Logging and using syslog

Cisco devices communicate with an administrator through system messages. These system messages are typically sent to a logging process, so they are most often called syslog messages. Syslog is also the name of the UNIX-based service that handles system messages from UNIX systems (and also Cisco devices if configured to do so).

Logging is enabled by default. The no logging on command actually forces system messages to the console. This can impede the performance of the Cisco device, because processes must wait for each message to be written to the console before they can continue. It is recommended that the administrator leave the logging process enabled (the default behavior); that way logging messages can be written to the console more efficiently.

Because there is really no way to stop system messages from being sent to the console, administrators should use the logging synchronous command in line configuration mode. This command prevents these messages from interrupting typing at the console.

To have the Cisco device store syslog messages in an internal buffer, administrators should ensure the logging process is in its default enabled state (logging console command) and then use the logging buffered command. The default buffer size is 4096 bytes; it can be changed by specifying an optional size at the end of the logging buffered command. To view the contents of the buffer, use the show logging command; the oldest messages are displayed first. When the buffer fills to capacity, new messages overwrite the oldest ones. The buffer can be cleared at any time with the clear logging command.

Syslog messages can be stored on a server (UNIX- or Windows-based) in the network.
CiscoWorks LAN Management Suite (LMS) features a built-in syslog server application that stores these messages in a searchable database. It allows the filtering of messages, reporting on messages, and even action filters that allow automated responses to certain messages, including pages and e-mails.

To send system messages to a UNIX or CiscoWorks syslog server, ensure the logging process is enabled and then issue the command logging x.x.x.x, where x.x.x.x is the IP address of the syslog server. The command can be entered multiple times to configure multiple destinations for the messages. To avoid sending every message, use the logging trap level command, where level is the number or the name of the severity level. For example, logging trap notifications restricts the messages sent to only those of level 0 through 5. This keeps debugging and informational messages from being sent to the server. UDP port 514 is used for syslog messages, so be sure that your firewalls permit this port if you need the messages to pass through such devices.

UNIX syslog servers use a facility code to identify the source of syslog messages. They use this code to create different logs for the different sources of messages. Sample facilities include lpr for the Line Printer System and mail for the e-mail system. UNIX syslog servers reserve the facility codes local0 through local7 for log messages received from remote servers and network devices. To have switches use one log file on the server and routers use another, change the facility code for switches using the logging facility local6 command. By default, Cisco devices use local7 for their messages so that your router messages will be in a different log. Note that CiscoWorks requires the use of local7.

Some devices even allow logging of system messages to a file in flash memory. The command to do this is simply logging file flash:myname.txt. This command can also set size limits on the file and control the types of messages that are sent to flash.

Administrators should stamp syslog messages with the date and time that they were generated. This is accomplished with the service timestamps log datetime command.
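As an added example that is not part of the original post, the Python below models what the preceding paragraphs describe from both ends: the device-side logging trap level filter (which severities are forwarded), the server-side sorting of messages by facility code (switches on local6, routers on local7), and a check for messages that arrive without a timestamp because service timestamps log datetime is not set. It assumes the standard syslog PRI encoding (facility × 8 + severity, so a local7 notification arrives as <189>) and the Cisco IOS message shape shown in the constructed sample lines; the log file names and the sample messages are assumptions, not values from the post.

```python
"""Model of Cisco syslog forwarding and server-side routing (added example).

Assumptions (not from the original post): PRI = facility * 8 + severity as in
the syslog protocol; Cisco IOS wire format '<PRI>seq: timestamp: %FAC-SEV-MNEMONIC: text';
the sample lines and log file names below are constructed for illustration.
"""
import re
from collections import defaultdict

# local0..local7 are facility codes 16..23
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}
# Severity 0..7, using the names IOS accepts for 'logging trap <level>'
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# Server-side split described in the post: switches on local6, routers on local7
FACILITY_TO_LOG = {"local6": "switches.log", "local7": "routers.log"}

# <PRI>, optional IOS sequence number, optional 'service timestamps log datetime'
# stamp (e.g. '*Mar  1 00:12:34.567: '), then the %FACILITY-SEVERITY-MNEMONIC body.
MSG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?P<ts>\*?\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}[^:]*: )?"
    r"(?P<body>%[A-Z0-9_]+-\d-[A-Z0-9_]+: .*)$"
)

# Constructed sample traffic from one router (local7) and one switch (local6)
SAMPLE_LINES = [
    "<189>12: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
    "<190>13: *Mar  1 00:12:40.001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.9 started - CLI initiated",
    "<191>14: *Mar  1 00:13:10.500: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test",
    "<181>7: *Mar  1 00:13:02.120: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up",
    "<179>8: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",  # no timestamp configured
]


def decode_pri(pri: int) -> tuple:
    """Split a syslog PRI value into (facility name, severity number)."""
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES.get(facility, f"facility{facility}"), severity


def parse_cisco_syslog(line: str) -> dict:
    """Parse one IOS-style syslog line into its facility, severity, timestamp flag and body."""
    m = MSG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    facility, severity = decode_pri(int(m["pri"]))
    return {
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "timestamped": m["ts"] is not None,
        "body": m["body"],
    }


def route_messages(lines, trap_level: int = 5):
    """Apply the device-side 'logging trap <level>' filter, then file what the
    server would receive by facility. Returns (files, bodies lacking a timestamp)."""
    files = defaultdict(list)
    untimestamped = []
    for line in lines:
        msg = parse_cisco_syslog(line)
        if msg["severity"] > trap_level:  # e.g. informational/debugging under 'logging trap notifications'
            continue
        if not msg["timestamped"]:
            untimestamped.append(msg["body"])
        files[FACILITY_TO_LOG.get(msg["facility"], "other.log")].append(msg["body"])
    return dict(files), untimestamped


if __name__ == "__main__":
    files, missing = route_messages(SAMPLE_LINES, trap_level=5)
    for name, bodies in files.items():
        print(f"{name}: {len(bodies)} message(s)")
        for body in bodies:
            print("   ", body)
    print("messages without a timestamp:", missing)
```

Running it with trap_level=5 keeps one router message and two switch messages and drops the informational and debugging lines; raising trap_level to 7 forwards all three router lines, which is the volume the post's logging trap notifications advice is meant to avoid. The untimestamped list is the operational cue that a device still needs service timestamps log datetime.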
