Log records exist so that system equipment can report on its operation while running. To keep the system running normally and to solve the problems that come up every day, the network administrator must read the logs carefully. At present the company has about 50 system routers, all Cisco, and their logs are viewed with the show log command; checking every router individually is very time-consuming. Because the logging buffer on a Cisco router is small (4 KB by default), a record is typically retained for only a few minutes: the buffer is a first-in, first-out queue, the oldest records are flushed, and important log records may be overwritten. We should therefore set up a log management server that collects the log records of all routers, so that they are easy to manage and query and problems in router operation can be found in time, ensuring the normal operation of the MIS system.
1 Establishment process
Syslog is a logging tool that runs on UNIX and Linux operating systems. It can receive log records from remote systems, consolidate records from many systems into a single log, and file them as ordinary files, so all records can be viewed in one place without connecting to several systems at once. Syslog uses UDP as its transport protocol, on destination port 514. Configure all routers to send their logs to the server on which the syslog software is installed; the syslog server then receives the log data automatically and writes it to a log file. Logs from external routers are normally stored in the messages file in the server's /var/log directory. Root permission is required to view a log file: the information in the log is important and may be accessed only by the superuser.
2 Log file
The log file is a plain text file in which each line is one message. A message is made up of the following 4 fields in a fixed format, so any Linux tool that can handle plain text can be used to view log files.
2.1 Time stamp (TIMESTAMP). The date and time at which the message was recorded, that is, the server's clock time. When a log record is written the router's own time is ignored; using the server's time as the single standard means there is no need to check that every router's clock agrees.
2.2 Host name (HOSTNAME) and log ID. The hostname is the IP address of the port from which the router sends its logs, and identifies the device that generated the message. With only one computer the hostname can be ignored, but in a network environment it lets syslog distinguish messages sent by different hosts. The number after the IP address is the log ID; a Cisco router adds 1 to the log ID for each log record it generates.
3 System Configuration
3.1 Server Configuration
Hardware configuration: PC with a Pentium 4 2.8 GHz CPU and 1 GB or more of memory.
Operating system: Red Hat Linux AS 5 Update 2
Connect the server to the network and set its IP address, for example 10.32.2.1. The syslog server program is syslogd. When started normally it does not accept messages from the network, so the syslog server must be started with the -r parameter, as follows.
1. Log in to the server as the "root" user;
2. Click the Start menu "Run Command" item, enter the "syslogd -r" command in the command box, and click Run;
3. Check that a startup message has been written to the /var/log/messages file:
Sep 14:44:05 localhost syslogd 1.4.1: restart.
4. Run the "terminal" program and, at the [root@localhost root]# prompt, type "netstat -a | more". If the output contains a line "udp 0 0 *:syslog *:*", the syslog server has started successfully.
3.2 Router Configuration
Enter the following commands in global configuration mode.
Router(config)# logging on
Router(config)# logging 10.32.2.1
Then press Ctrl-Z to leave global configuration mode; the router starts forwarding its log records. (Note: a Cisco router can send log messages to up to 5 log servers at the same time.)
3.3 Configuration Test
Enter two commands on the router (Router# config t, then Router(config)# exit) to generate one message in the server's /var/log/messages file:
Sep 25 14:47:22 10.32.2.1 66: 4w0d: %SYS-5-CONFIG_I: Configured from console by vty0 (172.16.2.1)
This shows that the log server has started receiving the router's logs and that the system configuration is successful.
4 Viewing log files
In the Terminal program window, display the file with a paging program such as more or less, or use the grep command to find a specific message. Do not open the file with a text editor: a large log file degrades system performance, and log files must not be modified. Here are a few ways to query them.
Mode 1:
Display the log file page by page with the following commands:
[root@localhost root]# more /var/log/messages
[root@localhost root]# less /var/log/messages
The less command can scroll the file up and down and search for records by string.
Mode 2:
Extract the log records of a single device from the log file. For example, to save the records of the 10.32.2.1 router to the file router.txt, enter
[root@localhost root]# grep '10.32.2.1' /var/log/messages > router.txt
5 Applications
By examining the information in the log records you can keep track of the status of each router and of emergencies, and you can also trace line failures. For example, the record
Sep 28 01:25:32 10.32.2.1 410: 3w1d: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
indicates that at 01:25:32 on the 28th the line protocol on serial interface 0 of the router at 10.32.2.1 went down, which means that every communication protocol on the line has failed. Although the exact cause cannot be determined from the record alone, it can be concluded that there is a problem with the line between the serial interface and the router connected to it.
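The following Python script is an added example, not part of the original article, that works through sections 2 and 5 together: it parses messages-file lines in the format described in section 2 (server timestamp, router IP, log ID, router uptime, Cisco tag, text), extracts one device's records as "Mode 2" does with grep, flags the line-protocol-down events that section 5 tracks, and uses the "log ID increments by 1" property from section 2.2 to detect lost records. The sample log lines are constructed for the example; the two router addresses and the syslogd restart line mirror the article's own values.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the article's server) in the format the
# article describes: server timestamp, router IP, per-router log ID, router
# uptime, Cisco %FACILITY-SEVERITY-MNEMONIC tag, message text. The last line is
# the syslogd restart notice, which is not a router message and must be skipped.
SAMPLE_LOG = """\
Sep 25 14:47:22 10.32.2.1 66: 4w0d: %SYS-5-CONFIG_I: Configured from console by vty0 (172.16.2.1)
Sep 28 01:25:32 10.32.2.1 410: 3w1d: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
Sep 28 01:25:40 10.32.2.7 93: 1w2d: %LINK-3-UPDOWN: Interface Serial0, changed state to down
Sep 28 01:31:05 10.32.2.1 411: 3w1d: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
Sep 28 02:00:00 localhost syslogd 1.4.1: restart.
"""

# One router message per line. The uptime field is matched non-greedily so both
# "4w0d" and clock-style router timestamps work.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<seq>\d+): (?P<uptime>.+?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)


def parse_line(line):
    """Return a dict for one router message, or None for lines in another format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"])
    rec["severity"] = int(rec["severity"])
    return rec


def parse_log(text):
    """Parse the whole messages file, skipping lines that are not router messages."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def records_for_device(records, ip):
    """Exact-match equivalent of grep '<ip>' /var/log/messages on parsed records
    (grep's pattern would also match 10.32.2.10, 10.32.2.11, and so on)."""
    return [r for r in records if r["host"] == ip]


def link_down_events(records):
    """Interface and line-protocol down transitions as (host, interface, server time)."""
    events = []
    for r in records:
        if r["mnemonic"] == "UPDOWN" and r["text"].endswith("changed state to down"):
            m = re.search(r"Interface (\S+?),", r["text"])
            if m:
                events.append((r["host"], m.group(1), r["ts"]))
    return events


def sequence_gaps(records):
    """Missing log IDs per router, as (first_missing, last_missing) ranges.
    A Cisco router increments the ID by one per message, so a gap means records
    were lost in transit (syslog is UDP) or overwritten before being forwarded."""
    seqs = defaultdict(list)
    for r in records:
        seqs[r["host"]].append(r["seq"])
    gaps = {}
    for host, ids in seqs.items():
        ids.sort()
        missing = [(a + 1, b - 1) for a, b in zip(ids, ids[1:]) if b - a > 1]
        if missing:
            gaps[host] = missing
    return gaps


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} router messages parsed")
    for host, iface, ts in link_down_events(recs):
        print(f"{ts}: {host} {iface} changed state to down")
    for host, missing in sequence_gaps(recs).items():
        print(f"{host}: missing log IDs {missing}")
```

To run it against a real server, replace SAMPLE_LOG with the contents of /var/log/messages read as root. Matching on the parsed host field rather than a grep substring avoids picking up other routers whose addresses share a prefix, and the gap report gives an early sign that the router's 4 KB buffer or the UDP path is dropping records before they reach the server.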