Logging
The router can display logging messages on the terminal, store them in a buffer on the router, or send them to a log server using syslog (syslog is standard on Unix systems, and available for Windows[*]). You can control how much logging information is collected by using severity levels. For example, you can say that all messages should be sent to the log server regardless of severity, but that only critical messages should be displayed on a console.
[*] One source for syslog for Windows is Kiwi Syslog Daemon (http://www.kiwisyslog.com). Search on "syslog and Windows" at http://www.download.com to find a number of others.
16.4.1. Configuring Logging
By default, logging is disabled. If you want to log the router's activity, you must start by enabling logging:
logging on
We can now configure the syslog server. On a Unix system, you configure syslog by editing the /etc/syslog.conf file. On Windows, the configuration process depends on the software you use. No matter what operating system you run it on, each log file is associated with a facility and a severity. For example, the syslog.conf file might contain the following entry:
local5.debug /var/adm/local5.log
This means that messages coming from the user-defined facility local5, with a severity debug (or greater), should be saved in the file /var/adm/local5.log. Since debug is the lowest possible severity, this statement means that we will log all messages from the local5 facility. On the router, the following commands start logging:
! Enable timestamps for all log messages and debug with a time and date stamp.
! The localtime keyword lists the time in local time instead of UTC
service timestamps log datetime localtime
service timestamps debug datetime localtime
! Set the syslog server's IP address
logging host 10.10.1.2
! Limit the log messages to informational and higher
logging trap informational
! Set the facility name on the syslog server
logging facility local5
The final two commands are the most important. The logging trap command says that we're interested in messages with a severity of informational or higher. The logging facility command says that, when the router generates a message, it should be tagged with the facility local5. The facility name you use must match one of the facilities configured on the server.
16.4.2. Severity Levels
Syslog keeps track of messages using eight severity levels, listed in Table 16-1. If you set logging to any particular level, all messages at that level and above (that is, more severe, with a lower level number) will be logged.
| Level | Name | Syslog translation | What it means to you |
|---|---|---|---|
| 0 | Emergencies | LOG_EMERG | System unusable |
| 1 | Alerts | LOG_ALERT | Immediate action required |
| 2 | Critical | LOG_CRIT | Critical condition |
| 3 | Errors | LOG_ERR | Error condition |
| 4 | Warnings | LOG_WARNING | Warning |
| 5 | Notifications | LOG_NOTICE | Normal significant conditions |
| 6 | Informational | LOG_INFO | Just FYI messages |
| 7 | Debugging | LOG_DEBUG | Debugging output |
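The filtering and tagging described in 16.4.1 and 16.4.2, as an added example that is not from the original text: it parses IOS messages, applies the logging trap threshold, and computes the PRI value the syslog server receives for facility local5. The function names are illustrative, and every sample line except the first is constructed.

```python
import re

# IOS severity keywords, indexed by level number (Table 16-1).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
# Standard syslog facility codes: local0 is 16, so local5 is 21.
FACILITIES = {f"local{n}": 16 + n for n in range(8)}

# IOS message tag: %COMPONENT-SEVERITY-MNEMONIC: text
# COMPONENT (e.g. SYS) names the IOS subsystem; it is not the syslog facility.
IOS_MSG = re.compile(r"%(?P<component>[A-Z0-9_]+)-(?P<severity>[0-7])-"
                     r"(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")

def parse_ios(line):
    """Return the tag fields of an IOS log line, or None if it carries no tag."""
    m = IOS_MSG.search(line)
    if m is None:
        return None  # e.g. raw debug output such as "IP: s=10.1.5.1 ..."
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    return fields

def forwarded(severity, trap_level):
    """True if a message of this severity passes 'logging trap <trap_level>'."""
    return severity <= SEVERITIES.index(trap_level)

def syslog_pri(facility, severity):
    """PRI value seen by the syslog server: facility code * 8 + severity."""
    return FACILITIES[facility] * 8 + severity

def route(lines, trap_level="informational", facility="local5"):
    """Return (pri, mnemonic) for each tagged message the router would send."""
    sent = []
    for line in lines:
        msg = parse_ios(line)
        if msg and forwarded(msg["severity"], trap_level):
            sent.append((syslog_pri(facility, msg["severity"]), msg["mnemonic"]))
    return sent

# Sample input: the first line appears in this section, the rest are constructed.
SAMPLE = [
    "1w0d: %SYS-5-CONFIG_I: Configured from console by console",
    "1w0d: %LINK-3-UPDOWN: Interface Serial0, changed state to down",
    "1w0d: %EXAMPLE-7-DEBUGMSG: constructed debugging-level message",
]

if __name__ == "__main__":
    for pri, mnemonic in route(SAMPLE):
        print(f"<{pri}> {mnemonic}")
```

The severity 7 line is dropped because logging trap informational stops at level 6; the other two arrive tagged local5, so the local5.debug entry in syslog.conf writes both to /var/adm/local5.log.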
16.4.3. Buffering Logging and Debug Output
Some other logging commands provide control over how log messages are handled. The first one we will look at is logging buffered, which gives us some control over chatty debug output. For example, if you enable debugging for EIGRP with the command debug ip eigrp, you're in for a lot of logging in the console window. However, you can disable console logging and enable buffered logging with the following commands:
router#config terminal
router(config)#no logging console
router(config)#logging buffered
Now when you enable debugging, all the log messages will be stored in the logging buffer instead of scrolling past on the screen. The default size of the logging buffer is platform-specific, but you can change the size by adding a byte count to the end of the logging buffered command. The buffer size can be from 4,096 to 4,294,967,295 bytes, but sizes toward the upper end of this range are obviously impractical.
To view the buffer, use the show logging command:
router#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 65356 messages logged
    Trap logging: level informational, 86 message lines logged
Log Buffer (4096 bytes):
1w5d: IP: s=10.1.5.1 (local), d=224.0.0.10 (BRI0), len 60, sending broad/multicast
1w5d: IP: s=10.1.5.1 (local), d=224.0.0.10 (BRI0), len 60, encapsulation failed
1w5d: IP: s=10.1.3.1 (Serial0), d=224.0.0.10, len 60, rcvd 2
If the log buffer fills up with too much junk, you can clear it with the command clear logging:
router#clear logging
This command clears the buffer, which allows you to start over.
16.4.4. XML Output of Logging Messages
Starting with IOS 12.2(15)T, syslog messages can be formatted in XML, which is convenient for parsing log messages with other software. As we have seen, our logging messages usually look like this:
1w0d: %SYS-5-CONFIG_I: Configured from console by console
With XML formatting, our log messages look like this:
SYS5CONFIG_I 1w0dconsole
To enable XML logging to the buffered logs on the router, use these commands:
Router#config terminal
Router(config)#logging buffered xml
Router(config)#end
We can verify the setting with the show logging xml command, which shows the logging settings and our buffered log messages. The two logging messages shown here are highlighted in bold.
Router#show logging xml
enableddisabled disabled disabled disabled disabled disabledenabled disabled SYS5CONFIG_I 00:00:55console console SYS5CONFIG_I 00:01:44console console
To enable XML logging to a Syslog host, just use the logging host command as you normally would with the addition of the XML option. In this example, our syslog host is 192.168.0.5 and it's prepared to handle the XML form of our logging.
Router(config)#logging host 192.168.0.5 xml