Using a Remote Log Server
Problem
You want to send log messages to a remote syslog server.
Solution
Use the following command to send router log messages to a remote syslog server:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#logging 172.25.1.1
Router(config)#end
Router#
Although configuring the router with a static IP address like this is the preferred method of configuring a syslog server, you can also specify a hostname to be resolved:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip host nms.oreilly.com 172.25.1.1
Router(config)#logging nms.oreilly.com
Router(config)#end
Router#
With this configuration, the router will attempt to resolve the server name that is provided. If the router cannot resolve the server name via DNS or static host lookup, then the entry will fail. For more information about DNS and static host names, please see Chapter 2.
Beginning with IOS Version 12.2(15)T, logging host replaced the logging command; however, both methods are still supported:
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#logging host 172.25.1.1
Router2(config)#end
Router2#
Discussion
Forwarding log messages to a remote syslog server has several advantages over just retaining log messages locally on the router. The primary advantage is that messages sent to the server are stored to disk. All other forms of router logging are lost upon router reload, including vital log messages that occurred just before a router crashes due to error.
Another advantage of using a remote syslog server is storage capacity. A router stores logging messages in internal system memory, which severely limits the number of logs messages that can be stored. A syslog server, on the other hand, can store days, weeks, or even months worth of log messages. It is not uncommon for an organization to retain a month or more of archived log messages for examination later.
Finally, being able to view log messages from all of your routers in a single location can be quite useful. Forwarding all router log messages to a common logfile can assist fault isolation, problem resolution, network forensics, and security investigations. Parsing router logfiles with custom scripts can also provide an excellent understanding of network health, and many network management software vendors now include tools to handle syslog messages.
The example below illustrates a router configured with two remote syslog servers:
Router>show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
Console logging: level debugging, 654 messages logged
Monitor logging: level debugging, 65 messages logged
Buffer logging: level debugging, 2 messages logged
Logging Exception size (4096 bytes)
Trap logging: level informational, 658 message lines logged
    Logging to 172.25.1.1, 1 message lines logged
    Logging to 172.25.1.3, 1 message lines logged
Log Buffer (4096 bytes):
Router>
The syslog protocol resides on UDP port 514, and messages are forwarded asynchronously without acknowledgements from the server. In other words, communications between the router and server flow in a single direction, with the server acting as a passive receiver.
By default, the router sends its log messages tagged with only its IP address. In some instances, it is useful to tag the log messages with the router hostname as well. This is especially true if the syslog packets pass through a NAT device. The ability to tag syslog messages was introduced in IOS Version 12.2(15)T:
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#logging origin-id hostname
Router2(config)#end
Router2#
Before hostname tagging is enabled, the syslog server identifies each log message only by the router's IP address. Note that if the syslog server can resolve the router's IP address, it will display the resolved hostname in place of the IP address. Here's an example of a normal syslog message:
Jul 15 20:35:07 172.25.1.100: Jul 15 20:35:07.499 EDT: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty0 (172.25.1.1)
After hostname tagging is enabled, the router's hostname is embedded within the log message, immediately after the IP address recorded by the server. The embedded hostname here is Router2:
Jul 15 20:37:05 172.25.1.100: Router2: Jul 15 20:37:05.173 EDT: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty0 (172.25.1.1)
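The following script is an added example, not part of the recipe, showing how a syslog server-side script might parse the two message formats shown above (with and without the origin-id hostname) and pull out the %SYS-5-CONFIG_I configuration-change events, which are the kind of entry a security investigation looks for in a central logfile. Because syslog is forwarded over UDP without acknowledgement, lines may be missing or truncated, so the parser returns None for anything it cannot fully match rather than raising. The two sample lines are copied from the recipe; the line layout assumed is the "timestamp sender: message" form a typical syslogd writes, and the dataclass and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Logfile lines as written by the syslog server, which prefixes its own
# timestamp and the sender's address. Taken from the two messages in the recipe.
SAMPLE_LINES = [
    "Jul 15 20:35:07 172.25.1.100: Jul 15 20:35:07.499 EDT: %SYS-5-CONFIG_I: "
    "Configured from console by ijbrown on vty0 (172.25.1.1)",
    "Jul 15 20:37:05 172.25.1.100: Router2: Jul 15 20:37:05.173 EDT: %SYS-5-CONFIG_I: "
    "Configured from console by ijbrown on vty0 (172.25.1.1)",
]

# "Jul 15 20:35:07 172.25.1.100: <rest>" -- the server's own prefix.
SERVER_PREFIX = re.compile(
    r"^(?P<recv_ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<sender>[^:\s]+): (?P<rest>.*)$")
# The router's own timestamp (service timestamps log datetime msec show-timezone).
ROUTER_TS = re.compile(
    r"^(?P<router_ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?(?: [A-Z]{1,5})?): (?P<rest>.*)$")
# Optional "Router2: " tag inserted by "logging origin-id hostname".
ORIGIN_ID = re.compile(r"^(?P<origin>[^:\s]+): (?P<rest>.*)$")
# %FACILITY-SEVERITY-MNEMONIC: text
MESSAGE = re.compile(
    r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
# Body of a SYS-5-CONFIG_I message.
CONFIG_I = re.compile(r"^Configured from (?P<how>\S+) by (?P<user>\S+)(?: on (?P<line>\S+) \((?P<src>[^)]+)\))?")


@dataclass
class IosSyslogRecord:
    received_at: str          # timestamp written by the syslog server
    sender: str               # IP address (or resolved name) the server saw
    origin_id: Optional[str]  # hostname tag, None when origin-id is not enabled
    router_time: str          # timestamp generated by the router itself
    facility: str
    severity: int             # 0 (emergencies) .. 7 (debugging)
    mnemonic: str
    text: str

    @property
    def router_label(self) -> str:
        """Best available identity: the hostname tag if present, else the sender address.
        Behind NAT the sender address may be shared by several routers, which is
        exactly why the recipe recommends enabling origin-id tagging."""
        return self.origin_id or self.sender


def parse_ios_syslog_line(line: str) -> Optional[IosSyslogRecord]:
    """Parse one logfile line in either the untagged or the hostname-tagged form.
    Returns None for lines that do not fully match (truncated or foreign entries)."""
    m = SERVER_PREFIX.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    origin_id = None
    ts = ROUTER_TS.match(rest)
    if not ts:
        # Not a timestamp, so this should be the origin-id tag followed by the timestamp.
        o = ORIGIN_ID.match(rest)
        if not o:
            return None
        origin_id = o.group("origin")
        ts = ROUTER_TS.match(o.group("rest"))
        if not ts:
            return None
    msg = MESSAGE.match(ts.group("rest"))
    if not msg:
        return None
    return IosSyslogRecord(
        received_at=m.group("recv_ts"), sender=m.group("sender"), origin_id=origin_id,
        router_time=ts.group("router_ts"), facility=msg.group("facility"),
        severity=int(msg.group("severity")), mnemonic=msg.group("mnemonic"),
        text=msg.group("text"))


def config_changes(lines: Iterable[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (router label, user, source address) for every CONFIG_I event found."""
    events = []
    for line in lines:
        rec = parse_ios_syslog_line(line)
        if rec is None or rec.mnemonic != "CONFIG_I":
            continue
        body = CONFIG_I.match(rec.text)
        if body:
            events.append((rec.router_label, body.group("user"), body.group("src")))
    return events


if __name__ == "__main__":
    for router, user, src in config_changes(SAMPLE_LINES):
        print(f"{router}: configuration changed by {user} from {src}")
```

Run it against the two sample lines and the first event is attributed only to 172.25.1.100 while the second carries the tag Router2, which is the practical difference the origin-id command makes when several routers sit behind one NAT address.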