Configuring Syslog Server Parameters in Cisco IOS

In document Tcl Scripting for Cisco IOS (Page 130-133)

By default, Cisco IOS displays these syslog messages on the console, along with the date and time the syslog message occurred (timestamp). If you do not want to see every syslog message printed on the console, but instead only want to be notified of severity 3 messages or lower, configure the following:

Router#config terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#logging console errors

Only severity 3 (or worse, meaning severity 0, 1, or 2) syslog messages will appear on the console.

By default, syslog messages will have a timestamp with the date and time, including the millisecond entry, of the message. It is also possible to change the format of the timestamp, which begins each message. For example, to change the timestamp to use the uptime of the Cisco IOS device, enter the following:

Router(config)#service timestamps log uptime

Note By default, Cisco IOS uses uptime for service timestamps. To enable a timestamp field with the date and time, you must use the following command in configuration mode:

Router(config)#service timestamps log datetime

With service timestamps log uptime configured, the syslog messages will have a timestamp showing the uptime of the Cisco IOS device, in other words, how much time has elapsed since the device booted up.

It is also possible to completely disable the timestamps from appearing in the syslog messages. To do so, configure the following:

syslogSender#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

syslogSender(config)#no service timestamps log

syslogSender(config)#end

syslogSender#

Sequence numbers can be optionally included before the timestamp. To enable this, configure service sequence-numbers, as shown here:

syslogSender#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

syslogSender(config)#service sequence-numbers

syslogSender(config)#end

syslogSender#

000039: *Jan 9 21:12:12.751: %SYS-5-CONFIG_I: Configured from console by console

syslogSender#

In the preceding example, you can see that the sequence number has been added to the beginning of the syslog message before the timestamp. In this case, the sequence number is 39. Sequence numbers enable you to determine whether messages have been dropped or lost.
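
The following Python sketch is an added example, not code from the book: it parses IOS syslog lines in the layouts shown on this page (optional sequence number, optional datetime or uptime timestamp, then %FACILITY-SEVERITY-MNEMONIC), reports skipped sequence numbers, and applies the same severity threshold as logging console errors. The function names parse, at_or_worse and missing_sequences are hypothetical, and two of the sample lines are constructed.

```python
import re

# Level keywords accepted by "logging console <level>" and their severities.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# [sequence: ][timestamp: ]%FACILITY-SEVERITY-MNEMONIC: text
LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?(?:(?P<ts>.+?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$")

def parse(line):
    """Return a dict for one IOS syslog line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"]) if rec["seq"] else None
    rec["sev"] = int(rec["sev"])
    return rec

def at_or_worse(records, level):
    """Apply the same threshold as 'logging console errors': sev <= 3."""
    return [r for r in records if r["sev"] <= LEVELS[level]]

def missing_sequences(records):
    """List sequence numbers skipped between consecutive received messages."""
    missing, prev = [], None
    for rec in records:
        seq = rec["seq"]
        if seq is None:          # service sequence-numbers not enabled
            continue
        if prev is not None and seq > prev + 1:
            missing.extend(range(prev + 1, seq))
        prev = seq               # a lower value is taken as a counter restart
    return missing

# First and last lines are from the page; the two LINK/LINEPROTO lines are
# constructed sample input.
SAMPLE = """\
000039: *Jan 9 21:12:12.751: %SYS-5-CONFIG_I: Configured from console by console
000040: *Jan 9 21:12:30.102: %LINK-3-UPDOWN: Interface Gi0/1, changed state to down
000043: *Jan 9 21:13:02.418: %LINEPROTO-5-UPDOWN: Line protocol on Gi0/1 is up
2d20h: %LDP-5-NBRCHG: LDP Neighbor 10.131.159.251:0 (2) is UP
"""
RECORDS = [r for r in map(parse, SAMPLE.splitlines()) if r]

if __name__ == "__main__":
    print("missing sequence numbers:", missing_sequences(RECORDS))
    print("severity 3 or worse:", [r["mnemonic"] for r in at_or_worse(RECORDS, "errors")])
```

On a collector, a non-empty result from missing_sequences for a given device is the signal that messages were lost in transit or rate-limited at the source.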

Messages can also be saved in a small text buffer. The buffer can save only a certain number of messages before becoming full. Once full, the oldest are removed to make space for the newest messages. To configure the buffer size for the syslog messages, change the size of the logging buffer as follows:

Router(config)#logging buffered 1000000

The number 1000000 represents how many bytes of local memory will be used to save outgoing syslog messages. To review all the syslog settings in the Cisco IOS device, enter the following command:

Router#show logging

syslog logging: enabled (0 messages dropped, 12 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

Console logging: level errors, 46 messages logged, xml disabled, filtering disabled

Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled

Buffer logging: level debugging, 9 messages logged, xml disabled, filtering disabled

Exception Logging: size (4096 bytes)

Count and timestamp logging messages: disabled

Persistent logging: disabled

Trap logging: level informational, 72 message lines logged

Log Buffer (1000000 bytes):

2d20h: %SYS-5-CONFIG_I: Configured from console by console

2d20h: %LDP-5-CLEAR_NBRS: Clear LDP neighbors (*) by console

2d20h: %LDP-5-NBRCHG: LDP Neighbor 10.131.159.251:0 (3) is DOWN (User cleared session manually)

2d20h: %LDP-5-NBRCHG: LDP Neighbor 10.131.191.252:0 (4) is DOWN (User cleared session manually)

2d20h: %LDP-5-NBRCHG: LDP Neighbor 10.131.191.252:0 (1) is UP

2d20h: %LDP-5-NBRCHG: LDP Neighbor 10.131.159.251:0 (2) is UP

The output of the command shows various settings related to syslog and the contents of the local buffer, which holds the syslog messages. As you can see, console logging is enabled at level errors, so only messages of severity 3 (or worse) appear on the console.

In addition, the size of the internal buffer has been enlarged to 1000000 bytes, and the buffer stores messages of severity level debugging, that is, severity 7 (or worse).

Now that you have an understanding of the syslog operation in Cisco IOS, you can see how the syslog messages can be sent to a remote host for central correlation.

The syslog protocol allows both User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) to be used to send messages between devices. UDP messages are not acknowledged; they are sent in one direction only. For this reason, TCP support was added to Cisco IOS to provide a small level of guarantee that messages are delivered to the central syslog server. Because it is possible for network interruptions to bring down the TCP connection, a special syslog message is generated every time the TCP connection is established or torn down.

Note The Berkeley Software Distribution (BSD) syslog protocol, described in RFC 3164, does not mention the use of TCP as a method to transport information.

To see a syslog message being sent to a remote host, you must configure the IOS device to begin sending messages to the host, tell it what protocol to use, and provide the IP address of the remote host. In this example, syslog messages will be generated by an IOS router with the hostname of syslogSender:

syslogSender#config terminal

Enter configuration commands, one per line. End with CNTL/Z.

syslogSender(config)#logging host 10.10.10.1 transport tcp port 9500

syslogSender(config)#end

syslogSender#

*Dec 6 22:09:39.175: %SYS-5-CONFIG_I: Configured from console by console

syslogSender#

*Dec 6 22:10:00.231: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.10.10.1 port 9500 started - CLI initiated

syslogSender#

From the previous configuration, the router has been configured to send logging messages to the host (or syslog daemon) with the IP address of 10.10.10.1. In addition, TCP port 9500 will be used for the connection.

Now that the Cisco IOS router has been configured to send the messages to a specific host, we will use a Tcl script to receive the actual syslog messages.

Note The most common method of transporting syslog data is over UDP. Using TCP to transport the messages is less common. The default syslog port is UDP port 514.
