Using a Remote Log Server

Problem

You want to send log messages to a remote syslog server.

Solution

Use the following command to send router log messages to a remote syslog server:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#logging 172.25.1.1
Router(config)#end 
Router#

Although configuring the router with a static IP address like this is the preferred method of configuring a syslog server, you can also specify a hostname to be resolved:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip host nms.oreilly.com 172.25.1.1
Router(config)#logging nms.oreilly.com
Router(config)#end 
Router#

With this configuration, the router will attempt to resolve the server name that is provided. If the router cannot resolve the server name via DNS or static host lookup, then the entry will fail. For more information about DNS and static host names, please see Chapter 2.

Beginning with IOS Version 12.2(15)T, logging host replaced the logging command; however, both methods are still supported:

Router2#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#logging host 172.25.1.1
Router2(config)#end
Router2#

 

Discussion

Forwarding log messages to a remote syslog server has several advantages over just retaining log messages locally on the router. The primary advantage is that messages sent to the server are stored to disk. All other forms of router logging are lost upon router reload, including vital log messages that occurred just before a router crashes due to error.

Another advantage of using a remote syslog server is storage capacity. A router stores logging messages in internal system memory, which severely limits the number of logs messages that can be stored. A syslog server, on the other hand, can store days, weeks, or even months worth of log messages. It is not uncommon for an organization to retain a month or more of archived log messages for examination later.

Finally, being able to view log messages from all of your routers in a single location can be quite useful. Forwarding all router log messages to a common logfile can assist fault isolation, problem resolution, network forensics, and security investigations. In addition, parsing router logfiles by using custom scripts can provide an excellent understanding of network health. In addition, many network management software vendors now include tools to handle syslog messages.

The example below illustrates a router configured with two remote syslog servers:

Router>show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
 Console logging: level debugging, 654 messages logged
 Monitor logging: level debugging, 65 messages logged
 Buffer logging: level debugging, 2 messages logged
 Logging Exception size (4096 bytes)
 Trap logging: level informational, 658 message lines logged
 Logging to 172.25.1.1, 1 message lines logged
 Logging to 172.25.1.3, 1 message lines logged
 
Log Buffer (4096 bytes): 
Router>

The syslog protocol resides on UDP port 514, and messages are forwarded asynchronously without acknowledgements from the server. In other words, communications between the router and server flow in a single direction, with the server acting as a passive receiver.

By default, the router sends its log messages tagged with only its IP address. In some instances, it is useful to tag the log messages with the router hostname as well. This is especially true if the syslog packets pass through a NAT device. The ability to tag syslog messages was introduced in IOS Version 12.2(15)T:

Router2#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#logging origin-id hostname 
Router2(config)#end
Router2#

Before hostname tagging is enabled, the syslog server captures an example log message by only its IP address. Note that if the router IP address could be resolved by the syslog server, then the IP address would be converted to the resolved hostname. Here's an example of a normal syslog message:

Jul 15 20:35:07 172.25.1.100: Jul 15 20:35:07.499 EDT: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty0 (172.25.1.1)

After hostname tagging is enabled, the router's hostname is embedded within the log message. We've highlighted the embedded hostname:

Jul 15 20:37:05 172.25.1.100: Router2: Jul 15 20:37:05.173 EDT: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty0 (172.25.1.1)

 

See Also

Chapter 2; Recipe 18.6; Recipe 18.9; Recipe 18.14

Router Configuration and File Management

Router Management

User Access and Privilege Levels

TACACS+

IP Routing

RIP

EIGRP

OSPF

BGP

Frame Relay

Handling Queuing and Congestion

Tunnels and VPNs

Dial Backup

NTP and Time

DLSw

Router Interfaces and Media

Simple Network Management Protocol

Logging

Access-Lists

DHCP

NAT

First Hop Redundancy Protocols

IP Multicast

IP Mobility

IPv6

MPLS

Security

Appendix 1. External Software Packages

Appendix 2. IP Precedence, TOS, and DSCP Classifications

Index



Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net