Cisco PIX Firewall Logging
Enable or disable syslog and SNMP logging. (Configuration mode.)
[no] logging on
[no] logging buffered level
[no] logging console level
[no] logging facility facility
[no] logging history level
[no] logging host [in_if_name] ip_address [protocol/port]
[no] logging message syslog_id
clear logging disabled
show logging disabled
[no] logging monitor level
logging queue queue_size
show logging queue
[no] logging standby
[no] logging timestamp
[no] logging trap level
show logging
clear logging
Syntax Description
on  Start sending syslog messages to all output locations. Stop all logging with the no logging on command.
buffered  Send syslog messages to an internal buffer that can be viewed with the show logging command. Use the clear logging command to clear the message buffer. New messages append to the end of the buffer.
level  Specify the syslog message level as a number or string. The level you specify means that you want that level and those less than the level. For example, if level is 3, syslog displays 0, 1, 2, and 3 messages. Possible number and string level values are:
  0  emergencies  System unusable messages
  1  alerts  Take immediate action
  2  critical  Critical condition
  3  errors  Error message
  4  warnings  Warning message
  5  notifications  Normal but significant condition
  6  informational  Information message
  7  debugging  Debug messages; also logs FTP commands and WWW URLs
console  Specify that syslog messages appear on the firewall console as each message occurs. You can limit the types of messages that appear on the console with level. We recommend that you do not use this command in production mode because its use degrades firewall performance.
facility  Specify the syslog facility. The default is 20.
facility  Eight facilities, LOCAL0(16) through LOCAL7(23); the default is LOCAL4(20). Hosts file the messages based on the facility number in the message.
history  Set the SNMP message level for sending syslog traps.
host  Specify a syslog server that will receive the messages sent from the firewall. You can use multiple logging host commands to specify additional servers that would all receive the syslog messages. However, a server can only be specified to receive either UDP or TCP, not both. The firewall only sends TCP syslog messages to the firewall Syslog Server.
in_if_name  Interface on which the syslog server resides.
ip_address  Syslog server's IP address.
protocol  The protocol over which the syslog message is sent; either tcp or udp. The firewall only sends TCP syslog messages to the firewall Syslog Server. You can only view the port and protocol values you previously entered by using the write terminal command and finding the command in the listing; the TCP protocol is listed as 6 and the UDP protocol is listed as 17.
port  The port from which the firewall sends either UDP or TCP syslog messages. This must be the same port at which the syslog server listens. For the UDP port, the default is 514 and the allowable range for changing the value is 1025 through 65535. For the TCP port, the default is 1470, and the allowable range is 1025 through 65535. TCP ports only work with the firewall Syslog Server.
message  Specify a message to be allowed. Use the no logging message command to suppress a syslog message. Use the clear logging disabled command to reset the disallowed messages to the original set. Use the show logging disabled command to list the suppressed messages. All syslog messages are permitted unless explicitly disallowed. The "PIX Startup begin" message cannot be blocked, and neither can more than one message per command statement.
syslog_id  Specify a message number to disallow or allow. If a message is listed in syslog as %PIX-1-101001, use "101001" as the syslog_id.
disabled  Clear or display suppressed messages. You can suppress messages with the no logging message command.
monitor  Specify that syslog messages appear on Telnet sessions to the firewall console.
queue queue_size  Specifies the size of the queue in which syslog messages wait before they are processed. The queue parameter defaults to 512 messages, 0 (zero) indicates unlimited (subject to available block memory), and the minimum is one message. Use the show logging queue command to determine the current number of messages in the queue, the highest number recorded, and the number of messages discarded because block memory was not available to process them.
standby  Let the firewall standby unit also send syslog messages. This option is disabled by default. You can enable it to ensure that the standby unit's syslog messages stay synchronized should failover occur. However, this option causes twice as much traffic on the syslog server. Disable with the no logging standby command.
timestamp  Specify that syslog messages sent to the syslog server should have a time stamp value on each message.
trap  Set the logging level only for syslog messages.
clear  Clear the buffer for use with the logging buffered command.
show  List which logging options are enabled. If the logging buffered command is in use, the show logging command lists the current message buffer.
Usage Guidelines
The logging command lets you enable or disable sending informational messages to the console, to a syslog server, or to an SNMP management station. Set the SNMP message level with the logging history command, and set the syslog message level with the logging trap command.
The logging queue command lets you specify the size of the syslog message queue for the messages waiting to be processed. When traffic is heavy, messages may be discarded.
The show logging queue command lists:
- Number of messages in the queue
- Highest number of messages recorded in the queue
- Number of messages discarded because block memory was not available to process them
The logging standby command lets the failover standby unit send syslog messages. This option is disabled by default. You can enable it to ensure that the standby unit's syslog messages stay synchronized should failover occur. However, this option causes twice as much traffic on the syslog server. Disable with the no logging standby command.
Use show logging disabled to view suppressed syslog messages.
Do not use the logging console command when the firewall is in production mode because it degrades system performance. By default, this command is disabled. Instead, use the logging buffered command to start logging, the show logging command to view the messages, and the clear logging command to clear the buffer to make viewing the most current messages easier.
The firewall provides more information in messages sent to a syslog server than at the console, but the console provides enough information to permit effective troubleshooting.
The logging timestamp command requires that the clock command be set.
The no logging message command cannot block the "%PIX-6-199002: PIX startup completed. Beginning operation." syslog message.
The aaa authentication enable console command causes syslog messages to be sent (at syslog level 4) each time the configuration is changed from the serial console.
Examples
The following example shows how to start buffered logging and view the results:
logging buffered debugging
show logging
Syslog logging: enabled
Timestamp logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 37 messages logged
Trap logging: disabled
305001: Portmapped translation built for gaddr 209.165.201.5/0 laddr 192.168.1.2/256
...
The line of output starting with 305001 shows a translation to a PAT global through global address 209.165.201.5 from a host at 192.168.1.2. The "305001" identifies a syslog message for creating a translation through a PAT global.
The next example lists the output of the logging queue and show logging queue commands:
logging queue 0
show logging queue
Logging Queue length limit : Unlimited
Current 5 msg on queue, 3513 msgs most on queue, 1 msg discard.
In this example, the logging queue command is set to 0, which means you want an unlimited number of messages (in other words, all syslog messages) to be processed. The show logging queue command shows that 5 messages are queued, that 3513 messages were the greatest number in the queue at one time since the firewall was last booted, and that 1 message was discarded. Even when the queue is set to unlimited, messages can still be discarded if block memory is exhausted.
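The following Python is an added example and not part of the Cisco reference: it models the filtering that the logging trap level and no logging message settings described above apply to %PIX-level-id messages (including the startup message that cannot be blocked), and parses the show logging queue counters so that a rising discard count, the log-loss condition the reference warns about, can be detected on a collector. Message ids 999001 and 999002 are placeholders invented for the sample input.

```python
import re
# Severity names and numbers as the PIX reference lists them.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
# Message format: %PIX-<level>-<syslog_id>: <text>
MSG_RE = re.compile(r"%PIX-(?P<level>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)")
# Counter line printed by "show logging queue".
QUEUE_RE = re.compile(r"Current (\d+) msg on queue, (\d+) msgs most on queue, (\d+) msg discard")
# The reference says the startup-completed message cannot be suppressed.
UNBLOCKABLE = {"199002"}

def parse_pix_message(line):
    """Return (level, syslog_id, text) for a %PIX-n-nnnnnn line, or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return int(m.group("level")), m.group("id"), m.group("text")

def forwarded(lines, trap_level, suppressed=()):
    """Ids that 'logging trap <level>' plus 'no logging message <id>' would still send.
    trap_level is 0-7 or a name; a message passes when level <= cutoff and not suppressed."""
    cutoff = LEVELS[trap_level] if isinstance(trap_level, str) else int(trap_level)
    kept = []
    for line in lines:
        parsed = parse_pix_message(line)
        if parsed is None:
            continue  # not a PIX syslog line
        level, sid, _ = parsed
        blocked = sid in set(suppressed) and sid not in UNBLOCKABLE
        if level <= cutoff and not blocked:
            kept.append(sid)
    return kept

def queue_counters(show_logging_queue_output):
    """Parse 'show logging queue' output into (current, high_water, discarded)."""
    m = QUEUE_RE.search(show_logging_queue_output)
    if m is None:
        raise ValueError("no queue counter line found")
    return tuple(int(x) for x in m.groups())

# Constructed sample input: ids 305001 and 199002 are quoted in the reference,
# 999001 and 999002 are placeholder ids made up for this example.
SAMPLE_LINES = [
    "%PIX-6-305001: Portmapped translation built for gaddr 209.165.201.5/0 laddr 192.168.1.2/256",
    "%PIX-6-199002: PIX startup completed. Beginning operation.",
    "%PIX-7-999001: placeholder debugging-level message",
    "%PIX-4-999002: placeholder warnings-level message",
    "not a syslog line",
]
SAMPLE_QUEUE = "Logging Queue length limit : Unlimited\nCurrent 5 msg on queue, 3513 msgs most on queue, 1 msg discard."
```

A collector that polls show logging queue can alert when the third counter returned by queue_counters increases between polls, since that is the only sign that messages were silently dropped.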