
logging on

Enables logging on the Cisco ASA Firewall to capture system messages and debug output.

Overview

The 'logging on' command is a fundamental command on Cisco ASA Firewalls that activates the logging subsystem. Without this command, no syslog messages are generated or sent, regardless of other logging configurations. Logging is essential for security monitoring, troubleshooting, and compliance. The ASA supports multiple logging destinations: console, monitor (for SSH/Telnet sessions), buffer (internal memory), and syslog servers (via UDP or TCP). The command is simple but critical; it must be issued in global configuration mode. Once enabled, the ASA will start generating messages based on the configured severity levels. This command fits into troubleshooting workflows as the first step to capture events. It is platform-specific to ASA; on IOS devices, logging is enabled by default. The command has no parameters and no output, making it easy to overlook. Best practice is to always include 'logging on' in the initial configuration.

Syntax·Global Config
logging on

When to Use This Command

  • Enable logging to capture security events during an incident investigation.
  • Activate logging before configuring syslog servers to ensure messages are sent.
  • Turn on logging to monitor VPN connection attempts and failures.
  • Enable logging for troubleshooting network connectivity issues.

Parameters

Parameter | Syntax     | Description
none      | logging on | The command has no parameters. It simply enables the logging process.

Command Examples

Enable Logging

logging on

No output is displayed; logging is enabled silently.

Verify Logging Status

show logging
Syslog logging: enabled
  Facility: 20
  Timestamp logging: disabled
  Hide Username logging: disabled
  Standby logging: disabled
  Debug-trace logging: disabled
  Console logging: disabled
  Monitor logging: disabled
  Buffer logging: level errors, 0 messages logged
  Trap logging: level informational, facility 20, 0 messages logged
  Logging to 'inside' 10.1.1.1: protocol UDP, port 514
    statistics: 0 messages sent, 0 messages received
  Logging to 'outside' 203.0.113.1: protocol UDP, port 514
    statistics: 0 messages sent, 0 messages received

The output shows that syslog logging is enabled, with various logging destinations and their statuses. The buffer and trap logging levels are set, and syslog servers are configured.

Understanding the Output

The 'show logging' command displays the current logging configuration. The first line indicates whether logging is enabled or disabled. The subsequent lines show the facility code, timestamp settings, and various logging destinations (console, monitor, buffer, trap). For each destination, the logging level and number of messages logged are shown. For syslog servers, the IP address, protocol, port, and statistics are displayed. A healthy state shows logging enabled with appropriate levels and active syslog servers. Problem values include logging disabled, high error counts, or unreachable syslog servers.

Configuration Scenarios

Basic Logging Setup

A network administrator needs to enable logging and send messages to a syslog server.

Topology

ASA (inside) --- 10.1.1.0/24
ASA (outside) --- 203.0.113.0/24
Syslog server at 10.1.1.100

Steps

  1. Enter global configuration mode.
  2. Enable logging with 'logging on'.
  3. Configure syslog server: 'logging host inside 10.1.1.100'.
  4. Set trap level: 'logging trap informational'.

Configuration

!
logging on
logging host inside 10.1.1.100
logging trap informational
!

Verify: Use 'show logging' to verify logging is enabled and syslog server is listed.

Watch out: If 'logging on' is not issued, no messages will be sent even if the syslog server is configured.

Troubleshooting with This Command

When troubleshooting logging issues on Cisco ASA, start by verifying that 'logging on' is configured. Use 'show logging' to confirm the status. If logging is enabled but messages are not reaching the syslog server, check connectivity and ensure the syslog server IP is reachable. Also verify that the logging level is set appropriately; for example, if the level is 'errors', informational messages will not be sent. Use 'debug logging' to see real-time messages on the console. Common issues include missing 'logging on', incorrect syslog server IP, or firewall rules blocking UDP port 514. The 'show logging' command also displays statistics for each syslog server, showing how many messages were sent and received. If the sent count is zero, the ASA is not generating messages or the server is unreachable. Remember that 'logging on' must be issued before any logging occurs; it is a common oversight.
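
As an added example (not part of the original page or of any Cisco tooling), the Python code below parses text in the 'show logging' layout shown above and reports the problem values the page describes: logging disabled, a trap level that filters out the severity you need, and syslog servers with zero messages sent. The function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample, following the 'show logging' layout shown on this page.
SAMPLE = """\
Syslog logging: enabled
  Facility: 20
  Buffer logging: level errors, 0 messages logged
  Trap logging: level informational, facility 20, 0 messages logged
  Logging to 'inside' 10.1.1.1: protocol UDP, port 514
    statistics: 0 messages sent, 0 messages received
"""

# Severity keywords, most severe first; list index equals the numeric level.
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]
HOST_RE = re.compile(r"Logging to '([^']+)' (\S+): protocol (\w+), port (\d+)")

def parse_show_logging(text):
    """Turn 'show logging' text into a dict of settings and syslog hosts."""
    state = {"enabled": False, "settings": {}, "hosts": []}
    for line in (raw.strip() for raw in text.splitlines()):
        host = HOST_RE.match(line)
        if host:
            state["hosts"].append({"interface": host[1], "ip": host[2],
                                   "protocol": host[3], "port": int(host[4]),
                                   "sent": None})
        elif line.startswith("statistics:") and state["hosts"]:
            # The statistics line belongs to the most recent 'Logging to' host.
            sent = re.search(r"(\d+) messages sent", line)
            state["hosts"][-1]["sent"] = int(sent[1]) if sent else None
        elif ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            state["settings"][key] = value
    state["enabled"] = state["settings"].get("Syslog logging") == "enabled"
    return state

def findings(state, needed_level="informational"):
    """List the problem values the page describes for this output."""
    out = []
    if not state["enabled"]:
        out.append("logging disabled")
    trap = re.match(r"level (\w+)", state["settings"].get("Trap logging", ""))
    if not trap or trap[1] not in LEVELS:
        out.append("trap logging has no recognised level")
    elif LEVELS.index(trap[1]) < LEVELS.index(needed_level):
        out.append(f"trap level '{trap[1]}' drops {needed_level} messages")
    if not state["hosts"]:
        out.append("no syslog server listed")
    for h in state["hosts"]:
        if h["sent"] == 0:
            out.append(f"{h['ip']} on '{h['interface']}': 0 messages sent")
    return out
```

A zero sent count alone does not say which side is at fault; as the paragraph above notes, it means either the ASA is not generating messages or the server is unreachable.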

CCNA Exam Tips

1. Remember that 'logging on' is required before any logging will occur, even if other logging commands are configured.

2. Know that the default logging level is 'debugging' for console and 'informational' for syslog traps.

3. Be aware that 'logging on' does not affect existing logging configurations; it simply activates the logging process.

Common Mistakes

Forgetting to issue 'logging on' after configuring syslog servers, resulting in no messages being sent.

Assuming 'logging on' enables all logging destinations; each destination must be individually enabled.

Confusing 'logging on' with 'logging enable' (which is not a valid command on ASA).

Platform Notes

On Cisco ASA, the 'logging on' command is required to activate logging. This differs from Cisco IOS, where logging is enabled by default. On ASA, logging is disabled until explicitly enabled. The command is identical across ASA versions (8.x, 9.x). There is no equivalent command on other platforms like Juniper SRX, where logging is typically enabled via a different mechanism. On ASA, the command is simple but crucial. Version differences are minimal; the command has remained unchanged. For ASA, remember that 'logging on' must be configured in global config mode and is saved to the running configuration.
