Section 12-1. Logging


  • Logging is used by the switch to send system messages to a logging facility.

  • Logging messages can be sent to any of four different facilities: the switch console, a file on the switch, Telnet sessions, or a syslog server.

  • Logging history can be maintained in a file to ensure that a record of the messages being sent to Simple Network Management Protocol (SNMP) or syslog servers is kept in case a packet is lost or dropped.

  • Logging displays all error and debug messages by default. The logging level can be set to determine which messages should be sent to each of the facilities.

  • Time stamping logging messages or setting the syslog source address can help in real-time debugging and management. If the time and date are set on a switch, the switch can provide time stamps with each syslog message. The clocks in all switches can be synchronized so that it becomes easier to correlate syslog messages from several devices.

  • System messages are logged with the following format:

    timestamp %function-severity-MNEMONIC:description

    where the timestamp denotes the time of the event, %function is the switch function (also called facility) generating the event, severity is the severity level (0 to 7, lower is more severe) of the event, and MNEMONIC is a text string that briefly describes the event. A more detailed description text string completes the message.

    An example of a severity level 3 Supervisor IOS system message is as follows:

    11w1d: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to up

    An example of a severity level 5 Catalyst OS system message is as follows:

    2001 Dec 20 11:44:19 %DTP-5-NONTRUNKPORTON:Port 5/4 has become non-trunk

NOTE

Logging to a syslog server uses UDP port 514.
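
The message format and severity threshold described above, shown as an added example that is not part of the original text: a short Python parser run over the two sample messages, which also checks whether each message passes a destination's severity level. It goes slightly beyond the text by computing the standard syslog PRI value (facility code * 8 + severity) that a syslog server receives; the function names, the constructed sample lines, and the facility codes are assumptions added here, and the severity names are those of Table 12-1.

```python
import re

# Severity names indexed by level (0 to 7), as in Table 12-1.
SEVERITIES = ["emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"]
# Standard syslog facility codes for local0..local7 (16 to 23); assumption, not from the page.
LOCAL_FACILITY = {f"local{i}": 16 + i for i in range(8)}

# timestamp %function-severity-MNEMONIC:description (timestamp may be absent)
MSG_RE = re.compile(
    r"^(?P<timestamp>.*?):?\s*%(?P<function>[A-Z0-9_]+)-(?P<severity>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<description>.*)$")

def parse_message(line):
    """Return the message fields as a dict, or None if the line does not match."""
    m = MSG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["severity_name"] = SEVERITIES[rec["severity"]]
    return rec

def is_forwarded(rec, level=6):
    """Messages at or below the configured level (at least as severe) are sent."""
    return rec["severity"] <= level

def syslog_pri(rec, facility="local7"):
    """PRI value in the syslog packet: facility code * 8 + severity."""
    return LOCAL_FACILITY[facility] * 8 + rec["severity"]

SAMPLE = [
    # The two example messages from the text above.
    "11w1d: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to up",
    "2001 Dec 20 11:44:19 %DTP-5-NONTRUNKPORTON:Port 5/4 has become non-trunk",
    # Constructed lines: a level 7 message without a time stamp, and non-message text.
    "%SYS-7-EXAMPLE:constructed debugging message",
    "Syslog logging: enabled",
]

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_message(line)
        if rec is None:
            print("not a system message:", line)
            continue
        print(rec["function"], rec["severity"], rec["severity_name"], rec["mnemonic"],
              "sent" if is_forwarded(rec) else "filtered", "PRI", syslog_pri(rec))
```
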


Configuration

1. (Optional) Enable or disable logging:

COS

N/A

IOS

 (global) [no] logging on 


Logging is enabled by default. Use the no keyword to disable all logging on the switch, except for logging to the console.

2. (Optional) Log messages to a syslog server.

a. Identify the syslog server:

COS

 set logging server syslog-host 

IOS

 (global) logging syslog-host 


Text messages are sent to the syslog server at syslog-host (host name or IP address). The messages are captured and can be reviewed on the syslog server.

b. Send messages to a syslog facility:

COS

 set logging server facility facility-type 

IOS

 (global) logging facility facility-type 


When the syslog server receives a message, it forwards the message to a log file or destination based on the originating system facility. In this fashion, syslog servers can collect and organize messages by using the facility as service area or type. All syslog messages from switches can be collected together, if the facility is set identically in each switch.

Syslog servers are based around UNIX operating system concepts and have facility types that are named after various system services. The facility used in switch syslog messages is defined as facility-type, given as one of local0, local1, local2, local3, local4, local5, local6, local7 (the default), which all represent locally defined services. Usually, one or more local facilities are used for messages from network devices.

The Supervisor IOS also allows these additional facility types: auth (user authentication services), cron (job scheduling services), daemon (system background or daemon services), kern (system kernel services), lpr (line printer spooler services), mail (system mail services), news (Usenet newsgroup services), syslog (syslog services), sys9, sys10, sys11, sys12, sys13, sys14 (all reserved for system services), user (system user processes), or uucp (UNIX-to-UNIX copy file transfer services).

c. Limit the severity of the logged messages:

COS

 set logging server severity level 

IOS

 (global) logging trap level 


System messages are assigned a severity level based on the type and importance of the error condition. Only messages that are less than or equal to (at least as severe as) the severity level are sent to the syslog server. The level is a number (0 to 7, default 6) defined in Table 12-1.

Table 12-1. System Message Severity Levels

Level  Name           Description
0      emergencies    System is unusable.
1      alerts         Immediate action is needed.
2      critical       Critical conditions.
3      errors         Error conditions.
4      warnings       Warning conditions.
5      notifications  Normal but significant conditions.
6      informational  Informational messages.
7      debugging      Debugging messages.


The Supervisor IOS also enables you to enter the level as a name. Most physical state transitions (ports and modules up or down) are logged at level 5, whereas hardware or software malfunctions are reported at level 3.

d. (Optional; IOS only) Use a specific source address for syslog messages:

COS

N/A

IOS

 (global) logging source-interface type number 


An IOS switch can use the IP address of a specific interface as the source address in syslog packets. This can be useful if there are many interfaces, but you want to see all syslog messages from a switch appear as a single switch address. (A COS switch always uses the sc0 interface address for this purpose.)

e. (COS only) Start logging to the syslog server:

COS

 set logging server enable 

IOS

N/A


f. (Optional; IOS only) Limit the messages logged to the SNMP history table:

COS

N/A

IOS

 (global) logging history level
 (global) logging history size number


Messages sent as traps to an SNMP management station can be lost. Therefore, messages that are less than or equal to the specified severity level can also be saved to a history table for future review. The level is a number (0 to 7) defined in Table 12-1. By default, only one message is kept in the history table. You can change this by specifying the size keyword with the number of message entries (1 to 500).

3. (Optional) Log messages to the switch buffer:

COS

 set logging buffer size 

IOS

 (global) logging buffered [size] 


All system messages are saved in a section of switch memory. The message buffer remains intact until the switch is powered off or the buffer is cleared with the clear logging command. The maximum buffer size can be given as size (COS: 1 to 500 messages, default 500; Supervisor IOS: 4096 to 2,147,483,647 bytes, default 4096 bytes).

CAUTION

The buffer size varies between Catalyst switch platforms. By logging to a buffer on a Supervisor IOS switch, you are using system resources that can also be needed for the operational aspects of the switch. Be prudent when setting the maximum buffer size so that you don't waste system memory.

4. (Optional; IOS only) Log messages to a file on the switch:

COS

N/A

IOS

 (global) logging file [flash:]filename [max-file-size] [min-file-size] level 


System messages are stored to a file named filename (text string) located on the system flash: device. The file can be constrained to a maximum size max-file-size (4096 to 2,147,483,647 bytes, default 4096) and a minimum size min-file-size (1024 to 2,147,483,647 bytes, default 2048). Messages with a severity level less than or equal to level (0 to 7 or a name from Table 12-1, default 7 or debugging) are appended to the file.

5. (Optional) Log messages to terminal sessions.

a. (Optional) Log messages to the switch console:

COS

 set logging console {enable | disable} 

IOS

 (global) logging console level 


By default, system messages are logged to the console. You can disable logging with the disable keyword. On an IOS switch, only messages with a severity level less than or equal to level (0 to 7 or a name from Table 12-1, default 7 or debugging) are sent to the console.

b. (Optional) Log messages to a Telnet or line session:

COS

 set logging telnet {enable | disable} 

IOS

 (global) logging monitor level 


By default system messages are logged to all Telnet and terminal line sessions. On a COS switch, you can also disable logging, but only for the current session, by using the set logging session disable command. On an IOS switch, only messages with a severity level less than or equal to level (0 to 7 or a name from Table 12-1, default 7 or debugging) are sent to the session.

NOTE

To view system messages during a Telnet session to a vty line on an IOS switch, you must issue the terminal monitor EXEC command.

c. (Optional; IOS only) Control the output of messages to terminal sessions:

COS

N/A

IOS

 (line) logging synchronous [level level | all] [limit buffers]


When synchronous logging is enabled, logging messages are queued until solicited output (regular output from show or configuration commands, for example) is displayed. When a command prompt is displayed, logging output will be displayed. Synchronization can be used on messages at or below a specific severity level (0 to 7 or a name from Table 12-1; default 2) or all levels. With the limit keyword, the switch can queue up to buffers (default 20) messages before they are dropped from the queue.

TIP

Although synchronous logging keeps switch messages from interfering with your typing or reading other displayed text, it can also be confusing. When synchronous logging is enabled on the switch console line and no one is currently logged in to the switch, for example, the switch will queue all messages until the next person logs in. That person will see a flurry of messages scroll by, possibly from hours or days before.

6. (Optional) Record a time stamp with each system message:

COS

 set logging timestamp {enable | disable} 

IOS

 (global) service timestamps log {uptime | datetime} 


By default a COS switch records a date and time time stamp with system messages, whereas an IOS switch records the system uptime. To use the date and time, use the datetime keyword. This can prove useful if you need to reference an error condition to the actual time that it occurred.

TIP

You should configure and set the correct time, date, and time zone on the switch before relying on the message logging time stamps. Refer to section "3-8: Time and Calendar" for further information.

7. (Optional; IOS only) Control the rate of system message generation:

COS

N/A

IOS

 (global) logging rate-limit number [all | console] [except level]


To avoid flooding system messages to a logging destination, you can limit the rate that the messages are sent to number (1 to 10,000 messages per second, no default). The all keyword rate limits all messages, whereas the console keyword rate limits only messages that are sent to the console. You can use the except keyword to rate-limit messages at or below the specified level (0 to 7 as given in Table 12-1).

8. (Optional; COS only) Set the severity level for specific switch functions:

COS

 set logging level {all | function} level [default] 

IOS

N/A


System messages can be logged if they have a severity level that is at or below a configured level. You can also tune the severity level for predefined switch functions to determine whether and when they will be logged. You can use the keyword all to set all switch functions to the same level (0 to 7 or a name, as defined in Table 12-1).

Otherwise, a level can be assigned to one of the following functions: acl (access control lists), cdp (Cisco Discovery Protocol, CDP), cops (Common Open Policy Server, COPS), dtp (Dynamic Trunking Protocol, DTP), dvlan (Dynamic VLAN), earl (Enhanced Address Recognition Logic, EARL), filesys (file system), gvrp (GARP VLAN Registration Protocol, GVRP), ip (Internet Protocol, IP), kernel (switch kernel), ld (Accelerated Server Load Balancing, ASLB), mcast (multicast), mgmt (management), mls (MultiLayer Switching, MLS), pagp (Port Aggregation Protocol, PAgP), protfilt (protocol filtering), pruning (VLAN pruning), privatevlan (private VLANs), qos (Quality of Service, QoS), radius (Remote Access Dial-In User Service, RADIUS), rsvp (Resource Reservation Protocol, RSVP), security (security), snmp (Simple Network Management Protocol, SNMP), spantree (Spanning Tree Protocol, STP), sys (system), tac (Terminal Access Controller, TAC), tcp (Transmission Control Protocol, TCP), telnet (Terminal Emulation Protocol, Telnet), tftp (Trivial File Transfer Protocol, TFTP), udld (Unidirectional Link Detection, UDLD), vmps (VLAN Membership Policy Server, VMPS), or vtp (VLAN Trunking Protocol, VTP). COS switches have these functions and severity levels set as a default: sys (5), dtp (5), pagp (5), mgmt (5), mls (5), cdp (4), udld (4), ip (3), qos (3), and all other functions (2).

Severity levels set are modified only for the current session. To modify the levels for all sessions, use the default keyword.

Logging Example

A switch is configured for logging to a syslog server at 192.168.254.91. By default, the local7 facility is used, with messages that are at level 6, or informational, or less. The COS switch is also configured to log up to 500 messages to its internal buffer, whereas the IOS switch buffers up to 64 Kb characters of message text. On the COS switch, system messages are disabled on the current Telnet session.

The switch prepends date and time time stamps to each logged message. The COS switch has an additional tweak: VTP messages are logged if they are at or below severity level 5 (notifications):

COS

 set logging server 192.168.254.91
 set logging server enable
 set logging buffer 500
 set logging session disable
 set logging timestamp enable
 set logging level vtp 5 default

IOS

 (global) logging 192.168.254.91
 (global) logging buffered 65536
 (global) service timestamps log datetime


Displaying Information About Logging

Table 12-2 lists some switch commands that you can use to display helpful information about system logging.

Table 12-2. Switch Commands to Display System Logging Information

Display Function       Switch OS  Command
Logging configuration  COS        show logging [noalias]
                       IOS        (exec) show logging
System messages        COS        show logging buffer [-] [number-of-messages]
                       IOS        (exec) show logging




Cisco Field Manual. Catalyst Switch Configuration
ISBN: 1587050439
EAN: N/A
Year: 2001
Pages: 150
