Cisco IOS devices have the capability to log messages about system activity. These log messages can be useful in tracking system activity, errors, and notifications. Logging uses eight levels of notification messages, as summarized in Table 7-1.
Table 7-1. Cisco IOS Logging Messages
In the IOS, you set the minimum level of logging messages (in terms of severity) that you want logged. You do so by identifying the level by name in the configuration command. Emergencies (Level 0) is the severest level, while debugging (Level 7) is the least severe level. All messages at the level that you identify and at more severe levels are sent to one of four locations:
The preceding logging commands are global configuration commands that enable you to specify the level of messages sent to each logging location. A syslog server is an excellent logging location because the system normally saves messages to a disk. Also, because syslog is a general purpose utility that many different programs utilize, you can have one central source for logging messages from different devices.
The internal device buffer is a useful logging facility if you do not have a syslog server or if you want each device to keep a separate log of events. The internal device buffer has a default size of 4096 bytes. You can alter the size by using the logging buffered command. For example, you can specify a larger buffer size, such as logging buffered 8192, which specifies an internal device buffer of 8192 bytes. While useful for some situations, the internal device buffer is in the RAM of the device, so it is lost with each device reload.
Logging messages to the console or terminal lines of a device (including virtual terminal sessions) is useful for immediate notification of critical events. The four different logging locations are not mutually exclusive, and you can use multiple logging facilities at the same time.
You must use the EXEC command terminal monitor to see logging messages on a terminal line or virtual terminal session. This command can be performed in privileged mode.
You can configure messages to the syslog server via the logging trap command. To enable syslog logging in the IOS, you must use the global configuration command logging to specify the IP address of the logging host.
As mentioned previously, it is possible to log messages to more than one of the locations. For example, you may want all Level 7 and more severe level messages to be sent to the syslog server. You may want emergency messages to be sent to the device console as well because of their critical nature. In the following example, the Seoul-1 router is configured on the ZIP network for logging in the manner just described:
Seoul-1# configure Configuring from terminal, memory, or network [terminal]? Enter configuration commands, one per line. End with CNTL/Z. Seoul-1(config)# logging 184.108.40.206 Seoul-1(config)# logging trap debugging Seoul-1(config)# logging console emergencies Seoul-1(config)#^ Z
The syslog utility logs system messages to a text file on UNIX and other types of workstations. To log IOS device messages to a syslog server, you must configure your syslog process. You need to be a superuser on a UNIX workstation to enable the syslog facility local7, the facility used by all IOS devices. As superuser (root access), you should add the following line to the /etc/syslog.conf file:
Next, restart the syslog daemon on the UNIX workstation, which is typically done with the following command:
% kill -HUP `cat /etc/syslog.pid'
If all works well, you are now ready for your IOS devices to log to this UNIX workstation.
If an IOS device is configured to log to an internal buffer, the log results can be viewed with the EXEC command show logging. Assuming that the Seoul-1 router is configured to log to a buffer as well as to syslog and console, the show logging output is as follows :
Seoul-1>show logging Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns) Console logging: level debugging, 2 messages logged Monitor logging: level debugging, 2 messages logged Trap logging: level debugging, 2 message lines logged Logging to 220.127.116.11, 2 message lines logged Buffer logging: level debugging, 2 messages logged Log Buffer (4096 bytes): Mar 17 17:45:56: %LINK-3-UPDOWN: Interface Serial0, changed state to down Mar 17 18:23:10: %LINK-3-UPDOWN: Interface Serial0, changed state to up
The preceding output shows that syslog logging is enabled. It also shows the number of messages logged to the device console, to the terminal lines of the device (monitor logging), and to a syslog logging host also show the number of messages buffered. The last two lines of the output display the log buffer, with two logging messages showing link-state change messages (Level 6 messages).
Note the timestamp information in the output. The section "Basic Time Control," later in this chapter, discusses how to configure the router to maintain this information.
We recommend that you enable logging at the debug level to at least one logging location. This enables you to ensure that all error messages the IOS device sends are recorded. Most network managers tend to set logging trap debug to enable syslog to log all IOS device messages.