Many network administrators overlook the importance of router logs. Logging is critical for fault notification, network forensics, and security auditing.
Cisco routers handle log messages in five ways:
By default, the router sends all log messages to its console port. Only users that are physically connected to the router console port may view these messages. This is called console logging.
Terminal logging is similar to console logging, but it displays log messages to the router's VTY lines. This type of logging is not enabled by default; if you want to use it, you need to need activate it for each required line.
Buffered logging creates a circular buffer within the router's RAM for storing log messages. This circular buffer has a fixed size to ensure that the log will not deplete valuable system memory. The router saves memory by deleting old messages from the buffer as new messages are added.
The router can use syslog to forward log messages to external syslog servers for centralized storage. This type of logging is not enabled by default. Much of this chapter is devoted to configuring remote syslog features. The router sends syslog messages to the server on UDP port 514. The server does not acknowledge these messages.
With SNMP trap logging, the router is able to use SNMP traps to send log messages to an external SNMP server. This is an effective method of handling log messages in a SNMP-based environment, but it has certain limitations. We discuss this logging method in Chapter 17, which deals with SNMP configuration.
Cisco log messages are categorized by severity level, following the structure and format of the BSD Unix syslog framework, as shown in Table 18-1. The lower the severity level, the more critical the log message is.
|
Level |
Level name |
Description |
Syslog definition |
|---|---|---|---|
|
0 |
Emergencies |
Router unusable |
LOG_EMERG |
|
1 |
Alerts |
Immediate action needed |
LOG_ALERT |
|
2 |
Critical |
Critical conditions |
LOG_CRIT |
|
3 |
Errors |
Error conditions |
LOG_ERR |
|
4 |
Warnings |
Warning conditions |
LOG_WARNING |
|
5 |
Notifications |
Normal but important conditions |
LOG_NOTICE |
|
6 |
Informational |
Informational messages |
LOG_INFO |
|
7 |
Debugging |
Debugging messages |
LOG_DEBUG |
Here is an example of a log message that shows the typical format of Cisco router log messages:
Apr 12 14:01:16: %CLEAR-5-COUNTERS: Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)
The log message is broken into three sections that are delimited by colons. The first section is the optional date and time section that is enabled by using the service timestamp configuration command. A detailed discussion of timestamps can be found in Chapter 14.
The second part of the log message, %CLEAR-5-COUNTERS, gives the message's code and severity level. The message code family is CLEAR, and the priority level is -5- (indicating a Notifications severity level message). The family type is COUNTERS. All Cisco log messages are arranged in this manner. There are many different message codes, such as FRAME for Frame Relay messages, SYS for system messages, and LINK for interface messages. Within each message code, log messages are categorized by severity type. 7 is the least severe, while 0 is the most critical (following the syslog model). Finally, each specific message type is assigned a unique message code such as COUNTERS in this case, or UPDOWN for LINK messages, and so forth.
The remainder of a log entry is the message body, which contains human-readable text. The example message above contains the message body "Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)." The message body generally contains easy-to-understand text, as well as some custom variables (in this case, ijbrown and vty0), which helps to make log messages more meaningful.
Table 18-2 shows an example of a typical log message for each of the eight severity levels.
|
Level |
Level name |
Sample router messages |
|---|---|---|
|
0 |
Emergencies |
System shutting down due to missing fan tray |
|
1 |
Alerts |
Core CRITICAL temperature limit exceeded |
|
2 |
Critical |
Memory allocation failures |
|
3 |
Errors |
Interface up/down messages |
|
4 |
Warnings |
Configuration file written to server, via SNMP request |
|
5 |
Notifications |
Line protocol up/down |
|
6 |
Informational |
Access-list violation logging |
|
7 |
Debugging |
Debug messages |
You will rarely see log messages with severity levels of Alert or Emergency—any problems this severe generally mean that the router is inoperable.
|
|
|
| Top |