Cisco-log

Source: Internet
Author: User

Each log message carries a severity level that classifies how serious the message is: the lower the number, the more severe the message. Severity ranges from 0 (most severe) to 7 (least severe).
The logging commands accept the severity either as a number or as its name.
Parameter      Level  Syslog name   Description
Emergencies    0      LOG_EMERG     System unusable
Alerts         1      LOG_ALERT     Immediate action required
Critical       2      LOG_CRIT      A critical condition exists on the router
Errors         3      LOG_ERR       An error condition exists on the router
Warnings       4      LOG_WARNING   A warning condition exists on the router
Notifications  5      LOG_NOTICE    A normal but significant event occurred on the router
Informational  6      LOG_INFO      An informational event occurred on the router
Debugging      7      LOG_DEBUG     Output from the debug command

By default, console, monitor, and buffer logging are set to the debugging level, while trap (syslog server) logging is set to informational.
If the log keyword is used in an ACL statement, its output appears on the console only if the console severity level is set to 6 or 7.
One thing you can control is which messages are logged to each of the four destinations. For example, you can limit the console to messages with a severity level of 4 (that is, levels 0 to 4),
while the syslog server is set to 6 (levels 0 to 6).
Log messages in Cisco IOS are generally system error messages. Each is assigned a severity level that indicates only how serious the problem or event is.
Cisco IOS sends log messages (including debug command output) to the logging process.
By default they are sent only to the console; they can also be logged to the router's internal buffer, terminal lines, syslog servers, and SNMP management stations.

I. Log message format
In Cisco IOS devices, log messages are in the following format:
%<facility>-<severity>-<mnemonic>: <message_text>

The following is a simple example:
%LINK-5-CHANGED: Interface Ethernet1, changed state to administratively down
If timestamps and sequence numbers are enabled, a log message shows the sequence number first, then the timestamp, and then the message:
000022: Jan 15:42:11.048: %LINK-5-CHANGED: Interface Ethernet0, changed state to administratively down

II. Basic logging configuration
Setting up logging involves two basic tasks: turning logging on and controlling how logs are displayed on the lines.

1. Turning logging on
By default, logging is turned on only for the router's console line; logging anywhere else must be turned on and configured. Use the following command to turn logging on:
Router(config)# logging on
The logging on command enables the other configured destinations, such as a syslog server or the router's internal buffer. It must be in effect before system messages are logged anywhere other than the console port; the other logging commands then control individually which destination receives which messages.
For example, if a command has been configured to log messages to a syslog server but logging on has not been executed, Cisco IOS logs messages only to the console line.

2. Configuring synchronous logging
The logging synchronous command synchronizes log message output and debug output on the router's lines: the console, auxiliary, and vty lines.
Its purpose is to control when messages are displayed on a line. When enabled, synchronous logging makes Cisco IOS display the message and then perform the equivalent of Ctrl-R, which redisplays whatever had already been typed on the command line.
Use the logging synchronous line command to affect how log messages are displayed:
Router(config)# line type #
Router(config-line)# logging synchronous [level severity_level | all] [limit #_of_lines]
The level parameter gives the severity at which messages are displayed asynchronously: messages with a higher severity number than this value (less severe messages) are displayed synchronously, and messages with a lower number (more severe) are displayed asynchronously. The default level is 2. The all parameter causes all messages to be displayed asynchronously, regardless of the configured severity level.
The limit parameter specifies how many synchronous messages can be queued before the router starts discarding new ones. The default is 20 messages. When the threshold is reached, the router discards messages and prints the following message stating how many were discarded:
%SYS-3-MSGLOST: #_of_messages due to overflow

The main disadvantage of synchronous logging is that when the router generates many messages while you are typing slowly in the CLI, it must discard any messages beyond the threshold, so you will not see them on the line. If such events are critical to you, it is recommended that they also be recorded in the router's internal buffer, a syslog server, or the SNMP management console.
Be careful when setting the maximum queue limit on non-console lines such as vty. If an attacker can reach a vty on the router and synchronous logging is turned on for that vty, the attacker can leave the vty line idle in the middle of entering a command. This causes Cisco IOS to queue a large number of messages, which can exhaust the router's memory.

III. Logging destinations
Log messages can be forwarded to four basic destinations:
Lines;
Internal buffer;
Syslog server;
SNMP management console.


1. Line logging
Two commands control log messages sent to the router's lines:
Router(config)# logging console [severity_level]
Router(config)# logging monitor [severity_level]
The logging console command controls logging to physical TTY lines, such as the console and auxiliary lines. The logging monitor command controls logging to the logical vty lines. By default, logging to the console is turned on for all levels; this can be changed by specifying a severity level in the logging console command.
Logging to the vty and aux lines is off by default. To turn it on, either run the privileged EXEC command terminal monitor, which copies console log messages to the vty, or configure the logging monitor command.
If you use logging monitor, you do not need to run terminal monitor to see log output on the vty when you first log in. If no severity level is specified, logging monitor defaults to 7 (debugging).
For both commands, logging must be turned on with the logging on command.
Because displaying messages on a terminal line such as the console adds processing load on the router, it is recommended that the console severity be set to something more severe than debugging (a lower number). If you want to see messages at less severe levels, use the router's internal buffer, a syslog server, or the SNMP management console.
If console logging is left on while many error and debug messages are being generated, the router slows down sharply until the messages have been written to the line. Therefore, be careful when assigning the severity level for messages displayed on the console line.

2. Internal buffer logging
The problem with logging messages to a TTY or vty is that if you are not watching the screen, messages scroll off the screen and beyond the terminal software's scrollback history, and there is no way to see the missed messages again. This can be avoided by logging messages to destinations other than lines.
One solution is to log messages to the router's internal buffer, which may be on or off by default depending on the router platform (it is on by default on most platforms). Use the following command to log to the router's buffer:
Router(config)# logging buffered [buffer_size | severity_level]
The command has two parameters. buffer_size specifies how much memory, in bytes, is allocated for the internal buffer; the default logging buffered command resets the buffer size to the factory default. severity_level specifies the severity level to be logged. The default size and severity level (typically 7) depend on the platform model.

3. Syslog server logging

The basic commands for logging to a syslog server are:
Router(config)# logging on
Router(config)# logging host {ip_address | hostname}
Router(config)# logging trap severity_level
Router(config)# logging source-interface interface_type interface_#
Router(config)# logging origin-id {hostname | ip | string string}
Router(config)# logging facility facility_type
Example:

Install 3CSyslog on a PC (a standard next-next-next install; after installation, change the path where logs are stored).
C3560# config t
C3560(config)# logging on
C3560(config)# logging 10.86.20.10   // IP address of the log server
C3560(config)# logging facility local0   // facility identity
C3560(config)# logging trap 3   // logging level
C3560(config)# logging trap debugging   // equivalent to logging trap 7: records all logs
C3560(config)# logging source-interface G0/3   // source IP address for emitted logs
C3560(config)# service timestamps debug datetime localtime   // timestamp settings, configure as needed
C3560(config)# exit
C3560# show logging   // view log records


The logging on command allows logging to non-console destinations. The logging host command specifies the IP address, host name, or fully qualified domain name (FQDN) of the syslog server; entering it more than once with different destinations builds a list of syslog servers used by the router.
Before Cisco IOS 12.2T, trap logging was turned on with the logging {hostname | ip_address} command; now use the logging host command.
The logging trap command specifies the severity level of messages sent to the syslog server. The default is informational.
By default, the IP address of the interface the router uses to reach the syslog server is the source IP address in the IP packet header. Use the logging source-interface command so that the router always uses the same source address and produces consistent log entries.
When you use this command, you must specify the interface name and number. It is only required if the router has two or more interfaces that can reach the syslog server,
but for consistency you should make sure the same source address is used in the syslog packets. This makes it easier to write filtering rules on the syslog server to block unwanted log messages.
In version 12.2, Cisco added the ability to include router identity information in syslog messages, which makes it easier to search or separate the messages on the syslog server per router.
This is done with the logging origin-id command, which is off by default. The identity can be the hostname (the name configured with the hostname command), the IP address (of the sending interface), or a string that you define; if the string contains spaces, it must be enclosed in quotation marks.
The logging facility command sets the syslog facility used on a UNIX syslog server, which determines where the log information is saved on that server.

Syslog facility types
Parameter          Description
auth               Authorization system
cron               Cron facility
daemon             System daemon
kern               Kernel
local0 to local7   Locally defined messages (0 to 7)
lpr                Printer system
mail               E-mail system
news               Usenet news
sys9 to sys14      System use
syslog             System log
user               User process
uucp               UNIX-to-UNIX copy system

If you do not specify a facility, the default is local7. On UNIX, you specify where the log file for a given facility is saved by editing the appropriate configuration file. For example, in /etc/syslog.conf you can create an entry for the facility, such as: local7.debug /usr/adm/logs/router.log
In this example, local7 is the facility and the debug keyword specifies the syslog level. The syslog level determines which messages are saved in the given file: any message at that severity or a more severe level is stored in this file.
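As an added example (not the article's own code), the following Python shows how the router's facility and severity end up in the <PRI> field of the syslog datagram (facility code times 8 plus severity) and how a syslog.conf selector such as local7.debug decides whether a message is written to the file. The facility codes follow the RFC 3164 layout and the sample message is constructed; the helper at the end illustrates that the router example above (logging facility local0) would not match the server entry local7.debug.

```python
import re
from typing import Tuple

# Added example (not the article's own code): syslog PRI encoding and syslog.conf selector
# matching for the 'logging facility' / 'logging trap' configuration described above.
SEVERITY_BY_NAME = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                    "warning": 4, "notice": 5, "info": 6, "debug": 7}
# Numeric facility codes (RFC 3164 layout) for the names accepted by 'logging facility'.
# 'cron' is left out because its numeric code differs between syslog implementations.
FACILITY_BY_NAME = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
                    "syslog": 5, "lpr": 6, "news": 7, "uucp": 8}
FACILITY_BY_NAME.update({f"sys{n}": n for n in range(9, 15)})     # sys9..sys14, "system use"
FACILITY_BY_NAME.update({f"local{n}": 16 + n for n in range(8)})  # local0..local7
FACILITY_BY_CODE = {code: name for name, code in FACILITY_BY_NAME.items()}

def pri(facility: str, severity: int) -> int:
    """PRI value carried in the <PRI> prefix of a syslog datagram: facility * 8 + severity."""
    return FACILITY_BY_NAME[facility] * 8 + severity

def encode_datagram(facility: str, severity: int, message: str) -> str:
    return f"<{pri(facility, severity)}>{message}"

def decode_datagram(datagram: str) -> Tuple[str, int, str]:
    """Return (facility name, severity number, message) for a '<PRI>message' datagram."""
    m = re.match(r"<(\d{1,3})>(.*)$", datagram, re.S)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range <PRI> in: " + datagram[:20])
    value = int(m.group(1))
    return FACILITY_BY_CODE.get(value // 8, f"facility{value // 8}"), value % 8, m.group(2)

def selector_matches(selector: str, facility: str, severity: int) -> bool:
    """Evaluate a syslog.conf selector such as 'local7.debug' or '*.err' with BSD semantics:
    the named level and every more severe level match; 'none' matches nothing."""
    facilities, level = selector.split(".", 1)
    if facilities != "*" and facility not in facilities.split(","):
        return False
    if level == "none":
        return False
    return level == "*" or severity <= SEVERITY_BY_NAME[level]

# Constructed example following the article: the router runs 'logging facility <f>' and
# 'logging trap <n>'; the server has 'local7.debug /usr/adm/logs/router.log' in syslog.conf.
ROUTER_MSG = "000045: *Mar  1 02:10:00.211: %SYS-3-MSGLOST: 4 messages due to overflow"

def reaches_router_log(router_facility: str, trap_level: int, msg_severity: int,
                       selector: str = "local7.debug") -> bool:
    """Does a message of msg_severity pass 'logging trap' and then the server's selector?"""
    if msg_severity > trap_level:          # not severe enough: dropped on the router, never sent
        return False
    fac, sev, _ = decode_datagram(encode_datagram(router_facility, msg_severity, ROUTER_MSG))
    return selector_matches(selector, fac, sev)
```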

4. SNMP logging
To send log messages to an SNMP management console, execute the following command:
Router(config)# snmp-server enable traps syslog

Then three commands control logging of messages to the management console:
Router(config)# logging on
Router(config)# logging history severity_level
Router(config)# logging history size number
The second command specifies which severity level of messages is sent to the SNMP management console; the default is warning. Because SNMP uses UDP, which is unreliable, syslog traps are also saved in the router's history table.
At least one syslog message (the most recent) is saved in the history table (by default, one message). This can be raised to 500 with the logging history size command.
Starting with Cisco IOS 12.2(1.4), Cisco IOS can record each NAT translation with the ip nat log translations syslog command.

IV. Other logging commands
1. Date and time stamps
By default, log messages do not include a date and time stamp. Use one of the following two commands to add one:
Router(config)# service timestamps {debug | log} uptime
or
Router(config)# service timestamps {debug | log} datetime [msec] [localtime] [show-timezone] [year]
Timestamps can be added to two kinds of messages, debug and log messages. The debug parameter makes Cisco IOS include timestamps in debug output.
The log parameter adds a timestamp to each log message. The first command's uptime parameter makes Cisco IOS include the time since the router was powered on, for example: 1w0d: %SYS-5-CONFIG_I: Configured from console by console
If you want the exact date and time, use the datetime parameter, which makes Cisco IOS include the date and time (in UTC) in the message; the standard format is MMM DD HH:MM:SS.
The datetime parameter has optional parameters. msec includes millisecond information in the message.
localtime displays the time according to the router's configured local time zone. The year is not included by default but can be added with the optional year parameter.
The show-timezone parameter includes the time zone name in the date and time output. Here is a simple example of the log parameter used with the datetime, localtime, and show-timezone options:
. 11:13:25 UTC: %SYS-5-CONFIG_I: Configured from console by console
A log message typically begins with one of three characters: a space, an asterisk, or a period.
Log message start characters

Character   Name       Description
(space)     Space      The router's clock was set manually or is synchronized with an NTP time server
*           Asterisk   The router's clock has never been set or is not synchronized with an NTP server
.           Period     The router's clock was synchronized but has lost contact with the NTP server
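As an added example (not part of the original article), the following Python parser handles the %facility-severity-mnemonic format from section I together with the sequence-number, timestamp and clock-status prefixes described in this section, and applies the per-destination severity thresholds (a destination set to level N receives levels 0 to N). The sample lines are constructed, not captured from a device.

```python
import re
from typing import Dict, List, NamedTuple, Optional
# Added example (not the article's own code): parse "[seq: ][<status>timestamp: ]%FAC-SEV-MNEMONIC: text".
CLOCK_STATUS = {  # character in front of a datetime stamp, as listed in the table above
    " ": "clock set manually or synchronized with NTP",
    "*": "clock never set or not synchronized with NTP",
    ".": "clock was synchronized but lost contact with the NTP server",
}

class IosLogMessage(NamedTuple):
    sequence: Optional[int]       # from 'service sequence-numbers'
    clock_status: Optional[str]   # ' ', '*' or '.'; None for uptime stamps or no stamp
    timestamp: Optional[str]      # uptime ('1w0d') or datetime ('Mar  1 11:13:25 UTC')
    facility: str
    severity: int                 # 0 (emergencies) .. 7 (debugging)
    mnemonic: str
    text: str

_HEADER_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):\s*(.*)$")

def parse_ios_log(line: str) -> IosLogMessage:
    """Split one IOS log line into its optional prefix fields and the message header."""
    pct = line.find("%")
    if pct < 0:
        raise ValueError("missing %FACILITY-SEVERITY-MNEMONIC header: " + line)
    prefix, body = line[:pct], line[pct:]
    m = _HEADER_RE.match(body)
    if not m:
        raise ValueError("malformed message header: " + body)
    facility, severity, mnemonic, text = m.group(1), int(m.group(2)), m.group(3), m.group(4)
    sequence = clock_status = None
    seq = re.match(r"(\d{6,}):\s", prefix)         # sequence number, e.g. '000022: '
    if seq:
        sequence, prefix = int(seq.group(1)), prefix[seq.end():]
    if prefix[:1] in CLOCK_STATUS:                  # datetime stamps carry a status character
        clock_status, prefix = prefix[0], prefix[1:]
    timestamp = prefix.rstrip().rstrip(":").strip() or None
    return IosLogMessage(sequence, clock_status, timestamp, facility, severity, mnemonic, text)

def destinations_for(msg: IosLogMessage, levels: Dict[str, int]) -> List[str]:
    """A destination configured at level N receives messages with severity 0..N."""
    return [dest for dest, level in levels.items() if msg.severity <= level]

# Constructed sample lines (not captured from a real device).
SAMPLE_LINES = [
    "000022: *Mar  1 00:05:11.048: %LINK-5-CHANGED: Interface Ethernet0, changed state to administratively down",
    "000023: .Mar  1 11:13:25 UTC: %SYS-5-CONFIG_I: Configured from console by console",
    "1w0d: %SYS-3-MSGLOST: 4 messages due to overflow",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(1234) -> 10.0.0.9(23), 1 packet",
]
if __name__ == "__main__":
    for line in SAMPLE_LINES:
        msg = parse_ios_log(line)
        print(msg.severity, msg.mnemonic, destinations_for(msg, {"console": 4, "trap": 6}))
```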


2. Sequence numbers
In addition to timestamps, you can have Cisco IOS display a sequence number in each log message with the following command:
Router(config)# service sequence-numbers

3. Rate limiting
Starting with Cisco IOS 12.1(3)T, the logging rate-limit command limits the rate at which log messages are logged, in messages per second:
Router(config)# logging rate-limit {number | all number | console number} [except severity]
By default there is no rate limit. Specifying a number from 1 to 10,000 limits the number of log messages logged per second to that value. The all keyword, followed by a number, applies the limit to all logging and debugging messages.
The console keyword limits the rate at which log messages are logged to the console.
The except parameter exempts messages at the specified severity level or more severe from the limit.
This command is strongly recommended, especially for the console. Under attack, log flooding occurs, and rate limiting reduces the number of messages the router has to process.
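As an added example (not from the article), the following Python parses the logging rate-limit syntax above and simulates its effect on a constructed burst of messages, including the except exemption. It assumes fixed one-second windows; the article does not describe the router's internal algorithm.

```python
from typing import List, NamedTuple, Optional, Tuple

# Added example (not the article's own code): parse the 'logging rate-limit' command syntax
# above and simulate its effect on a burst of messages. The simulation uses fixed
# one-second windows; the router's actual internal algorithm is not described in the article.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

class RateLimit(NamedTuple):
    per_second: int              # the 'number' argument, 1..10000
    except_level: Optional[int]  # 'except severity': this level and more severe are exempt

class Event(NamedTuple):
    t: float                     # seconds since start of the trace (constructed data)
    severity: int

def parse_rate_limit_command(cmd: str) -> Tuple[str, RateLimit]:
    """Parse 'logging rate-limit {number | all number | console number} [except severity]'.
    Returns the scope ('log' for a bare number, 'all' or 'console') and the limit."""
    toks = cmd.split()
    if toks[:2] != ["logging", "rate-limit"]:
        raise ValueError("not a logging rate-limit command: " + cmd)
    rest, scope = toks[2:], "log"
    if rest and rest[0] in ("all", "console"):
        scope, rest = rest[0], rest[1:]
    if not rest or not rest[0].isdigit() or not 1 <= int(rest[0]) <= 10000:
        raise ValueError("rate must be a number from 1 to 10000")
    rate, rest = int(rest[0]), rest[1:]
    except_level = None
    if rest:
        if rest[0] != "except" or len(rest) != 2:
            raise ValueError("expected 'except <severity>' after the rate")
        sev = rest[1]
        except_level = int(sev) if sev.isdigit() else SEVERITY_NAMES.index(sev)
    return scope, RateLimit(rate, except_level)

def apply_rate_limit(events: List[Event], limit: RateLimit) -> List[bool]:
    """For each event (in time order) return True if it is logged, False if the
    per-second limit drops it. Exempt events are always logged and do not count."""
    kept, window, count = [], None, 0
    for ev in events:
        if limit.except_level is not None and ev.severity <= limit.except_level:
            kept.append(True)
            continue
        if int(ev.t) != window:               # new one-second window: reset the counter
            window, count = int(ev.t), 0
        count += 1
        kept.append(count <= limit.per_second)
    return kept

# Constructed burst: eight level-6 ACL-log messages and one level-2 message within the
# first second, then two more level-6 messages in the next second.
SAMPLE_EVENTS = [Event(i * 0.1, 6) for i in range(8)] + [Event(0.85, 2), Event(1.2, 6), Event(1.3, 6)]
```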

V. Verifying logging

1. The show logging command
show logging shows the status of system error and event logging, including all configured syslog server addresses, which types of logging are on, and logging statistics. The command format is:
Router# show logging [summary]
Use the clear logging command to clear the log messages in the internal buffer.

2. The show logging history command
This command shows the size of the syslog history table, the status of the messages in the table, and the messages themselves.

VI. Logging and error counts
This feature is useful when you use the router's internal buffer and older messages age out. With it, Cisco IOS still tracks how many times a particular log message has occurred and when it last occurred.
It is useful when the internal buffer cannot retain all messages and the same error or problem keeps recurring, and it can essentially replace the show logging summary command discussed above.
In configuration mode, execute the following command to enable the feature:
Router(config)# logging count
This command counts each log message and records the timestamp of the last occurrence of each message type.
When the feature is enabled, use the show logging count command to view the error counts.
