Rate-Limiting Syslog Traffic

Problem

You wish to rate-limit the syslog traffic to your server.

Solution

Use the logging rate-limit configuration command to limit the number of syslog packets sent to your server:

Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#logging host 172.25.1.1 Router(config)#logging rate-limit 30 except warnings Router(config)#end Router#

To rate limit the number of log messages sent to the console port, use the following command:

Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#logging rate-limit console 25 except warnings Router(config)#end Router#

This feature became available starting in IOS Version 12.1(3)T.

Discussion

By default, a router that is configured for remote logging will forward all log messages to the syslog server as they are created, regardless of how many there are. The rate-limit command will throttle the number of packets to ensure that router won't flood the network or syslog server. It is particularly useful to throttle syslog messages when forwarding debug traces or if the network is congested.

Cisco provides the option to throttle log messages sent to the console port, as well. This feature is important, since all messages written to the console port cause CPU interrupts. If a large number of log messages are being sent to the console port, then the router can suffer noticeable service degradation. Being able to rate-limit messages is an effective alternative to completely disabling them.

The syntax for rate limiting includes several options. The examples above limit the rate of syslog messages to 30 messages per second. The valid limits for this option are 1 to 10,000 messages per second. Since log messages vary in length, it is difficult to calculate a meaningful number in terms of bytes per second. However, a typical average size for a log message is between 150 and 170 bytes. So we can roughly estimate that 30 messages per second will correspond to 36,000 to 40,800 bits per second, which is a good limit for serial lines.

Both examples in this section use the optional keyword except. Use this keyword to ensure that only non-critical messages become rate-limited. For example, to rate-limit all messages at a warning severity level or lower, and to allow all other severity messages to be sent, use the except warning keywords. The examples in this section rate-limit only those messages set at a warning severity level or below. Note that the keyword all is equivalent to setting the except option at the debug level, meaning all messages are rate-limited.

Категории