Sunday, June 18, 2017

A Note on Syslog Logging System of Cisco IOS Devices

Network devices generate messages when something happens. The system that records these messages is called "Syslog". The messages help you identify what is happening on a device during troubleshooting, or what happened earlier for later root-cause analysis.

You can view Syslog messages on the Cisco CLI using the following commands.

On the console line:
R(config)#logging console

On a terminal VTY line (SSH, Telnet):
R#terminal monitor

The full Syslog message format in Cisco IOS is as follows:

seq no:timestamp: %facility-severity-MNEMONIC: event

Seq No:
A sequence number that identifies the message's position in the order of generation.
This is useful because the output on the screen can sometimes appear out of order.
You will not see it often because it is disabled by default.
The following command enables the sequence number:
R(config)#service sequence-numbers

Timestamp:
The date and time of the message or event.
Timestamps are also disabled by default, but you will see them enabled on almost all systems because knowing when an event was triggered is very important.
The following command enables the timestamp:
R(config)#service timestamps log datetime

Facility:
This identifies the protocol, module, or process that generated the message.
The following are common facilities you may encounter:
SYS for the operating system
IF for an interface
LINK for physical links
LINEPROTO for line protocol

Severity:
A number from 0 to 7 designating the importance of the action reported.
The levels are:
0 emergencies
1 alerts
2 critical
3 errors
4 warnings
5 notifications
6 informational
7 debugging

Levels 0 through 4 are for events that could seriously impact the device, whereas levels 5 through 7 are for less important events.
By default, Syslog servers receive informational messages (level 6).

To change the minimum severity level that is shown on the console, use the following command.
R(config)#logging console <severity level>

To change the minimum severity level that is shown on the terminal, use the following command.
R(config)#logging monitor <severity level>

If you specify a level, that level and all more severe levels (the lower numbers) will be displayed.
For example, with the logging console warnings command, all messages at the emergencies, alerts, critical, errors and warnings levels will be displayed.

MNEMONIC:
A short string that describes the type of message.

Event:
A plain-text description of the event that triggered the Syslog message.

Now let's analyze a typical Syslog message:
*Jun 16 16:41:14.958: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up

Seq No: none (not configured)
Timestamp: Jun 16 16:41:14.958
Facility: LINK
Severity level: 3 (errors)
MNEMONIC: UPDOWN
Event: Interface Ethernet0/0, changed state to up
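As an added example (not code from the original post), the following Python parses IOS syslog lines of the format above into their fields and applies the threshold rule behind the logging console, logging monitor and logging trap commands: the configured level and everything more severe passes, the rest is dropped. Apart from the message analysed above, the sample lines are constructed; the severity keyword table is the standard IOS one, and the leading "*" or "." that IOS prints in front of a timestamp when its clock is not authoritative or NTP synchronization has been lost is stripped before the time is returned.

```python
"""Parse Cisco IOS syslog lines of the form
   [seq no:] [timestamp:] %FACILITY-SEVERITY-MNEMONIC: event
and apply an IOS-style severity threshold."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

# IOS severity keywords; a lower number means a more severe event.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
SEVERITY_BY_NAME = {name: level for level, name in SEVERITY_NAMES.items()}

# Everything before '%' is the optional prefix (sequence number and/or timestamp).
_MESSAGE_RE = re.compile(
    r"^(?P<prefix>.*?)"
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<event>.*)$"
)
# A sequence number is digits followed by ': ' (or by the end of the prefix).
# An uptime timestamp such as '00:03:15' has no space after its first colon,
# so it is not mistaken for a sequence number.
_SEQ_RE = re.compile(r"^(?P<seq>\d+)(?::\s+(?P<rest>.*))?$")


@dataclass
class IosSyslogMessage:
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    event: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_ios_syslog(line: str) -> Optional[IosSyslogMessage]:
    """Return the parsed message, or None if the line is not an IOS syslog message."""
    m = _MESSAGE_RE.match(line.strip())
    if m is None:
        return None
    seq: Optional[int] = None
    timestamp: Optional[str] = None
    prefix = m.group("prefix").strip().rstrip(":").strip()
    if prefix:
        seq_m = _SEQ_RE.match(prefix)
        if seq_m:
            seq = int(seq_m.group("seq"))
            prefix = seq_m.group("rest") or ""
        # '*' = clock not authoritative, '.' = NTP sync lost; not part of the time.
        timestamp = prefix.lstrip("*.").strip() or None
    return IosSyslogMessage(
        seq=seq, timestamp=timestamp, facility=m.group("facility"),
        severity=int(m.group("severity")), mnemonic=m.group("mnemonic"),
        event=m.group("event"),
    )


def to_level(threshold: Union[int, str]) -> int:
    """Accept the numeric level or the IOS keyword (e.g. 'warnings' -> 4)."""
    if isinstance(threshold, int):
        if threshold not in SEVERITY_NAMES:
            raise ValueError(f"severity level must be 0-7, got {threshold}")
        return threshold
    try:
        return SEVERITY_BY_NAME[threshold.lower()]
    except KeyError:
        raise ValueError(f"unknown severity keyword: {threshold}") from None


def passes_threshold(msg: IosSyslogMessage, threshold: Union[int, str]) -> bool:
    """Mirror 'logging console|monitor|trap <level>': the given level and all
    more severe (lower-numbered) levels pass; less severe ones are dropped."""
    return msg.severity <= to_level(threshold)


def filter_lines(lines: Iterable[str], threshold: Union[int, str]) -> List[IosSyslogMessage]:
    """Parse each line and keep the messages that would be logged at that threshold."""
    kept = []
    for line in lines:
        msg = parse_ios_syslog(line)
        if msg is not None and passes_threshold(msg, threshold):
            kept.append(msg)
    return kept


# Constructed sample output; the first line is the message analysed in the post.
SAMPLE_LINES = [
    "*Jun 16 16:41:14.958: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up",
    "000042: *Jun 16 16:41:15.960: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "00:03:15: %SYS-6-BOOTTIME: Time taken to reboot after reload = 195 seconds",
    "R#show logging",  # CLI echo, not a syslog message: parse returns None
]

if __name__ == "__main__":
    # Equivalent of 'logging trap notifications': levels 0-5 are kept, level 6 is dropped.
    for msg in filter_lines(SAMPLE_LINES, "notifications"):
        print(f"{msg.seq} {msg.timestamp} %{msg.facility}-{msg.severity}-{msg.mnemonic} "
              f"({msg.severity_name}): {msg.event}")
```

The sequence number is parsed before the timestamp so that an out-of-order screen dump can be re-sorted on it, and the threshold helper takes either the numeric level or the keyword exactly as the IOS commands do, which makes it easy to check what a given logging trap setting would actually forward to the server.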

Storing Syslog Data

By default, a Cisco IOS device stores its Syslog messages in an internal buffer of 4 Mb.
You can increase the buffer size with the following command.
R(config)#logging buffered <size>

Or you can configure a dedicated Syslog server to store the Syslog data and point the device at its IP address with the following command:
Router(config)#logging <ip address of the syslog server>

To change the minimum severity level that is sent to the server, use the following command.
Router(config)#logging trap <severity level>

The server must run Syslog software to capture the messages sent to it.
