You can use the following command on the ASA to see the different logging levels:
ASA2(config)# logging console ?
configure mode commands/options:
<0-7> Enter syslog level (0 - 7)
WORD Specify the name of logging list
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4)
The higher the logging level, the greater the amount of logs generated by the ASA. The debugging level should therefore only be used for troubleshooting purposes, since it generates a lot of logs and might affect CPU and memory usage on the ASA.
Initial configuration for enabling logging on ASA:
ASA2(config)# logging enable -------------------> Enable logging on ASA
ASA2(config)# logging monitor informational -------------------> If you want to enable logging on the terminal monitor
ASA2(config)# logging buffered informational ------------------> Stores the logs in the logging buffer; the buffer is FIFO, so old logs are purged once it is full.
ASA2(config)# logging timestamp -------------------> Important, as it adds a timestamp to each log message
IMP:- If you enable monitor logging and use the command terminal monitor, all the logs will come onto the terminal monitor; to stop the logging you will need to enter "term no mon" very quickly.
How to enable logs to be sent on a syslog server:
Let's assume you have set up a syslog server on the inside interface of the ASA. First try pinging the server from the ASA; it should be reachable. Then on the ASA:
ASA2(config)# logging trap informational
ASA2(config)# logging host inside 10.1.1.1
The first command decides which level of logs is sent to the syslog server, and the second command decides where the syslog server is located in the network.
IMP:- By default syslog uses UDP port 514, but you can enable it on a TCP port as well (6 is the IP protocol number for TCP, followed by the port):
ASA2(config)# logging host inside 10.1.1.1 6/1470
By default, if you have enabled logging to a syslog server that uses a TCP connection, the adaptive security appliance does not allow new network access sessions when the syslog server is unavailable for any reason.
To prevent this, use the command "logging permit-hostdown".
How to configure Logging to be sent to ASDM:
ASA2(config)# logging asdm informational
How to enable Logging List on ASA:
To create a logging list to use in other commands to specify messages by various criteria (logging level, event class, and message IDs), use the logging list command in global configuration mode.
ASA2(config)# logging list my-list 100100-100110
ASA2(config)# logging list my-list level critical
ASA2(config)# logging list my-list level warning class vpn
ASA2(config)# logging buffered my-list
This logging list would generate logs for messages with syslog IDs 100100-100110 at critical level or higher. It would also generate VPN class syslogs at warning level or higher (alert, emergency, critical, error).
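To make the severity numbering and the logging-list criteria concrete, here is an added Python example (not from the original post or from Cisco) that filters constructed ASA syslog lines the way the buffer would with my-list applied. It assumes the "%ASA-<severity>-<message id>:" tag present in ASA syslogs, treats each logging list criterion as an independent filter where any one match admits the message (my reading of the ASA command reference, stated as an assumption), and uses a made-up message-id-to-class table, since the real class assignment lives inside the ASA.

```python
import re
# Severity names and numbers exactly as "logging console ?" lists them.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
# Every ASA syslog carries a "%ASA-<severity>-<message id>:" tag after the optional timestamp.
ASA_TAG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d+):")
# Constructed message-id -> event-class table for the sample below; the ASA assigns
# classes internally, so this is an assumption for the demo, not the appliance's table.
SAMPLE_CLASSES = {713120: "vpn", 302013: "session", 106023: "session"}

class LoggingList:
    """Models the criteria of 'logging list <name> ...'. A message matches the list
    when it satisfies ANY one criterion (level, level+class, or message-id range)."""
    def __init__(self, name):
        self.name, self.levels, self.id_ranges = name, [], []

    def level(self, name, event_class=None):   # logging list X level <name> [class <c>]
        self.levels.append((SEVERITY[name], event_class))
        return self

    def message(self, start, end=None):        # logging list X <start>[-<end>]
        self.id_ranges.append((start, start if end is None else end))
        return self

    def matches(self, sev, msg_id, event_class=None):
        # Lower number = more severe, so "critical or higher" means sev <= 2.
        for max_sev, cls in self.levels:
            if sev <= max_sev and (cls is None or cls == event_class):
                return True
        return any(lo <= msg_id <= hi for lo, hi in self.id_ranges)

def filter_syslog(lines, log_list, classes=SAMPLE_CLASSES):
    """Return the message ids of the lines the list would admit to the buffer."""
    kept = []
    for line in lines:
        m = ASA_TAG.search(line)
        if m:  # lines without the ASA tag (banners, prompts) are ignored
            sev, msg_id = int(m["sev"]), int(m["id"])
            if log_list.matches(sev, msg_id, classes.get(msg_id)):
                kept.append(msg_id)
    return kept

# Constructed sample lines in the shape produced when "logging timestamp" is enabled.
SAMPLE_LINES = [
    "Jan 05 2024 10:00:01: %ASA-6-302013: Built outbound TCP connection (constructed)",
    "Jan 05 2024 10:00:02: %ASA-2-100105: constructed critical message inside the id range",
    "Jan 05 2024 10:00:03: %ASA-4-713120: constructed vpn-class warning",
    "Jan 05 2024 10:00:04: %ASA-4-106023: constructed non-vpn warning",
    "Jan 05 2024 10:00:05: %ASA-6-100108: constructed informational message inside the id range",
]
# The post's list: ids 100100-100110, critical or higher, vpn-class warnings or higher.
MY_LIST = LoggingList("my-list").message(100100, 100110).level("critical").level("warnings", "vpn")
```

Running `filter_syslog(SAMPLE_LINES, MY_LIST)` keeps 100105, 713120 and 100108 and drops the informational session message and the non-VPN warning, which is the practical difference between a plain "logging buffered informational" and a list-driven buffer.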