Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Best practice for logging

Hi All,

I would like to know if there is any best practice document for Firewall logging. This would include

1. What level of logging is ideal

2. If a log is stored in a logging server, how long is it best to store the logs and retain the logs by a backup tape etc.

This can include for various industries like IT, Banking etc.

Any document pertaining to these would be helpful. Thanks in advance.



Cisco Employee

Re: Best practice for logging


The only link that I could find on Cisco's Logging Best Practices is here:

Note - this link refers to an IOS device but many of the guidelines transfer nicely to the ASA/PIX/FWSM. The two items at this link that I feel are quite important are synchronizing the time between all of your network devices (possibly via NTP) and leverage the timestamp feature on your syslogs ('logging timestamp' in the firewall realm).

In general, depending on your main goal for logging (troubleshooting, network access logs, etc.), regardless of industry, you will inevitably need to determine the appropriate logging level for that purpose and your network. Even within a particular logging level, you will inevitably find syslogs that are NOT useful to you while finding other syslogs in lower logging levels that ARE useful.

You can customize your logging experience on the ASA/PIX/FWSM by enabling/disabling certain syslogs, escalate those syslogs that are more important (to you) than the default logging level, and create logging lists.  Also, don't forget that logging locally on the device via the "buffered" keyword will be useful for immediate troubleshooting while remote logging for historical purposes may be useful to correlate network access (ie which host went where and when).  With this being said, you will most likely have a different logging level depending on the logging destination.  The

I've provided a link below for the various 'logging' commands for ASA although many of these commands are the same on other firewall platforms:

Here is also a list of the current log messages available on ASA 8.2:

As for how long you decide to keep the logging backups, that will depend on your company's security policy and/or local laws and regulations.

Hope this helps,


New Member

Thanks Kevin for sharing the

Thanks Kevin for sharing the ASA command reference for Logging this will help focus on getting the required(important) logs to our syslog server instead of all logs.we are facing capacity problem on the Syslog server because of the number of messages per hr.