How to configure system message logging on a Cisco device

In the last post, I showed you how to configure a Syslog server on an Ubuntu machine. If you want to review it, please take a look here.

In this post, I would like to discuss system message logging on a Cisco switch or router. In the last part, I would like to show you how to send the logs to a remote Syslog server.


Gulian Technology

System message logging – Logging console

As you may know, when you connect to a Cisco switch or router via the console port, any generated log message is automatically displayed on the console line. This is the default configuration on all Cisco devices.

However, if you check the running-config, you will not find the command (logging console) that actually configures the logging on the console port.

SW2960#show running-config | include logging 
SW2960#
Default running-config

You can influence which log messages are shown on the console line by choosing the severity level. By default, the severity is set to level 7, which is debugging. This means that all log messages up to that level will be displayed on the console line.

SW2960(config)#logging console ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  discriminator  Establish MD-Console association
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  filtered       Enable filtered logging
  guaranteed     Guarantee console messages
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
  xml            Enable logging in XML
  <cr>

SW2960(config)#logging console 7
SW2960(config)#
Severity levels

A very useful command is logging synchronous. If this command is not configured and you are in the middle of writing a command and a log message pops up, the log message and your command will be mixed up. You can see an example below.

SW2960(config)#int gig0/20
SW2960(config-if)#shut
SW2960(config-if)#
Jul 18 10:51:57.476: %LINK-5-CHANGED: Interface GigabitEthernet0/20, changed state to administratively down
Jul 18 10:51:58.482: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to down
SW2960(config-if)#no shut
SW2960(config-if)#exit
SW2960(config)#
Jul 18 10:52:07.758: %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to downip
Jul 18 10:52:10.282: %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to up
Jul 18 10:52:11.289: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to up
% Incomplete command.

SW2960(config)#
Logs on the console line

After configuring the logging synchronous command under the console line, you will not face this issue anymore.

SW3750#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
SW3750(config)#line con 0
SW3750(config-line)#log
SW3750(config-line)#logg
SW3750(config-line)#logging ?
  synchronous  Synchronized message output

SW3750(config-line)#logging sy
SW3750(config-line)#logging synchronous 
SW3750(config-line)#

System message logging – Logging monitor

Now you may ask yourself how you can view the generated log messages if you are connected to the device using Telnet or SSH and not through the Console line.

In order to be able to see the logs, you need to add 2 more commands to your default configuration (terminal monitor and logging monitor).

SW2960#terminal monitor
SW2960#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
SW2960(config)#log
SW2960(config)#loggi
SW2960(config)#logging monitor
SW2960(config)#
Enable the possibility to see log messages when connected via Telnet or SSH

Below you can find the confirmation that now you can see the generated logs.

System message logging – Logging buffered

If you would like to see/check the logs at a later point in time, you have two options:

  1. Save them in RAM on the Cisco device;
  2. Send them to a remote Syslog server.

In order to save the logs in the RAM of the Cisco switch or router, you will need to add a new command to the running-config.

SW2960(config)#logging buffered ?
  <0-7>              Logging severity level
  <4096-2147483647>  Logging buffer size
  alerts             Immediate action needed           (severity=1)
  critical           Critical conditions               (severity=2)
  debugging          Debugging messages                (severity=7)
  discriminator      Establish MD-Buffer association
  emergencies        System is unusable                (severity=0)
  errors             Error conditions                  (severity=3)
  filtered           Enable filtered logging
  informational      Informational messages            (severity=6)
  notifications      Normal but significant conditions (severity=5)
  warnings           Warning conditions                (severity=4)
  xml                Enable logging in XML to XML logging buffer
  <cr>

SW2960(config)#logging buffered 
SW2960(config)#
Enable logging buffered

You can check the buffer with the command:

SW2960#show logging 
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.



No Inactive Message Discriminator.


    Console logging: level debugging, 52 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 7 messages logged, xml disabled,
                     filtering disabled
        Logging to: vty1(7)
    Buffer logging:  level debugging, 52 messages logged, xml disabled,
                     filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    File logging: disabled
    Persistent logging: disabled

No active filter modules.
// Output omitted

Log Buffer (4096 bytes):
itEthernet0/2, changed state to up
*Mar  1 00:01:58.698: %LINK-3-UPDOWN: Interface GigabitEthernet0/9, changed state to up
*Mar  1 00:02:26.423: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar  1 00:29:59.968: %LINK-5-CHANGED: Interface GigabitEthernet0/20, changed state to administratively down
*Mar  1 00:30:00.975: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to down
*Mar  1 00:30:18.314: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:30:19.170: %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to down
*Mar  1 00:30:21.670: %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to up
*Mar  1 00:30:22.676: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to up
*Mar  1 00:33:37.133: %SYS-5-CONFIG_I: Configured from console by petru on vty0 (172.16.10.150)
*Mar  1 00:34:01.300: %SYS-5-CONFIG_I: Configured from console by petru on vty0 (172.16.10.150)
*Mar  1 00:49:04.426: %SYS-5-CONFIG_I: Configured from console by petru on vty0 (172.16.10.150)
*Jul 18 11:45:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:49:56 UTC Mon Mar 1 1993 to 11:45:00 UTC Tue Jul 18 2023, configured from console by petru on vty0 (172.16.10.150).
.Jul 18 10:46:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 11:45:31 UTC Tue Jul 18 2023 to 10:46:00 UTC Tue Jul 18 2023, configured from console by petru on vty0 (172.16.10.150).
Jul 18 10:50:54.000: %LINK-5-CHANGED: Interface GigabitEthernet0/20, changed state to administratively down
Jul 18 10:50:55.006: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to down
 --More-- 
Show logging
Check the buffer

System message logging – Logging host

The logs saved in the RAM of the Cisco router or switch are not persistent. As soon as the device is rebooted, the logs are lost. In order to keep them persistently, you can send the logs to a remote Syslog server.

In order to achieve this, you need to add the following commands to your configuration. You need to specify the IP address or name of the remote Syslog server, and you need to define the trap severity. In my lab, I configured logs up to level 6 to be sent to the Syslog server.

SW2960(config)#logging host 172.16.10.150 
SW2960(config)#
SW2960(config)#loggin
SW2960(config)#logging tra
SW2960(config)#logging trap ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
  <cr>

SW2960(config)#logging trap inform
SW2960(config)#logging trap informational 
SW2960(config)#
Configure the remote host on which the logs will be sent

After you have finished the configuration, do not forget to save the running-config to startup-config.

SW2960#copy running-config startup-config
Destination filename [startup-config]? 
Building configuration...
[OK]
0 bytes copied in 0.847 secs (0 bytes/sec)
SW2960#
Save running-config to startup-config

You also need to confirm that the logs are present on the remote Syslog server.

Here you have the output from my Ubuntu Syslog server.

petru@ubuntu-dev:/var/log/remote$ ls -l
total 8
-rw-r----- 1 root adm 1668 Jul 18 13:09 172.16.10.50.log
-rw-r----- 1 root adm 1918 Jul 18 13:09 172.16.10.5.log
petru@ubuntu-dev:/var/log/remote$ tail -n 4 172.16.10.5.log 
Jul 18 12:09:36 172.16.10.5 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to down
Jul 18 12:09:37 172.16.10.5 %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to down
Jul 18 12:09:48 172.16.10.5 %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to up
Jul 18 12:09:49 172.16.10.5 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to up
petru@ubuntu-dev:/var/log/remote$ tail -n 4 172.16.10.50.log 
Jul 18 13:09:45 172.16.10.50 02:13:44: %SYS-5-CONFIG_I: Configured from console by petru on vty0 (172.16.10.150)
Jul 18 13:09:46 172.16.10.50 02:13:45: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/20, changed state to down
Jul 18 13:09:49 172.16.10.50 02:13:48: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/20, changed state to up
Jul 18 13:09:49 172.16.10.50 02:13:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/20, changed state to up
petru@ubuntu-dev:/var/log/remote$ 
Check the logs on the remote Syslog server

System message logging – Log message format

All log messages have a structured format. Below you can find the meaning of each field in a generated log message.

Log format on Cisco device.

Jul 18 12:09:37.326: %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to down

A timestamp: Jul 18 12:09:37.326

The facility on the router that generated the message: %LINK

The severity level: 3

A mnemonic for the message: UPDOWN

The description of the message: Interface GigabitEthernet0/20, changed state to down

Log format on Syslog server.

Jul 18 12:09:37 172.16.10.5 %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to down

A timestamp: Jul 18 12:09:37

IP address of the device which generated this message: 172.16.10.5

The facility on the router that generated the message: %LINK

The severity level: 3

A mnemonic for the message: UPDOWN

The description of the message: Interface GigabitEthernet0/20, changed state to down
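
As an added example (not part of the original post), the Python code below parses both layouts described above into the named fields, applies the same severity rule as logging trap, and pulls the user and source address out of %SYS-5-CONFIG_I messages. The function names are illustrative, and the second time field seen in the 172.16.10.50 log is assumed to be an uptime stamp.

```python
import re

# Severity names in the order shown by "logging console ?" (index = level).
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

# One pattern for both layouts: the Syslog server adds the sender IP after the
# timestamp; "*" or "." is the IOS marker for a clock that is not authoritative or
# not NTP-synced; the extra hh:mm:ss field is assumed to be an uptime stamp.
LINE_RE = re.compile(
    r"^(?P<clock>[*.])?"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?):?\s+"
    r"(?:(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+)?"
    r"(?:(?P<uptime>\d{2}:\d{2}:\d{2}):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$")

# Body of %SYS-5-CONFIG_I: who changed the configuration and from where.
CONFIG_RE = re.compile(r"Configured from \S+ by (?P<user>\S+)"
                       r"(?: on (?P<line>\S+) \((?P<ip>[\d.]+)\))?")

def parse(line):
    """Split one log line into its fields; None if it is not a Cisco message."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["severity_name"] = SEVERITY[rec["severity"]]
    return rec

def passes_trap(rec, trap_level=6):
    """Same rule as 'logging trap <level>': forward severities 0..level."""
    return rec["severity"] <= trap_level

def config_changes(lines):
    """Return (timestamp, device, user, line, source IP) per CONFIG_I message."""
    found = []
    for rec in filter(None, map(parse, lines)):
        if (rec["facility"], rec["mnemonic"]) == ("SYS", "CONFIG_I"):
            m = CONFIG_RE.search(rec["description"])
            if m:
                found.append((rec["timestamp"], rec["host"],
                              m["user"], m["line"], m["ip"]))
    return found

# Sample lines copied from the outputs shown on this page.
SAMPLE = [
    "Jul 18 12:09:37.326: %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to down",
    "Jul 18 12:09:37 172.16.10.5 %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to down",
    "Jul 18 13:09:45 172.16.10.50 02:13:44: %SYS-5-CONFIG_I: Configured from console by petru on vty0 (172.16.10.150)",
    "*Mar  1 00:30:18.314: %SYS-5-CONFIG_I: Configured from console by console",
    "% Incomplete command.",
]
```

Calling config_changes(SAMPLE) returns one tuple per configuration change; for changes made on the console line the device, line and source IP fields are None.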

Viewing the Configured Log Settings on your Cisco device

In order to check the configured log settings for your Cisco router or switch, you need to run the command:

show logging

It will generate an output similar to this one:

SW2960#show logging 
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.



No Inactive Message Discriminator.


    Console logging: level debugging, 62 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 7 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 62 messages logged, xml disabled,
                     filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    File logging: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level informational, 66 message lines logged
        Logging to 172.16.10.150  (udp port 514,  audit disabled,
              authentication disabled, encryption disabled, link up),
              10 message lines logged, 
              0 message lines rate-limited, 
              0 message lines dropped-by-MD, 
              xml disabled, sequence number disabled
              filtering disabled
          
Log Buffer (4096 bytes):
:49:04.426: %SYS-5-CONFIG_I: Configured from console by petru on vty0 (172.16.10.150)
*Jul 18 11:45:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:49:56 UTC Mon Mar 1 1993 to 11:45:00 UTC Tue Jul 18 2023, configured from console by petru on vty0 (172.16.10.150).
.Jul 18 10:46:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 11:45:31 UTC Tue Jul 18 2023 to 10:46:00 UTC Tue Jul 18 2023, configured from console by petru on vty0 (172.16.10.150).
Jul 18 10:50:54.000: %LINK-5-CHANGED: Interface GigabitEthernet0/20, changed state to administratively down
Jul 18 10:50:55.006: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to down
Jul 18 10:51:14.637: %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to down
Jul 18 10:51:17.245: %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to up
Jul 18 10:51:18.251: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to up
Jul 18 10:51:57.476: %LINK-5-CHANGED: Interface GigabitEthernet0/20, changed state to administratively down
Jul 18 10:51:58.482: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to down
Jul 18 10:52:07.758: %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to down
Jul 18 10:52:10.282: %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to up
Jul 18 10:52:11.289: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to up
Jul 18 10:54:54.608: %SYS-5-CONFIG_I: Configured from console by console
Jul 18 10:58:53.314: %SYS-5-CONFIG_I: Configured from console by console
Jul 18 11:01:13.545: %SYS-5-CONFIG_I: Configured from console by petru on vty0 (172.16.10.150)
Jul 18 11:20:06.961: %SYS-5-CONFIG_I: Configured from console by console
Jul 18 11:20:27.019: %LINK-5-CHANGED: Interface GigabitEthernet0/20, changed state to administratively down
Jul 18 11:20:28.026: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to down
Jul 18 11:20:37.614: %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to down
Jul 18 11:20:40.257: %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to up
Jul 18 11:20:41.264: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to up
Jul 18 11:26:27.533: %SYS-5-CONFIG_I: Configured from console by petru on vty0 (172.16.10.150)
Jul 18 11:29:10.949: %LINK-5-CHANGED: Interface GigabitEthernet0/20, changed state to administratively down
Jul 18 11:29:11.955: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to down
Jul 18 11:29:18.943: %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to down
Jul 18 11:29:21.510: %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to up
Jul 18 11:29:22.516: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to up
Jul 18 11:30:42.399: %SYS-5-CONFIG_I: Configured from console by console
Jul 18 11:38:29.290: %SYS-5-CONFIG_I: Configured from console by petru on vty0 (172.16.10.150)
Jul 18 12:06:11.336: %SYS-5-CONFIG_I: Configured from console by petru on vty0 (172.16.10.150)
Jul 18 12:06:12.342: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.16.10.150 Port 514 started - CLI initiated
Jul 18 12:09:01.170: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to down
Jul 18 12:09:02.177: %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to down
Jul 18 12:09:20.540: %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to up
Jul 18 12:09:21.547: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to up
Jul 18 12:09:36.328: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to down
Jul 18 12:09:37.326: %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to down
Jul 18 12:09:48.475: %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to up
Jul 18 12:09:49.482: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to up
SW2960# 

As you can see, on my switch I have configured logging on:

  1. Line console with the debugging severity level;
  2. Telnet and SSH (monitor logging) with the debugging level;
  3. I saved the log to the device RAM (buffer logging);
  4. I am sending the logs to the Syslog server with the IP address 172.16.10.150 with the informational level.

I hope you find this post useful. Share it on your social media channels so that other people can read it too.
