What is the size of a single log created by Cisco IOS..?

Hi,

My requirement is to allocate bandwidth usage for a network segment which has a SIEM tool collecting logs for multiple Cisco devices. I could find that there is an average of 50000 logs per hour flowing from network devices to SIEM.

How can I get a rough idea of how much network data would be used by these logs?

Please advise

Thanks

Regards,

Sreejith

1 Accepted Solution

Accepted Solutions

Vinod Arya
Cisco Employee

Sorry, but I am not sure what you mean by size of log?

Do you mean one particular syslog sent by a Cisco device (like switch, router, security etc. devices)?

The full format of a Syslog message seen on the wire has three distinct parts:

• PRI (priority)

• HEADER

• MSG (message text)

The total length of the packet cannot exceed 1024 bytes. There is no minimum length.

Devices are expected to comply with the following rules while sending Syslogs:

• Device should include PRI as recommended by RFC 3164

• Device could optionally send Timestamp information in RFC recommended format in the header. The RFC recommendation does not include the TIMEZONE information. Hence, it is assumed that the device sends the local time and that the device and Server are in the same time zone.

• Device could optionally send Hostname information in the header.

• To support devices that are in different time zones than the server, IOS allows configuring the devices to send the Time Information along with TZ, optionally, in the message part of the Syslog packet.

Such timestamps should be prefixed with some separator character (like * or :), so the Syslog daemons (such as unix syslogd) do not treat them as header information. This could cause unix syslogd to misinterpret the time information, because they ignore the TZ part of the Timestamp.

Considering the above, devices should send Syslogs in one of the following formats:

Format A

<187> [timestamp in RFC prescribed format] [device dns name | ip address] [Dummy Value/Counter : ] [ {:|*} mmm dd hh:mm:ss TimeZone ] %FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC: description

Format B

<187> [timestamp in RFC prescribed format] [device dns name | ip address] [Dummy Value/Counter : ] [ {:|*} yyyy mmm dd hh:mm:ss TimeZone <-|+> hh:mm] %FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC: description

Examples of good syslog messages: [ as sent by the device ]

<187>%PIX-4-106023 description

<187>Mar 23 10:21:03 %PIX-4-106023 description

<187>*Mar 23 12:12:12 PDT %PIX-4-106023 description

<187>Mar 23 10:21:03 *Mar 23 12:12:12 PDT %PIX-4-106023 description

<187>Mar 23 10:21:03 *2003 Mar 23 12:12:12 PDT -8:00 %PIX-4-106023 description

<187>Mar 23 10:21:03 93: *2003 Mar 23 12:12:12 PDT -8:00 %PIX-4-106023 description

It is difficult to tell the size, but as it can't exceed 1024 you can consider the 50000 msgs x 1024 bytes = 51200000 bytes. This comes out to be roughly 48.85 MB approx.


Hope this clarifies.

-Thanks

Vinod

**Rating Encourages contributors, and its really free. **

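As an added example (not part of the post, nor Cisco's code), the following Python parser takes the six "good syslog messages" quoted above, splits each into the PRI, header timestamp, optional hostname, optional counter and the `*`/`:`-prefixed device timestamp ahead of the %FACILITY-SEVERITY-MNEMONIC part, records each line's on-wire size against the 1024-byte limit, and reproduces the worst-case hourly figure. The sample lines are the ones from the answer; the per-packet `overhead` parameter is an assumption of mine (the post does not discuss IP/UDP framing).

```python
import re

# Constructed sample lines, copied from the "good syslog messages" quoted in the answer.
SAMPLES = [
    "<187>%PIX-4-106023 description",
    "<187>Mar 23 10:21:03 %PIX-4-106023 description",
    "<187>*Mar 23 12:12:12 PDT %PIX-4-106023 description",
    "<187>Mar 23 10:21:03 *Mar 23 12:12:12 PDT %PIX-4-106023 description",
    "<187>Mar 23 10:21:03 *2003 Mar 23 12:12:12 PDT -8:00 %PIX-4-106023 description",
    "<187>Mar 23 10:21:03 93: *2003 Mar 23 12:12:12 PDT -8:00 %PIX-4-106023 description",
]
MAX_SYSLOG_BYTES = 1024  # RFC 3164 upper bound on the whole syslog payload
TS = r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"  # e.g. "Mar 23 10:21:03"

PATTERN = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                  # PRI part
    rf"(?:(?P<hdr_ts>{TS}) )?"                              # optional RFC 3164 header timestamp
    r"(?:(?P<host>[A-Za-z0-9][\w.\-]*) )?"                  # optional hostname / IP address
    r"(?:(?P<counter>\d+): )?"                              # optional "93: " sequence counter
    rf"(?:[*:](?P<dev_ts>(?:\d{{4}} )?{TS} [A-Za-z]+"       # device time prefixed by * or :
    rf"(?: [-+]\d{{1,2}}:\d{{2}})?) )?"                     # ... with optional UTC offset (Format B)
    r"%(?P<facility>[A-Z0-9_]+)-(?:(?P<subfacility>[A-Z][A-Z0-9_]*)-)?"
    r"(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):?\s*(?P<text>.*)$"
)

def parse(msg: str) -> dict:
    """Split one Cisco syslog line into PRI/HEADER/MSG fields and record its on-wire size."""
    raw = msg.encode()
    if len(raw) > MAX_SYSLOG_BYTES:
        raise ValueError(f"payload is {len(raw)} bytes, over the {MAX_SYSLOG_BYTES}-byte limit")
    m = PATTERN.match(msg)
    if not m:
        raise ValueError(f"unrecognised syslog line: {msg!r}")
    fields = m.groupdict()
    # RFC 3164 packs PRI as facility * 8 + severity; <187> decodes to local7 (23), error (3)
    fields["syslog_facility"], fields["syslog_severity"] = divmod(int(fields["pri"]), 8)
    fields["wire_bytes"] = len(raw)
    return fields

def hourly_bytes(msgs_per_hour: int, bytes_per_msg: int = MAX_SYSLOG_BYTES, overhead: int = 0) -> int:
    """Worst-case bytes per hour; overhead is per-packet framing (assumed, e.g. 28 for IPv4+UDP)."""
    return msgs_per_hour * (bytes_per_msg + overhead)

if __name__ == "__main__":
    for line in SAMPLES:
        f = parse(line)
        print(f"{f['wire_bytes']:3d} B  counter={f['counter']} dev_ts={f['dev_ts']} %{f['facility']}-{f['severity']}-{f['mnemonic']}")
    print(f"worst case: {hourly_bytes(50000)} B/h = {hourly_bytes(50000) / 2**20:.2f} MiB/h")
```

Running it over real captures instead of the samples gives the average size that the post says is hard to state in advance, so the 1024-byte worst case can be replaced by a measured figure.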


2 Replies


Hi Vinod,

Many thanks for the explanation. Now I got more clarity.

Thanks

Sreejith