Good morning to all,
Let me start off by saying that I am fairly new to IOS and Cisco so please don't assume anything. Now that is out of the way, I need to start logging on our Home Office router that handles MPLS connections to all of our plants. The router was configured by our Cisco VAR when we switched from Brand X to Cisco but they don't seem to want to answer a lot of questions without charging a fee so I would appreciate any help that any of you can give. Now to the task at hand.
Logging is not enabled on the router at present. There are 4 access-list statements in there. I know what one of them is. Here are the statements.
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 99 permit 172.23.1.182 (this is our Cisco Works server)
access-list 100 permit ip host 172.23.1.168 any
access-list 100 permit ip any host 172.23.1.168
We have a syslog server that I need to start logging to. I am a little nervous about volume and I surely don't want to put in anything that might endanger the flow of traffic through the router. What will I get if I put in the following commands?
logging trap debugging
logging source-interface GigabitEthernet0/0
service timestamps log datetime localtime show-timezone msec
This router is on a 172.23.1.0 LAN
The syslog server is on a 172.23.5.0 LAN
They are connected between two buildings with fiber running from a switch on the 172.23.1.0 LAN to the 172.23.5.0 LAN.
I appreciate any help that can be given.
With the above config you would be sending syslog messages for all the levels (0-7) to the server 172.23.5.10.
All these messages will have the source as the Gigabit interface IP.
The last command will include the time/date in the log.
There should not be any problem with the above configs on the device.
I wouldn't recommend "logging trap debugging" because this will generate an almost continuous flow of traffic from your router to your syslog server.
logging trap warnings or logging trap errors is a more suitable place to start.
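The effect of the trap level discussed above, as an added example that is not part of the original thread: it parses the severity digit out of IOS `%FACILITY-SEVERITY-MNEMONIC` tags and counts how many messages each `logging trap` setting would forward. The log lines are constructed samples, and treating untagged lines as level 7 debug output is an assumption.

```python
import re
from collections import Counter

# Keywords accepted by "logging trap <level>"; list index = numeric severity.
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# IOS message tag: %FACILITY-SEVERITY-MNEMONIC: text
TAG_RE = re.compile(r"%([A-Z0-9_-]+?)-([0-7])-([A-Z0-9_]+): ")

# Constructed sample lines in the "datetime localtime show-timezone msec" format.
SAMPLE = [
    "Mar  3 08:15:02.123 EST: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Mar  3 08:15:03.127 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "Mar  3 08:16:40.511 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.10.10.2)",
    "Mar  3 08:17:01.004 EST: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 172.23.1.50(1044) -> 172.23.5.10(80), 1 packet",
    "Mar  3 08:17:05.900 EST: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet0/1",
    "Mar  3 08:17:09.332 EST: ICMP: echo reply sent, src 172.23.1.17, dst 172.23.5.10",
]

def severity(line):
    """Numeric severity (0-7) of one log line."""
    m = TAG_RE.search(line)
    # Assumption: untagged lines are debug output, which IOS logs at level 7.
    return int(m.group(2)) if m else 7

def forwarded(lines, trap_level):
    """Lines a router set to 'logging trap <trap_level>' would send to the server."""
    limit = LEVELS.index(trap_level)
    return [l for l in lines if severity(l) <= limit]

def volume_by_trap_level(lines):
    """Message count the server would receive at each possible trap setting."""
    counts = Counter(severity(l) for l in lines)
    total, out = 0, {}
    for level, name in enumerate(LEVELS):
        total += counts[level]
        out[name] = total
    return out

if __name__ == "__main__":
    for name, n in volume_by_trap_level(SAMPLE).items():
        print(f"logging trap {name:<13} -> {n} of {len(SAMPLE)} messages")
```

With the sample, `logging trap warnings` forwards 2 of the 6 messages and drops both the level 5 configuration notice and the level 6 entry produced by an ACL `log` keyword.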
Are you sure that your syslog server is up and running?
I'm assuming you can ping the syslog server from the 3845 router.
It looks like the router is sending the logs, I would be looking at the syslog server.
First of all, thanks so much for the help! Yes, I can ping the syslog server. On the show logging command, should the syslog server have gotten 3 packets or 65? If either, I am surprised it is not more than that.
The Unix admin is running that portion and he says no. He sees no activity from anything with a source id of 172.23.1.17 (which is the 3800 router that I am attempting to configure logging on).
I have just tested your config in our test environment and it logged messages fine. So either
1) Your syslog server is rejecting the messages. Can you get your Unix admin to see if he is getting any error messages in his logs?
2) Something is blocking the syslog messages to the unix server.
I just tested with the Unix admin. I started a telnet session on the router and then did the following
He got a log message so it is working. But we are not getting anything much at all. I was expecting to see log messages from all of the traffic that is passing through the router. Am I going to have to do something like the following to get this info:
access-list 101 permit tcp any any log
access-list 102 permit ip any any log
ip access-group 101 in
ip access-group 102 in
The syslog server is an RSA enVision device and it has canned reports that my boss would like to see. He wants to get a network baseline from this so if I am thinking correctly I would have to add a bunch more access-lists to get all protocols passing through this device.
If he is thinking about protocol discovery, try NBAR. This will let you know what your top protocols are.
Link below explains protocol discovery
Thanks for the reply Matt. Trying to answer the age old question, how busy is the network, utilization percentage being the ultimate target?