All Cisco-Network Study Notes: 12/23/08

XML-Formatted Log Messages cp19

XML-Formatted Log Messages

Problem

You wish to send your syslog messages in XML format.

Solution

To enable XML-formatted syslog messages, use the following commands:

Router2# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#logging console xml
Router2(config)#logging monitor xml
Router2(config)#logging buffered xml
Router2(config)#logging host 172.25.1.1 xml
Router2(config)#end
Router2#

Discussion

Beginning with IOS Version 12.2(15)T, Cisco introduced Extensible Markup Language (XML) formatted logging of system events and errors. XML provides a method of standardizing and consistently formatting messages, which can easily be utilized by third-party applications to extract data. When XML logging is enabled, system log messages are tagged using a standardized format. Detailed information regarding the message tagging is contained in Table 18-4.

XML tagging can be enabled on all logging facilities, including console, monitor, buffer, or remote syslog servers. However, XML tagged system messages are not as easily read or understood by humans, which means XML tagged messages are most likely sent to a remote syslog server for processing. For example, here is a typical system message created by a router in normal syslog format:

Jul 15 20:37:17.277 EDT: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty0 (172.25.1.1)

The following is the same system message with XML tagging enabled:

SYS5CONFIG_IJul 15 20:37:17.277 EDTconsoleijbrown on vty0 (172.25.1.1)

As you can see, the XML tagged system message is difficult to decipher for us humans; however, the consistent tagging structure is perfectly suited for external monitoring programs to extract data. The following table breaks down the various XML tags used by Cisco to encode system messages.

Table 18-4. X ML Tags used for syslog messages
Tag applied	Item delimited
	Entire syslog message.
	The facility name of the log message (e.g., SYS).
	The severity level of the message from 0 to 7, with 0 the most severe (e.g., 5).
	The error or event message type (e.g., CONFIG_I).
	The message sequence number.
	The timestamp of the message, including the time and date (e.g., Jul 15 20:37:27.277 EDT).
	The variables contained within the human readable test. Note that the full human readable is not kept. Only the individual arguments are formatted and retained. See the next section.
	The specific arguments that are embedded within the human readable test. These arguments are sequentially numbered starting from 0 (e.g., Arg0 = console Arg1= ijbrown on vty0 (172.25.1.1) ).

If you are unfamiliar with XML, we recommend XML Pocket Reference by Simon St.Laurent and Michael Fitzgerald (O'Reilly). A simple description of XML is that it uses special tags that define objects. One tag defines the start of an object, and a second tag defines the end of that object. For example, in Table 18-4, we indicated that the entire log message begins with the tag and ends with the same tag, but with a slash in it (). You can then nest other objects inside this object, with each object surrounded by a similar pair of tags. However, as we mentioned earlier, XML is not really intended to be human-readable.

It's possible to enable both normal system log buffering and XML tagged log buffering concurrently. To view the XML buffered log on a router, use the show log xml command:

Router2#show logging xml 
enabledenabled
  enableddisabled
  disableddisabled
      vty6(35)
  enableddisabled
  
  
  
      enableddisabled
      disableddisabled
      


CLEAR5COUNTERSJul 16 10:09:43.832 EDTallinterfacesijbrown on vty0 (172.25.1.1)
Router2#

It is also possible to send standard system log messages to one host and XML-tagged log messages to another host; however you must specify a different IP address. You cannot send both standard and XML system messages to the same host concurrently:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#logging host 172.25.1.1 xml
Router2(config)#logging host 172.25.1.3
Router2(config)#end
Router2#

In this example, the router is configured to send XML-tagged system messages to host 172.25.1.1, and standard system log messages to host 172.25.1.3.

Enabling Error Log Counting

Problem

You wish to see the number and type of log messages created by the router.

Solution

Use the logging count command to enable error log counting:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#logging count
Router2(config)#end
Router2#

Discussion

The logging count command causes the router to maintain a count and timestamp of each recorded log type. To view the results of the log counting, use the show logging count command:

Router2#show logging count
Facility       Message Name                     Sev Occur      Last Time
==================================================================================
NTP            PEERREACH                          6    3 Jul 13 20:31:34.441      
NTP            PEERSYNC                           5    1 Jul 13 20:23:03.571      
NTP            PEERUNREACH                        4    3 Jul 13 20:22:00.435      
NTP            RESTART                            6    1 Jan 31 14:13:33.769      
-------------  -------------------------------  ----------------------------------
NTP TOTAL                                              8

SYS            ESMSHUTDOWN                        7    7 Jul 15 19:18:07.476      
SYS            PRIV_AUTH_PASS                     5    7 Jul 15 19:32:50.735      
SYS            LOGGINGHOST_STARTSTOP              6    4 Jul 15 19:56:31.203      
SYS            RESTART                            5    1 Jan 31 14:13:33.697      
SYS            CONFIG_I                           5   23 Jul 15 20:11:14.943      
SYS            CLOCKUPDATE                        6    4 Jul 13 20:21:59.574      
-------------  -------------------------------  ----------------------------------
SYS TOTAL                                             46

LINEPROTO      UPDOWN                             5    4 Jan 31 14:13:33.260      
-------------  -------------------------------  ----------------------------------
LINEPROTO TOTAL                                        4

LINK           CHANGED                            5    2 Jan 31 14:13:34.390      
-------------  -------------------------------  ----------------------------------
LINK TOTAL                                             2

CLEAR          COUNTERS                           5    4 Jul 15 20:09:00.005      
-------------  -------------------------------  ----------------------------------
CLEAR TOTAL                                            4

Router2#

Notice that the router displays a nice overview of error log messages that have occurred and a timestamp of the most recent occurrence. The router also groups log messages by type, keeping all NTP-related messages together, for instance.

On the highlighted output line, notice that the router's configuration has been modified 23 times since log counting was enabled. Also notice the last recorded message was July 15 at 20:11. Note that the "Sev" column indicates the log message's severity level.

Unfortunately, Cisco doesn't provide an easy way to clear these statistics. The only way to reset the logging count values is to reload the router

Rate-Limiting Syslog Traffic

Problem

You wish to rate-limit the syslog traffic to your server.

Solution

Use the logging rate-limit configuration command to limit the number of syslog packets sent to your server:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#logging host 172.25.1.1
Router(config)#logging rate-limit 30 except warnings
Router(config)#end 
Router#

To rate limit the number of log messages sent to the console port, use the following command:

Router#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#logging rate-limit console 25 except warnings
Router(config)#end
Router#

This feature became available starting in IOS Version 12.1(3)T.

Discussion

By default, a router that is configured for remote logging will forward all log messages to the syslog server as they are created, regardless of how many there are. The rate-limit command will throttle the number of packets to ensure that router won't flood the network or syslog server. It is particularly useful to throttle syslog messages when forwarding debug traces or if the network is congested.

Cisco provides the option to throttle log messages sent to the console port, as well. This feature is important, since all messages written to the console port cause CPU interrupts. If a large number of log messages are being sent to the console port, then the router can suffer noticeable service degradation. Being able to rate-limit messages is an effective alternative to completely disabling them.

The syntax for rate limiting includes several options. The examples above limit the rate of syslog messages to 30 messages per second. The valid limits for this option are 1 to 10,000 messages per second. Since log messages vary in length, it is difficult to calculate a meaningful number in terms of bytes per second. However, a typical average size for a log message is between 150 and 170 bytes. So we can roughly estimate that 30 messages per second will correspond to 36,000 to 40,800 bits per second, which is a good limit for serial lines.

Both examples in this section use the optional keyword except. Use this keyword to ensure that only non-critical messages become rate-limited. For example, to rate-limit all messages at a warning severity level or lower, and to allow all other severity messages to be sent, use the except warning keywords. The examples in this section rate-limit only those messages set at a warning severity level or below. Note that the keyword all is equivalent to setting the except option at the debug level, meaning all messages are rate-limited

Testing the Syslog Sever Configuration

Problem

You want to test the configuration of your syslog server to ensure that the log messages are stored in their correct location.

Solution

The Bourne shell script in Example 18-2 emulates syslog messages at various severity levels to ensure that your server routes them to the correct location. By default, the script will emulate syslog messages to the local7 syslog facility, since Cisco routers default to local7, but the logging facility is completely configurable. No arguments are required or expected.

Example 18-2. testlog.sh

#!/bin/sh
#
#    testlog.sh -- a script to test the syslog facility to ensure that
#                  messages, at various levels, are being forwarded
#                  to the correct file(s)
#
# Set Behavior
FACILITY=local7
LOGGER="/usr/bin/logger"
#
$LOGGER -p $FACILITY.emerg   "This meassage was sent to $FACILITY.emerg (0)"
$LOGGER -p $FACILITY.alert   "This meassage was sent to $FACILITY.alert (1)"
$LOGGER -p $FACILITY.crit    "This meassage was sent to $FACILITY.crit (2)"
$LOGGER -p $FACILITY.err     "This meassage was sent to $FACILITY.err (3)"
$LOGGER -p $FACILITY.warning "This meassage was sent to $FACILITY.warning (4)"
$LOGGER -p $FACILITY.notice  "This meassage was sent to $FACILITY.notice (5)"
$LOGGER -p $FACILITY.info    "This meassage was sent to $FACILITY.info (6)"
$LOGGER -p $FACILITY.debug   "This meassage was sent to $FACILITY.debug (7)"

Discussion

This script is designed to test the syslog server configuration to ensure that router log messages forward to the correct file(s). Basically, the script emulates router log messages at the various severity levels to verify how the syslog daemon handles them.

We use the Unix logger command to generate log messages and forward them to the syslog daemon. The server should route these log messages to same location as the router log messages. If the test log messages either do not show up in the expected file or show up in undesirable locations, then there must be configuration problems in your syslog.conf file.

As noted above, the script's default syslog facility is set to local7, but this is completely configurable. For instance, if your routers are set to use local6, then the variable FACILITY needs to be local6:

FACILITY=local6

If your syslog.conf file includes an entry to forward local7.info log messages to a file called /var/log/rtrlog, then the output from the script would look like the following:

Freebsd# ./testsyslog.sh

Message from syslogd@localhost at Sun Mar 31 22:44:09 2002 ...
localhost This message was sent to local7.emerg (0) 
Freebsd# tail /var/log/rtrlog
Mar 31 22:44:09 localhost This message was sent to local7.emerg (0)
Mar 31 22:44:09 localhost This message was sent to local7.alert (1)
Mar 31 22:44:09 localhost This message was sent to local7.crit (2)
Mar 31 22:44:09 localhost This message was sent to local7.err (3)
Mar 31 22:44:09 localhost This message was sent to local7.warning (4)
Mar 31 22:44:09 localhost This message was sent to local7.notice (5)
Mar 31 22:44:09 localhost This message was sent to local7.info (6)
Freebsd#

Notice that one of the messages produced by the script was sent directly to the screen. This is because the test server's syslog.conf file is configured to forward all emergency level syslog messages to all TTY terminals, as is a commonly done on Unix machines. Although this message will not cause any system problems, it can strike fear into other active users, so be aware.

The second part of the output shows the contents of the /var/log/rtrlog file. You will notice that the output shows seven lines of progressively decreasing priority log messages, but it does not display a severity 7 (debugging) message. This is because the syslog.conf configuration included a line for local7.info, which does not include debug level messages.

Finally, with a minor modification to your syslog.conf file, you can utilize this script to test remote syslog servers:

local7.info                    @nms.oreilly.com

This example would forward all local7 log messages to a remote syslog server called nms.oreilly.com. Notice the syntax of this line introduces the @ sign to signify that a server name follows. Running the script again would forward local7 log messages to the remote server, which would effectively emulate router log messages and test the server's syslog configuration. When testing is completed, make sure to remove or comment out the above configuration line; otherwise, incoming local7 log messages will also be forwarded to the remote syslog server.

Preventing the Most Common Messages from Being Logged

Problem

You want to disable the router from creating link up/down syslog messages on unimportant router interfaces.

Solution

Use the no logging event configuration commands to disable the logging of common interface level messages:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface Serial0/0
Router(config-if)#no logging event link-status
Router(config-if)#no logging event dlci-status-change
Router(config-if)#no logging event subif-link-status 
Router(config-if)#exit
Router(config)#end 
Router#

Discussion

By default, log messages are sent whenever a router interface status changes states. Generally, you want to see log messages that indicate that an interface status has changed, but there are times when it can be useful to disable these types of messages. For instance, dial interfaces may cycle up and down many times throughout the course of a normal day without being cause for concern. Having the capability to suppress these messages helps keep logs uncluttered and can prevent network management staff from wasting time responding to unnecessary trouble reports:

%LINK-3-UPDOWN: Interface Serial0, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
%LINK-3-UPDOWN: Interface Serial0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up

The example above shows the log messages that are sent when a router interface changes states from up to down and back to up. You can use the no logging event link-status command to suppress these messages.

On frame-relay interfaces, DLCI state changes trigger the router to create log messages. In large Frame Relay-based networks, many DLCI changes can occur daily, which can clutter logs and open duplicate trouble reports. Using the no logging event dlci-status-change configuration command will prevent these log messages from being created:

%FR-5-DLCICHANGE: Interface Serial0 - DLCI 50 state changed to INACTIVE
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0.1, changed state to down
%FR-5-DLCICHANGE: Interface Serial0 - DLCI 50 state changed to ACTIVE
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0.1, changed state to up

Finally, subinterface link up or down messages can be suppressed by using the no logging event subif-link-status configuration command. The example below demonstrates a typical frame-relay interface failure. Notice that the router sends a "line protocol down" log message for the main interface, as well as each of the subinterfaces. Although this example only shows one subinterface, it is not uncommon to see dozens of subinterfaces on a single physical interface. In these cases, it can be useful to suppress subinterface messages:

%LINK-3-UPDOWN: Interface Serial0, changed state to down
%FR-5-DLCICHANGE: Interface Serial0 - DLCI 50 state changed to DELETED
%FR-5-DLCICHANGE: Interface Serial0 - DLCI 102 state changed to DELETED
%FR-5-DLCICHANGE: Interface Serial0 - DLCI 103 state changed to DELETED
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0.1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down

Maintaining Syslog Files on the Server

Problem

You want to automatically rotate and archive router logfiles on a Unix server.

Solution

The Bourne shell script in Example 18-1 automatically rotates router logfiles to ensure that these files don't become too big and cumbersome to navigate. The script is intended to be invoked via a cron job on a daily basis, but you can also run it manually. By default, the script retains seven days worth of archived logfiles and compresses files older than two days. No arguments are required or expected.

Example 18-1. rotatelog.sh

#!/bin/sh
#
#  rotatelog.sh -- a script to rotate logfiles and
#                  compress archived files
#
# Set behavior   
SYSLOGPID=/etc/syslog.pid   
LOGDIR=/var/log
LOG=rtrlog
DAYS=7
COMPRESS="/usr/bin/compress -f"
#
# Program body
[ -f $SYSLOGPID ] || echo "Syslog PID file doesn't exist"
if [ -d $LOGDIR ]; then
 cd $LOGDIR
 [ -f $LOG.1 ] && \Q$COMPRESS $LOG.1\Q && sleep 1
 while [ $DAYS -gt 1 ]
 do
       LOW=\Qexpr $DAYS - 1\Q
       [ -f $LOG.$LOW.Z ] && mv $LOG.$LOW.Z $LOG.$DAYS.Z
       DAYS=$LOW
 done
[ -f $LOG ] || echo "Log file $LOG doesn't exist"
[ -f $LOG ] && mv $LOG $LOG.1
touch $LOG
chmod 644 $LOG
sleep 10
kill -HUP \Qcat $SYSLOGPID\Q
#
else
echo "Log directory $LOGDIR is not valid"
fi

Discussion

If left unchecked, the router logfiles grow until your disk space runs out. This script is designed to rotate router logfiles on a daily basis to ensure they don't grow too large.

This script will rotate logs on a daily basis and retain seven days worth of archived logfiles, and overwrite files that are older than this. To reduce the required disk space of the archived logfiles, the script will retain the previous day's log, in a normal format, and compress the remaining days. The number of archived days stored by the script is completely configurable. For instance, to change the number of archived days to 30, change the DAYS variable:

DAYS=30

The script is initially configured to rotate a file called /var/log/rtrlog, but it can easily be configured to rotate any logfile by changing the two variables, LOGDIR and LOG. The variable named LOGDIR contains the directory that the logfiles reside in, and the variable LOG contains the name of the logfile itself. For instance, if you want to change the script to rotate a file called /var/adm/nmslog, then you would modify the following lines in the script:

LOGDIR=/var/adm
LOG=nmslog

The final variable that may require modification is the SYSLOGPID variable. This variable contains the location of your system's syslog.pid file. The script assumes that the process ID number (PID), which is carried by the SYSLOGPID variable, can be found in the file /etc/syslog.pid, which is a common location for Solaris-based machines (another common location is /var/run/syslog.pid). Configuring the script with the correct syslog.pid location is vitally important; otherwise, your logfiles will not rotate correctly. To find the location of your syslog.pid file on your system, use the following command, which can take several minutes to run:

server% find / -name syslog.pid print
/etc/syslog.pid
server%

As mentioned earlier, the script is intended to be launched from cron on a nightly basis. Since it will likely require root privileges to create the necessary files, launch the script from root's crontab. Below is an example of the crontab entry required to launch the script each day at midnight (assuming it is located in /usr/local/bin):

0 0 * * *            /usr/local/bin/rotatelog.sh

Finally, since archived files older then one day, are compressed, we should mention some methods of working with compressed files. First, to view a compressed file, use the zcat command or uncompress c command. To permanently uncompress a compressed file, use the uncompress command (without any switches).

Logging Router Syslog Messages in Different Files

Problem

You want the Unix server to send router log messages to a different logfile than the local system messages.

Solution

To disable router syslog messages from inundating your local system logfiles, use the following commands:

local7.info                             /var/log/rtrlog
*.err;kern.debug;auth.notice;mail.crit;local7.none       /var/log/syslog
*.notice;kern.debug;auth.info;mail.crit;local7.none       /var/adm/messages

Discussion

Most common syslog facilities will, by default, log all messages of a certain severity and higher (see Table 18-1) to their generic local system logfiles. However, once you configure your syslog.conf file to store all router log messages to a specific file, /var/log/rtrlog, in this case, you want to suppress this from occurring. Suppressing router log messages from being stored in your local system logfiles prevents cluttering, separates unrelated logfiles, and prevents the storing of redundant data.

The first line of the example above causes the syslog facility to store all router logs to a certain file. However, syslog will continue to archive router messages into the general system logfiles, as well. Notice that lines 2 and 3 above include a wildcard option (*.err and *.info, respectively). These wildcards match the local7 logging facility and all others as well, causing all log messages of a certain severity level and higher, to be stored. To prevent the router logs from being stored in the general system logfiles, use the local7.none, which will override the wildcard setting.

Setting the IP Source Address for Syslog Messages

Problem

You want the router to use a particular source IP address for syslog messages.

Solution

Use the logging source-interface configuration command to specify a particular IP address for syslog messages:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#logging host 172.25.1.1
Router(config)#logging source-interface Loopback0
Router(config)#end
Router#

Discussion

Normally, when you enable logging to a remote server, that server will see the source of the message as being the router's nearest interface. However, this is not always meaningful. Sometimes you want it to be a loopback address so that all messages from this router look the same. For example, it is a common practice to populate DNS with only the loopback IP addresses to facilitate router access. This means that none of the other router interfaces can be resolved by using DNS:

Apr  2 20:27:01 172.25.2.6 94: %SYS-5-CONFIG_I: Configured from on vty0
Apr  2 20:27:48 Boston 95: %SYS-5-CONFIG_I: Configured from on vty0

The above example shows two identical log messages originating from the same router, as they appear on the syslog server. The first message uses the IP address of a serial interface that the syslog server is unable to resolve. Notice that the server still stores the message, although it uses the IP address to identify the source.

The second log message occurs after configuring the router to use the loopback interface as the source address. Notice that the syslog server is now able to resolve the source IP address and identifies the source as the router Boston. This makes parsing the logfile for all syslog messages that belong to Boston straightforward and simple.

Restricting What Log Messages Are Sent to the Server

Problem

You want to limit which logging levels the router will send to the syslog server.

Solution

Use the logging trap configuration command to limit the severity level of syslog messages:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#logging host 172.25.1.1
Router(config)#logging trap notifications
Router(config)#end 
Router#

Discussion

By default, when you enable remote logging on a router, it will forward only those messages with a severity level informational or higher (see Table 18-1). This means that the router forwards everything but debugging messages to the syslog server. Raising the severity of the log messages forwarded to the syslog server can help to reduce bandwidth utilization across the network, as well as the disk space required for storing the log messages on the server. This example shows the output of the show logging exec command:

Router>show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
   Console logging: level debugging, 658 messages logged
   Monitor logging: level debugging, 65 messages logged
   Buffer logging: level debugging, 6 messages logged
   Logging Exception size (4096 bytes)
   Trap logging: level notifications, 662 message lines logged
       Logging to 172.25.1.1, 5 message lines logged
       Logging to 172.25.1.3, 5 message lines logged
        
Log Buffer (4096 bytes):
Router>

Notice that the logging severity level is set to notifications and that both outbound servers are limited to the same level. It is important to note that the logging trap command sets the severity level for all syslog servers.

Another important use for the logging trap command is allowing the router to send debug level messages to a syslog server. The default severity level for syslog is informational, so the router will not forward any debug messages. Having the ability to store debug messages can often be useful in fault isolation and trouble resolution. The following commands show how to enable the forwarding of debugging severity-level messages:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#logging host 172.25.1.1
Router(config)#logging trap debugging
Router(config)#end 
Router#

You must also configure the syslog server to handle debug level messages. You can accomplish this in one of two waysby creating a dedicated file to handle debug messages or by forwarding debug messages to the normal router logfile. The following two examples will demonstrate how to modify your syslog.conf file to handle both situations:

local7.debug                    /var/log/debug

Or:

local7.=debug                    /var/log/debug

The difference between these two methods is that while the first sends all messages with a severity greater than or equal to debug severity to the indicated file, the second directs only debug level messages to this file. The first example is a more traditional method to assign debug level messages to a particular file, but the second example is preferred since it allows you to separate debug messages from the normal router log messages. Most modern syslog facilities will handle the second example command syntax, but please check your manpages to ensure compatibility by issuing a man syslog.conf.

To simply forward all debug level messages to the default router log, change your syslog.conf files to include the following:

local7.debug                    /var/log/rtrlog

Use caution when enabling the remote storing of debug messages. Debug messages can quickly overwhelm your server if not properly enabled on the router

Changing the Default Log Facility

Problem

You want to change the default logging facility.

Solution

Use the logging facility configuration command to change the syslog facility that the router sends error messages to:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#logging host 172.25.1.1
Router(config)#logging facility local6
Router(config)#end
Router#

The default syslog facility setting is local7.

Discussion

By default, the router will forward all syslog messages to the server's local7 log facility. You can modify this behavior and forward all of your router's syslog messages to another facility by utilizing the logging facility configuration command. Table 18-3 illustrates the possible logging facilities that a router will accept.

Table 18-3. Cisco logging facility types
Facility	Description
Auth	Authorization system
Cron	Cron/at facility
Daemon	System daemons
Kern	Kernel
local0	Local use
local1	Local use
local2	Local use
local3	Local use
local4	Local use
local5	Local use
local6	Local use
local7	Local use (Default facility for Cisco routers)
Lpr	Line printer system
Mail	Mail system
News	USENET news
sys9	System use
sys10	System use
sys11	System use
sys12	System use
sys13	System use
sys14	System use
Syslog	Syslog itself
User	User process
Uucp	Unix-to-Unix copy system

We generally recommend that you choose one of the "local" facilities, as these are intended specifically for this type of use.

There are a number of reasons why it can be quite useful to choose a facility other than the default. First, another application on the syslog server itself may already be using the logging facility local7. Although most applications provide a means by which to change the default logging facility, some, regrettably, do not.

Second, you might want to separate log messages from routers and switches, or other types of network equipment. This makes parsing through the logfiles much easier. For example, you could configure your switches to forward all log messages to local7, and your routers to local6.

Third, it can often be important for security auditing reasons to be able to separate perimeter router logs from those of internal company routers. Perimeter routers protect the organization from outsiders and require more diligent attention. Sending their log messages to a separate file so that they are not lumped in with the rest of the organization's router messages makes it easier to give them this extra attention. For instance, perimeter router logs may require different archive periods, or might have specialized scripts to parse through them. Assigning a different log facility to them is generally a good idea.

The example below shows a sample portion of a syslog.conf file that forwards log messages from all perimeter routers to facility local5, all other router logs to facility local6, and all switch logs to facility local7:

local5.info                    /var/log/seclog
local6.info                    /var/log/rtrlog
local7.info                    /var/log/switchlog

The sample router configuration in the solution section forwards router log messages to log facility local6. The next example illustrates how to configure the perimeter routers to forward their log messages to log facility local5:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#logging host 172.25.1.1
Router(config)#logging facility local5
Router(config)#end 
Router#

One final useful thing to do with your syslog configuration is to send high severity log messages to a separate file to make parsing easier. The following example shows a sample syslog.conf configuration that logs all router log messages to a single file called /var/log/rtrlog, and all high severity log messages to a file called /var/log/rtrpriority:

local7.info                        /var/log/rtrlog
local7.err                        /var/log/rtrpriority

Enabling Syslog on a Unix Server

Problem

You want to configure a Unix server to accept syslog messages from routers.

Solution

For most flavors of Unix and Linux, you simply need to modify the /etc/syslog.conf file on your Unix server to include the following entry (basic configuration):

local7.info                                     /var/log/rtrlog

This example stores all router messages using the default logging facility for Cisco routers, local7. It also stipulates that router log messages with a severity level of informational or greater (refer to Table 18-1) will be directed to the file /var/log/rtrlog. The syntax of the syslog.conf file is log facility.priority notation, followed by a filename.

Note that the syslog.conf file needs tabs, and not spaces, between the various fields.

Discussion

By default, your syslog server may not be equipped to handle router log messages. The above configuration entry will caused the syslog daemon to store all router messages, of informational severity level and higher, to a file called /var/log/rtrlog. Before the server will begin forwarding messages to this file, it must exist and have the proper file attributes:

Freebsd# cd /var/log
/var/log
Freebsd# touch rtrlog
Freebsd# chmod 644 rtrlog
Freebsd#

Then you should reload or HUP the syslog daemon to force it to read your new configuration file and begin storing router log messages. On System V-based Unix servers, use the following commands:

Solaris# ps -ef | grep syslogd
   root   142     1  0   Nov 12 ?        1:21 /usr/sbin/syslogd -m 30
Solaris# kill -HUP 142
Solaris#

On BSD-based Unix and Linux servers, use the following commands:

Freebsd# ps -aux | grep syslogd
root       66  0.0  0.2   960  624  ??  Ss    3Mar02   0:28.66 syslogd -m 30
Freebsd# kill -HUP 66
Freebsd#

For more information on your syslog daemon and its configuration options, check your system's manual pages by using the Unix commands man syslog and man syslog.conf.

Note that some Unix flavors, including most Linux distributions, require the syslog daemon be initialized with the -r switch before they will accept remote syslog messages. See your manual pages for more information (man syslogd).

Sending Log Messages to Your Screen

Problem

You want the router to display log messages to your VTY session in real time.

Solution

Use the terminal monitor command to enable the displaying of log messages to your VTY:

Router#terminal monitor 
Router#

To disable logging to your VTY session, use the following command:

Router#terminal no monitor
Router#

Discussion

Routers forward all logging messages to their console ports by default, but not to their VTY lines. When you are troubleshooting a network problem on a remote router, it is often quite useful to instruct the router to send log messages to your VTY so that you can view them in real time. Here is an example showing how to configure the router to display messages with informational severity level and greater (see Table 18-1 for more information about logging severity levels) to VTY lines:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#logging monitor informational 
Router(config)#exit
Router#terminal monitor
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface Fastethernet0/0
Router(config-subif)#shutdown
Router(config-subif)#exit
Router(config)#end
Router#
Mar 26 09:36:43: %LINK-5-CHANGED: Interface Fastethernet0/0, changed state to administratively down

This example changes the logging monitor level to informational, enables terminal monitoring and then changes the state of an interface to trigger a sample log message. By default, when you enable VTY displaying of log messages, the terminal monitor severity level is set to debugging, so you will see all messages. Notice that in this example, we have changed the severity level to informational. This will suppress the printing of debug messages, while continuing to display messages with all other severity levels. Keep in mind that setting the severity level for VTY logging is a configuration-based command whereas the command to enable VTY logging, terminal monitor, is a privileged-level command that must be set per session.

Enabling this type of logging makes a Telnet session to a router's VTY port look similar to connecting directly to the router's console port. You can use the show logging command to view the current monitor-logging configuration as follows:

Router>show logging
Syslog logging: enabled (0 messages dropped, 101 messages rate-limited, 0 flushes, 0 overruns)
  Console logging: level debugging, 66712 messages logged
  Monitor logging: level informational, 65263 messages logged
        Logging to: vty66(0)
  Buffer logging: level debugging, 644 messages logged
  Logging Exception size (4096 bytes)
  Trap logging: level debugging, 3805 message lines logged
      Logging to 172.25.1.1, 3805 message lines logged
      
Log Buffer (8000 bytes):

The highlighted section of the output shows that the monitor logging facility has been set to a severity level of informational, and that one session is currently in use, with the messages being displayed on vty66(0):

Router>show users
  Line       User       Host(s)              Idle       Location
* 66 vty 0     ijbrown    idle                 00:00:00 freebsd.oreilly.com
67 vty 1     kdooley    idle                 00:00:26 solaris.oreilly.com
Router>

You can easily determine which user is currently using the monitor logging facility by issuing the show users command. This output indicates that the user ijbrown is currently using the monitor logging facility.

Use caution when enabling VTY logging in conjunction with debugging, as it can overwhelm your session.

This feature is so useful that enabling it will soon become second nature

Using a Remote Log Server

Problem

You want to send log messages to a remote syslog server.

Solution

Use the following command to send router log messages to a remote syslog server:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#logging 172.25.1.1
Router(config)#end 
Router#

Although configuring the router with a static IP address like this is the preferred method of configuring a syslog server, you can also specify a hostname to be resolved:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip host nms.oreilly.com 172.25.1.1
Router(config)#logging nms.oreilly.com
Router(config)#end 
Router#

With this configuration, the router will attempt to resolve the server name that is provided. If the router cannot resolve the server name via DNS or static host lookup, then the entry will fail. For more information about DNS and static host names, please see Chapter 2.

Beginning with IOS Version 12.2(15)T, logging host replaced the logging command; however, both methods are still supported:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#logging host 172.25.1.1
Router2(config)#end
Router2#

Discussion

Forwarding log messages to a remote syslog server has several advantages over just retaining log messages locally on the router. The primary advantage is that messages sent to the server are stored to disk. All other forms of router logging are lost upon router reload, including vital log messages that occurred just before a router crashes due to error.

Another advantage of using a remote syslog server is storage capacity. A router stores logging messages in internal system memory, which severely limits the number of logs messages that can be stored. A syslog server, on the other hand, can store days, weeks, or even months worth of log messages. It is not uncommon for an organization to retain a month or more of archived log messages for examination later.

Finally, being able to view log messages from all of your routers in a single location can be quite useful. Forwarding all router log messages to a common logfile can assist fault isolation, problem resolution, network forensics, and security investigations. In addition, parsing router logfiles by using custom scripts can provide an excellent understanding of network health. In addition, many network management software vendors now include tools to handle syslog messages.

The example below illustrates a router configured with two remote syslog servers:

Router>show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
   Console logging: level debugging, 654 messages logged
   Monitor logging: level debugging, 65 messages logged
   Buffer logging: level debugging, 2 messages logged
   Logging Exception size (4096 bytes)
   Trap logging: level informational, 658 message lines logged
        Logging to 172.25.1.1, 1 message lines logged
        Logging to 172.25.1.3, 1 message lines logged
        
Log Buffer (4096 bytes):
Router>

The syslog protocol resides on UDP port 514, and messages are forwarded asynchronously without acknowledgements from the server. In other words, communications between the router and server flow in a single direction, with the server acting as a passive receiver.

By default, the router sends its log messages tagged with only its IP address. In some instances, it is useful to tag the log messages with the router hostname as well. This is especially true if the syslog packets pass through a NAT device. The ability to tag syslog messages was introduced in IOS Version 12.2(15)T:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#logging origin-id hostname
Router2(config)#end
Router2#

Before hostname tagging is enabled, the syslog server captures an example log message by only its IP address. Note that if the router IP address could be resolved by the syslog server, then the IP address would be converted to the resolved hostname. Here's an example of a normal syslog message:

Jul 15 20:35:07 172.25.1.100: Jul 15 20:35:07.499 EDT: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty0 (172.25.1.1)

After hostname tagging is enabled, the router's hostname is embedded within the log message. We've highlighted the embedded hostname:

Jul 15 20:37:05 172.25.1.100: Router2: Jul 15 20:37:05.173 EDT: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty0 (172.25.1.1)

Setting the Log Size

Problem

You want to change the size of the router's log.

Solution

You can use the optional size attribute with the logging buffered configuration command to change the size of your router's internal log buffer:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#logging buffered 16000
Router(config)#end
Router#

Be careful, though, because adjusting the size of the router's logging buffer wipes out all of the current contents of the buffer.

Discussion

The typical default size of a router's logging buffer is 4,096 bytes (although some high-end routers will default to a higher value). A buffer of this size can hold approximately 50 log messages before overwriting occurs. Fifty messages, although better than no logging, is relatively small, and most engineers will want increase their buffer size to store more messages. To check the size of your router's logging buffer, use the show buffer command:

Router>show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
   Console logging: level debugging, 653 messages logged
   Monitor logging: level debugging, 65 messages logged
   Buffer logging: level debugging, 1 messages logged
   Logging Exception size (4096 bytes)
   Trap logging: level informational, 657 message lines logged
        
Log Buffer (16000 bytes): 
Router>

As you can see, this router's buffer size is currently set to 16,000 bytes (roughly 16 KB).

The router will theoretically accept a wide range of buffer sizes ranging from 4,096 bytes (nothing smaller) to an astronomical 2,147,483,647 bytes (about 2 GB). Exercise caution when choosing the size of your logging buffer because it comes out of the router's system memory. A good rule is to set your logging buffer to 16 KB for smaller routers. Routers with more than 32 MB of memory can safely dedicate 32 KB, or even 64 KB, without problems. To be safe, always check the amount of free memory on your router with the show memory command before increasing your buffer size.

We note in passing that you can combine the keywords in Recipe 18.1 and 18.2 into a single router command:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#logging buffered 16000 informational
Router(config)#end
Router#

In this case, we set the buffer size to 16,000 bytes, and the severity level to informational, by using a single configuration command.

Clearing the Router's Log

Problem

You want to clear the router's log buffer.

Solution

Use the clear logging command to clear the router's internal log buffer:

Router#clear logging
Clear logging buffer [confirm]
Router#

Discussion

There are times when it is useful to be able to clear your router's internal buffer log. For instance, while debugging a network problem, old debug messages can cause unnecessary confusion during stressful moments. This will clear the router log:

Router#clear logging
Clear logging buffer [confirm]
Router>show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
   Console logging: level debugging, 64201 messages logged
   Monitor logging: level debugging, 64820 messages logged
   Buffer logging: level debugging, 9 messages logged
   Logging Exception size (4096 bytes)
   Trap logging: level debugging, 2253 message lines logged
       Logging to 172.25.1.1, 2253 message lines logged
        
Log Buffer (4096 bytes):
Router>

Note that this command has no effect on the other forms of logging

Enabling Local Router Logging

Problem

You want your router to record log messages, instead of just displaying them on the console.

Solution

Use the logging buffered configuration command to enable the local storage of router log messages:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#logging buffered informational
Router(config)#end
Router#

Discussion

This feature causes the router to store all log messages to a revolving buffer called the logging buffer. Many network administrators find it convenient and useful to keep detailed router logs on the router itself. The router discards its oldest messages to make room for new ones. This ensures that the logging buffer contains the most recent messages without depleting the router's RAM. You can use the show logging command to view this buffer:

Router>show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
   Console logging: level debugging, 653 messages logged
   Monitor logging: level debugging, 65 messages logged
   Buffer logging: level informational, 1 messages logged
   Logging Exception size (4096 bytes)
   Trap logging: level informational, 657 message lines logged
        
Log Buffer (4096 bytes):
Mar 26 09:02:25: %SEC-6-IPACCESSLOGS: list 99 denied 172.16.2.2 5 packets
Mar 26 09:04:56: %CLEAR-5-COUNTERS: Clear counter on all interfaces on vty1 
Mar 26 09:05:13: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty1 
Router>

Note that the default severity logging level is set to debugging. You can adjust the severity level of the buffered log with the severity level keyword. In the example in the Solution section, we configured the router with the keyword informational. This will cause it to ignore debugging messages, but retain all other system log messages.

The log messages appear in order from oldest to most recent. By default, the show logging command displays all messages contained in the log buffer. However, you can display specific message types by using output modifiers:

Router>show log | include denied
Apr  7 21:16:12 EDT: %SEC-6-IPACCESSLOGS: list 98 denied 172.25.25.1 19 packets
Apr  7 21:21:12 EDT: %SEC-6-IPACCESSLOGS: list 98 denied 172.25.1.5 1 packet
Apr  7 21:26:12 EDT: %SEC-6-IPACCESSLOGS: list 98 denied 172.25.25.1 19 packets
Apr  7 21:31:13 EDT: %SEC-6-IPACCESSLOGS: list 98 denied 172.25.25.1 5 packets
Apr  7 21:33:13 EDT: %SEC-6-IPACCESSLOGS: list 98 denied 172.25.1.5 16 packets
Apr  7 21:36:13 EDT: %SEC-6-IPACCESSLOGS: list 98 denied 172.25.25.1 5 packets
Router>

By using output modifiers, you can display a single type of message based on a regular expression, similar to the grep command in Unix.

We discussed the importance of accurate time keeping and log time stamping in Chapter 14, where we highly recommended enabling log time stamps to help make the log messages more meaningful.

To disable the router's logging buffer, use the following command:

Router#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#no logging buffered
Router(config)#end
Router#

Sample router log messages-Cisco logging severity levels

Many network administrators overlook the importance of router logs. Logging is critical for fault notification, network forensics, and security auditing.

Cisco routers handle log messages in five ways:

By default, the router sends all log messages to its console port. Only users that are physically connected to the router console port may view these messages, though. This is called console logging.
Terminal logging is similar to console logging, but it displays log messages to the router's VTY lines instead. This type of logging is not enabled by default, so if you want to use it, you need to need activate it for each required line.
Buffered logging creates a circular buffer within the router's RAM for storing log messages. This circular buffer has a fixed size to ensure that the log will not deplete valuable system memory. The router accomplishes this by deleting old messages from the buffer as new messages are added.
The router can use syslog to forward log messages to external syslog servers for centralized storage. This type of logging is not enabled by default. Much of this chapter is devoted to configuring remote syslog features. The router sends syslog messages to the server on UDP port 514. The server does not acknowledge these messages.
With SNMP trap logging, the router is able to use SNMP traps to send log messages to an external SNMP server. This is an effective method of handling log messages in a SNMP-based environment, but it has certain limitations. We will discuss this logging method in Chapter 17, which deals with SNMP configuration.

Cisco log messages are categorized by severity level, following the structure and format of the 4.3BSD Unix syslog framework. In particular, router log messages follow the syslog's severity levels, as shown in Table 18-1. Note that the lower the severity level, the more critical the log message is.

Table 18-1. Cisco logging severity levels
Level	Level name	Description	Syslog definition
0	Emergencies	Router unusable	LOG_EMERG
1	Alerts	Immediate action needed	LOG_ALERT
2	Critical	Critical conditions	LOG_CRIT
3	Errors	Error conditions	LOG_ERR
4	Warnings	Warning conditions	LOG_WARNING
5	Notifications	Normal but important conditions	LOG_NOTICE
6	Informational	Informational messages	LOG_INFO
7	Debugging	Debugging messages	LOG_DEBUG

Here is an example of a log message that shows the typical format of Cisco router log messages:

Apr 12 14:01:16: %CLEAR-5-COUNTERS: Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)

As you can see, the log message is broken into three sections that are delimited by colons. The first section is the optional date and time section that is enabled by using the service timestamp configuration command. A detailed discussion of timestamps can be found in Chapter 14.

The second part of the log message, %CLEAR-5-COUNTERS, gives the message code and severity level. In the example log message above, the message code family is CLEAR, the priority level is -5-, which indicates a Notifications severity-level message, and a family type of COUNTERS. All Cisco log messages are arranged in this manner. There are many different message codes, such as FRAME for frame relay messages, SYS for system messages, and LINK for interface messages. Within each message code, log messages are categorized by severity type: 7 is the least severe to 0 is the most critical, following the syslog model. Finally, each specific message type is assigned a unique message code, such as COUNTERS, in this case, or UPDOWN for LINK messages, and so forth.

The final section of a log is the message body, which contains human readable text. The example message above contains the message body "Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)". The message body generally contains easy to understand text as well as some custom variables, such as ijbrown and vty0, in this case, which help to make log messages more meaningful.

Table 18-2 shows a typical log message for each of the eight severity levels.

Table 18-2. Sample router log messages
Level	Level name	Sample router messages
0	Emergencies	System shutting down due to missing fan tray
1	Alerts	Core CRITICAL Temperature limit exceeded
2	Critical	Memory allocation failures
3	Errors	Interface Up/Down messages
4	Warnings	Configuration file written to server, via SNMP request
5	Notifications	Line protocol Up/Down
6	Informational	Access-list violation logging
7	Debugging	Debug messages

You will rarely see log messages with severity levels of Alert or Emergency because any problems this severe generally mean the router is inoperable.

Using SAA

Problem

You want to configure the routers to automatically poll one another to collect performance statistics.

Solution

Cisco supplies a feature called the Service Assurance Agent (SAA) in IOS Version 12.0(5)T and higher, which allows the routers to automatically poll one another to collect end-to-end performance statistics:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#rtr responder
Router1(config)#rtr 10
Router1(config-rtr)#type echo protocol ipIcmpEcho 10.1.2.3
Router1(config-rtr)#tag ECHO_TEST
Router1(config-rtr)#threshold 1000
Router1(config-rtr)#frequency 300
Router1(config-rtr)#exit
Router1(config)#rtr schedule 10 life 2147483647 start-time now 
Router1(config)#rtr 20
Router1(config-rtr)#type jitter dest-ipaddr 10.1.2.3 dest-port 99 num-packets 100
Router1(config-rtr)#tag JITTER_TEST
Router1(config-rtr)#frequency 300
Router1(config-rtr)#exit
Router1(config)#rtr schedule 20 life 100000 start-time now ageout 3600
Router1(config)#exit
Router1#

The target router, which is specified as the destination in both of these tests, 10.1.2.3, must be configured to respond to SAA tests as follows:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#rtr responder
Router2(config)#exit
Router2#

Discussion

The SAA feature includes replaces the earlier Round Trip Reporter (RTR) and Route Trip Time Monitor (RTTMON) facilities, which were available in IOS Version 11.3, and uses the same basic syntax. However, where RTR only includes some simple round-trip PING and SNA tests, SAA includes several more interesting and useful features.

The first line in the example is the rtr responder command. This is required on all routers that will be taking part in SAA, including the targets of these tests. You will notice, for example, that both of the tests use a target IP address of 10.1.2.3. This destination must be another Cisco router that is also configured with the rtr responder command.

In this example, we have configured two tests. We have given the first test the arbitrary number, 10, and a name ECHO_TEST. The second test is number 20, and is called JITTER_TEST. Note that you don't actually need to give your SAA tests names, but it is a good idea if you have several of them. This name, or tag, is included in the SAA SNMP MIB table for this test. So, if you intend to download the test data via SNMP for performance management purposes, it can be extremely useful to name your tests.

Let's look at both of these example tests in more detail.

The first test does an ICMP echo (PING) to the destination device, 10.1.2.3:

Router1(config)#rtr 10
Router1(config-rtr)#type echo protocol ipIcmpEcho 10.1.2.3
Router1(config-rtr)#tag ECHO_TEST
Router1(config-rtr)#threshold 1000
Router1(config-rtr)#frequency 300
Router1(config-rtr)#exit

The threshold command defines a minimum interesting threshold, which in this case is set to 1,000 milliseconds. This allows you to count the number of ping tests where the round-trip time was greater than one second, in addition to keeping track of the PING times and number of PING failures, which we will show in a moment.

Next is the frequency command, which defines how often this test will be run in seconds. In this case, we want the test to run every five minutes (300 seconds).

Then, once you have defined the test in the rtr configuration block, you have to tell the router when to run it. This is done with the rtr schedule command:

Router1(config)#rtr schedule 10 life 2147483647 start-time now

This command defines the schedule for running test number 10. It sets a lifetime for this test of 2,147,483,647 seconds (a very long time), which is the maximum value. This effectively means that this test will continue to run indefinitely. It is scheduled to start immediately.

Note that when we scheduled the second test, we used slightly different parameters:

Router1(config)#rtr schedule 20 life 100000 start-time now ageout 3600

In this case, the test is scheduled to run only for 100,000 seconds, which is about 27 hours. We have also configured an ageout value of 3,600 seconds for this test. This says that the router will keep this test rule in memory for this length of time after it expires. This allows you to restart the test if you want to, without needing to reconfigure it.

You can view the data for the first test as follows:

Router1#show rtr operational-state 10
     Current Operational State
Entry Number: 10
Modification Time: 18:51:53.000 EST Tue Dec 17 2002
Diagnostics Text:
Last Time this Entry was Reset: Never
Number of Octets in use by this Entry: 1910
Connection Loss Occurred: FALSE
Timeout Occurred: FALSE
Over Thresholds Occurred: FALSE
Number of Operations Attempted: 203
Current Seconds Left in Life: 2147483647
Operational State of Entry: active
Latest Completion Time (milliseconds): 54
Latest Operation Start Time: 11:41:53.000 EST Wed Dec 18 2002
Latest Operation Return Code: ok
Latest 10.1.2.3

In this output, you can see that it has run this test 203 times, and the last test took 54 milliseconds, and completed successfully. Note that it doesn't give a running average PING time. However, one of the nicest features of SAA is that you can configure a network management station to download this data using SNMP, provided you have the SAA MIB loaded on your server.

The second test is considerably more interesting. This test measures jitter between the routers by sending a series of UDP packets and looking at the time differences between consecutive packets at both ends:

Router1(config)#rtr 20
Router1(config-rtr)#type jitter dest-ipaddr 10.1.2.3 dest-port 99 num-packets 100
Router1(config-rtr)#tag JITTER_TEST
Router1(config-rtr)#frequency 300
Router1(config-rtr)#exit
Router1(config)#rtr schedule 20 life 100000 start-time now ageout 3600

The type command defines a jitter test to the same destination IP address as the previous test. In this case, we have decided to use UDP port 99 for our test, and each test run will consist of 100 packets. The frequency command tells the router to run this test every five minutes. Here is some sample output from this test:

Router1#show rtr operational-state 20
     Current Operational State
Entry Number: 20
Modification Time: 10:25:36.000 EST Wed Dec 18 2002
Diagnostics Text:
Last Time this Entry was Reset: Never
Number of Octets in use by this Entry: 1742
Number of Operations Attempted: 22
Current Seconds Left in Life: 93400
Operational State of Entry: active
Latest Operation Start Time: 12:10:36.000 EST Wed Dec 18 2002
RTT Values:
NumOfRTT: 98    RTTSum: 6063    RTTSum2: 384317
Packet Loss Values:
PacketLossSD: 0 PacketLossDS: 2
PacketOutOfSequence: 2  PacketMIA: 0    PacketLateArrival: 0
InternalError: 0        Busies: 0
Jitter Values:
MinOfPositivesSD: 4     MaxOfPositivesSD: 14
NumOfPositivesSD: 32    SumOfPositivesSD: 175   Sum2PositivesSD: 1111
MinOfNegativesSD: 1     MaxOfNegativesSD: 5
NumOfNegativesSD: 60    SumOfNegativesSD: 175   Sum2NegativesSD: 547
MinOfPositivesDS: 1     MaxOfPositivesDS: 45
NumOfPositivesDS: 20    SumOfPositivesDS: 78    Sum2PositivesDS: 2166
MinOfNegativesDS: 1     MaxOfNegativesDS: 16
NumOfNegativesDS: 21    SumOfNegativesDS: 69    Sum2NegativesDS: 693

There is a clearly a lot more information in this test output. This is because measuring jitter is not a simple single variable test. What you want from a jitter measurement is to characterize the statistical distribution of packet-by-packet variation in latency in the forward and backward directions, as well as for the round trip. All of this information is here. Note that as with the SAA PING test we discussed earlier, the router only records the results of the most recent test. If you want to keep historical records, you need to poll and download the SAA MIB tables once per poll cycle.

The first set of numbers includes the Round Trip Time (RTT) values. You can see that this sample included 98 packets. The total of all of the round trip times of all of these packets was 6,063 milliseconds, and the sum of the squares of all of these times was 384,317 milliseconds. These values are not extremely meaningful in themselves, but if you divide the RTTSum value by the number of measurements, you get the average latency for this set of packets, roughly 61 milliseconds.

Applying some simple statistics, you can use the square value to understand how the actual values are spread around this average. The mean of the squares of the round-trip times is 3,922 milliseconds2 (just dividing the sum of the squares by the total number of samples). If you subtract the square of the average from this value, and take the square root, you get a statistical estimate of the variation in milliseconds. The higher this value, the greater the spread. In this case, you can calculate that this spread is roughly 10 milliseconds. This means that half of the time, the round trip latency is within the range 61 ± 10ms. Note that the ± symbol is a standard mathematical notation that, in this case, indicates a range from 51 ms (61 10) to 71 ms (61 + 10).

The next set of data records dropped packets. Recall that the sample size is 100 packets, but the NumOfRTT value is only 98. So the network must have dropped two of our test packets. SAA separately keeps track of packets lost in both directions, source to destination (PacketLossSD) and destination to source (PacketLossDS). This router is the source; the other router is the destination. So in this example, both of the lost packets happened on the way back. Notice also that the output claims that there were two out-of-sequence packets during this test, which is consistent with the number of dropped packets.

The next group of numbers includes the actual jitter measurements. There are two groups of numbers here. The variables that end with "SD" are measured from the source to the destination, and "DS" are for the return path. Within each of these groups there are two subgroups, one for "positives" and the other for "negatives." Positives are events where the spacing between two packets has increased since the last pair of successive packets. The "Negatives" counters record all of the times that the interpacket spacing decreased. Now let's look a little bit more closely at one set of values:

MinOfPositivesSD: 4     MaxOfPositivesSD: 14
NumOfPositivesSD: 32    SumOfPositivesSD: 175   Sum2PositivesSD: 1111

This says that of the 100 packets the router sent in this polling interval, there were 32 cases when the jitter in the forward direction had a positive value. Of these, the largest value was 14 milliseconds, and the smallest was 4 milliseconds. Then we can use the sum and the sum of the squares to calculate the average and spread of values in precisely the same way as we did to calculate the average latency a moment ago. The result here is that half the time the positive jitter in this direction was within the range 5.5 ± 2.2 ms.

Applying this same technique to the other jitter measurements gives the following statistics. The negative jitter from source to destination was 2.9 ± 0.8 ms, with a maximum of 5 ms and a minimum value of 1 ms. In the other direction, the positive jitter was 3.9 ± 9.6 ms, and the negative jitter was 3.3 ± 4.7 ms. These last two values might look a little bit funny because the spread is larger than the mean. This is actually not bad, though, because the output also shows that the maximum positive jitter in this direction was 45 ms, and 16 ms for negative jitter. So clearly, the spread is very large, but the mean jitter values are relatively small. This is a fairly typical result

Strong SNMPv3 Encryption

Problem

You want to increase the strength of SNMPv3 encryption.

Solution

Starting with IOS Version 12.4(2)T, Cisco introduced support for stronger encryption capabilities. To enable 3DES use the following command:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#snmp-server user wbrejniak ORAROV3 v3 auth md5 authpass priv 3des privpass
Router1(config)#end                                                                      
Router1#

To enable AES encryption of SNMPv3 traffic, use the following command:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#snmp-server user wbrejniak ORAROV3 v3 auth md5 authpass priv aes 128 privpass
Router1(config)#end
Router1#

Discussion

Beginning with IOS Version 12.4(2)T, Cisco enhanced the encryption capabilities of SNMPv3 by adding support for 3DES and Advanced Encryption Standard (AES). The addition of AES 128-bit encryption meets the RFC 3826 standard. In addition, Cisco has also added support for 168-bit 3DES, and 192-bit and 256-bit AES encryption, which is currently not part of the RFC standard.

AES and 3DES encryption are only supported in IOS images that support encryption services.

To display the user encryption method to confirm configuration, use the show snmp user command:

Router1#show snmp user wbrejniak

User name: wbrejniak
Engine ID: 800000090300000E84244E70
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: 3DES
Group-name: ORAROV3

Router1#

Notice that user wbrejniak is currently configured to use 3DES encryption, as highlighted in our previous example:

Router1#show snmp user wbrejniak

User name: wbrejniak
Engine ID: 800000090300000E84244E70
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: ORAROV3

Router1#

Now notice that we've changed the configuration of user wbrejniak to support AES 128-bit encryption.

In our next example, we'll use Net-SNMP to extract the hostname using strong encryption. Please note that Net-SNMP currently only supports DES 56-bit and AES 128-bit encryption because they are standards based:

Freebsd% snmpget -v 3 -u wbrejniak -l authPriv -a md5 -A authpass -x aes -X privpass 172.25.1.101 sysName.0
SNMPv2-MIB::sysName.0 = STRING: Router1.oreilly.com
Freebsd%

XML-Formatted Log Messages

Problem

Solution

Discussion

Table 18-4. X ML Tags used for syslog messages

See Also

Enabling Error Log Counting

Problem

Solution

Discussion

Rate-Limiting Syslog Traffic

Problem

Solution

Discussion

Testing the Syslog Sever Configuration

Problem

Solution

Example 18-2. testlog.sh

Discussion

Preventing the Most Common Messages from Being Logged

Problem

Solution

Discussion

Maintaining Syslog Files on the Server

Problem

Solution

Example 18-1. rotatelog.sh

Discussion

Logging Router Syslog Messages in Different Files

Problem

Solution

Discussion

See Also

Setting the IP Source Address for Syslog Messages

Problem

Solution

Discussion

See Also

Restricting What Log Messages Are Sent to the Server

Problem

Solution

Discussion

Changing the Default Log Facility

Problem

Solution

Discussion

Table 18-3. Cisco logging facility types

See Also

Enabling Syslog on a Unix Server

Problem

Solution

Discussion

See Also

Sending Log Messages to Your Screen

Problem

Solution

Discussion

Using a Remote Log Server

Problem

Solution

Discussion

See Also

Setting the Log Size

Problem

Solution

Discussion

See Also

Clearing the Router's Log

Problem

Solution

Discussion

Enabling Local Router Logging

Problem

Solution

Discussion

See Also

Table 18-1. Cisco logging severity levels

Table 18-2. Sample router log messages

Using SAA

Problem