Sample Router Log Messages

Started by certforumz, December 26, 2011, 12:29:07 AM


certforumz

Logging is critical for fault notification, network forensics, and security auditing.

Cisco routers handle log messages in five ways:

    By default, the router sends all log messages to its console port. Only users that are physically connected to the router console port may view these messages, though. This is called console logging.

    Terminal logging is similar to console logging, but it displays log messages to the router's VTY lines instead. This type of logging is not enabled by default, so if you want to use it, you need to activate it for each required line.

    Buffered logging creates a circular buffer within the router's RAM for storing log messages. This circular buffer has a fixed size to ensure that the log will not deplete valuable system memory. The router accomplishes this by deleting old messages from the buffer as new messages are added.

    The router can use syslog to forward log messages to external syslog servers for centralized storage. This type of logging is not enabled by default. Much of this chapter is devoted to configuring remote syslog features. The router sends syslog messages to the server on UDP port 514. The server does not acknowledge these messages.

    With SNMP trap logging, the router is able to use SNMP traps to send log messages to an external SNMP server. This is an effective method of handling log messages in an SNMP-based environment, but it has certain limitations. We will discuss this logging method in Chapter 17, which deals with SNMP configuration.

Log message levels are as given below:

Level   Level name      Description                         Syslog definition
0       Emergencies     Router unusable                     LOG_EMERG
1       Alerts          Immediate action needed             LOG_ALERT
2       Critical        Critical conditions                 LOG_CRIT
3       Errors          Error conditions                    LOG_ERR
4       Warnings        Warning conditions                  LOG_WARNING
5       Notifications   Normal but important conditions     LOG_NOTICE
6       Informational   Informational messages              LOG_INFO
7       Debugging       Debugging messages                  LOG_DEBUG

Here is an example of a log message that shows the typical format of Cisco router log messages:

Apr 12 14:01:16: %CLEAR-5-COUNTERS: Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)

As you can see, the log message is broken into three sections that are delimited by colons. The first section is the optional date and time section that is enabled by using the service timestamp configuration command. A detailed discussion of timestamps can be found in Chapter 14.

The second part of the log message, %CLEAR-5-COUNTERS, gives the message code and severity level. In the example log message above, the message code family is CLEAR, the priority level is -5-, which indicates a Notifications severity-level message, and the family type is COUNTERS. All Cisco log messages are arranged in this manner. There are many different message codes, such as FRAME for frame relay messages, SYS for system messages, and LINK for interface messages. Within each message code, log messages are categorized by severity type, from 7, the least severe, to 0, the most critical, following the syslog model. Finally, each specific message type is assigned a unique message code, such as COUNTERS in this case, or UPDOWN for LINK messages, and so forth.

The final section of a log is the message body, which contains human-readable text. The example message above contains the message body "Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)". The message body generally contains easy-to-understand text as well as some custom variables, such as ijbrown and vty0 in this case, which help to make log messages more meaningful.

Level   Level name      Sample router messages
0       Emergencies     System shutting down due to missing fan tray
1       Alerts          Core CRITICAL Temperature limit exceeded
2       Critical        Memory allocation failures
3       Errors          Interface Up/Down messages
4       Warnings        Configuration file written to server, via SNMP request
5       Notifications   Line protocol Up/Down
6       Informational   Access-list violation logging
7       Debugging       Debug messages
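The three-part structure described in the post (optional timestamp, %FACILITY-SEVERITY-MNEMONIC, message body) is what a collector has to split apart before it can route or alert on router messages. The following parser is an added example written for this page; it is not code from the post or from Cisco. It uses the severity table above, tolerates the timestamp being absent (as it is when "service timestamps" is not configured) or prefixed by a sequence number, and pulls the "by <user> on <line> (<address>)" audit fields out of the body. The sample lines other than the post's own CLEAR-5-COUNTERS message are constructed for illustration, and the FANTRAY mnemonic is invented, not a real Cisco message code.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Severity table as given in the post: level -> (level name, syslog constant).
SEVERITIES = {
    0: ("Emergencies", "LOG_EMERG"),
    1: ("Alerts", "LOG_ALERT"),
    2: ("Critical", "LOG_CRIT"),
    3: ("Errors", "LOG_ERR"),
    4: ("Warnings", "LOG_WARNING"),
    5: ("Notifications", "LOG_NOTICE"),
    6: ("Informational", "LOG_INFO"),
    7: ("Debugging", "LOG_DEBUG"),
}

# Optional sequence number, optional timestamp (only present when "service
# timestamps" is configured), then %FACILITY-SEVERITY-MNEMONIC, then the body.
# The sequence-number and leading-asterisk tolerance are assumptions made here.
_LOG_RE = re.compile(
    r"^(?:\d+: )?"
    r"(?:(?P<ts>\*?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?): )?"
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<body>.*)$"
)

# Audit fields that appear in bodies such as "... by ijbrown on vty0 (172.25.1.1)".
_ACTOR_RE = re.compile(r"\bby (?P<user>\S+) on (?P<line>\S+) \((?P<source>[^)]+)\)")


@dataclass
class CiscoLogMessage:
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    body: str

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity][0]

    @property
    def syslog_name(self) -> str:
        return SEVERITIES[self.severity][1]


def parse_cisco_log(line: str) -> Optional[CiscoLogMessage]:
    """Split one router log line into its three sections; None if it does not match."""
    m = _LOG_RE.match(line.strip())
    if not m:
        return None
    return CiscoLogMessage(
        timestamp=m.group("ts"),
        facility=m.group("facility"),
        severity=int(m.group("severity")),
        mnemonic=m.group("mnemonic"),
        body=m.group("body"),
    )


def extract_actor(body: str) -> Optional[Dict[str, str]]:
    """Return the user, line and source address named in a body, if present."""
    m = _ACTOR_RE.search(body)
    return m.groupdict() if m else None


def filter_at_or_above(lines: Iterable[str], max_level: int) -> List[CiscoLogMessage]:
    """Keep parsed messages whose severity is max_level or more serious (numerically <=)."""
    out = []
    for line in lines:
        msg = parse_cisco_log(line)
        if msg is not None and msg.severity <= max_level:
            out.append(msg)
    return out


# Constructed sample input: the first line is the post's own example, the rest
# are made up for this demonstration (FANTRAY is not a real Cisco mnemonic).
SAMPLE_LINES = [
    "Apr 12 14:01:16: %CLEAR-5-COUNTERS: Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)",
    "Apr 12 14:02:03: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty1 (10.0.0.5)",
    "Apr 12 14:03:40: %SYS-0-FANTRAY: System shutting down due to missing fan tray",
    "this line is not in Cisco log format",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        msg = parse_cisco_log(raw)
        if msg is None:
            print("unparsed:", raw)
            continue
        print(f"{msg.facility}-{msg.severity}-{msg.mnemonic} [{msg.severity_name}/{msg.syslog_name}]",
              extract_actor(msg.body) or "")
    print("warning or worse:", [m.mnemonic for m in filter_at_or_above(SAMPLE_LINES, 4)])
```

Because syslog over UDP 514 is unacknowledged, a collector should treat a gap in sequence numbers or timestamps as possible message loss rather than assume a quiet period; keeping the raw line alongside the parsed fields preserves the evidence for later forensic review.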