Implementing System Logging
System Logging (Syslog) is the standard application used for sending system log messages. Log messages indicates the health of the device and point to any encountered problems or simplify notification messages according to the severity level. The IOS XR router sends its syslog messages to a syslog process. By default, syslog messages will be sent to the console terminal. But, syslog messages can be send to destinations other than the console such as the logging buffer, syslog servers, and terminal lines.
Syslog Message Format
By default, the general format of syslog messages generated by the syslog process on the Cisco IOS XR software is as follows:
node-id : timestamp : process-name [pid] : % message category -group -severity -message -code : message-text
The following table describes the general format of syslog messages on Cisco IOS XR software.
Field |
Description |
||
---|---|---|---|
node-id |
Node from which the syslog message originated. |
||
timestamp |
Time stamp in the month day HH:MM:SS format, indicating when the message was generated.
|
||
process-name |
Process that generated the syslog message. |
||
size |
Process ID (pid) of the process that generated the syslog message. |
||
[ pid ] |
Message category, group name, severity, and message code associated with the syslog message. |
||
message-text |
Text string describing the syslog message. |
Syslog Message Severity Levels
In the case of logging destinations such as console terminal, syslog servers and terminal lines, you can limit the number of messages sent to a logging destination by specifying the severity level of syslog messages. However, for the logging buffer destination, syslog messages of all severity will be sent to it irrespective of the specified severity level. In this case, the severity level only limits the syslog messages displayed in the output of the command show logging , at or below specified value. The following table lists the severity level keywords that can be supplied for the severity argument and the corresponding UNIX syslog definitions in order from the most severe level to the least severe level.
Severity Keyword |
Level |
Description |
---|---|---|
emergencies |
0 |
System unusable |
alert |
1 |
Immediate action needed |
critical |
2 |
Critical conditions |
errors |
3 |
Error conditions |
warnings |
4 |
Warning conditions |
notifications |
5 |
Normal but significant condition |
informational |
6 |
Informational messages only |
debugging |
7 |
Debugging messages |
Prerequisites for Configuring System Logging
These prerequisites are required to configure the logging of system messages in your network operating center (NOC):
- You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
- You must have connectivity with syslog servers to configure syslog server hosts as the recipients for syslog messages.
Configuring System Logging
Perform the tasks in this section for configuring system logging as required.
Configuring Logging to the Logging Buffer
Syslog messages can be sent to multiple destinations including an internal circular buffer known as logging buffer. You can send syslog messages to the logging buffer using the logging buffered command.
Configuration Example
RP/0/RP0/CPU0:Router# configure
RP/0/RP0/CPU0:Router(config)# logging buffered 3000000
RP/0/RP0/CPU0:Router(config)# commit
Configuring Logging to a Remote Server
Syslog messages can be sent to destinations other than the console, such as logging buffer, syslog servers, and terminal lines. You can send syslog messages to an external syslog server by specifying the ip address or hostname of the syslog server using the logging command. Also you can configure the syslog facility in which syslog messages are send by using the logging facility command.
The following table list the features supported by Cisco IOS XR Software to help managing syslog messages sent to syslog servers.
Features |
Description |
---|---|
UNIX system log facility |
Facility is the identifier used by UNIX to describe the application or process that submitted the log message. You can configure the syslog facility in which syslog messages are sent by using the logging facility command. |
Hostname prefix logging |
Cisco IOS XR Software supports hostname prefix logging. When enabled, hostname prefix logging appends a hostname prefix to syslog messages being sent from the router to syslog servers. You can use hostname prefixes to sort the messages being sent to a given syslog server from different networking devices. Use the logging hostname command to append a hostname prefix to syslog messages sent to syslog servers |
Syslog source address logging |
By default, a syslog message sent to a syslog server contains the IP address of the interface it uses to leave the router. Use the logging source-interface command to set all syslog messages to contain the same IP address, regardless of which interface the syslog message uses to exit the router. |
Configuration Example
RP/0/RP0/CPU0:Router# configure
RP/0/RP0/CPU0:Router(config)# logging 10.3.32.154
RP/0/RP0/CPU0:Router(config)# logging trap warnings
RP/0/RP0/CPU0:Router(config)# logging facility kern (optional)
RP/0/RP0/CPU0:Router(config)# logging hostnameprefix 123.12.35.7 (optional)
RP/0/RP0/CPU0:Router(config)# logging source-interface TenGigE 0/0/0/10(optional)
RP/0/RP0/CPU0:Router(config)# commit
Configuring Logging to Terminal Lines
By default syslog messages will be sent to the console terminal. But, syslog messages can also be send to terminal lines other than the console. You can send syslog messages to the logging buffer using the logging monitor command.
Configuration Example
RP/0/RP0/CPU0:Router# configure
RP/0/RP0/CPU0:Router(config)# logging monitor critical
RP/0/RP0/CPU0:Router(config)# commit
RP/0/RP0/CPU0:Router# terminal monitor
Modifying Logging to Console Terminal
By default syslog messages will be sent to the console terminal. You can modify the logging of syslog messages to the console terminal
Configuration Example
This example shows how to modify the logging of syslog messages to the console terminal.
RP/0/RP0/CPU0:Router# configure
RP/0/RP0/CPU0:Router(config)# logging console alerts
RP/0/RP0/CPU0:Router(config)# commit
Modifying Time Stamp Format
By default, time stamps are enabled for syslog messages. Time stamp is generated in the month day HH:MM:SS format indicating when the message was generated.
Configuration Example
This example shows how to modify the time-stamp for syslog and debugging messages.
RP/0/RP0/CPU0:Router# configure
RP/0/RP0/CPU0:Router(config)# service timestamps log datetime localtime msec or service timestamps log uptime
RP/0/RP0/CPU0:Router(config)# service timestamps debug datetime msec show-timezone or service timestamps debug uptime
RP/0/RP0/CPU0:Router(config)# commit
Suppressing Duplicate Syslog Messages
Suppressing duplicate messages, especially in a large network, can reduce message clutter and simplify the task of interpreting the log. The duplicate message suppression feature substantially reduces the number of duplicate event messages in both the logging history and the syslog file.
Configuration Example
This example shows how to suppress the consecutive logging of duplicate syslog messages.
RP/0/RP0/CPU0:Router# configure
RP/0/RP0/CPU0:Router(config)# logging suppress duplicates
RP/0/RP0/CPU0:Router(config)# commit
Archiving System Logging Messages to a Local Storage Device
Syslog messages can also be saved to an archive on a local storage device, such as the hard disk or a flash disk. Messages can be saved based on severity level, and you can specify attributes such as the size of the archive, how often messages are added (daily or weekly), and how many total weeks of messages the archive will hold. You can create a logging archive and specify how the logging messages will be collected and stored by using the logging archive command.
The following table lists the commands used to specify the archive attributes once you are in the logging archive submode.
Features |
Description |
---|---|
archive-length weeks |
Specifies the maximum number of weeks that the archive logs are maintained in the archive. Any logs older than this number are automatically removed from the archive. |
archive-size size |
Specifies the maximum total size of the syslog archives on a storage device. If the size is exceeded then the oldest file in the archive is deleted to make space for new logs. |
device {disk0 | disk1 | harddisk} |
Specifies the local storage device where syslogs are archived. By default, the logs are created under the directory device/var/log. If the device is not configured, then all other logging archive configurations are rejected. We recommend that syslogs be archived to the harddisk because it has more capacity than flash disks. |
file-size size |
Specifies the maximum file size (in megabytes) that a single log file in the archive can grow to. Once this limit is reached, a new file is automatically created with an increasing serial number. |
frequency {daily | weekly} |
Specifies if logs are collected on a daily or weekly basis. |
severity severity |
Specifies the minimum severity of log messages to archive. All syslog messages greater than or equal to this configured level are archived while those lesser than this are filtered out. |
Configuration Example
This example shows how to save syslog messages to an archive on a local storage device.
RP/0/RP0/CPU0:Router# configure
RP/0/RP0/CPU0:Router(config)# logging archive
RP/0/RP0/CPU0:Router(config-logging-arch)# device disk1
RP/0/RP0/CPU0:Router(config-logging-arch)# frequency weekly
RP/0/RP0/CPU0:Router(config-logging-arch)# severity warnings
RP/0/RP0/CPU0:Router(config-logging-arch)# archive-length 6
RP/0/RP0/CPU0:Router(config-logging-arch)# archive-size 50
RP/0/RP0/CPU0:Router(config-logging-arch)# file-size 10
RP/0/RP0/CPU0:Router(config)# commit