Using a Remote Log Server

Problem

You want to send log messages to a remote syslog server.

Solution

Use the following command to send router log messages to a remote syslog server:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#logging 172.25.1.1
Router(config)#end
Router#

Although pointing the router at the server's IP address, as above, is the preferred way to configure a syslog server, you can also specify a hostname for the router to resolve:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip host nms.oreilly.com 172.25.1.1
Router(config)#logging nms.oreilly.com
Router(config)#end
Router#

With this configuration, the router attempts to resolve the server name when the command is entered. If it cannot resolve the name, either via DNS or through a static host entry, the command is rejected. For more information about DNS and static host names, please see Chapter 2.

Beginning with IOS Version 12.2(15)T, logging host replaced the logging command; however, both methods are still supported:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#logging host 172.25.1.1
Router2(config)#end
Router2#


Discussion

Forwarding log messages to a remote syslog server has several advantages over retaining them only on the router. The primary advantage is persistence: messages delivered to the server are written to its disk. Every other form of router logging (console, monitor, and the internal buffer) is lost when the router reloads, including the messages logged in the moments before a crash, which are often the ones you most need. The same property matters after a compromise: someone with privileged access to the router can clear its local buffer, but cannot retract messages the server has already received.

Another advantage of a remote syslog server is storage capacity. A router keeps log messages in system memory, which severely limits how many it can hold. A syslog server, on the other hand, can store days, weeks, or even months of log messages, and it is not uncommon for an organization to retain a month or more of archived messages for later examination.

Finally, being able to view log messages from all of your routers in a single location is extremely useful. Collecting every router's messages into a common logfile assists fault isolation, problem resolution, network forensics, and security investigations. Parsing those logfiles with custom scripts can give an excellent picture of network health, and many network management software vendors now include tools for handling syslog messages.

The example below shows a router configured with two remote syslog servers. The Trap logging line reports the severity level the router sends to those servers (informational here), which is set independently of the console, monitor, and buffer levels:

Router>show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 654 messages logged
    Monitor logging: level debugging, 65 messages logged
    Buffer logging: level debugging, 2 messages logged
    Logging Exception size (4096 bytes)
    Trap logging: level informational, 658 message lines logged
        Logging to 172.25.1.1, 1 message lines logged
        Logging to 172.25.1.3, 1 message lines logged

Log Buffer (4096 bytes):
Router>

Syslog uses UDP port 514, and messages are sent asynchronously with no acknowledgement from the server. In other words, communication flows in one direction only, with the server acting as a passive receiver. Two consequences matter in practice. Messages dropped on the way (congestion, a failed link, a server that is not listening) are lost silently, and the router never learns of it. And because nothing in the datagram is authenticated, anyone who can send UDP to the server can inject messages that look like router output, so the server should accept syslog only from the addresses of your routers, and UDP port 514 should be filtered at the network edge.

By default, the router does not identify itself inside the message; the syslog server knows the sender only by the source IP address of the datagram. It is often useful to tag messages with the router's hostname as well, especially if the packets pass through a NAT device, in which case every router behind it appears to the server under the same translated address. The ability to tag syslog messages with an origin identifier was introduced in IOS Version 12.2(15)T:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#logging origin-id hostname
Router2(config)#end
Router2#

Before hostname tagging is enabled, the syslog server records each message under the sender's IP address only. (If the server can resolve that address, it records the resolved hostname instead.) Here is an example of a normal syslog message as stored by the server:

Jul 15 20:35:07 172.25.1.100: Jul 15 20:35:07.499 EDT: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty0 (172.25.1.1)

After hostname tagging is enabled, the router's hostname (Router2:) is inserted after the source address and before the router's own timestamp:

Jul 15 20:37:05 172.25.1.100: Router2: Jul 15 20:37:05.173 EDT: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty0 (172.25.1.1)
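The two stored lines above differ only in the origin-id field, and the UDP discussion earlier noted that the source address is the only part of a message the server can actually check. The following added example (written for this recipe, not code from the Cisco IOS Cookbook or from Cisco) parses archived lines in exactly the form shown, separates the server's prefix from the router's own fields, and checks each message's claimed origin against a constructed allow-list of router addresses. The allow-list, the sample lines other than the two from the recipe, the NAT address 203.0.113.7 and the unexpected address 198.51.100.9 are all assumptions made for illustration, as is the assumption that an IOS sequence number, when enabled, precedes the origin-id.

```python
"""Parse archived Cisco IOS syslog lines and check the origin each one claims.

Added example for this recipe, not code from the Cisco IOS Cookbook or from
Cisco.  It expects lines as the recipe shows the server storing them:
"Mon DD HH:MM:SS source: [seq: ][origin: ]timestamp: %FAC-SEV-MNEMONIC: text".
Assumptions: the daemon prefixes its own timestamp and the datagram's source
address; an optional IOS sequence number precedes the origin-id; ALLOWED and
SAMPLE_LINES are constructed for illustration (203.0.113.7 plays a NAT address
that fronts two routers, 198.51.100.9 an address the server does not expect).
"""
import re
import socket

# Constructed allow-list: datagram source address -> hostnames expected from it.
ALLOWED = {"172.25.1.100": {"Router2"}, "203.0.113.7": {"Router3", "Router4"}}

# Prefix the syslog daemon adds: its own timestamp and the packet's source.
SERVER_RE = re.compile(
    r"^(?P<server_ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<source>\S+): (?P<rest>.*)$"
)
# Body as IOS formatted it.  origin appears only with `logging origin-id hostname`;
# the timestamp may carry a leading '*' or '.' when the router clock is unsynchronised.
IOS_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<origin>[A-Za-z][A-Za-z0-9._-]*): )?"
    r"(?P<router_ts>[*.]?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?(?: [A-Za-z]{2,5})?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)


def parse_stored_line(line):
    """Return the message's fields as a dict, or None if it is not an IOS syslog line."""
    outer = SERVER_RE.match(line.rstrip("\n"))
    inner = IOS_RE.match(outer.group("rest")) if outer else None
    if not inner:
        return None
    rec = {**outer.groupdict(), **inner.groupdict()}
    del rec["rest"]
    rec["severity"] = int(rec["severity"])
    return rec


def classify(rec, allowed=ALLOWED):
    """Judge whether the claimed origin is consistent with the source address.

    UDP syslog is unauthenticated: the source address is the only thing the
    server can check, and the origin-id is just a label the sender chose.
    """
    expected = allowed.get(rec["source"])
    if expected is None:
        return "unknown-source"  # not a router we log from; possibly spoofed
    if rec["origin"] is None:    # untagged: unambiguous only if one router uses this address
        return "ok" if len(expected) == 1 else "ambiguous"
    return "ok" if rec["origin"] in expected else "origin-mismatch"


def triage(lines, allowed=ALLOWED):
    """Parse and classify a batch of stored lines as (mnemonic, verdict) pairs."""
    results = []
    for line in lines:
        rec = parse_stored_line(line)
        results.append((rec["mnemonic"], classify(rec, allowed)) if rec else ("unparsed", "unparsed"))
    return results


def receive_loop(bind_addr="0.0.0.0", port=514):
    """Receive raw datagrams on UDP/514 (needs privileges) and print source, origin and body.

    On the wire the body starts with "<PRI>" and has no server prefix, so the PRI
    is stripped before matching IOS_RE.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (src, _) = sock.recvfrom(4096)
        body = re.sub(rb"^<\d{1,3}>", b"", data).decode("ascii", "replace")
        m = IOS_RE.match(body)
        print(src, m.group("origin") if m else None, body)


# Constructed sample: the recipe's two messages, then a shared NAT address with
# and without origin-id, then a message from an address not on the allow-list.
SAMPLE_LINES = [
    "Jul 15 20:35:07 172.25.1.100: Jul 15 20:35:07.499 EDT: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty0 (172.25.1.1)",
    "Jul 15 20:37:05 172.25.1.100: Router2: Jul 15 20:37:05.173 EDT: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty0 (172.25.1.1)",
    "Jul 15 20:40:00 203.0.113.7: Jul 15 20:40:00.001 EDT: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
    "Jul 15 20:40:01 203.0.113.7: Router4: Jul 15 20:40:01.002 EDT: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
    "Jul 15 20:41:00 198.51.100.9: Router2: Jul 15 20:41:00.000 EDT: %SYS-5-CONFIG_I: Configured from memory by console",
]

if __name__ == "__main__":
    for mnemonic, verdict in triage(SAMPLE_LINES):
        print(f"{mnemonic:<10} {verdict}")
```

Running the script classifies the recipe's two lines as ok, the untagged message from the shared NAT address as ambiguous (the server cannot tell Router3 from Router4 without origin-id), the tagged one as ok, and the message from 198.51.100.9 as unknown-source regardless of the hostname it carries. The receive_loop function shows the same parsing applied to live datagrams, where the PRI header must be stripped first; it is not called by default because binding port 514 needs privileges.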


See Also

Chapter 2; Recipe 18.6; Recipe 18.9; Recipe 18.14
