Hello Preston,

I've ran a wireshark trace, but the syslog messages are all just plain text. There is no XML to spot.

Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.2(3)T, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2012 by Cisco Systems, Inc.

Compiled Fri 23-Mar-12 21:00 by prod_rel_team

ROM: System Bootstrap, Version 15.1(1r)T2, RELEASE SOFTWARE (fc1)

cmuc03 uptime is 1 week, 19 hours, 40 minutes

System returned to ROM by reload at 12:37:35 CET Tue Apr 24 2012

System image file is "flash:c3900e-universalk9-mz.SPA.152-3.T.bin"

Last reload type: Normal Reload

Last reload reason: Reload Command

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

Cisco CISCO3945-CHASSIS (revision 1.0) with C3900-SPE250/K9 with 1793024K/304128K bytes of memory.

Processor board ID FCZ150423W1

4 Gigabit Ethernet interfaces

1 Virtual Private Network (VPN) Module

DRAM configuration is 72 bits wide with parity enabled.

256K bytes of non-volatile configuration memory.

254464K bytes of ATA System CompactFlash 0 (Read/Write)

License Info:

License UDI:

-------------------------------------------------

Device#   PID                   SN

-------------------------------------------------

*0        C3900-SPE250/K9       FOC15013FAW

Technology Package License Information for Module:'c3900e'

-----------------------------------------------------------------

Technology    Technology-package           Technology-package

              Current       Type           Next reboot

------------------------------------------------------------------

ipbase        ipbasek9      Permanent      ipbasek9

security      securityk9    Permanent      securityk9

uc            uck9          Permanent      uck9

data          datak9        Permanent      datak9

Configuration register is 0x2102

Alright, it's clear now.

When I configure logging host 192.168.1.1 the debugs are sent to the syslog server, but there is a difference in what is sent to the syslog server and what appears in the logging buffer. The logging buffer contains more debug messages.

Do you know a reason why this is?

Hi Grant,

This is another reason we don't recommend troubleshooting by sending debugs to syslog.  The number of debugs can overwhelm the system so that we drop messages from the syslog queue and they never get sent to the server.  By design, it's more important that they make it into the loggigng buffer so that should be where you go for troubleshooting.  Overall, the best practice for debugging is this, especially for noisy debugs:

- Ensure that you aren't logging debugs to console, monitor, or syslog (the top of show log will tell you the level of each.  This will save you from maxing out cpu, and let you type on the sesion with debugs spewing out.

- increase the size of the logging buffer

- use "show log" or "show log | i " to filter out the debugs you care about.

Remember that "u all" will turn off all debugs, so if you ever get in a state where the debugs are out of control, type this and hit enter even if you can't see what you've typed through all the debugs, evnetually they should disable.

Alright, I know everything I need.

Thank you for your help.