aspect of network management and should be conducted regularly. Monitoring the log files allows appropriate and timely action to be taken when problems are detected, such as security breaches or events that are likely to lead to a security breach.

The logging facility

There are several types of events that can be monitored. Messages are classified by level of severity: level 0 is the highest level (most severe) and level 7 is the lowest level (least severe). System messages can be saved based on the type of facility and the severity level. Syslog messages can be categorized as follows:

Which events an administrator decides to capture depends largely on the information they are seeking. For example, logs can be invaluable in characterizing and responding to security incidents. For that purpose, the most important events to log include changes of interface status, changes to the system configuration, access list matches, and events detected by the optional firewall and intrusion detection features.

The logging facility can also be configured to send captured logging information to selected destinations. By default, switches and routers log significant system messages to their internal buffer and the system console. The four destinations that syslog messages can be forwarded to are listed below:

Be aware that the debugging destination used affects system overhead. Logging to the console produces very high overhead, whereas logging to a virtual terminal produces less. Logging to a syslog server produces even less, and logging to an internal buffer produces the least overhead of any method.

Time, specifically the timestamp, is a valuable piece of information for determining when a problem arose. The idea behind this is that many network problems can be correlated with system configuration changes, modifications to the network topology (both intentional and unintentional), and so on.
For this reason, syslog messages should be time-stamped to enhance real-time debugging and management.
7.2 Gathering Information on Application Layer Problems

7.2.6 Syslog destinations

Message logging is enabled by default. However, the default could have been disabled with the no logging on command. To enable message logging to all supported destinations other than the console (the default), enter the following:

Router(config)#logging on

The logging process controls the distribution of logging messages to the various destinations, such as the logging buffer, terminal lines, or syslog server. To turn logging on and off for these destinations individually, use the logging buffered, logging monitor, and logging global configuration commands. If the no logging on command has been configured, no messages will be sent to these destinations. Only the console will receive messages.

However, disabling the logging on command will substantially slow down the router. Any process that is generating debug or error messages will wait until the messages have been displayed on the console before continuing. Additionally, the logging process logs messages to the console and the various destinations after the processes that generated them have completed. When the logging process is disabled, messages are displayed on the console as soon as they are produced, often appearing in the middle of command output.

The logging synchronous line configuration command also affects the displaying of messages to the console. When configured, messages will appear only after the user types a carriage return.

Selecting Console Logging Levels
Different logging levels and corresponding keywords can be used when setting logging levels. The highest level message is Level 0, emergencies. The lowest level is Level 7, debugging, which also displays the largest number of messages. To limit the types of messages that are logged to the console, use the logging console command. The full syntax of this command follows:

Router(config)#logging console level

The logging console command limits the logging of messages displayed on the console terminal to the specified level and (numerically) lower levels. Either the level number or the level name can be entered. For example, the following sets the console logging to the warnings level. This will display all warnings (4), as well as errors (3), critical (2), alerts (1), and emergencies (0) messages.

Router(config)#logging console warnings
or
Router(config)#logging console 4

The no logging console command disables logging to the console terminal.

Logging to the Internal Buffer
To log messages to an internal buffer, use the logging buffered router configuration command. The full syntax of this command follows:

Router(config)#logging buffered

The logging buffered command copies logging messages to an internal buffer instead of writing them to the console terminal. The buffer is circular in nature; therefore, newer messages overwrite older messages. To limit the types of messages that are logged to the buffer, use the logging buffered level command. The level argument is one of the keywords listed in Figure . The full syntax of this command follows:

Router(config)#logging buffered level

To display the messages that are logged in the buffer, use the privileged EXEC command show logging. Use the clear logging command to reset the logging buffer. The no logging buffered command cancels the use of the buffer and writes messages to the console terminal (the default).

Logging to the Terminal Lines
To log messages to the terminal lines (VTY), use the logging monitor router configuration command. The full syntax of this command follows:

Router(config)#logging monitor level

The logging monitor command limits the logging messages displayed on terminal lines other than the console line to messages with a level up to and including the specified level argument. The level argument is one of the keywords listed in Figure . To display logging messages on a terminal (virtual console), use the privileged EXEC command terminal monitor.

Logging to a Syslog Server
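As an added illustration (not part of the original course text), the following Python script models the severity threshold rule shared by logging console, logging monitor and logging buffered, together with the circular behaviour of the internal buffer described above. The %FACILITY-SEVERITY-MNEMONIC tag it parses is the standard IOS system message layout, which this page does not describe, and the sample messages are constructed for the example rather than captured from a device.

```python
import re
from collections import deque

# Cisco IOS syslog severity levels: 0 is the highest (most severe),
# 7 the lowest (least severe) and also the noisiest.
SEVERITY_KEYWORDS = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
KEYWORD_TO_LEVEL = {name: num for num, name in SEVERITY_KEYWORDS.items()}


def parse_level(level):
    """Accept a level number or keyword, as `logging console level` and the
    other per-destination commands do, and return the numeric severity."""
    if isinstance(level, int):
        num = level
    elif str(level).strip().isdigit():
        num = int(level)
    else:
        try:
            num = KEYWORD_TO_LEVEL[str(level).strip().lower()]
        except KeyError:
            raise ValueError(f"unknown logging level: {level!r}") from None
    if not 0 <= num <= 7:
        raise ValueError(f"logging level out of range 0-7: {num}")
    return num


# Assumed message shape: IOS messages carry a %FACILITY-SEVERITY-MNEMONIC tag.
MSG_TAG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")


def message_severity(line):
    """Return the severity number embedded in a message, or None if untagged."""
    match = MSG_TAG.search(line)
    return int(match.group("severity")) if match else None


def passes(threshold, severity):
    """A destination configured at `threshold` receives messages of that level
    and all numerically lower (more severe) levels."""
    return severity <= threshold


class LoggingBuffer:
    """Models `logging buffered`: a circular buffer in which the newest
    messages overwrite the oldest once the capacity is reached."""

    def __init__(self, capacity):
        self._buf = deque(maxlen=capacity)

    def append(self, line):
        self._buf.append(line)

    def show_logging(self):          # like `show logging`
        return list(self._buf)

    def clear_logging(self):         # like `clear logging`
        self._buf.clear()


def route_messages(lines, console_level="warnings", monitor_level="informational",
                   buffered_level="debugging", buffer_size=3):
    """Distribute messages to console, monitor (VTY) and buffer, each with its
    own threshold. Returns (delivered, buffer, untagged)."""
    thresholds = {"console": parse_level(console_level),
                  "monitor": parse_level(monitor_level),
                  "buffered": parse_level(buffered_level)}
    buf = LoggingBuffer(buffer_size)
    delivered = {"console": [], "monitor": []}
    untagged = []
    for line in lines:
        sev = message_severity(line)
        if sev is None:              # no severity tag: cannot be filtered by level
            untagged.append(line)
            continue
        for dest in ("console", "monitor"):
            if passes(thresholds[dest], sev):
                delivered[dest].append(line)
        if passes(thresholds["buffered"], sev):
            buf.append(line)
    return delivered, buf, untagged


# Constructed sample messages (not captured from a real device).
SAMPLE_MESSAGES = [
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.7)",
    "%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(4123) -> 10.0.0.9(23), 1 packet",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "%SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed, pool Processor",
    "free-form text with no severity tag",
]

if __name__ == "__main__":
    delivered, buf, untagged = route_messages(SAMPLE_MESSAGES)
    for dest, msgs in delivered.items():
        print(f"{dest}: {len(msgs)} message(s)")
    print("show logging (buffer keeps the newest 3):", *buf.show_logging(), sep="\n    ")
    print("untagged:", untagged)
```

With the defaults, the console (warnings) receives only the LINK-3 and SYS-2 messages, the monitor destination (informational) receives all five tagged messages, and the buffer, although configured at debugging, holds only the three newest because the older entries have been overwritten. The same `passes` rule applies to the syslog server destination configured with logging trap; the overhead ordering from the previous section is why the console threshold is usually kept tighter than the buffer or server threshold.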
Messages can also be logged to a syslog server. The host is required to be running a syslog server application such as the Unix syslog server (native in most Unix implementations) or Kiwi Syslog Daemon (Win9x, ME, XP, NT4, and 2000). Commands to set up a Unix syslog server are covered later in this module. To log messages to the syslog server host, use the logging ip-address configuration command. The full syntax of this command follows:

Router(config)#logging ip-address

The logging command identifies a syslog server host to receive logging messages. The ip-address argument is the IP address of the host. By issuing this command more than once, a list of syslog servers to receive logging messages is created. The no logging command deletes the syslog server with the specified address from the list of syslog servers. To limit the number of messages sent to the syslog servers, use the logging trap router configuration command. The full syntax of this