Implementing System Logging

This module describes the tasks you need to implement logging services on the router.
The Cisco IOS XR Software provides basic logging services. Logging services provide a means to gather
logging information for monitoring and troubleshooting, to select the type of logging information captured,
and to specify the destinations of captured system logging (syslog) messages.
• Implementing System Logging , on page 1

Implementing System Logging

System Logging (Syslog) is the standard application used for sending system log messages. Log messages
indicates the health of the device and point to any encountered problems or simplify notification messages
according to the severity level. The IOS XR router sends its syslog messages to a syslog process. By default,
syslog messages will be sent to the console terminal. But, syslog messages can be send to destinations other
than the console such as the logging buffer, syslog servers, and terminal lines.

Syslog Message Format

By default, the general format of syslog messages generated by the syslog process on the Cisco IOS XR
software is as follows:
node-id : timestamp : process-name [pid] : % message category -group -severity -message
-code : message-text

The following table describes the general format of syslog messages on Cisco IOS XR software.

Table 1: Format of Syslog Messages

Field Description

node-id Node from which the syslog message originated.

timestamp Time stamp in the month day HH:MM:SS format,

indicating when the message was generated.
Note The time-stamp format can be modified
using the service timestamps command.

process-name Process that generated the syslog message.

Implementing System Logging

1
 Implementing System Logging
Prerequisites for Configuring System Logging

Field Description

size Process ID (pid) of the process that generated the

syslog message.

[ pid ] Message category, group name, severity, and message

code associated with the syslog message.

message-text Text string describing the syslog message.

Syslog Message Severity Levels

In the case of logging destinations such as console terminal, syslog servers and terminal lines, you can limit
the number of messages sent to a logging destination by specifying the severity level of syslog messages.
However, for the logging buffer destination, syslog messages of all severity will be sent to it irrespective of
the specified severity level. In this case, the severity level only limits the syslog messages displayed in the
output of the command show logging, at or below specified value. The following table lists the severity level
keywords that can be supplied for the severity argument and the corresponding UNIX syslog definitions in
order from the most severe level to the least severe level.

Table 2: Syslog Message Severity Levels

Severity Keyword Level Description

emergencies 0 System unusable

alert 1 Immediate action needed

critical 2 Critical conditions

errors 3 Error conditions

warnings 4 Warning conditions

notifications 5 Normal but significant

condition

informational 6 Informational messages only

debugging 7 Debugging messages

Prerequisites for Configuring System Logging

These prerequisites are required to configure the logging of system messages in your network operating center
(NOC):
• You must be in a user group associated with a task group that includes the proper task IDs. The command
reference guides include the task IDs required for each command. If you suspect user group assignment
is preventing you from using a command, contact your AAA administrator for assistance.
• You must have connectivity with syslog servers to configure syslog server hosts as the recipients for
syslog messages.

Implementing System Logging

2
 Implementing System Logging
Configuring System Logging

Configuring System Logging

Perform the tasks in this section for configuring system logging as required.

Configuring Logging to the Logging Buffer

Syslog messages can be sent to multiple destinations including an internal circular buffer known as logging
buffer. You can send syslog messages to the logging buffer using the logging buffered command.

Configuration Example
This example shows the configuration for sending syslog messages to the logging buffer. The size of the
logging buffer is configured as 3000000 bytes. The default value for the size of the logging buffer is 2097152
bytes.
RP/0/RP0/CPU0:Router# configure
RP/0/RP0/CPU0:Router(config)# logging buffered 3000000
RP/0/RP0/CPU0:Router(config)# commit

Configuring Logging to a Remote Server

Syslog messages can be sent to destinations other than the console, such as logging buffer, syslog servers,
and terminal lines. You can send syslog messages to an external syslog server by specifying the ip address or
hostname of the syslog server using the logging command. Also you can configure the syslog facility in
which syslog messages are send by using the logging facility command.
The following table list the features supported by Cisco IOS XR Software to help managing syslog messages
sent to syslog servers.

Table 3: Features for Managing Syslog Messages

Features Description

UNIX system log facility Facility is the identifier used by UNIX to describe the
application or process that submitted the log message.
You can configure the syslog facility in which syslog
messages are sent by using the logging facility
command.

Hostname prefix logging Cisco IOS XR Software supports hostname prefix

logging. When enabled, hostname prefix logging
appends a hostname prefix to syslog messages being
sent from the router to syslog servers. You can use
hostname prefixes to sort the messages being sent to
a given syslog server from different networking
devices. Use the logging hostname command to
append a hostname prefix to syslog messages sent to
syslog servers

Implementing System Logging

3
 Implementing System Logging
Configuring Logging to Terminal Lines

Features Description

Syslog source address logging By default, a syslog message sent to a syslog server
contains the IP address of the interface it uses to leave
the router. Use the logging source-interface
command to set all syslog messages to contain the
same IP address, regardless of which interface the
syslog message uses to exit the router.

Configuration Example
This example shows the configuration for sending syslog messages to an external syslog server. The ip address
10.3.32.154 is configured as the syslog server and the logging trap command is used to limit the syslog
messages sent to syslog servers based on severity.
RP/0/RP0/CPU0:Router# configure
RP/0/RP0/CPU0:Router(config)# logging 10.3.32.154
RP/0/RP0/CPU0:Router(config)# logging trap warnings
RP/0/RP0/CPU0:Router(config)# logging facility kern (optional)
RP/0/RP0/CPU0:Router(config)# logging hostnameprefix 123.12.35.7 (optional)
RP/0/RP0/CPU0:Router(config)# logging source-interface TenGigE 0/0/0/10(optional)
RP/0/RP0/CPU0:Router(config)# commit

Configuring Logging to Terminal Lines

By default syslog messages will be sent to the console terminal. But, syslog messages can also be send to
terminal lines other than the console. You can send syslog messages to the logging buffer using the logging
monitor command.

Configuration Example
This example shows the configuration for sending syslog messages to terminal lines other than console. In
this example, severity level is configured as critical. The terminal monitor command is configured to display
syslog messages during a terminal session. The default severity level is debugging.
RP/0/RP0/CPU0:Router# configure
RP/0/RP0/CPU0:Router(config)# logging monitor critical
RP/0/RP0/CPU0:Router(config)# commit
RP/0/RP0/CPU0:Router# terminal monitor

Modifying Logging to Console Terminal

By default syslog messages will be sent to the console terminal. You can modify the logging of syslog messages
to the console terminal

Configuration Example
This example shows how to modify the logging of syslog messages to the console terminal.
RP/0/RP0/CPU0:Router# configure
RP/0/RP0/CPU0:Router(config)# logging console alerts
RP/0/RP0/CPU0:Router(config)# commit

Implementing System Logging

4
 Implementing System Logging
Modifying Time Stamp Format

Modifying Time Stamp Format

By default, time stamps are enabled for syslog messages. Time stamp is generated in the month day HH:MM:SS
format indicating when the message was generated.

Configuration Example
This example shows how to modify the time-stamp for syslog and debugging messages.
RP/0/RP0/CPU0:Router# configure
RP/0/RP0/CPU0:Router(config)# service timestamps log datetime localtime msec or service
timestamps log uptime
RP/0/RP0/CPU0:Router(config)# service timestamps debug datetime msec show-timezone or service
timestamps debug uptime
RP/0/RP0/CPU0:Router(config)# commit

Suppressing Duplicate Syslog Messages

Suppressing duplicate messages, especially in a large network, can reduce message clutter and simplify the
task of interpreting the log. The duplicate message suppression feature substantially reduces the number of
duplicate event messages in both the logging history and the syslog file.

Configuration Example
This example shows how to suppress the consecutive logging of duplicate syslog messages.
RP/0/RP0/CPU0:Router# configure
RP/0/RP0/CPU0:Router(config)# logging suppress duplicates
RP/0/RP0/CPU0:Router(config)# commit

Archiving System Logging Messages to a Local Storage Device

Syslog messages can also be saved to an archive on a local storage device, such as the hard disk or a flash
disk. Messages can be saved based on severity level, and you can specify attributes such as the size of the
archive, how often messages are added (daily or weekly), and how many total weeks of messages the archive
will hold. You can create a logging archive and specify how the logging messages will be collected and stored
by using the logging archive command.
The following table lists the commands used to specify the archive attributes once you are in the logging
archive submode.

Table 4: Commands Used to Set Syslog Archive Attributes

Features Description

archive-length weeks Specifies the maximum number of weeks that the

archive logs are maintained in the archive. Any logs
older than this number are automatically removed
from the archive.

archive-size size Specifies the maximum total size of the syslog

archives on a storage device. If the size is exceeded
then the oldest file in the archive is deleted to make
space for new logs.

Implementing System Logging

5
 Implementing System Logging
Archiving System Logging Messages to a Local Storage Device

Features Description

device {disk0 | disk1 | harddisk} Specifies the local storage device where syslogs are
archived. By default, the logs are created under the
directory device/var/log. If the device is not
configured, then all other logging archive
configurations are rejected. We recommend that
syslogs be archived to the harddisk because it has
more capacity than flash disks.

file-size size Specifies the maximum file size (in megabytes) that
a single log file in the archive can grow to. Once this
limit is reached, a new file is automatically created
with an increasing serial number.

frequency {daily | weekly} Specifies if logs are collected on a daily or weekly

basis.

severity severity Specifies the minimum severity of log messages to

archive. All syslog messages greater than or equal to
this configured level are archived while those lesser
than this are filtered out.

Configuration Example
This example shows how to save syslog messages to an archive on a local storage device.
RP/0/RP0/CPU0:Router# configure
RP/0/RP0/CPU0:Router(config)# logging archive
RP/0/RP0/CPU0:Router(config-logging-arch)# device disk1
RP/0/RP0/CPU0:Router(config-logging-arch)# frequency weekly
RP/0/RP0/CPU0:Router(config-logging-arch)# severity warnings
RP/0/RP0/CPU0:Router(config-logging-arch)# archive-length 6
RP/0/RP0/CPU0:Router(config-logging-arch)# archive-size 50
RP/0/RP0/CPU0:Router(config-logging-arch)# file-size 10
RP/0/RP0/CPU0:Router(config)# commit

Implementing System Logging

6