
Recipe 18.5 Using a Remote Log Server

18.5.1 Problem

You want to send log messages to a remote syslog server.

18.5.2 Solution

Use the following command to send router log messages to a remote syslog server:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#logging 172.25.1.1
Router(config)#end 
Router#

Although identifying the syslog server by a static IP address is the preferred method, you can also specify a hostname to be resolved:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip host nms.oreilly.com 172.25.1.1
Router(config)#logging nms.oreilly.com
Router(config)#end 
Router#

With this configuration, the router will attempt to resolve the server name that is provided. If the router cannot resolve the server name via DNS or static host lookup, then the entry will fail. For more information about DNS and static hostnames, see Chapter 2.

18.5.3 Discussion

Forwarding log messages to a remote syslog server has several advantages over just retaining log messages locally on the router. The primary advantage is that messages sent to the server are stored to disk. All other forms of router logging are lost when the router reloads, including vital log messages that occur just before a router crashes due to error.

Another advantage of using a remote syslog server is storage capacity. A router stores logging messages in internal system memory, which severely limits the number of log messages that can be stored. A syslog server, on the other hand, can store days', weeks', or even months' worth of log messages. It is not uncommon for an organization to retain a month or more of archived log messages for later examination.

Finally, being able to view log messages from all of your routers in a single location can be quite useful. Forwarding all router log messages to a common log file can assist in fault isolation, problem resolution, network forensics, and security investigations. In addition, parsing router log files using custom scripts can provide an excellent understanding of network health. Many network management software vendors now include tools to handle syslog messages.

The example below illustrates a router configured with two remote syslog servers:

Router>show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 654 messages logged
    Monitor logging: level debugging, 65 messages logged
    Buffer logging: level debugging, 2 messages logged
    Logging Exception size (4096 bytes)
    Trap logging: level informational, 658 message lines logged
        Logging to 172.25.1.1, 1 message lines logged
        Logging to 172.25.1.3, 1 message lines logged
          
Log Buffer (4096 bytes): 
Router>

The syslog protocol uses UDP port 514, and messages are forwarded asynchronously without acknowledgement from the server. In other words, communications between the router and server flow in a single direction with the server acting as a passive receiver.
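As an illustration of the custom log-parsing scripts mentioned above, the following added example (not from the original recipe) decodes syslog datagrams as a server would receive them and tallies them per router by severity. The sample datagrams, router addresses, and function names are constructed for the example, and it assumes the datagram's source address identifies the router.

```python
import re
from collections import Counter, defaultdict

# IOS names for syslog severity levels 0-7
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# <PRI>, optional sequence/timestamp text, then %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"^<(\d{1,3})>(.*?)%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+): (.*)$", re.S)

def parse_datagram(payload, source_ip):
    """Decode one datagram; return None if it is not a recognizable IOS message."""
    m = MSG_RE.match(payload.decode("ascii", errors="replace").strip())
    if not m or int(m.group(1)) > 191:       # PRI = facility * 8 + severity, max 191
        return None
    pri = int(m.group(1))
    return {"router": source_ip,
            "syslog_facility": pri // 8,     # 23 is local7
            "severity": pri % 8,
            "ios_facility": m.group(3),
            "mnemonic": m.group(5),
            "text": m.group(6)}

def summarize(datagrams, alert_level=4):
    """Count messages per router; list those at alert_level or more severe."""
    counts, alerts = defaultdict(Counter), []
    for source_ip, payload in datagrams:
        rec = parse_datagram(payload, source_ip)
        if rec is None:
            counts[source_ip]["unparsed"] += 1   # keep a tally of junk per sender
            continue
        counts[source_ip][SEVERITIES[rec["severity"]]] += 1
        if rec["severity"] <= alert_level:       # lower number = more severe
            alerts.append((source_ip, rec["mnemonic"]))
    return counts, alerts

# Constructed sample input: (source address, UDP payload)
SAMPLE = [
    ("172.25.25.1", b"<189>45: Mar  1 12:01:10: %SYS-5-CONFIG_I: Configured from console by vty0 (172.25.1.1)"),
    ("172.25.25.1", b"<187>46: Mar  1 12:03:42: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down"),
    ("172.25.25.2", b"<189>12: Mar  1 12:04:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up"),
    ("172.25.25.2", b"not a syslog message"),
]

if __name__ == "__main__":
    counts, alerts = summarize(SAMPLE)
    for router, tally in sorted(counts.items()):
        print(router, dict(tally))
    print("alerts:", alerts)
```

Because the router receives no acknowledgement, a lost datagram leaves no trace on either side; a per-router count that stops growing is the only sign the server will see.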

18.5.4 See Also

Recipe 18.6; Recipe 18.9; Recipe 18.14

