Get IT Done: Keep on top of network issues with the help of Cisco router logs

Use Cisco router logs to administer networks

We IT personnel spend a lot of our time on daily support tasks. Users call the help desk because they can’t log in or access a particular directory. We chase down printer and connectivity problems. We find ourselves dedicating time to issues that don’t justify the resources, like answering the plea “I lost my e-mail, can you find it for me?”

Getting caught up in these day-to-day tasks is the nature of the IT support beast. So how do we get to the point where we’re planning and controlling the IT networking function, instead of continuously reacting to it? This Daily Feature is dedicated to helping you get on top of network issues by showing you how to monitor router and switch informational messages, which inform us of the health and status of our networks. Few of us have time to routinely watch the console for important messages, but we can log these messages en masse. Then the logs can be parsed on a regular basis to search for potential problems before they happen, rather than awaiting their arrival.

View logging settings on your router
The router can log messages to a buffer, but the number of messages and the size of the log are somewhat limited by available memory. You can view the logging settings of your router by using the following command:
Router# show log

A more effective method involves logging messages to a server, where they can be stored in a file. To capture this information, we can use the logging feature on a Cisco router to direct system messages to a SYSLOG server, where they’re then stored. SYSLOG server software with varying capabilities is readily available for most server operating systems (more about this later). To accomplish logging to a SYSLOG server, we must first enable logging on the router:
Router(config)# logging on

Then, after enabling the logging feature, we can tell it where to send the system messages:
Router(config)# logging <SYSLOG server IP address>

Here, the placeholder stands for the actual IP address of the SYSLOG server. Logging can be set for different message levels from 0 to 7, as shown in Figure A.

Figure A
The most critical messages occur at level 0 and decrease in severity as the level increases.

Severity level is especially relevant if you’re only interested in logging certain types of system messages. Under most circumstances, you won’t want to log some message types. For instance, debug messages are generally only used during troubleshooting and will need to be displayed at the console, rather than being redirected to a SYSLOG server. With this in mind, we can now set the level of messages that we want logged to the SYSLOG server for storage, as follows:
Router(config)# logging trap informational

As a result of this command, all system messages up to and including informational (severity 0-6) will be trapped to the SYSLOG server.

After you’ve enabled logging, you may notice that the times listed in the system messages are incorrect. The time must be set on the router for the messages to be written with the correct time. To set the time, you can use the clock set command:
Router# clock set 20:03:00 10 October 2001

Here, we’ve set the time using the following format: hh:mm:ss day month year. You can confirm the setting with the show clock command, and your logs will now display the current time. Another issue associated with time and logging is the timestamp. For system messages to be written with time information, timestamps must be enabled, as follows:
Router(config)# service timestamps log uptime

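With the uptime keyword, messages are stamped with the time elapsed since the router last restarted; the datetime keyword stamps them with the date and time from the router's clock instead. The service timestamps command is generally found at or near the beginning of the router configuration and can easily be viewed with the show run command. At this point, we have completed all the router configuration tasks necessary to perform logging to a SYSLOG system. Again, you can verify the logging configuration using the show logging command.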

SYSLOG server thoughts
Now we simply need a SYSLOG server to receive the system messages. As previously mentioned, the options are plentiful and diverse in capability. You can find a whole list of software at CNET’s Some are free utilities offered by network equipment suppliers, and others are provided by third-party network software vendors. Most are quite simple to install and configure.

One of the more impressive offerings is the Router IP Console from Innerdive. This software has a great many features, some of them specific to Cisco routers. The Cisco-specific features include:
  • Show current running config
  • CPU and memory load monitoring
  • Environmental monitoring
  • IP accounting monitoring
  • Description for router's interfaces
  • Interface load monitoring
  • Basic support for voice interfaces

The key issue for whichever SYSLOG server you choose is log file setup. In most cases, you’ll want to set up separate log files for each network device you’ll be logging. You’ll also need to decide when the log files roll over or break because of size issues. (Remember: Allowing enormous log files can begin to slow your SYSLOG server down, which in turn will slow down your routers and can cause an entire network to bog down.) Another consideration is how long to keep the logs. Often, this is governed by the amount of available disk space.

The final and most important step in this process is to actually view the log files to ferret out potential network problems. In most cases, these files can easily be imported into a spreadsheet or database for sophisticated querying. There is nothing complex here as these are simply columnar text files. That’s all there is to it. If you want to transcend the day-to-day problem/response cycle, I think you’ll find the logging facility a productive tool in the management of your network environment.
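
One way to carry out the regular log review described above, using the severity levels explained for the logging trap command. This is an added example, not code from the original article; the stored-line layout (receive date, receive time, device name, router message), the device names and the sample lines are constructed assumptions, since each SYSLOG server writes its own column layout.

```python
import re
from collections import Counter

# Syslog severity names in level order, 0 (most severe) to 7 (debugging).
SEVERITY = ("emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging")
# IOS system message tag: %FACILITY-SEVERITY-MNEMONIC: description
IOS_TAG = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+): (.*)")

# Constructed sample. Assumed layout: receive date, receive time, device
# name, then the message as the router sent it (uptime timestamps).
SAMPLE = """\
2001-10-10 20:03:11 rtr-edge1 00:12:31: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
2001-10-10 20:03:12 rtr-edge1 00:12:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
2001-10-10 20:05:02 rtr-core1 1d02h: %SYS-2-MALLOCFAIL: Memory allocation of 1028 bytes failed
2001-10-10 20:05:30 rtr-core1 line truncated in tran
2001-10-10 20:06:02 rtr-edge1 00:15:22: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
"""

def parse(line):
    """Split one stored line into fields; None if it carries no IOS tag."""
    parts = line.split(None, 3)
    m = IOS_TAG.search(parts[3]) if len(parts) == 4 else None
    if m is None:
        return None
    facility, level, mnemonic, text = m.groups()
    return {"received": f"{parts[0]} {parts[1]}", "device": parts[2],
            "event": f"{facility}-{mnemonic}", "level": int(level),
            "severity": SEVERITY[int(level)], "text": text}

def review(lines, max_level=4):
    """Return (urgent, counts, unparsed) for a batch of stored lines."""
    urgent, counts, unparsed = [], Counter(), []
    for line in lines:
        if not line.strip():
            continue
        msg = parse(line)
        if msg is None:
            unparsed.append(line)      # keep for manual review, never drop
            continue
        counts[(msg["device"], msg["event"])] += 1   # repeats show flapping
        if msg["level"] <= max_level:  # lower number = more severe
            urgent.append(msg)
    return urgent, counts, unparsed

if __name__ == "__main__":
    urgent, counts, unparsed = review(SAMPLE.splitlines())
    for m in urgent:
        print(m["received"], m["device"], m["severity"], m["event"], m["text"])
```

Adjust the split in parse() to match the columns your SYSLOG server actually writes; the %FACILITY-SEVERITY-MNEMONIC match does not depend on them.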
