XML-Formatted Log Messages

Problem

You wish to send your syslog messages in XML format.

Solution

To enable XML-formatted syslog messages, use the following commands:

Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#logging console xml
Router2(config)#logging monitor xml
Router2(config)#logging buffered xml
Router2(config)#logging host 172.25.1.1 xml
Router2(config)#end
Router2#

Discussion

Beginning with IOS Version 12.2(15)T, Cisco introduced Extensible Markup Language (XML) formatted logging of system events and errors. XML provides a method of standardizing and consistently formatting messages, which can easily be utilized by third-party applications to extract data. When XML logging is enabled, system log messages are tagged using a standardized format. Detailed information regarding the message tagging is contained in Table 18-4.

XML tagging can be enabled on all logging facilities, including console, monitor, buffer, or remote syslog servers. However, XML tagged system messages are not as easily read or understood by humans, which means XML tagged messages are most likely sent to a remote syslog server for processing. For example, here is a typical system message created by a router in normal syslog format:

Jul 15 20:37:17.277 EDT: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty0 (172.25.1.1)

The following is the same system message with XML tagging enabled:

SYS5CONFIG_Iconsoleijbrown on vty0 (172.25.1.1)

As you can see, the XML tagged system message is difficult to decipher for us humans; however, the consistent tagging structure is perfectly suited for external monitoring programs to extract data. The following table breaks down the various XML tags used by Cisco to encode system messages.

Table 18-4. XML tags used for syslog messages
Tag applied | Item delimited

Entire syslog message.

The facility name of the log message (e.g., SYS).

The severity level of the message from 0 to 7, with 0 the most severe (e.g., 5).

The error or event message type (e.g., CONFIG_I).

The message sequence number.

The timestamp of the message, including the time and date (e.g., Jul 15 20:37:27.277 EDT).

The variables contained within the human-readable text. Note that the full human-readable text is not kept. Only the individual arguments are formatted and retained. See the next section.

The specific arguments that are embedded within the human-readable text. These arguments are sequentially numbered starting from 0 (e.g., Arg0 = console, Arg1 = ijbrown on vty0 (172.25.1.1)).


If you are unfamiliar with XML, we recommend XML Pocket Reference by Simon St.Laurent and Michael Fitzgerald (O'Reilly). A simple description of XML is that it uses special tags that define objects. One tag defines the start of an object, and a second tag defines the end of that object. For example, in Table 18-4, we indicated that the entire log message begins with the tag and ends with the same tag, but with a slash in it (). You can then nest other objects inside this object, with each object surrounded by a similar pair of tags. However, as we mentioned earlier, XML is not really intended to be human-readable.
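A monitoring program on the receiving syslog host might extract the tagged fields as follows. This is an added example, not code from the original recipe: the element names (ios-log-msg, facility, severity, msg-id, time, args, arg) are taken from Cisco's documentation of the feature rather than from this page, and the sample messages and their syslog header are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Element names are Cisco's documented XML syslog tags (an assumption here).
START, END = "<ios-log-msg>", "</ios-log-msg>"
# The "user on line (address)" argument of a CONFIG_I message.
WHO = re.compile(r"^(?P<user>\S+) on (?P<line>\S+) \((?P<src>[0-9.]+)\)$")

def parse_ios_xml(line):
    """Fields of one received syslog line, or None when the line is not a
    well-formed XML-tagged IOS message."""
    start, end = line.find(START), line.rfind(END)
    if start < 0 or end < start:
        return None                  # standard (non-XML) syslog text
    payload = line[start:end + len(END)]
    if "<!" in payload:              # no DTD or entity declarations: UDP
        return None                  # syslog is unauthenticated input
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return None                  # truncated or malformed message
    sev = root.findtext("severity", "")
    return {
        "facility": root.findtext("facility"),
        "severity": int(sev) if sev.isdecimal() else None,
        "msg_id": root.findtext("msg-id"),
        "time": root.findtext("time"),
        "args": [a.text or "" for a in root.iterfind("args/arg")],
    }

def config_change(line):
    """(user, line, source) for a SYS CONFIG_I event, else None."""
    msg = parse_ios_xml(line)
    if not msg or (msg["facility"], msg["msg_id"]) != ("SYS", "CONFIG_I"):
        return None
    m = WHO.match(msg["args"][1]) if len(msg["args"]) > 1 else None
    return (m["user"], m["line"], m["src"]) if m else None

# Constructed samples; the "<189>42: " syslog header is assumed.
SAMPLE_XML = (
    "<189>42: <ios-log-msg><facility>SYS</facility><severity>5</severity>"
    "<msg-id>CONFIG_I</msg-id><time>Jul 15 20:37:17.277 EDT</time><args>"
    '<arg id="0">console</arg><arg id="1">ijbrown on vty0 (172.25.1.1)</arg>'
    "</args></ios-log-msg>")
SAMPLE_PLAIN = ("<189>43: Jul 15 20:37:17.277 EDT: %SYS-5-CONFIG_I: "
                "Configured from console by ijbrown on vty0 (172.25.1.1)")

if __name__ == "__main__":
    print(config_change(SAMPLE_XML), config_change(SAMPLE_PLAIN))
```

Lines that are not XML-tagged, that are truncated, or that carry a document type declaration return None, so the caller can count and review them instead of trusting partially parsed input.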

It's possible to enable both normal system log buffering and XML tagged log buffering concurrently. To view the XML buffered log on a router, use the show log xml command:

Router2#show logging xml 
enabledenabled
enableddisabled
disableddisabled
vty6(35)
enableddisabled



enableddisabled
disableddisabled



CLEAR5COUNTERSallinterfacesijbrown on vty0 (172.25.1.1)
Router2#

It is also possible to send standard system log messages to one host and XML-tagged log messages to another host; however, you must specify a different IP address. You cannot send both standard and XML system messages to the same host concurrently:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#logging host 172.25.1.1 xml
Router2(config)#logging host 172.25.1.3
Router2(config)#end
Router2#

In this example, the router is configured to send XML-tagged system messages to host 172.25.1.1, and standard system log messages to host 172.25.1.3.

See Also