DiagnosticsGlobal Config

logging buffered informational

Configures the logging buffer to capture messages at the informational severity level and above for local viewing.

Overview

The 'logging buffered informational' command is used on Cisco ASA firewalls to enable local logging to an internal buffer at the informational severity level. This command is part of the ASA's syslog logging framework, which categorizes messages into eight severity levels from emergencies (0) to debugging (7). Informational (level 6) captures normal operational events such as connection establishments, teardowns, NAT translations, VPN tunnel status changes, and configuration changes. It excludes lower-severity debug messages, making it suitable for day-to-day monitoring without overwhelming the buffer.

The logging buffer is a circular memory buffer that stores the most recent syslog messages. When the buffer is full, the oldest messages are overwritten. The default buffer size is 4096 bytes on ASA, but it can be increased with the 'logging buffer-size' command. This command is typically used during troubleshooting to capture events leading up to an issue, or for routine monitoring when external syslog servers are not available. It is also useful for capturing output from 'debug' commands when debugging is enabled at informational level, though debug messages are usually at level 7.

To use this command, global logging must first be enabled with 'logging enable'. The command is entered in global configuration mode. After configuration, messages are immediately written to the buffer. To view the buffer, use 'show logging'. The output includes both the logging configuration and the buffered messages. The buffer can be cleared with 'clear logging'.

In troubleshooting workflows, 'logging buffered informational' is often used as a first step to gather baseline data. For example, if users report intermittent connectivity issues, the buffer may show failed connection attempts or NAT failures. If the buffer does not contain enough information, the severity level can be lowered to debugging (level 7) to capture more detail, but this should be done cautiously as it can impact performance and fill the buffer rapidly. The command is also useful for verifying that logging is working before configuring external syslog servers.

Syntax·Global Config
logging buffered <severity-level>

When to Use This Command

  • Troubleshooting connectivity issues by reviewing informational syslog messages in the buffer.
  • Monitoring normal operation events like NAT translations or VPN tunnel establishment.
  • Capturing debug output when debugging is enabled at informational level.
  • Reviewing recent events without sending logs to an external syslog server.

Parameters

ParameterSyntaxDescription
severity-level0-7 or keyword (emergencies, alerts, critical, errors, warnings, notifications, informational, debugging)Specifies the severity level threshold. Messages at this level and higher (lower number) are logged. For example, 'informational' logs levels 0-6. The keyword 'informational' is equivalent to level 6.

Command Examples

Enable logging buffered at informational level

logging buffered informational

This command enables logging to the internal buffer with severity level 6 (informational). No immediate output is shown; use 'show logging' to view buffered messages.

Verify logging buffer configuration

show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level informational, 1000 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled

%ASA-6-302013: Built inbound TCP connection 12345 for outside:10.0.0.1/443 (10.0.0.1/443) to inside:192.168.1.100/54321 (192.168.1.100/54321)

The output shows buffer logging is enabled at informational level. The last line is a sample syslog message showing a TCP connection built, which is an informational event.

Understanding the Output

The 'show logging' command displays the current logging configuration and the buffered messages. The configuration section shows which logging destinations are enabled and their severity levels. For buffer logging, it shows the level (e.g., informational) and the number of messages logged. The messages section lists syslog entries in chronological order. Each message includes a severity code (e.g., %ASA-6-... for informational), a message ID, and a description. Healthy operation shows normal events like connection builds, teardowns, and NAT translations. Problematic values include error messages (severity 3 or lower) or repeated failures. The buffer size is limited; older messages are overwritten when full.

Configuration Scenarios

Basic Logging Buffer Setup for Monitoring

A network administrator wants to monitor normal firewall activity without sending logs to a server.

Topology

N/A

Steps

  1. 1.Enable global logging: 'logging enable'
  2. 2.Set buffer logging to informational: 'logging buffered informational'
  3. 3.Optionally increase buffer size: 'logging buffer-size 65536'
  4. 4.View logs: 'show logging'
Configuration
!
logging enable
logging buffered informational
logging buffer-size 65536
!

Verify: Use 'show logging' to confirm buffer logging is enabled at informational level and view recent messages.

Watch out: If 'logging enable' is not configured, buffer logging will not work even if the command is accepted.

Troubleshooting with This Command

The 'logging buffered informational' command is a primary tool for troubleshooting on Cisco ASA firewalls. When an issue is reported, the first step is to check the buffer for relevant syslog messages. For example, if users cannot access a web server, look for messages like '%ASA-6-302013: Built inbound TCP connection' or '%ASA-6-302014: Teardown TCP connection' to see if connections are being established and torn down normally. If connections are being denied, look for '%ASA-4-106023: Deny tcp src outside:...' which indicates ACL drops. For VPN issues, look for '%ASA-6-713228: Group <group> User <user> IP <ip> IPv4 Address assigned' or '%ASA-6-713123: Group <group> User <user> IP <ip> Tunnel established'.

If the buffer does not contain enough information, consider lowering the severity to debugging (level 7) to capture more detail. However, be aware that debugging can generate a high volume of messages and impact firewall performance. Use 'logging buffered debugging' temporarily and then revert to informational after collecting data. Also, increase the buffer size with 'logging buffer-size' to avoid overwriting important messages.

When interpreting the output, pay attention to the severity code in each message (e.g., %ASA-6-... for informational, %ASA-4-... for warnings). Repeated error messages (severity 3 or lower) indicate persistent problems. The timestamp (if enabled with 'logging timestamp') helps correlate events with user reports. If the buffer shows no messages at all, verify that logging is enabled and that the severity level is appropriate. Also check if the buffer is empty due to a recent 'clear logging' or reload.

For advanced troubleshooting, combine buffer logging with other commands like 'show conn', 'show xlate', or 'show access-list'. The buffer provides a historical record, while these show current state. If the issue is intermittent, consider sending logs to an external syslog server for persistent storage.

CCNA Exam Tips

1.

Remember that 'logging buffered' stores messages in RAM and is cleared on reload; use 'logging history' for NVRAM storage.

2.

Know the severity levels: emergencies (0) to debugging (7); informational is level 6.

3.

On ASA, 'logging buffered' without a level defaults to debugging (level 7), which can fill the buffer quickly.

Common Mistakes

Setting the buffer level too low (e.g., debugging) causing the buffer to fill rapidly and lose important messages.

Forgetting to enable 'logging enable' globally; buffer logging will not work without it.

Assuming buffer logging persists across reboots; it is volatile and lost on power cycle.

Platform Notes

On Cisco ASA, the 'logging buffered' command behaves similarly to Cisco IOS routers and switches, but there are key differences. ASA uses a severity level range of 0-7, same as IOS, but the default buffer size is smaller (4096 bytes vs 4096 bytes on IOS, but IOS often defaults to 4096 as well). ASA also requires 'logging enable' globally, whereas IOS does not have a global enable command; logging is enabled by default. On ASA, the buffer is cleared on reload, while on IOS it is also cleared on reload unless saved to NVRAM with 'logging history'. ASA does not have a 'logging history' command; instead, use 'logging buffered' for volatile storage.

Equivalent commands on other platforms: On Cisco IOS, 'logging buffered <severity>' is identical. On Juniper SRX, the equivalent is 'set system syslog file messages any any' and 'show log messages'. On Palo Alto, use 'set shared log-settings syslog local' and view logs via the GUI or CLI.

Version differences: In ASA version 8.4(2) and later, the 'logging buffered' command supports the 'size' parameter to set buffer size in bytes. Earlier versions used 'logging buffer-size' separately. The severity keywords (e.g., informational) are consistent across versions. On ASA 9.x, the command remains unchanged.

Practice for the CCNA 200-301

Test your knowledge with hundreds of CCNA practice questions covering all exam domains.

Practice CCNA Questions