uses the log buffer, see the logging buffered command.
Examples
The following example shows how to enable logging, specify the log buffer as an output destination, enable the FWSM to write the log buffer contents to internal flash memory, with the maximum amount of internal flash memory used for log data set to approximately 1.2 MB of memory:
hostname(config)# logging enablehostname(config)# logging bufferedhostname(config)# logging flash-bufferwraphostname(config)# logging flash-maximum-allocation 1200hostname(config)#Related Commands
logging flash-minimum-free
To specify the minimum amount of free internal flash memory that must exist before the FWSM saves a new log file, use the logging flash-minimum-free command in global configuration mode. To reset the minimum required amount of free internal flash memory to its default size of 3 MB, use the no form of this command.
logging flash-minimum-free kbytes
no logging flash-minimum-free kbytes
Syntax Description
kbytes
The minimum amount of internal flash memory, in kilobytes, that must be available before the FWSM saves a new log file.
Defaults
The default minimum free internal flash memory is 3 MB.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
This command affects how much free internal flash memory must exist before the FWSM saves log files created by the logging savelog and logging flash-bufferwrap commands.
The logging flash-minimum-free command specifies how much internal flash memory the logging savelog and logging flash-bufferwrap commands must preserve at all times.
If a log file to be saved by logging savelog or logging flash-bufferwrap would cause the amount of free internal flash memory to fall below the limit specified by the logging flash-minimum-free command, the FWSM deletes the oldest log files to ensure that the minimum amount of memory remains free after saving the new log file. If there are no files to delete or if, after all old files are deleted, free memory would still be below the limit, the FWSM fails to save the new log file.
Examples
The following example shows how to specify that the minimum amount of free internal flash memory must be 4000 KB:
hostname(config)# logging flash-minimum-free 4000hostname(config)#Related Commands
logging from-address
To specify the source e-mail address for syslog messages e-mailed by the FWSM, use the logging from-address command in global configuration mode. This e-mail address appears in the From: line of all e-mailed syslog messages. To remove the source e-mail address, use the no form of this command.
logging from-address from-email-address
no logging from-address from-email-address
Syntax Description
from-email-address
Source e-mail address, that is, the e-mail address that appears in the From: line of each e-mailed syslog message.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Sending syslog messages by e-mail is enabled by the logging mail command.
The address specified with this command need not correspond to an existing e-mail account.
Examples
The following example shows how set up the FWSM to send a limited number of syslog messages by e-mail. The example commands are based on the following example criteria:
•
•
•
•
To enable the FWSM to e-mail system messages according to the example criteria, enter the following commands:
hostname(config)#logging mail criticalhostname(config)#logging from-address ciscosecurityappliance@example.comhostname(config)#logging recipient-address admin@example.comhostname(config)#smtp-server pri-smtp-host sec-smtp-hostRelated Commands
logging ftp-bufferwrap
To enable the FWSM to write the contents of the log buffer to an FTP server every time the buffer wraps, use the logging ftp-bufferwrap command in global configuration mode. To disable writing the contents of the log buffer to an FTP server, use the no form of this command.
logging ftp-bufferwrap
no logging ftp-bufferwrap
Syntax Description
This command has no arguments or keywords.
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
When you enable logging ftp-bufferwrap, the FWSM sends log buffer data to the FTP server every time the log buffer wraps. You specify the FTP server to be sent the log buffer data with the logging ftp-server command.
For the FWSM to send the log buffer contents to the FTP server when the buffer wraps, you must first configure the log buffer as an output destination; otherwise, the log buffer remains empty. To configure the log buffer as an output destination, use the logging buffered command.
While the FWSM sends log data to the FTP server, it continues storing new messages to the log buffer.
The FWSM creates log files with names that use a default time-stamp format, as follows:
LOG-YYYY-MM-DD-HHMMSS.TXTwhere YYYY is the year, MM is the month, DD is the day of the month, and HHMMSS is the time in hours, minutes, and seconds.
Examples
The following example shows how to enable the log buffer, specify an FTP server, and enable the FWSM to write the log buffer contents to an FTP server each time the buffer wraps. This example specifies an FTP server whose hostname is logserver-352. The server can be accessed with the username logsupervisor and password 1luvMy10gs. Log files are to be stored in the /syslogs directory.
hostname(config)# logging bufferedhostname(config)# logging ftp-server logserver-352 /syslogs logsupervisor 1luvMy10gshostname(config)# logging ftp-bufferwraphostname(config)#Related Commands
logging ftp-server
To specify details about the FTP server the FWSM sends log buffer data to when logging ftp-bufferwrap is enabled, use the logging ftp-server command in global configuration mode. To remove all details about an FTP server, use the no form of this command.
logging ftp-server ftp-server ftp_server path username password
no logging ftp-server ftp-server ftp_server path username password
Syntax Description
Defaults
No FTP server is specified by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
You can only specify one FTP server. If a logging FTP server is already specified, using the logging ftp-server command replaces that FTP server configuration with the new one you enter.
The FWSM does not verify the FTP server information you specify. If you misconfigure any of the details, the FWSM fails to send log buffer data to the FTP server.
Examples
The following example shows how to specify an FTP server and enable the FWSM to write the contents of the log buffer to an FTP server. This example specifies an FTP server whose hostname is logserver-352. The server can be accessed with the username logsupervisor and password 1luvMy10gs. Log files are to be stored in the /syslogs directory.
hostname(config)# logging ftp-server logserver-352 /syslogs logsupervisor 1luvMy10gshostname(config)# logging ftp-bufferwraphostname(config)#Related Commands
logging history
To enable SNMP logging and specify which messages are to be sent to SNMP servers, use the logging history command in global configuration mode. To disable SNMP logging, use the no form of this command.
logging history [message_list | level]
no logging history
Syntax Description
Defaults
The FWSM does not log to SNMP servers by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The logging history command lets you enable logging to an SNMP server and set the SNMP message level or event list. You must also configure the FWSM for SNMP.
Examples
The following example shows how to enable SNMP logging and specify that messages of severity levels 0, 1, 2, and 3 are sent to the SNMP server:
hostname(config)# snmp-server host infrastructure 10.2.3.7 trap community gam327hostname(config)# snmp-server enable traps sysloghostname(config)# logging history errorshostname(config)#Related Commands
logging host
To define a syslog server as a log output destination, use the logging host command in global configuration mode. To remove a syslog server definition, use the no form of this command.
logging host interface_name server_ip [tcp/port | udp/port] [format emblem] [permit-hostdown]
no logging host interface_name server_ip
Syntax Description
Defaults
The default values are as follows:
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced.
7.2(2)
The permit-hostdown keyword was added.
Usage Guidelines
The logging host ip_address format emblem command lets you enable EMBLEM-format logging for each syslog server. EMBLEM-format logging is available for UDP syslog messages only. If you enable EMBLEM-format logging for a particular syslog server, then the messages are sent to that server in the EMBLEM format. If you also enable the logging timestamp keyword, messages sent to that server include a time stamp.
You can use multiple logging host commands to specify additional servers that would all receive the syslog messages. For each server, you specify whether the server should receive messages using either the TCP or UDP protocol. You cannot specify a server to receive messages using both TCP and UDP.
To display port and protocol values that you entered previously, use the show running-config logging command and finding the command in the listing—the TCP protocol is listed as 6 and the UDP protocol is listed as 17. TCP ports work only with the FWSM syslog server. The port must be the same port on which the syslog server listens.
Note
Examples
The following example shows how to send syslog messages of severity levels 0, 1, 2, and 3 to a syslog server that resides on the inside interface and uses the default protocol and port number:
hostname(config)# logging host inside 10.2.2.3hostname(config)# logging trap errorshostname(config)#Related Commands
logging list
To create a list of message selection criteria to be used by other commands to specify which messages are sent to a particular output destination, use the logging list command in global configuration mode. To remove the list, use the no form of this command.
logging list name {level level [class message_class] | message start_id[-end_id]}
no logging list name
Syntax Description
class message_class
(Optional) Specifies a class of syslog messages to be included in the list.
See "Usage Guidelines" for a list of classes.
level level
Sets the maximum level for syslog messages. For example, if you set the level to 3, then the FWSM generates syslog messages for level 3, 2, 1, and 0. You can specify either the number or the name, as follows:
•
•
•
•
•
•
•
•
To look up the default level of a message, use the show logging command or see the Catalyst 6500 Series Switch and Cisco 7600 Series Internet Router Firewall Services Module System Message Guide.
message start_id[-end_id]
Specifies a message ID or range of message IDs.
name
Specifies the message list name.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
When you enable a log output destination, you can also specify which syslog messages should be sent to that destination. The message list enables you to specify one or more sets of criteria that the FWSM uses to select messages to be sent to a single output destination.
Criteria you can specify for message selection include severity level, message class, a message ID, or a range of message IDs.
You can specify more than one set of criteria for a single message list. To add a new set of criteria, reissue the command specifying the list name and the new criteria. The new criteria is appended to the existing message list.
Logging commands with which you can use message lists are as follows:
•
•
•
•
•
•
•
Possible values for the message_class include the following:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Examples
The following example shows how to use the logging list command to create a new message list, append additional message selection criteria to the list, and specify that all messages matching the list criteria should be sent to the internal log buffer.
hostname(config)# logging list my-list 100100-100110hostname(config)# logging list my-list level criticalhostname(config)# logging list my-list level warning class vpnhostname(config)# logging buffered my-listThe message selection criteria specified in this example are:
1.
2.
3.
If a syslog message satisfies any one of these conditions, it is logged to the internal log buffer.
Note
Related Commands
show running-config logging
Displays the logging-related portion of the running configuration.
logging mail
To enable the FWSM to send syslog messages by e-mail and to determine which messages are sent by e-mail, use the logging mail command in global configuration mode. To disable e-mailing syslog messages, use the no form of this command.
logging mail [message_list | level]
no logging mail [message_list | level]
Syntax Description
Defaults
Logging to e-mail is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
E-mailed syslog messages appear in the subject line of the e-mails sent.
Examples
The following example shows how to enable e-mail as an output destination, enabling syslog messages to be sent by e-mail. The example commands are based on the following example criteria:
•
•
•
•
To enable the FWSM to e-mail system messages according the example criteria, enter the following commands:
hostname(config)#logging mail criticalhostname(config)#logging from-address ciscosecurityappliance@example.comhostname(config)#logging recipient-address admin@example.comhostname(config)#smtp-server pri-smtp-host sec-smtp-hostRelated Commands
logging message
To change the severity level of a syslog message, use the logging message command with the level keyword in global configuration mode. To reset the logging level of a message to its default level, use the no form of this command.
logging message syslog_id level level
no logging message syslog_id level level
logging message syslog_id
no logging message syslog_id
Syntax Description
Defaults
By default, all syslog messages are enabled and the severity levels of all messages are set to their default levels.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
To prevent the FWSM from generating a particular syslog message, use the no form of the logging message command (without the level keyword) in global configuration mode. To let the FWSM generate a particular syslog message, use the logging message command (without the level keyword). These two purposes of the logging message command can be used in parallel. See the "Examples" section that follows.
You can use the logging message command for two purposes:
•
•
You can use the show logging command to determine the severity level currently assigned to a message and whether the message is enabled.
Examples
The series of commands in the following example illustrates the use of the logging message command to enable and disable messages and change the severity level of messages:
hostname(config)# show logging message 403503syslog 403503: default-level errors (enabled)hostname(config)# logging message 403503 level 1hostname(config)# show logging message 403503syslog 403503: default-level errors, current-level alerts (enabled)hostname(config)# no logging message 403503hostname(config)# show logging message 403503syslog 403503: default-level errors, current-level alerts (disabled)hostname(config)# logging message 403503hostname(config)# show logging message 403503syslog 403503: default-level errors, current-level alerts (enabled)hostname(config)# no logging message 403503 level 3hostname(config)# show logging message 403503syslog 403503: default-level errors (enabled)Related Commands
logging monitor
To enable the FWSM to display syslog messages in SSH and Telnet sessions, use the logging monitor command in global configuration mode. To disable the display of syslog messages in SSH and Telnet sessions, use the no form of this command.
logging monitor [logging_list | level]
no logging monitor
Syntax Description
Defaults
The FWSM does not display syslog messages in SSH and Telnet sessions by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The logging monitor command enables syslog messages for all sessions in the current context; however, in each session, the terminal command controls whether syslog messages appear in that session.
Examples
The following example shows how to enable the display of syslog messages in console sessions. The use of the errors keyword indicates that messages of severity levels 0, 1, 2, and 3 should be shown in SSH and Telnet sessions. The terminal command enables the messages to appear in the current session.
hostname(config)# logging enablehostname(config)# logging monitor errorshostname(config)# terminal monitorhostname(config)#Related Commands
logging permit-hostdown
To specify that the FWSM should allow new network access sessions for a TCP-based syslog server that is not operational, use the logging permit-hostdown command in global configuration mode. To specify that the FWSM should deny new user sessions when a TCP-based syslog server is unavailable, use the no form of this command.
logging permit-hostdown
no logging permit-hostdown
Syntax Description
This command has no arguments or keywords.
Defaults
By default, if you have enabled logging to a syslog server that uses a TCP connection, the FWSM does not allow new network access sessions when the syslog server is unavailable for any reason.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
If you are using TCP as the logging transport protocol for sending messages to a syslog server, the FWSM denies new network access sessions as a security measure if the FWSM is unable to reach the syslog server. You can use the logging permit-hostdown command to remove this restriction.
Examples
The following example makes the status of TCP-based syslog servers irrelevant to whether the FWSM permits new sessions. When the logging permit-hostdown command includes in its output the show running-config logging command, the status of TCP-based syslog servers is irrelevant to new network access sessions.
hostname(config)# logging permit-hostdownhostname(config)# show running-config logginglogging enablelogging trap errorslogging host infrastructure 10.1.2.3 6/1470logging permit-hostdownhostname(config)#Related Commands
logging host
Specifies a syslog server as an output destination.
logging trap
Enables logging to specified syslog servers.
logging queue
To specify how many syslog messages the FWSM can hold in its system log queue prior to processing them according to the current logging configuration, use the logging queue command in global configuration mode. To reset the logging queue size to the default of 512 messages, use the no form of this command.
logging queue queue_size
no logging queue queue_size
Syntax Description
Defaults
The default queue size is 512 messages.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
When traffic is so heavy that the queue fills up, the FWSM might discard messages.
Examples
The following example shows how to display the output of the logging queue and show logging queue commands:
hostname(config)# logging queue 0hostname(config)# show logging queueLogging Queue length limit : UnlimitedCurrent 5 msg on queue, 3513 msgs most on queue, 1 msg discard.In this example, the logging queue command is set to zero, which means that the queue is set to the maximum of 8192. The syslog messages in the queue are processed by the FWSM in the manner dictated by the current logging configuration, such as sending syslog messages to e-mail recipients, saving buffer overflows to internal flash memory, and so forth.
The sample output of the show logging queue command shows that five messages are queued, 3513 messages was the largest number of messages in the queue at one time because the FWSM was last booted, and that one message was discarded. Even though the queue was set for unlimited, the messages was discarded because no block memory was available to add the message to the queue.
Related Commands
show logging
Displays the enabled logging options.
show running-config logging
Displays the logging-related portion of the running configuration.
logging rate-limit
To limit the rate at which syslog messages are generated, use the logging rate-limit command in privileged EXEC mode. To disable rate limiting, use the no form of this command.
logging rate-limit {unlimited | {num [interval]}} message syslog_id | level severity_level
[no] logging rate-limit [unlimited | {num [interval]}} message syslog_id ] level severity_level
Syntax Description
Defaults
The default setting for interval is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
The system message severity levels are as follows:
·0—System Unusable
·1—Take Immediate Action
·2—Critical Condition
·3—Error Message
·4—Warning Message
·5—Normal but significant condition
·6—Informational
·7—Debug Message
Examples
The following example shows how to limit the rate of syslog message generation using a specific message ID and time interval:
fwsm(config)# logging rate-limit 100 600 message 302020This example suppresses syslog message 302020 from being sent to the host after the rate-limit of 100 is reached in the specified interval of 600 seconds.
The following example shows how to limit the rate of syslog message generation using a specific severity level and time interval. To limit the rate of syslog message generation, you can enter a specific severity level:
fwsm(config)# logging rate-limit 1000 600 level 6This example suppresses all syslog messages under severity level 6 to the specified rate-limit of 1000 in the specified time interval of 600 seconds. Each syslog message in severity level 6 has a rate-limit of 1000.
Related Commands
logging recipient-address
To specify the receiving e-mail address for syslog messages e-mailed by the FWSM, use the logging recipient-address command in global configuration mode. To remove the receiving e-mail address, use the no form of this command.
logging recipient-address email_address [level level]
no logging recipient-address email_address [level level]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
You can configure up to five recipient addresses. You can choose to specify a different message level for each recipient address. The message level specified with this command takes precedence over the message level specified by the logging mail command.
Sending syslog messages by e-mail is enabled by the logging mail command.
You can configure up to five e-mail addresses to receive syslog messages from the FWSM. Enter a new command for each recipient you want to specify. Each recipient can have a different logging level than the others. This is useful when you want more urgent messages to go to a larger number of recipients than less urgent messages.
Examples
The following example shows how to set up the FWSM to send a limited number of syslog messages by e-mail. The example commands are based on the following example criteria:
•
•
•
•
To enable the FWSM to e-mail system messages according to the example criteria, enter the following commands:
hostname(config)#logging mail criticalhostname(config)#logging from-address ciscosecurityappliance@example.comhostname(config)#logging recipient-address admin@example.comhostname(config)#smtp-server pri-smtp-host sec-smtp-hostRelated Commands
logging savelog
To save the current contents of the log buffer to internal flash memory, use the logging savelog command in privileged EXEC mode.
logging savelog [savefile]
Syntax Description
Defaults
The defaults are as follows:
•
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
—
Command History
Usage Guidelines
Before you can save the contents of the log buffer to internal flash memory, you must enable logging to the buffer; if logging to the buffer is not enabled, the FWSM does not save syslog messages to the buffer, and therefore the buffer is empty. To enable logging to the buffer, use the logging buffered command.
Note
Examples
The following example enables the log buffer as an output destination, exits global configuration mode, and saves the log buffer to internal flash memory, using the file name latest-logfile.txt:
hostname(config)# logging bufferedhostname(config)# exithostname# logging savelog latest-logfile.txthostname#Related Commands
logging standby
To enable the failover standby FWSM to send the syslog messages of this FWSM to configured logging destinations, use the logging standby command in global configuration mode. To disable system log and SNMP logging, use the no form of this command.
logging standby
no logging standby
Syntax Description
This command has no arguments or keywords.
Defaults
The logging standby command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
You can enable logging standby to ensure that the syslog messages of the failover standby FWSM stay synchronized if failover occurs.
Note
Examples
The following example enables the FWSM to send syslog messages to the failover standby FWSM. The output of the show logging command reveals that this feature is enabled.
hostname(config)# logging standbyhostname(config)# show loggingSyslog logging: enabledFacility: 20Timestamp logging: disabledStandby logging: enabledDeny Conn when Queue Full: disabledConsole logging: disabledMonitor logging: disabledBuffer logging: disabledTrap logging: disabledHistory logging: disabledDevice ID: 'inside' interface IP address "10.1.1.1"Mail logging: disabledASDM logging: disabledRelated Commands
failover
Enables the failover feature.
logging host
Defines a syslog server.
show running-config logging
Displays the logging-related portion of the running configuration.
logging timestamp
To specify that syslog messages should include the date and time that the messages was generated, use the logging timestamp command in global configuration mode. To remove the date and time from syslog messages, use the no form of this command.
logging timestamp
no logging timestamp
Syntax Description
This command has no arguments or keywords.
Defaults
The FWSM does not include the date and time in syslog messages by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The logging timestamp command causes the FWSM to include a timestamp in all syslog messages.
Examples
The following example enables the inclusion of timestamp information in all syslog messages:
hostname(config)# logging enablehostname(config)# logging timestamphostname(config)#Related Commands
login
To log in to privileged EXEC mode using the local user database (see the username command) or to change usernames, use the login command in user EXEC mode.
login
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
User EXEC
•
•
•
•
•
Command History
Usage Guidelines
From user EXEC mode, you can log in to privileged EXEC mode as any username in the local database using the login command. The login command is similar to the enable command when you have enable authentication turned on (see the aaa authentication console command). Unlike enable authentication, the login command can only use the local username database, and authentication is always required with this command. You can only use the login command in user EXEC mode. If you are already in privileged EXEC mode, you need to enter the disable command to go back to user EXEC mode where you can enter the login command.
To allow users to access privileged EXEC mode (and all commands) when they log in, set the user privilege level to 2 (the default) through 15. If you configure local command authorization, then the user can only enter commands assigned to that privilege level or lower. See the aaa authorization command for more information.
When you use the login command in the system execution space, the FWSM uses the username database in the admin context. You cannot enter the username command directly in the system execution space.
Caution
Examples
The following example shows the prompt after you enter the login command:
hostname> loginUsername:Related Commands
logout
To exit from the CLI, use the logout command in user EXEC mode.
logout
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors of values.
Command Modes
The following table shows the modes in which you can enter the command:
User EXEC
•
•
•
•
•
Command History
Usage Guidelines
The logout command lets you log out of the FWSM. You can use the exit or quit commands to go back to user EXEC mode.
Examples
The following example shows how to log out of the FWSM:
hostname> logoutRelated Commands
login
Initiates the log-in prompt.
exit
Exits an access mode.
quit
Exits configuration or privileged mode.
