Need to start logging

ROBERT ISAACS
Level 1

Good morning to all,

Let me start off by saying that I am fairly new to IOS and Cisco so please don't assume anything. Now that is out of the way, I need to start logging on our Home Office router that handles MPLS connections to all of our plants. The router was configured by our Cisco VAR when we switched from Brand X to Cisco but they don't seem to want to answer a lot of questions without charging a fee so I would appreciate any help that any of you can give. Now to the task at hand.

Logging is not enabled on the router at present. There are 4 access-list statements in there. I know what one of them is. Here are the statements.

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 99 permit 172.23.1.182 (this is our Cisco Works server)

access-list 100 permit ip host 172.23.1.168 any

access-list 100 permit ip any host 172.23.1.168

We have a syslog server that I need to start logging to. I am a little nervous about volume and I surely don't want to put in anything that might endanger the flow of traffic through the router. What will I get if I put in the following commands?

logging 172.23.5.10

logging trap debugging

logging source-interface GigabitEthernet0/0

logging on

service timestamps log datetime localtime show-timezone msec

This router is on a 172.23.1.0 LAN

The syslog server is on a 172.23.5.0 LAN

They are connected between two buildings with fiber running from a switch on the 172.23.1.0 LAN to the 172.23.5.0 LAN.

I appreciate any help that can be given.

12 Replies

royalblues
Level 10

With the above config you would be sending syslog messages for all the levels (0-7) to the server 172.23.5.10.

All these messages will have the source as the Gigabit interface IP.

The last command will include the time/date in the log.

There should not be any problem with the above configs on the device.

HTH

Narayan

Narayan,

I entered those commands and I don't seem to be getting anything. I have enclosed the results from a show logging command.

RI

Jon Marshall
Hall of Fame

Hi

I wouldn't recommend "logging trap debugging" because this will generate an almost continuous flow of traffic from your router to your syslog server.

logging trap warnings or logging trap errors is a more suitable place to start.

http://www.cisco.com/en/US/docs/ios/12_3/configfun/command/reference/cfr_1g04.html#wp1033213

HTH

Jon

Jon,

I posted the result of a show logging command. I am not getting anything.

RI

Are you sure that your syslog server is up and running?

I'm assuming you can ping the syslog server from the 3845 router.

It looks like the router is sending the logs, I would be looking at the syslog server.

Jon

First of all, thanks so much for the help! Yes, I can ping the syslog server. On the show logging command, should the syslog server have gotten 3 packets or 65? If either, I am surprised it is not more than that.

Thanks,

RI

Can you confirm whether you are seeing any messages on your syslog server?

The Unix admin is running that portion and he says no. He sees no activity from anything with a source id of 172.23.1.17 (which is the 3800 router that I am attempting to configure logging on).

RI

Hi

I have just tested your config in our test environment and it logged messages fine. So either

1) Your syslog server is rejecting the messages. Can you get your Unix admin to see if he is getting any error messages in his logs?

2) Something is blocking the syslog messages to the unix server.

Jon

Jon,

I just tested with the Unix admin. I started a telnet session on the router and then did the following

config t

exit

exit

He got a log message so it is working. But we are not getting anything much at all. I was expecting to see log messages from all of the traffic that is passing through the router. Am I going to have to do something like the following to get this info:

access-list 101 permit tcp any any log

access-list 102 permit ip any any log

interface GigabitEthernet0/0

ip access-group 101 in

ip access-group 102 in

????

The syslog server is an RSA enVision device and it has canned reports that my boss would like to see. He wants to get a network baseline from this so if I am thinking correctly I would have to add a bunch more access-lists to get all protocols passing through this device.

Thanks,

RI
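What a given "logging trap" level lets through, as an added example that is not part of the thread or anyone's post: the Python sketch below reads the severity digit from the %FACILITY-SEVERITY-MNEMONIC tag of IOS system messages and applies the trap threshold to them. The sample messages, and the address 172.23.1.50 in them, are constructed for illustration.

```python
import re

# Keywords accepted by "logging trap <level>"; list index = severity number (0 is most severe).
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

# Matches the %FACILITY-SEVERITY-MNEMONIC tag carried by IOS system messages.
IOS_TAG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")

def parse(line):
    """Return (facility, severity, mnemonic) for an IOS message, or None if untagged."""
    m = IOS_TAG.search(line)
    if m is None:
        return None
    return m["facility"], int(m["sev"]), m["mnemonic"]

def forwarded(line, trap_level):
    """True if the message's severity is at or above the 'logging trap' threshold."""
    parsed = parse(line)
    if parsed is None:
        return False
    return parsed[1] <= SEVERITY.index(trap_level)

def summarize(lines, trap_level):
    """Count the messages that would be forwarded, keyed by severity keyword."""
    counts = {}
    for line in lines:
        if forwarded(line, trap_level):
            name = SEVERITY[parse(line)[1]]
            counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample messages (not captured from the router in this thread).
SAMPLE = [
    "*Mar  1 09:15:02.123 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (172.23.1.50)",
    "*Mar  1 09:16:40.004 EST: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 09:16:41.004 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 09:20:11.900 EST: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 172.23.1.168(1025) -> 172.23.5.10(80), 1 packet",
]

if __name__ == "__main__":
    for level in ("errors", "warnings", "notifications", "debugging"):
        print(level, summarize(SAMPLE, level))
```

The %SYS-5-CONFIG_I message generated by a config t / exit test is severity 5, so it is forwarded at notifications or lower-priority levels but not at warnings or errors; an ACL "log" hit (%SEC-6-IPACCESSLOGP) is severity 6 and needs informational or debugging.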

If he is thinking about protocol discovery, try NBAR. This will let you know what your top protocols are.

The link below explains protocol discovery.

http://www.cisco.com/en/US/docs/ios/12_4t/qos/configuration/guide/qsnbar2.html

Thanks for the reply Matt. Trying to answer the age old question, how busy is the network, utilization percentage being the ultimate target?
