Showing results for 
Search instead for 
Did you mean: 

Logging VPN events on Cisco IOS and ASA


System logging is a method of collecting messages from devices to a server or  local on the device (logging buffer)


ASA VPN Logging

Logging class commands help us to segregate the specific logs we want to trap , they could be sent to the ASDM , Console , buffered , monitor , or to an external server.

Logging timestamp: Add a timestamp  on the logs.

Logging class ca: Useful for certificate authentication problems on Site-to-Site and Anyconnect.

Logging class csd: Logs the events  related to the Cisco Secure Desktop and Hostscan.

Logging class DAP: Logs the events related to the Dynamic Access Policy for the VPN client.

Logging class svc: Logs events related  to Anyconnect connections.
Logging class vpdn: Logs events related to PPTP and L2TP.

Logging class vpn: Logs events related to the isakmp and ipsec process.

Logging class vpnc: Logs events related to the VPN IPSEC client.

Logging class vpnfo: Logs events related to the VPN in a failover environment.

Logging class vpnlb: Logs events related to the VPN in a load balance environment.

Logging class webfo: Logs events related to the webvpn in a failover environment.

Logging class webvpn: Logs events related to the webvpn process.

Logging class auth: Useful to check the AAA logs  of the VPN clients.

Example of the use of the command:

ciscoasa(config)# logging class csd asdm  ?

configure mode commands/options:
  <0-7>          Enter syslog level (0 - 7)
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)

Router VPN logging:

service timestamps debug datetime msec: Add a timestamp in microseconds to the debugs

service timestamps log datetime msec: Add a timestamp in microseconds to the logs.

Logging dmvpn:  Logs events related to  DMVPN .

Crypto logging ezvpn: Logs events related to the EZVPN connections.

Crypto logging  ikev2:  Logs events related to the IKEV2 sessions.

Crypto logging session: Logs events related to up/down  status of the ipsec tunnels.


If you need more information on the router you can enable the following debugs:


  •         debug crypto isakmp
  •         debug crypto isakmp error
  •         debug crypto isakmp ha          
  •         debug crypto ipsec      
  •         debug crypto ipsec error         
  •         debug crypto routing       
  •         debug crypto ha        
  •         debug crypto engine error      
  •         debug crypto engine packet


Hope it helps

- Randy -


I am having issues with consistent field extraction using the cisco:asa sourcetype. The fields are very inconsistently parsed, many times making 4 or 5 events out of a single event, even separating a line in the middle of a word.

I am currently accepting syslog for these devices using rsyslog, and I am monitoring the file generated for the specific device on the local filesystem. I am running version 3.2.0 of the Splunk Add-on for Cisco ASA. I am running version 3.0.3 of Cisco Security Suite. Am I missing something? VPN is Express

Recognize Your Peers
Content for Community-Ad