Keep on top of network issues with the help of Cisco router logs


Getting caught up in day-to-day tasks is just part of being an administrator. So how do you get to the point where you’re planning and controlling the network instead of continuously reacting to it? This article is aimed at helping you get on top of network issues by showing you how to monitor Cisco router and switch informational messages, which inform you of the health and status of your network. Few of us have time to routinely watch the console for important messages, but we can log these messages en masse. Then, the logs can be parsed on a regular basis to search for potential problems before they happen, rather than awaiting their arrival in the form of a crisis.

View logging settings on your router
The router can log messages to a buffer, but the number of messages and size of the log is somewhat limited by available memory. You can view the logging settings of your router by using the following command:

Router# show log

A more effective method involves logging messages to a server, where they can be stored in a file. To capture this information, we can use the logging feature on a Cisco router to direct system messages to a SYSLOG server, where they’re then stored. SYSLOG server software with varying capabilities is readily available for most server operating systems (more about this later). To accomplish logging to a SYSLOG server, we must first enable logging on the router with the following command:

Router(config)# logging on

Then, after enabling the logging feature, we can tell it where to send the system messages with this command:

Router(config)# logging

Here, we have specified the actual IP address of the SYSLOG server. Logging can be set for different message levels from 0 to 7, as shown in Figure A.

Figure A

The most critical messages are logged at level 0; severity decreases as the level number increases.

Severity level is especially relevant if you’re interested in logging only certain types of system messages. Under most circumstances, you won’t want to log some message types. For instance, debug messages are generally used only during troubleshooting and will need to be displayed at the console, rather than being redirected to a SYSLOG server. With this in mind, we can now set the level of messages that we want logged to the SYSLOG server for storage, as follows:

Router(config)# logging trap informational

As a result of this command, all system messages up to and including informational (severity 0-6) will be trapped to the SYSLOG server.

After you’ve enabled logging, you may notice that the times listed in the system messages are incorrect. The time must be set on the router for the messages to be written with the correct time. To set the time, you can use the clock set command:

Router# clock set 20:03:00 10 October 2001

Here, we’ve set the time using the following format: hh:mm:ss day month year. You can confirm the setting with the show clock command; your logs will now display the current time. Another issue associated with time and logging is the timestamp. For system messages to be written with time information, timestamps must be enabled, as follows:

Router(config)# service timestamps log uptime

This command is generally found at or near the beginning of the router configuration and can easily be viewed with the show run command. At this point, we have completed all the router configuration tasks necessary to perform logging to a SYSLOG system. Again, you can verify the logging configuration using the show logging command.

SYSLOG server thoughts
Now, we simply need a SYSLOG server to receive the system messages. As previously mentioned, the options are plentiful and diverse in capability. You can find a whole list of SYSLOG software by searching CNET’s Some are free utilities offered by network equipment suppliers, and others are provided by third-party network software vendors. Most are quite simple to install and configure.

One of the more impressive offerings is the Router IP Console from Innerdive. This software has a great many features, some specific to Cisco routers. The Cisco-specific features include:

  • Show current running config.
  • CPU and memory load monitoring.
  • Environmental monitoring.
  • IP accounting monitoring.
  • Descriptions of the router's interfaces.
  • Interface load monitoring.
  • Basic support for voice interfaces.

The key issue for the SYSLOG server you choose is log file setup. In most cases, you’ll want to be able to set up separate log files for each network device you’ll be logging. You’ll also need to decide when the log files roll over or break because of size issues. Remember: Allowing enormous log files can slow down your SYSLOG server, which in turn will slow down your routers and can eventually even cause an entire network to bog down. Another consideration is how long to keep the logs. Often, this is governed by the amount of available disk space.

Putting the logs to work
Of course, the final and most important step in this process is to actually view the log files to ferret out potential network problems. In most cases, these files can easily be imported into a spreadsheet or database for sophisticated querying. There is nothing complex here, as these are simply columnar text files.
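As an added example (not part of the original article), the Python sketch below parses stored messages, groups them per device as separate log files would, and applies a severity threshold the same way logging trap does. The server-side line layout is an assumption that depends on your SYSLOG software, the sample lines are constructed, and the parser accepts both the uptime stamps produced by the configuration above and datetime stamps.

```python
import re
from collections import Counter, defaultdict

# Cisco IOS severity names, level 0 (most severe) through 7 (debugging).
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]
# IOS message body: %FACILITY-SEVERITY-MNEMONIC: description
IOS_MSG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")
# Assumed server-side layout: "<Mon DD HH:MM:SS> <device> <IOS message>".
LINE = re.compile(r"^(?P<received>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<device>\S+) (?P<rest>.*)$")

# Constructed sample lines (documentation addresses), uptime and datetime stamps.
SAMPLE_LOG = """\
Oct 10 20:03:05 192.0.2.1 45: 00:12:31: %LINK-3-UPDOWN: Interface Serial0, changed state to down
Oct 10 20:03:06 192.0.2.1 46: 00:12:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
Oct 10 20:04:10 192.0.2.2 12: *Oct 10 20:04:09: %SYS-5-CONFIG_I: Configured from console by console
Oct 10 20:05:00 192.0.2.2 13: *Oct 10 20:04:59: %SYS-2-MALLOCFAIL: Memory allocation of 1028 bytes failed
Oct 10 20:05:01 192.0.2.2 this line is not an IOS message
"""

def parse(log_text):
    """Yield one dict per IOS message; lines that do not match are skipped."""
    for line in log_text.splitlines():
        outer = LINE.match(line)
        inner = IOS_MSG.search(outer.group("rest")) if outer else None
        if inner:
            yield {"received": outer.group("received"), "device": outer.group("device"),
                   "facility": inner.group("facility"), "severity": int(inner.group("sev")),
                   "mnemonic": inner.group("mnemonic"), "text": inner.group("text")}

def split_by_device(records):
    """Group records per device, mirroring one log file per network device."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["device"]].append(rec)
    return dict(groups)

def urgent(records, max_level=3):
    """Keep records at max_level or more severe (lower number = more severe)."""
    return [r for r in records if r["severity"] <= max_level]

def summary(records):
    """Count messages per (device, severity name) for a quick health overview."""
    return Counter((r["device"], SEVERITY[r["severity"]]) for r in records)

if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOG))
    for r in urgent(recs):
        print(r["received"], r["device"], SEVERITY[r["severity"]], r["mnemonic"], r["text"])
```

Run on a schedule against each device's file, the urgent() output is the short list worth reading first, while summary() shows which devices are getting noisier over time.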

That’s all there is to it. If you want to transcend the day-to-day problem/response cycle, I think you’ll find the logging facility a productive tool in the management of your network environment.