Setting Up Logging


Setting up logging is probably one of the least-implemented and least-appreciated best practices, yet it is very important. Logging on Cisco devices is probably one of the most valuable tools for managing a network aside from SNMP (perhaps). Logging is synonymous with syslog messaging. Log messages on Cisco devices originate from the processor when some event happens on the device, such as an interface going down or a configuration changing. The only external requirement for logging and tracking these messages is a syslog server running somewhere in the network so the router can send the messages to it.

NOTE

Some network managers may prefer to use the syslog delivery mechanism to send SNMP traps as well, instead of a separate utility. This requires the option syslog at the end of the snmp-server host command.


We'll start with the basics of setting up logging on the Cisco devices and then fine-tune its functionality by identifying three configuration best practices that make this message-logging a lot easier to manage.

Essentially, the basic steps and best practices are as follows:

  1. Enable logging on the Cisco device.

  2. Timestamp the log messages.

  3. Source all messages from the loopback0 interface's IP address.

  4. Buffer the log messages on the Cisco device.

Enable Logging on the Cisco Device

Enable logging on the Cisco device by directing the messages to a syslog server IP address (ideally one server, not multiple servers).

On a router, use the following configuration:

 logging host 

On a Catalyst switch:

 set logging enable
 set logging server ip_address

Now it's time to fine-tune.

Timestamp the Log Messages

If you've already set up NTP, all devices should have their times and dates synchronized. Now, by applying timestamps to the log messages, correlation between events throughout the network becomes a lot easier.

To set up timestamps on log messages you need to configure the following on a router:

 service timestamps debug datetime
 service timestamps log datetime

On a Catalyst switch, the configuration is:

 set logging timestamp enable 

Source All Messages from the Loopback0 Interface's IP Address

This step applies only to routers. Catalyst switches have only one IP address associated with the whole switch, whereas routers have multiple IP addresses assigned to multiple interfaces. By default, syslog messages use the outgoing physical interface's IP address as the source of the log messages. Tracking only one source IP address is easier than tracking many IP addresses from a common host. Network management software can sometimes make mistakes when trying to correlate the source IP address with other database information and may not be smart enough to realize that one router has multiple IP addresses assigned to it. To set up the logging source, configure the following on the router:

 logging source-interface Loopback0 

Buffer the Log Messages on the Cisco Device

Depending on how much memory is available on a Cisco device, you can log a lot of syslog messages to the buffer or memory of the device, which you can view by executing the CLI command show logging. By logging messages in the memory buffer, you can view what went on in a device if connectivity is lost to the device or to the syslog server.

Logging messages to the console port of the router or switch is not advised due to the 9600-baud interface. Each character output to the console port basically performs an interrupt on the processor, so enabling console logging produces unnecessary processing cycles on the device just to send the messages out on that port. To disable console logging, execute the following CLI configuration command: on a router, no logging console, and on a Catalyst switch, set logging console disable. You can always view the log messages when on the console port by typing the command show logging or executing the command term monitor.

The router can store anywhere from 4096 bytes to 4 GB. The default buffer size varies depending on the router platform. The Catalyst switch can store anywhere from 1 to 500 messages, with the default being 500. If you want to limit the type of messages that are stored in the log, you can restrict the logging to a particular logging level, which will display only messages with the defined severity or higher. For example, if you set the logging level to debugging you will get all messages with a priority of 7 or higher, with 1 being the highest. If you set the logging level to warnings, you'll get only messages with a priority of 4 or higher. The logging level is defined with the logging command. Refer to the documentation for more details on the logging levels.

To set up buffer logging, use the following CLI configuration command on the router:

 logging buffered [size] 

And on the Catalyst switch, use the following:

 set logging buffer [number_of_messages] 

If you want to view the real-time log messages being reported in the Cisco device while you are Telnetted to the device, you can execute the following CLI commands: for a router, terminal monitor, and for a Catalyst switch, set logging session enable. By default, the messages go only to the console port of the device. If you want the messages to be seen from a vty session, these commands need to be executed. These commands affect only the vty session you are actively in. Because the log messages are timestamped, viewing them in the log makes it easier to correlate outages or events.
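
The four steps above, together with the advice to disable console logging, can be checked against a saved router configuration. The script below is an added example and is not from the book; the logging host form with an address argument, the finding names, and both sample configurations are assumptions constructed for illustration.

```python
import re

# Router commands from this section; each missing one yields the finding id.
REQUIRED = [
    ("no-syslog-server",    r"logging host \S+"),
    ("no-log-timestamps",   r"service timestamps log datetime\b"),
    ("no-debug-timestamps", r"service timestamps debug datetime\b"),
    ("no-source-interface", r"logging source-interface Loopback0\b"),
    ("no-buffered-logging", r"logging buffered\b"),
    ("console-logging-on",  r"no logging console\b"),
]

def audit_logging(config):
    """Return finding ids for logging practices the config does not meet."""
    # Global commands start in column 0; indented lines are sub-commands
    # (interface, line, ...) and re.match() will not match them.
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings = [fid for fid, pat in REQUIRED
                if not any(re.match(pat, ln) for ln in lines)]
    # The section recommends one syslog server rather than several.
    if sum(1 for ln in lines if re.match(r"logging host \S+", ln)) > 1:
        findings.append("multiple-syslog-servers")
    return findings

# Constructed sample configurations (documentation addresses, not real devices).
GOOD_CONFIG = """\
hostname edge-rtr-01
service timestamps debug datetime msec
service timestamps log datetime msec
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
logging buffered 16384
no logging console
logging source-interface Loopback0
logging host 192.0.2.10
"""

WEAK_CONFIG = """\
hostname edge-rtr-02
service timestamps debug uptime
service timestamps log uptime
logging host 192.0.2.10
logging host 192.0.2.11
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_logging(cfg) or "all logging practices present")
```

A "no logging buffered" line does not satisfy the buffer check, because each pattern is matched from the start of the line.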



Performance and Fault Management: A Practical Guide to Effectively Managing Cisco Network Devices (Cisco Press Core Series)
ISBN: 1578701805
EAN: 2147483647
Year: 2005
Pages: 200
