
Introduction

Many network administrators overlook the importance of router logs. Logging is critical for fault notification, network forensics, and security auditing.

Cisco routers handle log messages in five ways:

Cisco log messages are categorized by severity level, following the structure and format of the BSD Unix syslog framework, as shown in Table 18-1. The lower the severity level, the more critical the log message is.

Table 18-1. Cisco logging severity levels

Level  Level name     Description                      Syslog definition
0      Emergencies    Router unusable                  LOG_EMERG
1      Alerts         Immediate action needed          LOG_ALERT
2      Critical       Critical conditions              LOG_CRIT
3      Errors         Error conditions                 LOG_ERR
4      Warnings       Warning conditions               LOG_WARNING
5      Notifications  Normal but important conditions  LOG_NOTICE
6      Informational  Informational messages           LOG_INFO
7      Debugging      Debugging messages               LOG_DEBUG

Here is an example of a log message that shows the typical format of Cisco router log messages:

Apr 12 14:01:16: %CLEAR-5-COUNTERS: Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)

The log message is broken into three sections that are delimited by colons. The first section is the optional date and time section that is enabled by using the service timestamp configuration command. A detailed discussion of timestamps can be found in Chapter 14.

The second part of the log message, %CLEAR-5-COUNTERS, gives the message's code and severity level. The message code family is CLEAR, the severity level is 5 (a Notifications-level message), and the specific message type within that family is COUNTERS. All Cisco log messages are arranged in this manner. There are many different message code families, such as FRAME for Frame Relay messages, SYS for system messages, and LINK for interface messages. Within each family, log messages are categorized by severity level: 7 is the least severe, while 0 is the most critical (following the syslog model). Finally, each specific message type is assigned its own name, such as COUNTERS in this case, or UPDOWN for LINK messages, and so forth.

The remainder of a log entry is the message body, which contains human-readable text. The example message above contains the message body "Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)." The message body generally contains easy-to-understand text, as well as some custom variables (in this case, ijbrown and vty0), which helps to make log messages more meaningful.
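The three-section layout described above is easy to parse mechanically, which is what a syslog collector or a detection pipeline has to do before it can alert on router events. The following Python is an added example, not code from the book: it splits an IOS message into its optional timestamp, its %FAMILY-SEVERITY-TYPE code, and its body, maps the severity number to the names in Table 18-1, and applies a "keep everything at least this important" threshold of the kind a forwarding level such as IOS's logging trap command implements (that command is not discussed on this page). The sample lines are constructed for the example (the first is the page's own message; the SYS line uses a made-up EXAMPLE type name), and the handling of a leading "*" or "." on the timestamp is an assumption about IOS output beyond what the page shows.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Table 18-1, indexed by severity level (0 = most critical, 7 = least).
SEVERITY_NAMES = [
    "Emergencies", "Alerts", "Critical", "Errors",
    "Warnings", "Notifications", "Informational", "Debugging",
]
SYSLOG_NAMES = [
    "LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
    "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG",
]

# The colon-delimited sections of a message:
#   [timestamp:] %FAMILY-SEVERITY-TYPE: body
# The timestamp is present only when "service timestamps" is configured.
# A leading '*' or '.' before the timestamp is tolerated (assumption: IOS
# uses these to flag a clock that is not authoritative).
LOG_RE = re.compile(
    r"^(?:(?P<timestamp>[*.]?[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?):\s+)?"
    r"%(?P<family>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mtype>[A-Z0-9_]+):\s*"
    r"(?P<body>.*)$"
)


@dataclass
class CiscoLogMessage:
    timestamp: Optional[str]
    family: str
    severity: int
    mtype: str
    body: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    @property
    def syslog_name(self) -> str:
        return SYSLOG_NAMES[self.severity]


def parse_cisco_log(line: str) -> Optional[CiscoLogMessage]:
    """Split one IOS log line into its sections; None if it is not a log message."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return CiscoLogMessage(
        timestamp=m.group("timestamp"),
        family=m.group("family"),
        severity=int(m.group("severity")),
        mtype=m.group("mtype"),
        body=m.group("body").strip(),
    )


def messages_at_or_above(lines: List[str], trap_level: int) -> List[CiscoLogMessage]:
    """Keep messages at least as important as trap_level.

    Because a lower number means a more critical message, "at least this
    important" is severity <= trap_level, which is the comparison that
    trips people up when they first write a severity filter."""
    kept = []
    for line in lines:
        msg = parse_cisco_log(line)
        if msg is not None and msg.severity <= trap_level:
            kept.append(msg)
    return kept


# Constructed sample lines: the first is the page's example, the others are
# illustrative (the SYS line uses a made-up EXAMPLE type name).
SAMPLE_LINES = [
    "Apr 12 14:01:16: %CLEAR-5-COUNTERS: Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)",
    "Apr 12 14:02:03: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
    "%LINK-3-UPDOWN: Interface Serial0/1, changed state to up",
    "Apr 12 14:03:10: %SYS-6-EXAMPLE: constructed informational message",
    "Router#show logging",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        msg = parse_cisco_log(line)
        if msg is None:
            print(f"not a log message: {line!r}")
        else:
            print(f"{msg.family}-{msg.severity}-{msg.mtype} "
                  f"[{msg.severity_name}/{msg.syslog_name}] {msg.body}")
    print("kept at level 3:", [m.mtype for m in messages_at_or_above(SAMPLE_LINES, 3)])
```

Note that the third sample line parses even though it carries no timestamp, which is exactly the situation on a router where service timestamps has not been enabled; a collector that assumes the timestamp is always present will silently drop those messages.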

Table 18-2 shows an example of a typical log message for each of the eight severity levels.

Table 18-2. Sample router log messages

Level  Level name     Sample router messages
0      Emergencies    System shutting down due to missing fan tray
1      Alerts         Core CRITICAL temperature limit exceeded
2      Critical       Memory allocation failures
3      Errors         Interface up/down messages
4      Warnings       Configuration file written to server, via SNMP request
5      Notifications  Line protocol up/down
6      Informational  Access-list violation logging
7      Debugging      Debug messages

You will rarely see log messages with severity levels of Alert or Emergency—any problems this severe generally mean that the router is inoperable.
