Get to know your logging options in the Cisco IOS

Knowing how to properly use logging is a necessary skill for any network administrator, and the Cisco IOS offers many options for logging. To help bring you up to speed, David Davis discusses how to configure logging, examines how to view the log and its status, and looks at three common errors when it comes to logging.

Knowing how to properly use logging is a necessary skill for any network administrator. It's vital that you know how to use logging when it comes time to start troubleshooting.

The Cisco IOS offers a great many options for logging. To help bring you up to speed, let's discuss how to configure logging, examine how to view the log and its status, and look at three common errors when it comes to logging.

The logging command in Global Configuration Mode and the show logging command in Privileged Mode are two simple but powerful tools to configure and show all Cisco IOS logging options. Let's take a closer look.

Configure logging in the Cisco IOS

When configuring logging, the most important command to know is the logging command, used when in Global Configuration Mode. Here's an example of this command and its options.

router(config)# logging ?
  Hostname or A.B.C.D   IP address of the logging host
  buffered              Set buffered logging parameters
  buginf                Enable buginf logging for debugging
  cns-events            Set CNS Event logging level
  console               Set console logging parameters
  count                 Count every log message and timestamp last occurrence
  exception             Limit size of exception flush output
  facility              Facility parameter for syslog messages
  history               Configure syslog history table
  host                  Set syslog server IP address and parameters
  monitor               Set terminal line (monitor) logging parameters
  on                    Enable logging to all supported destinations
  origin-id             Add origin ID to syslog messages
  rate-limit            Set messages per second limit
  reload                Set reload logging level
  server-arp            Enable sending ARP requests for syslog servers when 
                        first configured
  source-interface      Specify interface for source address in 
                        logging transactions
  trap                  Set syslog server logging level
  userinfo              Enable logging of user info on privileged mode enabling

router(config)# logging

While the scope of this article prevents us from exploring every one of these options, let's take a look at the most common ones.

You can configure the router to send buffered logging of its events to the memory. (Rebooting the router will lose all events stored in the buffered log.) Here's an example:

Router(config)# logging buffered 16384

You can also send the router's events to a syslog server. This is an external server running on your network. Most likely, the syslog server is running on a Linux or Windows server. Because it's external to the router, there's an added benefit: It preserves events even if the router loses power. A syslog server also provides for centralized logging for all network devices.

To configure syslog logging, all you need to do is use the logging command and the hostname or IP address of the syslog server. So, to configure your Cisco device to use a syslog server, use the following command:

Router(config)# logging

To learn more about using syslog with the Cisco IOS, check out this TechRepublic download, "Use syslog to monitor and troubleshooting Cisco devices."

The Cisco IOS enables logging to the console, monitor, and syslog by default. But there's a catch: There's no syslog host configured, so that output goes nowhere.

There are eight different logging levels.

  • 0—emergencies
  • 1—alerts
  • 2—critical
  • 3—errors
  • 4—warnings
  • 5—notification
  • 6—informational
  • 7—debugging

The default level for console, monitor, and syslog is debugging. The logging on command is the default. To disable all logging, use the no logging on command.

By default, the router logs anything at the level of debugging and greater. That means that logging occurs from level 7 (debugging) up to level 0 (emergencies). If you want to par down what the system logs, use something like the logging console notifications command.

In addition, the router doesn't enable logging to the system buffer by default. That's why you must use the logging buffered command to enable it.

View the status of logging and the logging itself

To view the status of your logging as well as the local buffered log, use the show logging command. Here's an example:

router# show logging
Syslog logging: enabled (0 messages dropped, 394 messages rate-limited,
                91 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 2766982 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 12370 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 2754146 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level debugging, 3420603 message lines logged
        Logging to, 3420603 message lines logged, xml disabled,
               filtering disabled
Log Buffer (10000000 bytes):
Feb  7 13:34:00.065 CST: %LINK-3-UPDOWN: Interface Serial1/1:22, changed state 
to up
Feb  7 13:34:00.069 CST: %DIALER-6-BIND: Interface Se1/1:22 bound 
to profile Di96

Note that this router has enabled syslog logging and is sending it to host In addition, console logging is at the debugging level, and the setting for local buffered logging is 10,000,000 bytes.

Look out for these common
logging errors

Logging can be frustrating at times. To help prevent some of that frustration, let's look at three common errors.

Not setting the terminal to monitor logging

If you Telnet into a router and can't see some of the logging you're expecting, check to see if you've set your terminal to monitor the logging. You can enable this with the terminal monitor command. To disable it, use the terminal no monitor command.

To determine whether you've enabled monitoring, use the show terminal command, and look for the following:

Capabilities: Receives Logging Output

If you see this, you're monitoring logging output. If it returns None for capabilities, then the monitoring is off.

Using the incorrect logging level

If you can't see logging output, you should also check whether you've set the level correctly. For example, if you've set the console logging to emergencies but you're running debugging, you won't see any debugging output on the console.

To determine the set level, use the show logging command. Keep in mind that you need to set the level to a higher number to see all levels below it. For example, setting logging at debugging shows you every other level.

In addition, make sure you match the type of logging that you want to see with the level you're configuring. If you configure monitor logging to debug but you're on the console and you've set it to informational, you won't see the debug output on the console.

Displaying the incorrect time and date in logs

You may see log messages that don't exhibit the correct date and time. There are a variety of options to control the date and time that appear on logging output (either to the screen or to the buffer). To control this, use the following command:

Router(config)# service timestamps debug ?
  datetime      Timestamp with date and time
  uptime        Timestamp with system uptime

Remember that many problems require some kind of historical log to help find a solution. That's why it's important to make sure you've properly configured logging so you can use your logs to see the past.

Miss a column?

Check out the Cisco Routers and Switches Archive, and catch up on David Davis' most recent columns.

Want to learn more about router and switch management? Automatically sign up for our free Cisco Routers and Switches newsletter, delivered each Friday!

David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

Editor's Picks

Free Newsletters, In your Inbox