Sample router log messages - Cisco logging severity levels

Many network administrators overlook the importance of router logs. Logging is critical for fault notification, network forensics, and security auditing.

Cisco routers handle log messages in five ways:

  • By default, the router sends all log messages to its console port. Only users that are physically connected to the router console port may view these messages, though. This is called console logging.

  • Terminal logging is similar to console logging, but it displays log messages to the router's VTY lines instead. This type of logging is not enabled by default, so if you want to use it, you need to activate it for each required line.

  • Buffered logging creates a circular buffer within the router's RAM for storing log messages. This circular buffer has a fixed size to ensure that the log will not deplete valuable system memory. The router accomplishes this by deleting old messages from the buffer as new messages are added.

  • The router can use syslog to forward log messages to external syslog servers for centralized storage. This type of logging is not enabled by default. Much of this chapter is devoted to configuring remote syslog features. The router sends syslog messages to the server on UDP port 514. The server does not acknowledge these messages.

  • With SNMP trap logging, the router is able to use SNMP traps to send log messages to an external SNMP server. This is an effective method of handling log messages in an SNMP-based environment, but it has certain limitations. We will discuss this logging method in Chapter 17, which deals with SNMP configuration.

Cisco log messages are categorized by severity level, following the structure and format of the 4.3BSD Unix syslog framework. In particular, router log messages use the syslog severity levels, as shown in Table 18-1. Note that the lower the severity level number, the more critical the log message is.

Table 18-1. Cisco logging severity levels

Level  Level name     Description                       Syslog definition
0      Emergencies    Router unusable                   LOG_EMERG
1      Alerts         Immediate action needed           LOG_ALERT
2      Critical       Critical conditions               LOG_CRIT
3      Errors         Error conditions                  LOG_ERR
4      Warnings       Warning conditions                LOG_WARNING
5      Notifications  Normal but important conditions   LOG_NOTICE
6      Informational  Informational messages            LOG_INFO
7      Debugging      Debugging messages                LOG_DEBUG


Here is an example of a log message that shows the typical format of Cisco router log messages:

Apr 12 14:01:16: %CLEAR-5-COUNTERS: Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)

As you can see, the log message is broken into three sections that are delimited by colons. The first section is the optional date and time section, which is enabled by using the service timestamps configuration command. A detailed discussion of timestamps can be found in Chapter 14.

The second part of the log message, %CLEAR-5-COUNTERS, gives the message code and severity level. In the example log message above, the message code family is CLEAR, the priority level is -5-, which indicates a Notifications severity-level message, and the family type is COUNTERS. All Cisco log messages are arranged in this manner. There are many different message codes, such as FRAME for frame relay messages, SYS for system messages, and LINK for interface messages. Within each message code, log messages are categorized by severity, from 7 (the least severe) to 0 (the most critical), following the syslog model. Finally, each specific message type is assigned a unique message code, such as COUNTERS in this case, or UPDOWN for LINK messages, and so forth.

The final section of a log message is the message body, which contains human-readable text. The example message above contains the message body "Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)". The message body generally contains easy-to-understand text as well as some custom variables, such as ijbrown and vty0 in this case, which help to make log messages more meaningful.
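The three-section format described above, parsed in Python as an added example (not code from the original text). The regular expression, the function names, and every sample line after the first are assumptions constructed for illustration; triage also keeps lines that do not parse, so that they are not silently lost during an audit.

```python
import re

# Level names from Table 18-1; the list index is the numeric severity.
LEVELS = ["Emergencies", "Alerts", "Critical", "Errors",
          "Warnings", "Notifications", "Informational", "Debugging"]

# [timestamp: ]%FAMILY-SEVERITY-TYPE: body   (the timestamp section is optional)
LOG_RE = re.compile(
    r"^(?:(?P<timestamp>.*?): )?"
    r"%(?P<family>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<msg_type>[A-Z0-9_]+): "
    r"(?P<body>.*)$")

def parse(line):
    """Split one router log line into its sections; None if it does not fit."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["level_name"] = LEVELS[rec["severity"]]
    return rec

def triage(lines, threshold=4):
    """Return (urgent, unparsed): messages at `threshold` or more critical
    (numerically lower or equal), plus lines that did not parse, which are
    kept for review instead of being dropped."""
    urgent, unparsed = [], []
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed.append(line)
        elif rec["severity"] <= threshold:
            urgent.append(rec)
    return urgent, unparsed

# The first line is the example from the text; the rest are constructed samples.
SAMPLE = [
    "Apr 12 14:01:16: %CLEAR-5-COUNTERS: Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)",
    "%LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
    "Apr 12 14:02:40: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4431) -> 172.25.1.5(23), 1 packet",
    "Apr 12 14:03:02: truncated line without a message code",
]

if __name__ == "__main__":
    urgent, unparsed = triage(SAMPLE)
    for rec in urgent:
        print(rec["severity"], rec["level_name"], rec["family"], rec["msg_type"], rec["body"])
    print("unparsed:", unparsed)
```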

Table 18-2 shows a typical log message for each of the eight severity levels.

Table 18-2. Sample router log messages

Level  Level name     Sample router messages
0      Emergencies    System shutting down due to missing fan tray
1      Alerts         Core CRITICAL Temperature limit exceeded
2      Critical       Memory allocation failures
3      Errors         Interface Up/Down messages
4      Warnings       Configuration file written to server, via SNMP request
5      Notifications  Line protocol Up/Down
6      Informational  Access-list violation logging
7      Debugging      Debug messages


You will rarely see log messages with severity levels of Alert or Emergency because any problems this severe generally mean the router is inoperable.