Syslog

Overview

Catalyst switches can be configured to generate an audit trail of messages describing important events that have occurred. These system message logs (syslog) can then be collected and analyzed to determine what has happened, when it happened, and how severe the event was.

When system messages are generated, they always appear in a consistent format, as shown here.

The fields are described below:

  • Timestamp: The date and time from the internal switch clock. By default, the amount of time that the switch has been up is used.
  • Facility Code: A system identifier that categorizes the switch function or module that has generated the message; the facility code always begins with a percent sign.
  • Severity: A number from 0 to 7 that indicates how important or severe the event is; a lower severity means the event is more critical.
  • Mnemonic: A short text string that categorizes the event within the facility code.
  • Message Text: A description of the event or condition that triggered the system message.

Severity Level

  • Emergencies (0)
  • Alerts (1)
  • Critical (2)
  • Errors (3)
  • Warnings (4)
  • Notifications (5)
  • Informational (6)
  • Debugging (7)

Logging Destination

System messages can be sent to the switch console, collected in an internal memory buffer, and sent over the network to be collected by a syslog server. The following sections cover the configuration commands for each of these destinations.

Logging to the Switch Console

Switch(config)# logging console severity

If you are connected to a switch through a Telnet or Secure Shell (SSH) session, you can redirect the console messages to your remote access session.

Switch# terminal monitor

Logging to the Internal Buffer

Switch(config)# logging buffered severity

The logging buffer has a finite size and operates in a circular fashion. If the buffer fills, the oldest messages roll off as new ones arrive. By default, the logging buffer is 4096 bytes or characters long, which is enough space to collect 50 lines of full-length text. If you depend on the logging buffer to keep a running history of logging messages, you might need to increase its size with the following command:

Switch(config)# logging buffered size

The buffer length is set to size (4096 to 2147483647) bytes. Be careful not to set the length too large, because the switch reserves the logging buffer space from memory it might need for other operations.

Review the internal logging buffer using:

Switch# show logging

Logging to a Remote Syslog Server

Switch(config)# logging host ip-address
Switch(config)# logging trap severity

By default, a switch generates a system message every time it detects an interface going up or down. To suppress these link-status messages on an edge switch port that connects to a user PC, use the following interface command:

Switch(config-if)# no logging event link-status

Adding Time Stamps to Logging Messages

Switch(config)# service timestamps [ log | debug ] [ datetime | uptime ] [ localtime ] [ show-timezone ] [ msec ] [ year ]

Use the localtime keyword to use the local time zone configured on the switch; otherwise, coordinated universal time (UTC) is assumed. Add the show-timezone keyword if you want the time zone name added to the time stamps. Use the msec keyword to add milliseconds and the year keyword to add the year to the time stamps.

Example

Switch(config)# service timestamps log datetime localtime show-timezone msec
Switch(config)# exit
Switch# show logging
*May 2 02:39:23.871 EDT: %DIAG-SP-6-DIAG_OK: Module 1: Passed Online Diagnostics
*May 2 02:39:27.827 EDT: %HSRP-5-STATECHANGE: Vlan62 Grp 1 state Standby -> Active
*May 2 02:41:40.431 EDT: %OIR-SP-6-INSCARD: Card inserted in slot 9, interfaces are now online
*May 3 08:24:13.944 EDT: %IP-4-DUPADDR: Duplicate address 10.1.2.1 on Vlan5, sourced by 0025.64eb.216f
*May 13 09:55:57.139 EDT: %SYS-5-CONFIG_I: Configured from console by herring on vty0 (10.1.1.7)
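
The five fields from the overview, pulled out of the show logging output above and filtered by severity; this is an added example, not Cisco code or part of the original page. The regular expression and the function names parse and at_least_as_severe are assumptions made for illustration.

```python
import re

# Severity names as listed in the Severity Level section (0 = most critical).
SEVERITY = ["Emergencies", "Alerts", "Critical", "Errors",
            "Warnings", "Notifications", "Informational", "Debugging"]

# Layout: timestamp: %FACILITY-SEVERITY-MNEMONIC: message text
# A facility can contain hyphens itself (DIAG-SP, OIR-SP), so it is matched
# lazily up to the single digit 0-7 that precedes the mnemonic.
MSG_RE = re.compile(
    r"^\*?(?P<timestamp>.+?): "
    r"%(?P<facility>[A-Z0-9_]+(?:-[A-Z0-9_]+)*?)"
    r"-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

# The five lines from the page's "show logging" example.
SAMPLE = [
    "*May 2 02:39:23.871 EDT: %DIAG-SP-6-DIAG_OK: Module 1: Passed Online Diagnostics",
    "*May 2 02:39:27.827 EDT: %HSRP-5-STATECHANGE: Vlan62 Grp 1 state Standby -> Active",
    "*May 2 02:41:40.431 EDT: %OIR-SP-6-INSCARD: Card inserted in slot 9, interfaces are now online",
    "*May 3 08:24:13.944 EDT: %IP-4-DUPADDR: Duplicate address 10.1.2.1 on Vlan5, sourced by 0025.64eb.216f",
    "*May 13 09:55:57.139 EDT: %SYS-5-CONFIG_I: Configured from console by herring on vty0 (10.1.1.7)",
]

def parse(line):
    """Split one system message into its five fields; None if it does not match."""
    m = MSG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["severity_name"] = SEVERITY[rec["severity"]]
    return rec

def at_least_as_severe(lines, level):
    """Return parsed messages with severity number <= level (lower = more critical)."""
    parsed = (parse(line) for line in lines)
    return [r for r in parsed if r is not None and r["severity"] <= level]

if __name__ == "__main__":
    for r in at_least_as_severe(SAMPLE, 5):
        print(r["severity_name"], r["facility"], r["mnemonic"], "|", r["text"])
```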
