Configure Logging in Cisco IOS

Understanding the concept of Logging in Cisco IOS is a necessary skill for every network administrator. Cisco IOS offers many options for event logging. In this section, I will discuss how to configure logging in Cisco IOS devices, how to view the log and its status.

Logging can be used for fault notification, network forensics, and security auditing. Cisco IOS can handle log messages in different ways:

• Console Logging: Cisco IOS routers and switches send all log messages to its console port. Therefore, the users that are physically connected to the console port can view these messages.
• Terminal Logging: This is similar to console logging, but the log messages are send to VTY lines (telnet, SSH) instead of console.
• Buffered Logging: This type of logging uses the RAM of IOS device for storing log messages. The buffer has a fixed size to ensure that the log could not eat the complete system memory. The logging buffer is circular which means old messages are deleted from the buffer once it is full.
• Syslog Server Logging: The IOS device can use syslog to forward messages to external syslog servers for storage. Syslog is a way for network devices to send event messages to a logging server. This type of logging is not enabled by default.
• SNMP Trap Logging: The IOS device can also use SNMP traps to send log messages to an external SNMP server.

The Cisco IOS enables logging to the console, monitor, and syslog by default. But there is no syslog host configured by default, so the output goes nowhere except console. Cisco IOS also allows detailed debugging for all protocols and processes running on the system for troubleshooting purposes but the debug commands should only be used by experts, because it can have a severe performance impact.

Different severity levels can be configured on Cisco IOS device. The severity levels are as follows:

• Emergency (Severity 0) — The system is unusable
• Alert (Severity 1) — Immediate action is needed
• Critical (Severity 2) — Critical conditions
• Error (Severity 3) — Error conditions
• Warning (Severity 4) — Warning conditions
• Notification (Severity 5) — Normal but significant conditions
• Informational (Severity 6) — Informational messages
• Debugging (Severity 7) — Debugging messages

The default severity level varies by device platform but generally severity level is 7 (debugging), which means that messages at all severity levels (0 through 7) are logged.

Logging Configuration

A). Console Logging:

If console logging is enabled, the IOS device sends the messages to the console port. No matter if any user is connected to console or not, the messages are always sent to console which can cause unnecessary load on CPU. Fortunately, you can stop the console logging, using no logging console global configuration command. You can also limit the amount of messages sent to the console with the logging console level configuration command (for example, logging console notifications).

B). Buffered Logging:

You can use buffered logging to store the log messages instead of just displaying them on the console. To enable buffered logging, use logging buffered command in global configuration mode as shown below:

R1#config term
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#logging buffered debugging
R1(config)#end

Set the Log Size

R1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#logging buffered 32000
R1(config)#end

C). Terminal Logging:

Sometimes you might want the router or switch to display log messages to your telnet or SSH session. To enable logging to VTY lines, use the terminal monitor command in privileged EXEC mode.

R1>enable
R1#terminal monitor 
R1#

To disable logging to your VTY session, use terminal no monitor command as shown below:

R1>enable
R1#terminal no monitor 
R1#

D). Syslog Server Logging:

Some large scale companies use dedicated Network management Stations (NMS) to store the events logged on every device. You can configure Cisco IOS to send log messages to a remote syslog server.

Before you enable logging to syslog server, it is important that you configure your IOS device to sync the proper time from any NTP server or manually configure the time. The set clock command is used to set time manually. To use NTP server, use ntp server x.x.x.x global config mode command (where, x.x.x.x is address of NTP server).

To enable logging (with severity level 7) to Syslog Server (192.168.10.50), use the following commands:

R1#conf t
R1(config)#logging host 192.168.10.50
R1(config)#logging trap 7
R1(config)#end

To configure the interface from which syslog packets are sent, use logging source-interface configuration command.

R1#conf t
R1(config)#logging source-interface Loopback0

To enable the timestamps on log messages, use the following command:

R1#conf t
R1(config)#service timestamps log datetime [msec] [localtime] [show-timezone]

Depending on the options selected, the timestamp can include the date, time in milliseconds relative to the local time zone, and the time zone name.

E). SNMP Trap Logging:

You do not want a Cisco IOS device to send all of the SNMP traps that the device knows. Cisco IOS Software defines groups of traps that you can enable or disable. There are two global configuration commands that you use to configure SNMP traps into a Cisco IOS device:

• snmp-server host host-address [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]

  Use the snmp-server host global config mode command to specify the recipient of an SNMP notification operation.

• snmp-server enable traps [notification-type] [notification-option]

  Use the snmp-server enable traps global config mode command to enable the router to send SNMP traps.

The types of traps can be specified in both commands. You must use the snmp-server host command in order to define the Network Management Systems (NMS) where traps are to be sent. You must specify the trap types if you do not want all traps to be sent. Use multiple snmp-server enable traps commands, one for each trap types that you used in the snmp-server host command.

For example, use the following commands to make a Cisco IOS device report only the configuration, Open Shortest Path First (OSPF), and tty traps to Network Management System (NMS) 192.168.10.50:

R1(config)#snmp-server host 192.168.10.50 public config ospf tty 
R1(config)#snmp-server enable traps config 
R1(config)#snmp-server enable traps ospf
R1(config)#snmp-server enable traps tty

Working with Cisco IOS Log File

To display the state of system logging (syslog) and the contents of the standard system logging message buffer, use the show logging privileged EXEC command.

R2#show logging
Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: level debugging, 13153 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 13155 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    File logging: disabled
    Persistent logging: disabled
    Trap logging: level informational, 13158 message lines logged
          
Log Buffer (4096 bytes):
:16: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
013117: *Apr  5 00:20:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
013118: *Apr  5 00:20:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
 
[output cut] 

To clear messages from the logging buffer, use the clear logging privileged EXEC command.

R1#clear logging 
Clear logging buffer [confirm] <enter>
R1#

Always remember that many problems require some kind of historical logs to help find a solution. That is why it is important to make sure you have properly configured logging so you can use your logs to see the past and get help in future.

Back