Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Logging buffered or no logging buffered

We have a debate going on in our office about buffering logs. We are using CW as our syslog server for a network with approx. 450 Cisco devices (switches, routers, APs, firewalls, etc.). The debate has to do with whether we should be buffering logs.

Some techs in the group say that it is recommended to "no logging buffered" set if you are sended logs to a syslog server. Others point out that this can be an issue if you are at a downed site and/or don't have access to CW. What is the recommendation for buffering logs? I don't see an issue with both buffering and sending to syslog server. Any advice?


Re: Logging buffered or no logging buffered

Syslogging should ideally go to more than one server. Cisco devices sometimes generate syslogs before they boot up fully, so maintaining logging buffer can have unique values, such as what I just ran into recently with SYS-2-PS_FAIL:

Cisco Employee

Re: Logging buffered or no logging buffered

Logging bufferend and logging to 2 syslog servers is generally considered a leading practice with my team. Logging buffered gets you some 'fallback' in case you need the logs before a device has fully rebooted and reestablished routes. It can also be the source if a network partition happens and no NMS access is available.

What you DON'T want to do is have more than 4 syslog event receivers. I worked with a customer that had 9... 4 were going to servers in the same subnet. If you have a lot of need for syslog processing (multiple NMSs, IDSs, etc) look at syslog repeaters like Syslog-NG.

CreatePlease login to create content