Logging

The router can display logging messages on the terminal, store them in a buffer on the router, or send them to a log server using syslog (syslog is standard on Unix systems, and available for Windows[*]). You can control how much logging information is collected by using severity levels. For example, you can say that all messages should be sent to the log server regardless of severity, but that only critical messages should be displayed on a console.

[*] One source for syslog for Windows is Kiwi Syslog Daemon (http://www.kiwisyslog.com). Search on "syslog and Windows" at http://www.download.com to find a number of others.

16.4.1. Configuring Logging

By default, logging is disabled. If you want to log the router's activity, you must start by enabling logging:

 logging on

We can now configure the syslog server. On a Unix system, you configure syslog by editing the /etc/syslog.conf file. On Windows, the configuration process depends on the software you use. No matter what operating system you run it on, each log file is associated with a facility and a severity. For example, the syslog.conf file might contain the following entry:

 local5.debug /var/adm/local5.log

This means that messages coming from the user-defined facility local5, with a severity debug (or greater), should be saved in the file /var/adm/local5.log. Since debug is the lowest possible severity, this statement means that we will log all messages from the local5 facility. On the router, the following commands start logging:

 ! Enable timestamps for all log messages and debug with a time and date
 stamp.
 ! The localtime keyword lists the time in local time instead of UTC
 service timestamps log datetime localtime
 service timestamps debug datetime localtime
 ! Set the syslog server's IP address
 logging host 10.10.1.2
 ! Limit the log messages to informational and higher
 logging trap informational
 ! Set the facility name on the syslog server
 logging facility local5

The final two commands are the most important. The logging trap command says that we're interested in messages with a severity of informational or higher. The logging facility command says that, when the router generates a message, it should be tagged with the facility local5. The facility name you use must match one of the facilities configured on the server.

16.4.2. Severity Levels

Syslog keeps track of messages using eight severity levels , listed in Table 16-1. If you set logging to any particular level, all messages at that level and above will be logged.

Table 16-1. Severity levels

Level	Name	Syslog translation	What it means to you
0	Emergencies	LOG_EMERG	System unusable
1	Alerts	LOG_ALERT	Immediate action required
2	Critical	LOG_CRIT	Critical condition
3	Errors	LOG_ERR	Error condition
4	Warnings	LOG_WARNING	Warning
5	Notifications	LOG_NOTICE	Normal significant conditions
6	Informational	LOG_INFO	Just FYI messages
7	Debugging	LOG_DEBUG	Debugging output

 

16.4.3. Buffering Logging and Debug Output

Some other logging commands provide control over how log messages are handled. The first one we will look at is logging buffered, which gives us some control over chatty debug output. For example, if you enable debugging for EIGRP with the command debug ip eigrp, you're in for a lot of logging in the console window. However, you can disable console logging and enable buffered logging with the following commands:

 router#config terminal
 router(config)#no logging console
 router(config)#logging buffered

Now when you enable debugging, all the log messages will be stored in the logging buffer instead of scrolling past on the screen. The default size of the logging buffer is platform-specific, but you can change the size by adding a byte count to the end of the logging buffered command. The buffer size can be from 4,096 to 4,294,967,295 bytes, but sizes toward the upper end of this range are obviously impractical.

To view the buffer, use the show logging command:

 router#show logging
 Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
 Console logging: disabled
 Monitor logging: level debugging, 0 messages logged
 Buffer logging: level debugging, 65356 messages logged
 Trap logging: level informational, 86 message lines logged

 Log Buffer (4096 bytes):
 1w5d: IP: s=10.1.5.1 (local), d=224.0.0.10 (BRI0), len 60, sending
 broad/multicast
 1w5d: IP: s=10.1.5.1 (local), d=224.0.0.10 (BRI0), len 60, encapsulation
 failed
 1w5d: IP: s=10.1.3.1 (Serial0), d=224.0.0.10, len 60, rcvd 2

If the log buffer fills up with too much junk, you can clear it with the command clear logging:

 router#clear logging

This command clears the buffer, which allows you to start over.

16.4.4. XML Output of Logging Messages

Starting with IOS 12.2(15)T, syslog messages can be formatted in XML, which is convenient for parsing log messages with other software. As we have seen, our logging messages usually look like this:

 1w0d: %SYS-5-CONFIG_I: Configured from console by console

With XML formatting , our log messages look like this:

 SYS5CONFIG_I
 1w0dconsole

To enable XML logging to the buffered logs on the router, use these commands:

 Router#config terminal
 Router(config)#logging buffered xml
 Router(config)#end

We can verify the setting with the show logging xml command, which shows the logging settings and our buffered log messages. The two logging messages shown here are highlighted in bold.

 Router#show logging xml
 enableddisabled
 
 disabled
 disabled
 disabled
 disabled
 disabledenabled
 disabled
 
 
 
 
 

 

 SYS5CONFIG_I
 00:00:55console
 console
 SYS5CONFIG_I
 00:01:44console
 console

To enable XML logging to a Syslog host, just use the logging host command as you normally would with the addition of the XML option. In this example, our syslog host is 192.168.0.5 and it's prepared to handle the XML form of our logging.

 Router(config)#logging host 192.168.0.5 xml