Cisco Support Community
New Member

Logging Question

Hi. Could you tell me what are the necessary items to log using Cisco devices? My concern is basically limiting the log size but still identifying config changes and who was the last one who logged in, and I guess critical errors on the switch/router.

Thanks in advance.

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: Logging Question

Mark

On Cisco IOS devices you can set the severity level of messages generated for syslog. By setting the severity level to critical you would limit the volume of messages generated and receive the most critical event messages. If you set the severity level to warning or informational you would get a larger volume of messages and messages about a wider variety of things on the device.

You might consider setting the severity level to a more restrictive level for messages sent to an external syslog server where the volume of messages impacts the requirement for disk space to store the messages and set the severity level to something more inclusive for logging buffered where the messages are stored in a wrap around buffer and the volume of messages does not impact storage requirements. This would allow you to see more messages if there were some event that you need to investigate on the device.

Note that while there is a recent feature in IOS that allows writing messages in syslog when someone logs into the device there is not any mechanism for recording config changes in syslog. Recording config changes and login history is better accomplished by using the accounting function of AAA in IOS.

HTH

Rick

3 REPLIES

Hall of Fame Super Silver

Re: Logging Question

Mark

I am glad that my response helped to resolve your question. Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that they will read a response which did help to resolve the question.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick

Silver

Re: Logging Question

"Note that while there is a recent feature in IOS that allows writing messages in syslog

when someone logs into the device there is not any mechanism for recording config changes

in syslog."

This is NOT correct. In IOS version 12.4, you can record configuration changes via syslog, as seen below:

May 18 02:48:02 192.168.15.201 146: May 18 02:48:13.369: %PARSER-5-CFGLOG_LOGGEDCMD: User:cciesec logged command:interface Loopback0

May 18 02:48:02 192.168.15.201 146: May 18 02:48:13.369: %PARSER-5-CFGLOG_LOGGEDCMD: User:cciesec logged command:interface Loopback0

May 18 02:48:02 192.168.15.201 147: May 18 02:48:13.961: %PARSER-5-CFGLOG_LOGGEDCMD: User:cciesec logged command:shutdown

May 18 02:48:02 192.168.15.201 147: May 18 02:48:13.961: %PARSER-5-CFGLOG_LOGGEDCMD: User:cciesec logged command:shutdown

May 18 02:48:03 192.168.15.201 148: May 18 02:48:15.229: %PARSER-5-CFGLOG_LOGGEDCMD: User:cciesec logged command:no shutdown

May 18 02:48:03 192.168.15.201 148: May 18 02:48:15.229: %PARSER-5-CFGLOG_LOGGEDCMD: User:cciesec logged command:no shutdown

May 18 02:48:07 192.168.15.201 149: May 18 02:48:18.921: %SYS-5-CONFIG_I: Configured from console by cciesec on vty0 (129.174.1.8)

May 18 02:48:07 192.168.15.201 149: May 18 02:48:18.921: %SYS-5-CONFIG_I: Configured from console by cciesec on vty0 (129.174.1.8)

That can be done with the following commands in the configuration:

archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys

The difference between syslog and AAA accounting is that AAA is a much more powerful tool than syslog. For example, AAA can identify a bad user login attempt while syslog can only log the source IP of the bad attempt.

Hope that will clarify the question you have.
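An added example, not part of any post in this thread: a Python sketch that parses the relayed message lines quoted above into a who-changed-what audit and checks which of them a given syslog severity threshold would forward. The messages shown are all severity 5 (notifications), so a threshold of `critical` would not send them; the function names and the line layout assumed by the regular expression are this example's own, taken from the sample lines only.

```python
import re

# Cisco IOS severity names, index = numeric severity (0 is most severe).
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# <server time> <device ip> <seq>: <device time>: %FACILITY-SEV-MNEMONIC: text
LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) (?P<seq>\d+): "
    r"(?P<ts>\w{3}\s+\d+ [\d:.]+): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")
LOGGEDCMD = re.compile(r"^User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")
CONFIG_I = re.compile(r"^Configured from (?P<how>\S+) by (?P<user>\S+)"
                      r"(?: on (?P<line>\S+))?(?: \((?P<src>[^)]+)\))?")

def parse(lines):
    """Return unique events; a repeated (host, seq) pair is the same message."""
    seen, events = set(), []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m or (m["host"], m["seq"]) in seen:
            continue
        seen.add((m["host"], m["seq"]))
        ev = m.groupdict()
        ev["sev"] = int(ev["sev"])
        events.append(ev)
    return events

def forwarded(event, trap_level):
    """True if a device logging at trap_level would send this event."""
    return event["sev"] <= LEVELS.index(trap_level)

def config_audit(events):
    """Return [(user, command)] changes and [(user, line, source)] session ends."""
    changes, sessions = [], []
    for ev in events:
        if ev["mnem"] == "CFGLOG_LOGGEDCMD" and (m := LOGGEDCMD.match(ev["text"])):
            changes.append((m["user"], m["cmd"]))
        elif ev["mnem"] == "CONFIG_I" and (m := CONFIG_I.match(ev["text"])):
            sessions.append((m["user"], m["line"], m["src"]))
    return changes, sessions

# Sample input: the four distinct lines from the post; each appears twice there.
SAMPLE = [
    "May 18 02:48:02 192.168.15.201 146: May 18 02:48:13.369: %PARSER-5-CFGLOG_LOGGEDCMD: User:cciesec logged command:interface Loopback0",
    "May 18 02:48:02 192.168.15.201 147: May 18 02:48:13.961: %PARSER-5-CFGLOG_LOGGEDCMD: User:cciesec logged command:shutdown",
    "May 18 02:48:03 192.168.15.201 148: May 18 02:48:15.229: %PARSER-5-CFGLOG_LOGGEDCMD: User:cciesec logged command:no shutdown",
    "May 18 02:48:07 192.168.15.201 149: May 18 02:48:18.921: %SYS-5-CONFIG_I: Configured from console by cciesec on vty0 (129.174.1.8)",
] * 2
```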
