Notes - Syslog on IOS-XE
The router can log messages to multiple destinations:
Console
Term monitor (SSH and telnet)
Syslog server
SNMP server
Local buffer (non-persistent)
Local persistent storage
Syslog message format
Syslog messages are in the format:
seq no:timestamp: %facility-severity-MNEMONIC:description
The sequence numbers feature causes a sequence number to increment for every message. It can be enabled using:
service sequence-numbers
The timestamp can be added to log/debug messages and can use the date or the uptime of the device. You can optionally add the msec, year, and timezone to the timestamp.
service timestamps log|debug datetime|uptime [msec] [year] [show-timezone]
The facility is essentially the process that generated the message, such as SNMP, LDP, OSPF, SYS, LINEPROTO, etc.
The severity is a digit from 0-7, with 0 being the most severe.
0 - Emergency
1 - Alert
2 - Critical
3 - Error
4 - Warning
5 - Notification
6 - Informational
7 - Debug
The MNEMONIC is a string that briefly describes the message, such as UPDOWN, ADJCHG, NBRCHG, etc.
The description is a longer string that describes the event, such as “LDP Neighbor 11.11.11.11:0 (4) is UP”
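The following Python parser is an added example, not part of the original notes and not Cisco code. It splits messages in the format above into their fields, filters on the severity digit, and reports skipped sequence numbers, which show that the receiver did not get every message the router numbered. The sample lines, the function names, and the assumption that facility and mnemonic contain only upper-case letters, digits and underscores are made up for the example.

```python
import re

# Severity names from the table above; the list index is the severity digit.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notification", "Informational", "Debug"]

# seq no:timestamp: %facility-severity-MNEMONIC:description
# seq and timestamp are optional because they depend on the "service" commands.
MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<timestamp>[^%]+?):\s*)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$"
)

def parse(line):
    """Split one message into its fields, or return None if it does not match."""
    m = MSG_RE.match(line.strip())
    if m is None:
        return None
    msg = m.groupdict()
    msg["seq"] = int(msg["seq"]) if msg["seq"] else None
    msg["severity"] = int(msg["severity"])
    msg["severity_name"] = SEVERITIES[msg["severity"]]
    return msg

def at_least_as_severe(msgs, level):
    """Keep messages whose severity digit is equal to or less than level."""
    return [m for m in msgs if m["severity"] <= level]

def seq_gaps(msgs):
    """Return (last_seen, next_seen) pairs where sequence numbers were skipped."""
    seqs = [m["seq"] for m in msgs if m["seq"] is not None]
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]

# Constructed sample lines (not captured from a real device).
SAMPLE = """\
000101: *Mar  1 00:01:02.123: %LDP-5-NBRCHG: LDP Neighbor 11.11.11.11:0 (4) is UP
000102: *Mar  1 00:01:05.456: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi1, changed state to down
000105: *Mar  1 00:01:09.789: %SYS-3-EXAMPLE: constructed error-level message
00:02:11: %OSPF-5-ADJCHG: constructed message with an uptime timestamp and no sequence number
"""

MESSAGES = [m for m in map(parse, SAMPLE.splitlines()) if m]

if __name__ == "__main__":
    for m in at_least_as_severe(MESSAGES, 4):
        print(m["seq"], m["facility"], m["severity_name"], m["mnemonic"])
    print("sequence gaps:", seq_gaps(MESSAGES))
```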
Enabling/Disabling Logging
By default logging is enabled. To turn it off you can use:
no logging on
However, you will still see logging messages output to the console. To disable this you must also use:
no logging console
Logging Buffer
The logging buffer is not persistent - the messages are lost upon a reboot.
You can control the size of the buffer using:
logging buffered <size in bytes>
You can control the level of log messages that are written to the buffer using:
logging buffered <size> <severity>
You can confirm the settings using show logging:
logging buffered 8192 informational

The above command show logging also displays the contents of the buffer.
Logging to Console and VTY lines
The console and VTY lines are configured separately.
You can set the logging level as follows. All log messages with a severity level numerically equal to or less than the specified value (that is, equally or more severe) are sent to the line:
logging console <severity>
logging monitor <severity>
You can rate-limit the console messages only, or all logging messages. The all keyword means that debug messages are included in the rate limit.
logging rate-limit [all] <messages per second>
!
! or
!
logging rate-limit console [all] <messages per second>
You should also configure synchronous logging for the console line. This makes the logging process wait for the terminal to finish printing a line before outputting the logging message.
line con 0
logging sync
This is also configurable on the VTY lines, but I have never seen this used. Perhaps it is enabled by default for VTY?
line vty 0 15
logging sync
Logging to a Syslog Server
You configure the logging severity level for the syslog server using:
logging trap <severity>
You configure the remote syslog server using the following command.
logging host 1.1.1.1
The default transport is UDP/514. You can configure this using:
logging host 1.1.1.1 transport tcp|udp port <port number>
Set the source-interface as follows:
logging source-interface Lo0
The facility code can be configured at the global level, not per-server. This is used to multiplex messages. The syslog server can separate log messages based on the facility - directing the messages to separate files, etc.
logging facility local1
You can set the queue depth for logs that are forwarded to a syslog server using:
logging queue-limit trap <number>
Logging to persistent memory
The logging buffer is lost upon reboots. You can additionally configure logs to be sent to a persistent directory at a given URL. The URL can be the local bootflash.
logging persistent url bootflash:/syslog/

You can control the max filesize of an individual log file using:
logging persistent filesize <bytes>
Logging to SNMP server
You can send syslog messages using SNMP traps. You must first enable SNMP traps for syslog and define the SNMP host.
snmp-server enable traps syslog
snmp-server host 1.1.1.1 COMMUNITY
You then set the SNMP syslog notification level using:
logging history <severity>
The idea is that syslog first sends the log to a dedicated history buffer, and then the agent replicates the messages as SNMP traps. This is the reason for the “logging history” syntax.