Need to start logging

Mar 25th, 2008
Good morning to all,

Let me start off by saying that I am fairly new to IOS and Cisco so please don't assume anything. Now that is out of the way, I need to start logging on our Home Office router that handles MPLS connections to all of our plants. The router was configured by our Cisco VAR when we switched from Brand X to Cisco but they don't seem to want to answer a lot of questions without charging a fee so I would appreciate any help that any of you can give. Now to the task at hand.

Logging is not enabled on the router at present. There are 4 access-list statements in there. I know what one of them is. Here are the statements.


access-list 23 permit 10.10.10.0 0.0.0.7

access-list 99 permit 172.23.1.182 (this is our Cisco Works server)

access-list 100 permit ip host 172.23.1.168 any

access-list 100 permit ip any host 172.23.1.168


We have a syslog server that I need to start logging to. I am a little nervous about volume and I surely don't want to put in anything that might endanger the flow of traffic through the router. What will I get if I put in the following commands?


logging 172.23.5.10

logging trap debugging

logging source-interface GigabitEthernet0/0

logging on

service timestamps log datetime localtime show-timezone msec


This router is on a 172.23.1.0 LAN

The syslog server is on a 172.23.5.0 LAN


They are connected between two buildings with fiber running from a switch on the 172.23.1.0 LAN to the 172.23.5.0 LAN.


I appreciate any help that can be given.

royalblues Tue, 03/25/2008 - 05:58

With the above config you would be sending syslog messages for all the levels (0-7) to the server 172.23.5.10.


All these messages will have the source as the Gigabit interface IP.


The last command will include the time/date in the log.


There should not be any problem with the above configs on the device.


HTH

Narayan

ROBERT ISAACS Tue, 03/25/2008 - 12:05

Narayan,

I entered those commands and I don't seem to be getting anything. I have enclosed the results from a show logging command.


RI




Jon Marshall Tue, 03/25/2008 - 06:02

Hi


I wouldn't recommend "logging trap debugging" because this will generate an almost continuous flow of traffic from your router to your syslog server.


logging trap warnings or logging trap errors is a more suitable place to start.


http://www.cisco.com/en/US/docs/ios/12_3/configfun/command/reference/cfr_1g04.html#wp1033213


HTH


Jon

ROBERT ISAACS Tue, 03/25/2008 - 12:08

Jon,

I posted the result of a show logging command. I am not getting anything.


RI


Jon Marshall Tue, 03/25/2008 - 12:11

Are you sure that your syslog server is up and running?


I'm assuming you can ping the syslog server from the 3845 router.

It looks like the router is sending the logs, I would be looking at the syslog server.


Jon


ROBERT ISAACS Tue, 03/25/2008 - 12:22

First of all, thanks so much for the help! Yes, I can ping the syslog server. On the show logging command, should the syslog server have gotten 3 packets or 65? If either, I am surprised it is not more than that.


Thanks,

RI

Jon Marshall Tue, 03/25/2008 - 12:36

Can you confirm whether you are seeing any messages on your syslog server?



ROBERT ISAACS Tue, 03/25/2008 - 13:37

The Unix admin is running that portion and he says no. He sees no activity from anything with a source id of 172.23.1.17 (which is the 3800 router that I am attempting to configure logging on).


RI

Jon Marshall Tue, 03/25/2008 - 14:25

Hi


I have just tested your config in our test environment and it logged messages fine. So either


1) Your syslog server is rejecting the messages. Can you get your Unix admin to see if he is getting any error messages in his logs?


2) Something is blocking the syslog messages to the unix server.


Jon

ROBERT ISAACS Wed, 03/26/2008 - 11:20

Jon,

I just tested with the Unix admin. I started a telnet session on the router and then did the following:

config t

exit

exit

He got a log message so it is working. But we are not getting anything much at all. I was expecting to see log messages from all of the traffic that is passing through the router. Am I going to have to do something like the following to get this info:


access-list 101 permit tcp any any log

access-list 102 permit ip any any log

interface GigabitEthernet0/0

ip access-group 101 in

ip access-group 102 in

????

The syslog server is an RSA enVision device and it has canned reports that my boss would like to see. He wants to get a network baseline from this so if I am thinking correctly I would have to add a bunch more access-lists to get all protocols passing through this device.

Thanks,

RI
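
An added example, not part of any post in this thread: a Python sketch of which IOS messages each `logging trap` level discussed above would forward to the syslog server. The log lines are constructed samples in the standard `%FACILITY-SEVERITY-MNEMONIC` format; the addresses, interface names and list number in them are illustrative assumptions.

```python
import re

# Keywords accepted by "logging trap <level>"; list index = severity number (0-7).
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# IOS message tag: %FACILITY-SEVERITY-MNEMONIC:
IOS_TAG = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):")

# Constructed sample lines (not captured from the router in this thread).
SAMPLE = [
    "*Mar 26 11:18:02.123 EDT: %SYS-5-CONFIG_I: Configured from console by vty0 (172.23.1.50)",
    "*Mar 26 11:19:10.004 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar 26 11:19:11.004 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "*Mar 26 11:20:45.870 EDT: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 172.23.1.168(1025) -> 172.23.5.10(80), 1 packet",
]

def parse_tag(line):
    """Return (tag, severity) for an IOS log line, or None if it carries no tag."""
    m = IOS_TAG.search(line)
    if not m:
        return None
    return m.group(0).rstrip(":"), int(m.group(2))

def forwarded(lines, trap_level):
    """Tags of the messages a router set to 'logging trap <trap_level>' would send."""
    threshold = LEVELS.index(trap_level)  # ValueError on an unknown keyword
    tags = []
    for line in lines:
        parsed = parse_tag(line)
        # A message is sent when its severity number is at or below the trap level.
        if parsed and parsed[1] <= threshold:
            tags.append(parsed[0])
    return tags

def minimum_level(line):
    """Least verbose trap keyword that still forwards this message."""
    parsed = parse_tag(line)
    return LEVELS[parsed[1]] if parsed else None

if __name__ == "__main__":
    for level in ("errors", "warnings", "notifications", "informational", "debugging"):
        print(f"{level:14} -> {forwarded(SAMPLE, level)}")
```

With `logging trap warnings`, the `%SYS-5-CONFIG_I` message produced by a `config t` / `exit` test is not forwarded, and hits on ACL entries ending in `log` (`%SEC-6-IPACCESSLOGP`) need `informational` or `debugging`.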


ROBERT ISAACS Wed, 03/26/2008 - 11:40

Thanks for the reply Matt. Trying to answer the age old question, how busy is the network, utilization percentage being the ultimate target?
