Guidelines for Logging
This section includes guidelines and limitations that you should review before configuring logging.
IPv6 Guidelines
Additional Guidelines
- The syslog server must run a server program called syslogd. Windows provides a syslog server as part of its operating system.
- To view logs generated by the , you must specify a logging output destination. If you enable logging without specifying a logging output destination, the generates messages but does not save them to a location from which you can view them. You must specify each different logging output destination separately. For example, to designate more than one syslog server as an output destination, configure each syslog server separately.
- Sending syslogs over TCP is not supported on a standby device.
- You cannot assign two different message lists or classes to different syslog servers, or to the same location.
- You can configure up to 16 syslog servers. However, in multiple context mode, the limit is 4 servers per context.
- The syslog server should be reachable through the . You should configure the device to deny ICMP unreachable messages on the interface through which the syslog server is reachable and to send syslogs to the same server. Make sure that you have enabled logging for all severity levels. To prevent the syslog server from crashing, suppress the generation of syslogs 313001, 313004, and 313005.
- When you use a custom message list to match only access list hits, the access list logs are not generated for access lists that have had their logging severity level increased to debugging (level 7). The default logging severity level is set to 6 for the logging list command. This default behavior is by design. When you explicitly change the logging severity level of the access list configuration to debugging, you must also change the logging configuration itself.

  The following is sample output from the show running-config logging command that does not include access list hits, because their logging severity level has been changed to debugging:

      ciscoasa# show running-config logging
      logging enable
      logging timestamp
      logging list test message 106100
      logging buffered test

  The following is sample output from the show running-config logging command that does include access list hits:

      ciscoasa# show running-config logging
      logging enable
      logging timestamp
      logging buffered debugging

  In this case, the access list configuration does not change and the number of access list hits appears, as shown in the following example:

      ciscoasa(config)# access-list global line 1 extended permit icmp any host 4.2.2.2 log debugging interval 1 (hitcnt=7) 0xf36b5386
      ciscoasa(config)# access-list global line 2 extended permit tcp host 10.1.1.2 any eq www log informational interval 1 (hitcnt=18) 0xe7e7c3b8
      ciscoasa(config)# access-list global line 3 extended permit ip any any (hitcnt=543) 0x25f9e609
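As an added example (not part of the Cisco documentation), the following Python script applies this guideline to a running configuration: it reads the logging lists, the output destinations and the access-list entries that carry a log keyword, and reports any entry whose log severity is above what the destination's level or message list (defaulting to 6) will capture. The severity numbers and the default of 6 follow this section; treating a bare log keyword as informational is an assumption, and the sample configuration is constructed from the output shown above.

```python
import re

# Numeric severities used by the ASA 'logging' and access-list 'log' keywords.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
DEFAULT_LEVEL = 6  # 'logging list' default per the guideline; also assumed for a bare ACE 'log'

def parse_config(text):
    """Return (message-list levels, output destinations, logging ACEs) found in config text."""
    list_levels, destinations, aces = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"logging list (\S+) (?:level (\S+)|message \d+)$", line)
        if m:
            name, level = m.groups()
            list_levels.setdefault(name, DEFAULT_LEVEL)
            if level:
                list_levels[name] = SEVERITY[level]
            continue
        m = re.match(r"logging (buffered|trap|console|monitor|asdm) (\S+)$", line)
        if m:
            destinations[m.group(1)] = m.group(2)  # a level name or a message-list name
            continue
        m = re.match(r"access-list (\S+) line (\d+) .*\blog\b(?: (\S+))?", line)
        if m:
            aces.append((m.group(1), int(m.group(2)), SEVERITY.get(m.group(3), DEFAULT_LEVEL)))
    return list_levels, destinations, aces

def uncaptured_aces(text):
    """Return (destination, acl, line) for ACE hits that the destination will not record."""
    list_levels, destinations, aces = parse_config(text)
    findings = []
    for dest, target in destinations.items():
        ceiling = SEVERITY.get(target, list_levels.get(target))  # plain level or list name
        if ceiling is None:
            continue  # unknown target, nothing to check
        findings.extend((dest, acl, line) for acl, line, sev in aces if sev > ceiling)
    return findings

# Constructed sample shaped like the first 'show running-config logging' output above plus its three ACEs.
SAMPLE_CONFIG = """\
logging enable
logging timestamp
logging list test message 106100
logging buffered test
access-list global line 1 extended permit icmp any host 4.2.2.2 log debugging interval 1
access-list global line 2 extended permit tcp host 10.1.1.2 any eq www log informational interval 1
access-list global line 3 extended permit ip any any
"""
```

Running uncaptured_aces(SAMPLE_CONFIG) flags line 1 of the global access list, and the finding disappears once the destination is changed to logging buffered debugging or the list is raised with logging list test level debugging.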
- When the sends syslogs via TCP, the connection takes about one minute to initiate after the syslogd service restarts.