ACE Logging

Unanswered Question

I have set up ACE to log to our log server. Not only do I not get any logs, I have run captures and ACE is not even trying to send any logs to the remote server.

I am on version 3.0(0)A1(6.1, here is the logging config:

logging enable

logging standby

logging timestamp

logging facility 23

logging queue 1638

logging host 1.2.3.4 udp/514

Syed Iftekhar Ahmed Mon, 07/28/2008 - 14:59

Enable logging buffered to see if you get logs there. If you see that logs are going to the buffer, then the issue could be connectivity between the ACE and the syslog server.

Syed

Syed Iftekhar Ahmed Tue, 07/29/2008 - 08:40

Packet capture on the ACE doesn't capture CP-originated traffic. You won't see probe traffic in the capture either.

I will recommend running an external capture.

Is syslog server L2 adjacent?

Syed Iftekhar Ahmed

sachinga.hcl Tue, 07/29/2008 - 09:13

Hi Firewalz,

The system message logging function of the ACE saves these messages in a log file and allows you to send the logging messages to one or more output locations. System log messages provide you with logging information for monitoring and troubleshooting the operation of the ACE.

By default, messages are not saved in a log file. You must enable the transmission of syslog messages to a specified output location.

If the ACE is operating in multiple-context mode, you can configure the ACE to include an identifier for the virtual context and the virtual user responsible for executing the function in the log message.

To view logs generated by the ACE, you must configure an output location. You can choose to send all messages, or subsets of messages, to one or more output locations. You can limit which messages are sent to an output location by specifying the severity level of the message. Severity level values are 0 to 7; the lower the level number, the more severe the error.

By default, the ACE does not display syslog messages during console sessions. To enable the logging of syslog messages during console sessions and to limit the display of messages based on severity, use the logging console configuration command.

Logging to the console can degrade system performance. Use the logging console command only when you are testing and debugging problems, or when there is minimal load on the network. Do not use this command when the network is busy, as it can reduce ACE performance. When the ACE is active, use the following commands:

• The logging buffered command to store messages

• The show logging command to view messages

• The clear logging command to clear the messages displayed by the logging buffered command

The syntax of this command is as follows:

logging console severity_level

The severity_level argument specifies the maximum level for system log messages sent to the console. The severity level that you specify indicates that you want syslog messages at that level and messages less than the level. For example, if the specified level is 3, the syslog displays level 3, 2, 1, and 0 messages. We recommend that you use a lower severity level, such as 3, since logging at a high rate may impact the performance of the ACE.

Allowable entries include:

• 0-emergencies (System unusable messages)

• 1-alerts (Take immediate action)

• 2-critical (Critical condition)

• 3-errors (Error message)

• 4-warnings (Warning message)

• 5-notifications (Normal but significant condition)

• 6-informational (Information message)

• 7-debugging (Debug messages)

For example, to enable the logging of syslog messages during console sessions and set the severity level to 3, enter:

host1/Admin(config)# logging console 3

To disable message logging to the console, enter:

host1/Admin(config)# no logging console

I recommend sending syslog messages directly to the console only during testing.

The logging configuration is flexible and allows you to customize many aspects of how the ACE handles system messages. Using the system message logging feature, you can do the following:

• Specify one or more output locations where messages should be sent, including the console, an internal buffer, one or more syslog servers, an SNMP network management station, to Telnet or SSH sessions, or to Flash memory on the ACE.

• Specify which messages should be logged.

• Specify the severity level of a message.

• Enable time stamps.

• Specify the unique device ID of the ACE that is sent to a syslog server.

• Change the size of the logging message queue.

• Limit the rate at which the ACE generates messages in the syslog.

• Reject new connections if a specified condition has been reached.

• Enable the logging of connection setup and teardown messages.

sachinga.hcl Tue, 07/29/2008 - 09:15

A quick overview of the steps required to configure system message logging on the ACE. Each step includes the CLI command required to complete the task.

Task and Command Example

1. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context. If necessary, log directly in to, or change to, the correct context.

host1/Admin# changeto C1

host1/C1#

The rest of the examples in this table use the Admin context, unless otherwise specified.

2. Enter configuration mode by entering config.

host1/Admin# config

Enter configuration commands, one per line. End with CNTL/Z

host1/Admin(config)#

3. Enable logging to send system log messages to one or more output locations.

host1/Admin(config)# logging enable

4. Configure the ACE system software to send system logging messages to the output locations of your choice.

For example, to set the logging buffer level to 3 for logging error messages, enter:

host1/Admin(config)# logging buffered 3

To send log messages to a syslog server, enter:

host1/Admin(config)# logging host 192.168.10.1

5. (Optional) Enable the display of a time stamp on system logging messages.

host1/Admin(config)# logging timestamp

6. (Optional) Limit the number of messages sent to a syslog server based on severity.

host1/Admin(config)# logging trap 6

7. (Optional) Display a unique device ID in non-EMBLEM format syslog messages sent to the syslog server.

host1/Admin(config)# logging device-id hostname

8. (Optional) Set the syslog logging facility to a value other than the default of 20 (LOCAL4).

host1/Admin(config)# logging facility 16

9. (Optional) Change the number of syslog messages that can appear in the message queue while awaiting processing.

host1/Admin(config)# logging queue 100

10. (Optional) Disable the display of a specific syslog message or change the severity level of a specific system log message.

For example, to disable the %-6-615004 syslog message, enter:

host1/Admin(config)# no logging message 615004

For example, to change the level of the 615004 syslog message, enter:

(config)# logging message 615004 level 5

11. (Optional) Limit the rate at which the ACE generates messages in the syslog.

host1/Admin(config)# logging rate-limit 42 60

12. (Optional) Enable logging on the failover standby ACE.

host1/Admin(config)# logging standby

13. (Optional) Define if the ACE prohibits new connections from passing through the device if a specified condition has been met.

host1/Admin(config)# logging reject-newconn rate-limit-reached

14. (Optional) Enable the logging of connection setup and teardown messages at a faster rate (that is, at the connection rate).

host1/Admin(config)# logging fastpath

15. (Optional) Save your configuration changes to Flash memory.

host1/Admin(config)# exit

host1/Admin# copy running-config startup-config

Enabling System Message Logging

Message logging is disabled by default. You must enable logging if you want to send messages to one or more output locations. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages. You must set a logging output location to view any logs.

To enable message logging, use the logging enable configuration mode command. The syntax of this command is as follows:

logging enable

For example, to enable message logging to all output locations, enter:

host1/Admin(config)# logging enable

To stop message logging to all output locations, enter:

host1/Admin(config)# no logging enable

Specifying Syslog Output Locations

You configure the ACE to send syslog messages to the output location of your choice. The ACE provides several output locations for sending syslog messages:

• An internal buffer on the ACE

• One or more syslog servers running on hosts

• A Telnet or SSH connection

• The console

Thanks for the reply, I still cannot figure it out. Here is the current config:

logging enable

logging standby

logging timestamp

logging buffered 6

logging queue 1024

logging host 1.2.3.4 udp/514

The downstream firewall shows no connections.

show logging statistics

Syslog statistics: sent 54646056 discarded 2111

Messages sent:

...

... host 0

sachinga.hcl Thu, 07/31/2008 - 01:47

Hi Firewalz,

Can you please try using the following command:

logging host 1.2.3.4

because udp/514 is default.

dpetitpierre Wed, 08/20/2008 - 13:07

Hi!

It is necessary to set a trap level:

logging trap 6

The logic seems to be that "logging buffered" determines which messages are collected and "logging trap" determines which messages are transmitted. So, for it to work, the buffered level should be equal to or higher than the trap level.

The reference manual is not helping much: it could at least relate "logging host" to "logging trap".

Check also that the syslog program on the host logs local4 facility messages and that there is no firewall in between that blocks UDP syslog packets.

Best regards,

Dominique
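
The checks suggested in this thread, run against the two configurations posted above, as an added example that is not part of any post and is not Cisco tooling. The parser, the function names and the finding texts are assumptions; the buffered-versus-trap check encodes the rule as the last reply states it, and the facility mapping uses the standard syslog codes 16-23 for local0-local7.

```python
import re

# Constructed from the two configurations posted in this thread.
FIRST_CONFIG = """\
logging enable
logging standby
logging timestamp
logging facility 23
logging queue 1638
logging host 1.2.3.4 udp/514
"""
SECOND_CONFIG = """\
logging enable
logging standby
logging timestamp
logging buffered 6
logging queue 1024
logging host 1.2.3.4 udp/514
"""

DEFAULT_FACILITY = 20  # LOCAL4, the default named in the thread


def parse_logging(config):
    """Return {keyword: [argument strings]} for every 'logging ...' line."""
    settings = {}
    for line in config.splitlines():
        # Drop an optional CLI prompt such as 'host1/Admin(config)# '.
        line = re.sub(r"^\S*#\s*", "", line.strip())
        m = re.match(r"logging\s+(\S+)\s*(.*)$", line)
        if m:
            settings.setdefault(m.group(1), []).append(m.group(2).strip())
    return settings


def audit(config):
    """Return (findings, syslog facility name the server must accept)."""
    s = parse_logging(config)
    findings = []
    if "enable" not in s:
        findings.append("logging is not enabled")
    if "host" in s and "trap" not in s:
        findings.append("logging host set without logging trap")
    if "host" in s and "trap" in s and "buffered" in s:
        if int(s["buffered"][0]) < int(s["trap"][0]):
            findings.append("buffered level is lower than trap level")
    facility = int(s.get("facility", [DEFAULT_FACILITY])[0])
    # Syslog facility codes 16-23 are local0-local7.
    return findings, "local%d" % (facility - 16)
```

Both posted configurations produce the missing-trap finding; the first also means the syslog server has to accept local7 rather than local4, because it sets facility 23.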
