Cisco IOS Syslog Messages

Hello,
I hope you are well.
I would like to see the difference, especially regarding the application, between the Syslog and SNMP protocols.

Hello Neves

SNMP and Syslog are similar in that they are both used to monitor network devices. But the similarities end there.

Syslog will generate a message whenever an event occurs on the device. The level of detail and what events are actually logged depends upon the configured severity level. There are eight severity levels from debugging, which is the least severe, denoted by 0, and Emergency which is the most severe denoted by 7. You can set the level which you want to log messages. A level of 4 for example, will log all Syslog messages with a severity level of 4 and above. Logging can take place on the device itself, or logs can be sent to an external Syslog server to be further parsed and analyzed. More about Syslog can be found here:

SNMP on the other hand is somewhat more active. SNMP uses what are known as traps. A trap is a notification that is sent as soon as an event occurs. Traps can be configured to be sent as soon as an event occurs, or an SNMP server can request particular traps, that is, the status of those elements in the device, at any particular time. SNMP v3 also includes acknowledgements to these traps, so such communication becomes reliable, something that is not available with Syslog.
SNMP is also able to send commands from the SNMP server to the device to change configuration parameters, something that syslog does not do. You can find out more about SNMP at the following lesson:

You can also learn about the various SNMP versions that add additional capabilities to the protocol.

I hope this has been helpful!

Laz

Hi Rene,

I’m looking for a sh log command which can display the last 100 lines of text. Thanks!!

Shine

Hello Shine

The show logging command will show you all of the logs that have been saved on the device. The number of events it will keep in the logging buffer depends upon the size of the buffer. The default buffer size on most systems is 4096 bytes, but you can change the size of the buffer using the logging buffered command.

The output will appear on the screen and can show you all of the contents of the buffer. You can’t choose only the last lines to be displayed; however, you can output the results of a show command to a text file using the following command:

show logging | redirect

You can redirect to a local file like so:

show logging | redirect flash:my_log.txt

Or you can redirect to a remote file like so:

show logging | redirect tftp://x.x.x.x/my_log.txt

Then you can take a look at the last 100 lines.

I hope this has been helpful!

Laz

Hi,
Is there any specific advised/recommended percentage of RAM that we should use for logging buffered?
If logging buffered was set too high and the switch/router needed the extra RAM, would the switch overwrite the log files and take the RAM, or would the switch simply be out of RAM?

Hello Sean

According to Cisco’s documentation, it seems that there is a danger of the available RAM on a device being depleted if the logging buffered command is set too high. Specifically, it states:

When you resize the logging buffer, the existing buffer is freed and a new buffer is allocated. To prevent the router from running out of memory, do not make the buffer size too large. You can use the show memory EXEC command to view the free processor memory on the router; however, the memory value shown is the maximum available and should not be approached. The default logging buffered command resets the buffer size to the default for the platform.

The command does give you a maximum buffer size of 2147483647 in bytes, which is over 2 Gigabytes in size. If this is greater than the physical memory available, then you can indeed run out of memory if this is set too high.

The recommendation is to keep the size as small as possible. Use the commands above to determine the amount of available RAM. However, if you are approaching the limit of the device and you need considerably more logging history, then use an external Syslog server.

I hope this has been helpful!

Laz

Hello Réné, thank you for the course.
Tell me, what is this course really for, and how can I use it in my professional life?
I appreciate your interest in my question.

Hello Berthol

The Syslog feature is very useful for monitoring a large network and troubleshooting. I have several large networks that I oversee and I have configured a Syslog server for each network to collect the Syslog messages that are generated by the network equipment.

Looking at individual syslog messages can be useful, but sometimes you may have hundreds or thousands of messages that you have to sort through, and that is not useful at all! That is where you can use a Syslog server to not only collect the logs, but also to analyze them, generate reports, and alerts, and provide you with useful and visual information about the current and historical state of your network.

LibreNMS is an example of a network monitoring tool that includes Syslog management.

I hope this has been helpful!

Laz

Thank you for the clear answer.

Hello, everyone!

When it comes to logging to the VTY lines, both logging monitor level and terminal monitor must be issued, correct?

Why does it work like this? Isn’t issuing them both a little redundant? Why issue the terminal monitor command if we’ve already enabled logging to the VTY lines using the logging monitor level command?

Kind regards,
David

Hello David

While it might seem redundant, the two commands actually serve different purposes in Cisco IOS.

The command logging monitor level is used to set the severity level of messages that will be logged to the terminal lines (VTY). The level parameter specifies the types of messages to be logged. For instance, if you set the level as ‘debugging’, it will include lower severity level messages such as informational, notifications, warnings, errors, critical, alerts, and emergencies.

On the other hand, the terminal monitor command is used to enable or disable the display of logging messages to your current VTY session. By default, logging to the terminal lines is disabled. So, even if you’ve set a certain severity level with the ‘logging monitor’ command, even though those messages will be logged, you won’t see the messages on your CLI until you enable them with ‘terminal monitor’.

I hope this has been helpful!

Laz

Is there a way for us to specify a logging range?

For example, what if we only wanted to see syslog messages ranging from 3-6?

Instead of logging trap 6, which would display 0-6, how can we make it more granular? Or is that not possible?

Hello Cameron

To achieve what you are describing, you can use the logging discriminator command. You can use it for a more granular configuration of what syslog messages to maintain. With it, you can configure not only the severity, but you can also match specific strings within the syslog messages themselves. Take a look at this Cisco command reference for more details:

I hope this has been helpful!

Laz
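
Two of the questions above (viewing only the last 100 lines of a redirected show logging file, and seeing only severities 3-6) can also be handled off the device once the log has been saved. The following Python is an added example, not part of the original thread or of Cisco's tooling; it filters after collection rather than with logging discriminator, assumes the standard %FACILITY-SEVERITY-MNEMONIC message format with 0 as emergencies and 7 as debugging, and uses a constructed sample log.

```python
import re
from collections import deque

# Standard syslog numbering used by IOS: 0 is the most severe, 7 the least.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# Matches the %FACILITY-SEVERITY-MNEMONIC: text part of an IOS message.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_-]+?)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)

def parse_line(line):
    """Return a dict for an IOS syslog line, or None for header/other lines."""
    m = MSG_RE.search(line)
    if not m:
        return None
    sev = int(m.group("sev"))
    return {"facility": m.group("facility"), "severity": sev,
            "level": SEVERITY_NAMES[sev], "mnemonic": m.group("mnemonic"),
            "text": m.group("text").strip(), "raw": line.rstrip("\n")}

def tail_messages(lines, last=100, min_sev=0, max_sev=7):
    """Keep the last `last` messages whose severity is in [min_sev, max_sev]."""
    kept = deque(maxlen=last)  # bounded, so large files are not held in memory
    for line in lines:
        msg = parse_line(line)
        if msg and min_sev <= msg["severity"] <= max_sev:
            kept.append(msg)
    return list(kept)

# Constructed sample of a saved `show logging` buffer (not real device output).
SAMPLE = """\
Syslog logging: enabled
Log Buffer (4096 bytes):
*Mar  1 00:01:02.003: %SYS-5-CONFIG_I: Configured from console by admin on vty0
*Mar  1 00:01:10.120: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
*Mar  1 00:01:11.120: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Mar  1 00:02:30.441: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test] [Source: 192.0.2.10]
*Mar  1 00:03:00.000: %PLATFORM_ENV-1-FAN: Faulty fan detected
*Mar  1 00:03:05.500: %SYS-7-DEBUG_SAMPLE: Constructed debug-level message
"""

if __name__ == "__main__":
    # With a real file: open("my_log.txt") in place of SAMPLE.splitlines().
    for msg in tail_messages(SAMPLE.splitlines(), last=100, min_sev=3, max_sev=6):
        print(msg["severity"], msg["level"], msg["facility"], msg["mnemonic"])
```

Header lines such as the buffer size banner do not match the pattern and are skipped, so the count of 100 applies to actual messages rather than raw lines.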