Syslog is what turns the Cisco ASA from a black box into something you can troubleshoot, audit, and SIEM. The configuration is small (six lines for a sane production setup), but the message format and the severity model both have ASA-specific quirks worth knowing before you point a log collector at the box. This article walks the syslog destinations, the eight severity levels, message lists for filtering, and how to read the %ASA-X-XXXXXX format using real lab logs from Sessions 3 and 4 (PSK-mismatch IKEv2 failures and OUTSIDE_IN ACL denies).
This is a Cisco ASA Fundamentals article. The companion logging-side topics are common outage scenarios (where the same syslog patterns confirm the diagnosis) and ACL troubleshooting (where the deny-and-log pattern is the diagnostic technique).
The Eight Severity Levels
The ASA uses the standard syslog severity model, 0-7, with smaller numbers meaning more urgent.
| Level | Name | What lives here |
|---|---|---|
| 0 | emergencies | System unusable. Catastrophic platform failures. |
| 1 | alerts | Immediate action required. Failover events, environmental alarms. |
| 2 | critical | Critical conditions. Interface down on a critical link. |
| 3 | errors | Error conditions. Tunnel Manager "failed to establish L2L SA" (752015, logged at this level), most VPN auth failures, NAT pool exhaustion, ACL drops with high frequency. |
| 4 | warnings | Warning conditions. ACL denies, bad-cert presented, IPsec proposal mismatches. |
| 5 | notifications | Normal but significant. Config changes, SSH login allowed, IKEv2 SA established. |
| 6 | informational | Informational. Most accept-flow logs, AAA accept, conn create/teardown if logged. |
| 7 | debugging | Debug-only. Internal state machine traces. |
Each destination on the ASA is configured with a maximum severity. Setting a destination to informational (level 6) means you receive everything from level 0 through level 6; level 7 (debugging) is still excluded. The standard production setup is informational to a remote syslog collector and warnings or notifications to the buffered log.
Logging Destinations
The ASA can log to seven destinations independently. The four you actually care about:
| Destination | Configured with | When to use |
|---|---|---|
| Console | logging console SEVERITY | Almost never. Console logging at any high rate slows the CLI to a crawl. |
| Buffered (RAM) | logging buffered SEVERITY | Always. The most-recent-N log lines kept in RAM, readable with show logging. Survives until reload or a clear. |
| Trap (remote syslog server) | logging trap SEVERITY + logging host ... | Always. UDP/514 to your SIEM or syslog collector. |
| SSH/Telnet sessions ("monitor") | logging monitor SEVERITY + terminal monitor | Ad-hoc, during a debug session. Not for production. |
Two more destinations exist (e-mail and ASDM) but they are rarely the right answer for production at scale.
Minimum-Viable Config
Six lines:
ASA-PERIM(config)# logging enable
ASA-PERIM(config)# logging timestamp
ASA-PERIM(config)# logging buffer-size 1048576
ASA-PERIM(config)# logging buffered informational
ASA-PERIM(config)# logging trap informational
ASA-PERIM(config)# logging host inside 10.10.0.30 17/514
What each does:
- logging enable: master switch. Without this, none of the others do anything.
- logging timestamp: prepend a timestamp to every message. The default is no timestamp, which makes correlation between the ASA and other devices much harder.
- logging buffer-size 1048576: 1 MB ring buffer (the default is 4 KB, which fills in seconds on a busy box).
- logging buffered informational: keep levels 0 through 6 in the buffer.
- logging trap informational: send levels 0 through 6 to the syslog server.
- logging host inside 10.10.0.30 17/514: send to 10.10.0.30 over the inside interface, UDP/514. The 17/514 is "protocol 17 (UDP), port 514."
For TCP syslog (some collectors prefer it), use 6/1470 or whatever the collector listens on. TCP gives you delivery guarantees but introduces backpressure: if the collector dies, the ASA's TCP send queue fills and logging stalls. Most production sites use UDP for the ASA and accept the rare lost packet.
Reading the Message Format
Every ASA syslog has the same shape: %ASA-LEVEL-MESSAGEID: free-form text. From the lab's Session 3 PSK-mismatch failure on the IKEv2 site-to-site to ASA-PARTNER:
%ASA-4-750003: Local:203.0.113.2:500 Remote:203.0.113.6:500 Username:203.0.113.6 IKEv2 Negotiation aborted due to ERROR: Failed to authenticate the IKE SA
%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= OUTSIDE-MAP. Map Sequence Number = 10.
Walk through %ASA-4-750003:
- %ASA-: the platform prefix. Always there.
- 4: severity 4 (warnings).
- 750003: the message ID. Unique. Look it up in the Cisco docs (show logging message 750003 on the ASA also helps) for the official explanation.
- : the separator.
- Free-form text describing what happened.
Once you internalize the format, you can scan a log dump and pick out the level and the message ID at a glance, even when the free-form text varies. The two messages above show the textbook IKEv2 PSK-failure pattern: a 750003 (auth failed) immediately followed by a 752015 (tunnel mgr gives up). See troubleshoot IPsec phases for the full PSK-failure walk.
And from the lab's Session 4 OUTSIDE_IN ACL deny, when something hit line 5 (the explicit catch-all):
%ASA-4-106023: Deny tcp src outside:8.8.8.8/56321 dst dmz:192.168.50.10/8080 by access-group "OUTSIDE_IN"
%ASA-4-106023 is the canonical "ACL deny" message ID. The text gives you the source interface, source IP+port, destination interface, destination IP+port, and the ACL name. That single line is enough to confirm a denial and start working out which ACL line to add. The companion message ID %ASA-6-106100 is the matching permit log line if you have log on a permit ACE.
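A collector-side parser for the header shape described above and for the 106023 deny text. This is an added example written for this article, not ASA code or Cisco tooling; the dictionary field names (src_if, sport, acl, and so on) are my own choice, and the sample lines are the two lab messages quoted above.

```python
import re

SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# Every ASA message carries %ASA-<severity>-<6-digit id>: <free text>.
# The search is unanchored so a syslog priority or timestamp prefix is fine.
HEADER_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# Free text of 106023 as shown above; ports are optional so a line without
# them still parses. Field names are my own, not Cisco's.
DENY_RE = re.compile(
    r'^Deny (?P<proto>\w+) src (?P<src_if>[^:\s]+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))?'
    r' dst (?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?'
    r'.*? by access-group "(?P<acl>[^"]+)"'
)

def parse_header(line):
    """Split one raw line into severity (number and name), message id, text."""
    m = HEADER_RE.search(line)
    if not m:
        return None  # not an ASA message
    sev = int(m.group("sev"))
    return {"severity": sev, "severity_name": SEVERITY_NAMES[sev],
            "msgid": m.group("msgid"), "text": m.group("text")}

def parse_acl_deny(line):
    """Return the 106023 fields as a dict, or None for any other message."""
    hdr = parse_header(line)
    if hdr is None or hdr["msgid"] != "106023":
        return None
    m = DENY_RE.match(hdr["text"])
    if not m:
        return None  # 106023 text in a shape this regex does not know
    fields = m.groupdict()
    for k in ("sport", "dport"):
        fields[k] = int(fields[k]) if fields[k] else None
    return fields

# Two lines copied from the lab output above, with no timestamp prefix.
SAMPLE = [
    "%ASA-4-750003: Local:203.0.113.2:500 Remote:203.0.113.6:500 Username:203.0.113.6 "
    "IKEv2 Negotiation aborted due to ERROR: Failed to authenticate the IKE SA",
    '%ASA-4-106023: Deny tcp src outside:8.8.8.8/56321 dst dmz:192.168.50.10/8080 '
    'by access-group "OUTSIDE_IN"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        hdr = parse_header(line)
        print(hdr["severity_name"], hdr["msgid"], parse_acl_deny(line))
```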
Message Lists: Filter Per Destination
Sometimes you want a different filter per destination. Send everything to the central SIEM but only the headlines to a paging system.
ASA-PERIM(config)# logging list HEADLINES level critical
ASA-PERIM(config)# logging list HEADLINES message 106023
ASA-PERIM(config)# logging list HEADLINES message 750003
ASA-PERIM(config)# logging list HEADLINES message 752015
!
ASA-PERIM(config)# logging trap HEADLINES
ASA-PERIM(config)# logging host inside 10.10.0.40 17/514
The list HEADLINES includes everything at level critical or above, plus three specific message IDs regardless of level: 106023 (ACL deny), 750003 (IKEv2 auth failed) and 752015 (Tunnel Manager give-up). You then bind that list to logging trap, and only matching messages go to the host on the next line.
You can also include or exclude classes of messages (logging class vpn, logging class auth, etc.). The class names map to subsystem groupings. show logging class lists every class.
Rate Limiting
The ASA has a per-message rate limiter. By default it is enabled with sane values, but a noisy message ID can still spam the buffer and the collector. Tune it for known-noisy IDs:
ASA-PERIM(config)# logging rate-limit 10 60 message 106023
That caps message 106023 (ACL deny) to 10 occurrences per 60 seconds. Anything beyond that is suppressed (and accounted for in show logging rate-limit). Useful when a security scanner is hammering your perimeter and you do not want a million identical deny logs filling your SIEM.
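A collector-side model of the two filters above (the HEADLINES list and the per-message rate limit), added here to show what each would pass; it is an example written for this article, not ASA code. The sliding-window behaviour is my assumption, since the page only gives the numbers 10 and 60, and the scanner burst is constructed.

```python
import re
from collections import defaultdict, deque

HEADER_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):")

def headline_match(line, max_level=2, message_ids=("106023", "750003", "752015")):
    """Model of the HEADLINES list: pass level 0-2 (critical and above)
    or any of the three listed message ids regardless of level."""
    m = HEADER_RE.search(line)
    if not m:
        return False
    return int(m.group("sev")) <= max_level or m.group("msgid") in message_ids

class RateLimiter:
    """Per-message-id limiter: at most `num` messages in any `interval`-second
    window. The sliding window is my assumption, not documented ASA behaviour."""
    def __init__(self, limits):
        self.limits = limits                  # {msgid: (num, interval_seconds)}
        self.windows = defaultdict(deque)     # accepted timestamps per msgid
        self.suppressed = defaultdict(int)    # what show logging rate-limit would count

    def allow(self, line, now):
        m = HEADER_RE.search(line)
        if not m or m.group("msgid") not in self.limits:
            return True                       # no rule for this id: unlimited
        msgid = m.group("msgid")
        num, interval = self.limits[msgid]
        win = self.windows[msgid]
        while win and now - win[0] >= interval:
            win.popleft()                     # drop timestamps outside the window
        if len(win) >= num:
            self.suppressed[msgid] += 1
            return False
        win.append(now)
        return True

def simulate_scanner_burst(count=25, seconds=30):
    """Constructed burst: `count` identical denies spread evenly over `seconds`,
    fed through the 'logging rate-limit 10 60 message 106023' rule."""
    limiter = RateLimiter({"106023": (10, 60)})
    deny = ('%ASA-4-106023: Deny tcp src outside:198.51.100.99/52891 '
            'dst dmz:192.168.50.10/443 by access-group "OUTSIDE_IN"')
    passed = sum(limiter.allow(deny, i * seconds / count) for i in range(count))
    return passed, limiter.suppressed["106023"]

if __name__ == "__main__":
    print(simulate_scanner_burst())  # (10, 15): 10 passed, 15 suppressed
```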
Reading the Buffer with show logging
ASA-PERIM# show logging | tail
%ASA-6-302013: Built outbound TCP connection 1234 for outside:8.8.8.8/443 (8.8.8.8/443) to inside:10.10.0.50/53412 (203.0.113.2/53412)
%ASA-4-106023: Deny tcp src outside:198.51.100.99/52891 dst dmz:192.168.50.10/443 by access-group "OUTSIDE_IN"
%ASA-6-302014: Teardown TCP connection 1232 for outside:8.8.8.8/443 to inside:10.10.0.50/53411 duration 0:00:14 bytes 8421 TCP FINs from inside
Useful filters when the buffer is huge:
| Command | Use |
|---|---|
| show logging \| include 106023 | Just the ACL denies. |
| show logging \| include 192.168.50.10 | Anything mentioning the DMZ web server. |
| show logging \| include vpn | Filter by free-form keyword. |
| show logging asdm | Just the ASDM-specific log buffer (separate from the main one). |
| show logging queue | Counters: total messages, queued, dropped. |
| show logging rate-limit | Which message IDs are being rate-limited. |
Clear the buffer with clear logging buffer. The remote syslog stream is unaffected; the buffer is local-only.
Message IDs Worth Memorizing
A short list of message IDs that come up so often it is faster to learn them than to look them up.
| Message ID | Severity | Event |
|---|---|---|
| 106023 | 4 | ACL deny |
| 106100 | 6 | ACL permit (when log keyword set) |
| 302013/302014 | 6 | TCP conn build / teardown |
| 302015/302016 | 6 | UDP conn build / teardown |
| 305011/305012 | 6 | NAT translation built / teardown |
| 305009 | 6 | Static NAT built |
| 113004/113005 | 6 | AAA authentication accepted / rejected |
| 113019 | 4 | VPN session disconnected (with reason) |
| 605004/605005 | 6 | SSH login allowed / session started |
| 713903 / 713904 / 713905 / 713906 | 5/7 | IKEv1 / IKEv2 packet receive and phase tracking |
| 750001-750003 | 5/4 | IKEv2 SA negotiation, success and failure |
| 752015 | 3 | Tunnel Manager failed to establish L2L SA |
| 111007/111008 | 5 | Config command issued (full audit trail) |
| 199002/199003 | 5/3 | Failover unit role change |
SIEM rules built around the right message IDs are an order of magnitude more useful than rules built on free-text matching. The IDs are stable across versions; the free-form text occasionally changes between releases.
Worked Example: PSK-Mismatch IKEv2 Tunnel
From the lab. PSK on ASA-PERIM was deliberately set wrong. Traffic that should have triggered the S2S tunnel produced this sequence in the buffered log:
%ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = OUTSIDE-MAP. Map Sequence Number = 10.
%ASA-5-750001: Local:203.0.113.2:500 Remote:203.0.113.6:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel...
%ASA-7-713906: IKE Receiver: Packet received on 203.0.113.2:500 from 203.0.113.6:500
%ASA-7-713906: IKE Receiver: Packet received on 203.0.113.2:500 from 203.0.113.6:500
%ASA-4-750003: Local:203.0.113.2:500 Remote:203.0.113.6:500 Username:203.0.113.6 IKEv2 Negotiation aborted due to ERROR: Failed to authenticate the IKE SA
%ASA-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = OUTSIDE-MAP. Map Sequence Number = 10.
%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= OUTSIDE-MAP. Map Sequence Number = 10.
%ASA-7-752002: Tunnel Manager Removed entry. Map Tag = OUTSIDE-MAP. Map Sequence Number = 10.
Reading the IDs and severities top to bottom: 752003 (kicked off), 750001 (got the request), 713906 x2 (received packets), 750003 (auth failed, severity 4, the first warning), 752012 (gave up at the IKEv2 layer), 752015 (gave up at the Tunnel Manager layer, severity 3, errors), 752002 (cleaned up). The pattern of auth failed -> tunnel mgr give-up within milliseconds is the classic PSK-mismatch fingerprint. See IPsec phase troubleshooting for the response.
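A detector for that fingerprint over the buffered log, added as an example for this article rather than code from the lab or from Cisco. Because the lab lines carry no timestamps, it uses distance in messages (max_gap, my own parameter) in place of "within milliseconds", and it pulls the peer from the 750003 and the crypto-map tag from the 752015 so a SIEM alert can name both.

```python
import re

HEADER_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
REMOTE_RE = re.compile(r"Remote:(?P<peer>[\d.]+):\d+")
MAPTAG_RE = re.compile(r"Map Tag\s*=\s*(?P<tag>[\w-]+)")

# The eight buffered-log lines from the lab sequence above.
LAB_SEQUENCE = [
    "%ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = OUTSIDE-MAP. Map Sequence Number = 10.",
    "%ASA-5-750001: Local:203.0.113.2:500 Remote:203.0.113.6:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel...",
    "%ASA-7-713906: IKE Receiver: Packet received on 203.0.113.2:500 from 203.0.113.6:500",
    "%ASA-7-713906: IKE Receiver: Packet received on 203.0.113.2:500 from 203.0.113.6:500",
    "%ASA-4-750003: Local:203.0.113.2:500 Remote:203.0.113.6:500 Username:203.0.113.6 IKEv2 Negotiation aborted due to ERROR: Failed to authenticate the IKE SA",
    "%ASA-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = OUTSIDE-MAP. Map Sequence Number = 10.",
    "%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= OUTSIDE-MAP. Map Sequence Number = 10.",
    "%ASA-7-752002: Tunnel Manager Removed entry. Map Tag = OUTSIDE-MAP. Map Sequence Number = 10.",
]

def find_psk_mismatch(lines, max_gap=3):
    """Return one finding per 750003 auth failure that is followed, within
    max_gap messages, by a 752015 Tunnel Manager give-up."""
    parsed = [m for m in (HEADER_RE.search(l) for l in lines) if m]
    findings = []
    for i, m in enumerate(parsed):
        if m.group("msgid") != "750003" or "Failed to authenticate" not in m.group("text"):
            continue
        peer = REMOTE_RE.search(m.group("text"))
        for gap, n in enumerate(parsed[i + 1:i + 1 + max_gap], start=1):
            if n.group("msgid") == "752015":
                tag = MAPTAG_RE.search(n.group("text"))
                findings.append({
                    "peer": peer.group("peer") if peer else None,
                    "map_tag": tag.group("tag") if tag else None,
                    "messages_between": gap - 1,          # 752012 sits in between
                    "severities": (int(m.group("sev")), int(n.group("sev"))),
                })
                break
    return findings

if __name__ == "__main__":
    for finding in find_psk_mismatch(LAB_SEQUENCE):
        print(finding)
```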
Always Set Time
The logging timestamp command prepends a timestamp, but that timestamp is only as accurate as the ASA's clock. NTP-synced and authenticated time is mandatory before logs are useful for correlation:
ASA-PERIM(config)# clock timezone UTC 0
ASA-PERIM(config)# ntp authenticate
ASA-PERIM(config)# ntp authentication-key 1 md5 NTP-Key
ASA-PERIM(config)# ntp trusted-key 1
ASA-PERIM(config)# ntp server 10.10.0.10 key 1 source inside prefer
UTC for everything network-side. Your SIEM can localize to operator time zones at display.
Verify the Pipeline
Three checks after configuring logging:
ASA-PERIM# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level informational, 8423 messages logged
Trap logging: level informational, 8421 messages logged to host inside:10.10.0.30
History logging: disabled
Device ID: hostname "ASA-PERIM"
Mail logging: disabled
ASDM logging: disabled
"Buffer logging" and "Trap logging" should both have non-zero counts climbing. If the trap count is zero, the host line is misconfigured or the collector is unreachable. Verify with a packet capture on the inside interface filtering UDP/514 (see packet capture for the syntax).
Key Takeaways
Cisco ASA syslog is small to configure and high-leverage to operate. Six lines get you a 1 MB local buffer plus a remote syslog stream at level informational. The %ASA-LEVEL-MESSAGEID: format is consistent across every message, so your SIEM should match on message IDs (which are stable) rather than free-form text (which is not).
Enable logging timestamp and pin the ASA to authenticated NTP before you depend on logs for correlation. Rate-limit known-noisy IDs (106023 ACL deny is the classic) so a security scanner does not bury the rest of your log stream.
For the operational uses of these logs, see ACL troubleshooting (which uses 106023 deny logs as the diagnostic) and common outages (which uses message IDs to fingerprint different failure modes). The full reading order is on the Cisco ASA pillar.