Configuring Logging

18 Mar

The process for configuring a router to log events is straightforward, yet it is one of the most important security configuration changes that security administrators will make on their routers. To enable logging, follow these steps:

1. Use the logging on global configuration command to enable logging of messages. This command is enabled by default and will be needed only if message logging has been disabled.

2. Use the following command to configure all logging messages to contain the same IP address:

logging source-interface <interface type interface number>

By default the logging message contains the IP address of the interface it uses to leave the router.

3. Use this command to define a logging server that should receive the logging messages (more than one host may be defined):

logging <buffered|monitor|console|ip address>

4. Use the logging trap <level> command to define the level of detail for logged messages.
Table 3.1 earlier in this chapter lists event error messages and their corresponding severity levels.

5. Use the following command to enable time stamping of log messages:

service timestamps log <datetime|uptime> [msec] [localtime] [show-timezone]

The logging buffered command copies logging messages to an internal buffer within the router. This buffer is circular in nature, meaning newer messages overwrite older messages when the buffer becomes full. The logging ip address command identifies a server to receive logging messages. The logging monitor command logs messages to the nonconsole terminal. The logging console command copies logging messages to the console port of the router.
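The five steps above can be checked against a saved configuration. The following Python audit is an added example, not part of the original text; the function name, the two sample configurations, the address 192.0.2.10 and the minimum trap level of 4 are assumptions made for illustration.

```python
import re

LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

def audit_logging(config, min_trap=4):
    """Return findings for the five steps; min_trap=4 is an assumed policy."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    # Step 1: logging is on by default, so only an explicit "no logging on" matters.
    if "no logging on" in lines:
        findings.append("logging is disabled (no logging on)")
    # Step 2: a fixed source interface gives every message the same source address.
    if not any(re.match(r"logging source-interface \S+", l) for l in lines):
        findings.append("no logging source-interface")
    # Step 3: a remote server, written "logging <ip>" or "logging host <ip>".
    server = re.compile(r"logging (host )?\d{1,3}(\.\d{1,3}){3}$")
    if not any(server.match(l) for l in lines):
        findings.append("no syslog server defined")
    # Step 4: with no "logging trap" line the default level is informational (6).
    trap = 6
    for l in lines:
        m = re.match(r"logging trap (\S+)$", l)
        if m:
            trap = int(m.group(1)) if m.group(1).isdigit() else LEVELS.get(m.group(1), trap)
    if trap < min_trap:
        findings.append(f"trap level {trap} filters out level-{min_trap} messages")
    # Step 5: the last "service timestamps log" line wins; uptime counts from reload.
    stamps = [l for l in lines if l.startswith("service timestamps log ")]
    if not stamps or " datetime" not in stamps[-1]:
        findings.append("log timestamps are not datetime")
    return findings

# Constructed sample configurations; 192.0.2.10 is a documentation address.
HARDENED = """
service timestamps log datetime msec
no logging console
logging source-interface Loopback1
logging trap warnings
logging 192.0.2.10
"""
WEAK = """
service timestamps log uptime
no logging on
logging trap errors
"""

for sample in (HARDENED, WEAK):
    print(audit_logging(sample) or "all five steps present")
```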

Router B in Figure 3.10 is configured to send warning level logging messages to the syslog server at IP address Router B is configured with a loopback interface that has an IP address of, and this interface is to be the source of all logging messages that Router B sends. Listing 3.23 details the configuration commands needed to enable Router B for message logging to host

Figure 3.10: A network design with logging defined.
Listing 3.23: Router B’s logging configuration.

#config t
#service timestamps log uptime
#service timestamps log datetime msec
#no logging console
#logging source-interface loopback1
#logging trap 4

In Listing 3.23, Router B has been configured to log warning level messages to the system logging server with an IP address of To verify that logging has been properly configured, issue the show logging command. Listing 3.24 displays the output.

Listing 3.24: Show logging output.

Router-B#show logging
Syslog logging: enabled (0 messages dropped,
0 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 146 messages logged
Trap logging: level warning, 151 message lines logged
Logging to, 151 message lines logged
Log Buffer (8192 bytes):
: %SONET-4-ALARM: POS0/1/0: B3 BER exceeds threshold
: %SONET-4-ALARM: POS0/1/0: B3 BER below threshold
: %WCCP-5-CACHEFOUND: Web Cache acquired
: %WCCP-5-CACHEFOUND: Web Cache acquired
: %STANDBY-6-STATECHANGE: Standby: 1: Vlan1 state Standby
: %STANDBY-6-STATECHANGE: Standby: 1: Vlan1 state Active
: %STANDBY-6-STATECHANGE: Standby: 1: Vlan1 state Speak

The output in Listing 3.24 shows that console logging has been disabled. Monitor and buffer logging are logged at the default debugging level. Notice that the trap logging has been changed from the default informational logging level to the warning level and the server the trap messages are sent to is displayed as well. The show logging command also displays the number of messages logged by each method.
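The buffer in Listing 3.24 holds messages of severity 4, 5 and 6 because buffer logging is at the debugging level, while the syslog server only receives those whose severity number is at or below the trap level. The Python sketch below is an added example, not part of the original text; it parses the %FACILITY-SEVERITY-MNEMONIC header of the buffer lines and splits them by a chosen level, and the function names are assumptions.

```python
import re

# Header of an IOS log message: %FACILITY-SEVERITY-MNEMONIC: text
HEADER = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+): (.*)")

# Keyword form of each level, indexed by its number (0 is the most severe).
KEYWORDS = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

def level_number(level):
    """Accept a number (4, '4') or a keyword ('warnings')."""
    text = str(level).lower()
    if text.isdigit() and int(text) <= 7:
        return int(text)
    return KEYWORDS.index(text)  # raises ValueError for an unknown level

def split_by_level(lines, level):
    """Return (sent, held): a message is sent when its severity <= level."""
    limit = level_number(level)
    sent, held = [], []
    for line in lines:
        m = HEADER.search(line)
        if m is None:  # banner lines such as "Log Buffer (8192 bytes):"
            continue
        facility, severity, mnemonic, _ = m.groups()
        tag = f"{facility}-{severity}-{mnemonic}"
        (sent if int(severity) <= limit else held).append(tag)
    return sent, held

# Buffer lines from Listing 3.24, typed with ASCII hyphens.
BUFFER = [
    "Log Buffer (8192 bytes):",
    ": %SONET-4-ALARM: POS0/1/0: B3 BER exceeds threshold",
    ": %SONET-4-ALARM: POS0/1/0: B3 BER below threshold",
    ": %WCCP-5-CACHEFOUND: Web Cache acquired",
    ": %WCCP-5-CACHEFOUND: Web Cache acquired",
    ": %STANDBY-6-STATECHANGE: Standby: 1: Vlan1 state Standby",
    ": %STANDBY-6-STATECHANGE: Standby: 1: Vlan1 state Active",
    ": %STANDBY-6-STATECHANGE: Standby: 1: Vlan1 state Speak",
]

sent, held = split_by_level(BUFFER, 4)  # same level as "logging trap 4"
print("sent to server:", sent)
print("kept out of the trap stream:", held)
```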

Another command that can be used to view logging information is the show logging history command. Its output displays information in the system logging history table, such as the table size, the status of messages, and the text of the messages stored in the table. If message traps are logged to a Simple Network Management Protocol (SNMP) management station, be sure that traps to the network management station have been enabled with the snmp-server enable trap command.

The level of messages sent and stored in a history table on the router can be changed. The number of messages that get stored in the history table can be changed as well. Messages are stored in the history table because SNMP traps are not guaranteed to reach their destination. By default, one message of the level warning is stored in the history table even if log traps are not enabled. The output of the show logging history command is shown in Listing 3.25.

Listing 3.25: Show logging history output.

Router-B#sh logging history
Syslog History Table:1 maximum table entries,
saving level warnings or higher
73 messages ignored, 0 dropped, 0 recursion drops
72 table entries flushed
SNMP notifications not enabled
entry number 73 : SYS-4-SNMP_WRITENET
SNMP WriteNet request. Writing current config to
timestamp: 313923920

As mentioned earlier, the logging history level can be changed; notice in Listing 3.25 that the logging history table lists 1 maximum table entry. The table history size can be changed as well. You can change the history level as well as the size of the history table by using the following commands:

Use the logging history <level> command, where the level equals the values detailed in Table 3.1, to change the default level of log messages stored in the history file and sent to the SNMP server.

Use the logging history size <size> command, where the size is a number between 0 and 500, to change the number of log messages that can be stored in the history table.

The following commands add the logging history and logging history size commands to the configuration of Router B. The arguments of these commands should be reflected in the show logging history command:

#config t
#logging history 3
#logging history size 400

The configuration changes that were made can be seen in the output of the show logging history command. Listing 3.26 reflects the changes that were made.

Listing 3.26: Show logging history.

Router-B#sh logging history
Syslog History Table:400 maximum table entries,
saving level errors or higher
73 messages ignored, 0 dropped, 0 recursion drops
72 table entries flushed
SNMP notifications not enabled
entry number 74 : SYS-5-CONFIG_I
SNMP WriteNet request. Writing current config to
timestamp: 176910958

Related solution: Configuring SNMP Security (found on page 26)
