cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
18201
Views
36
Helpful
15
Replies

Maximum log buffer sizes

Eric Marshott
Level 1
Level 1

Syslog is great, but it is much easier in a pinch to see log messages right in console/buffer.

 

Is it safe practice to use the maximum log buffer size shown in Cisco IOS and IOS-XE?

 -3850 running 3.6.6 shows range of value for `logging buffered ` as 4,096-2,147,483,647 
Where is log buffer stored on the device?

 -i dont see any files in any of the filesystems that are the same size as my max-sized log buffer

If the log buffer gets too large, could it overload the management plane?

Much appreciated

-Eric

15 Replies 15

balaji.bandi
Hall of Fame
Hall of Fame

Here is my notes and cisco best practice ;

 

usage: logging buffered buffer_size severity_level

 

example: logging buffered 10000 debugging

 

- The "logging buffered" argument will log messages to internal buffer

- The "debugging" argument will log messages up to Level 7 (debugging)

- The "buffer-size" argument is the size of the buffer from 4096 to 4,294,967,295 bytes. The default size varies by platform. Most commonly use is 10000 or 16384

 

If you don't have a syslog server and is logging local to the device, I advice the following to minimize the logs;

- Don't create a config that will generate logs, like putting log in an ACL

- Try not to use severity_level debugging. Use severity_level warnings - this includes important messages like emergencies, alerts, critical, errors, and warnings, it does not includes notifications and informational

 

I always suggest to Offload the Logs to SYSLOG Server Reasons :

- After buffer full, it will overwride the logs, so evidence is gone.

- Once device rebooted the buffer logs will be no longer able to retrievable.

- when the Device reboots accedentally or due to some issue, you do not have clue why it was reboot.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi @balaji.bandi 

Always grateful to come across your much-valued contributions. Just seeking to if the logs are overwritten once the set size is reached. I am winding up on my project and logging is the last task. I do not have a syslog server.

 

Regards & Respect.

Shaqx

Hello,

 

indeed, once the maximum size of the log buffer is reached, the oldest entries will be overwritten in order.

Hello @Georg Pauwen 

Thank you so much for the confirmation I do deeply appreciate. I have duly increased my buffer size. My questtion is how do I see this messages (text in bold 499 messages logged).

 

SWI-GF-004#sh log
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

 

No Inactive Message Discriminator.


Console logging: level debugging, 499 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 6 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: enabled
File logging: disabled
Persistent logging: disabled

No active filter modules.

Trap logging: level informational, 486 message lines logged
Logging Source-Interface: VRF Name:

Log Buffer (200000 bytes):

Dec 23 2020 14:28:40 CAT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Administrator logged command:logging console 7
Dec 23 2020 14:28:40 CAT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Administrator logged command:logging monitor 7
Dec 23 2020 14:28:40 CAT: %SYS-5-LOG_CONFIG_CHANGE: Buffer logging: level debugging, xml disabled, filtering disabled, size (200000)
Dec 23 2020 14:28:40 CAT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Administrator logged command:logging buffered 200000 7
Dec 23 2020 14:28:40 CAT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Administrator logged command:logging count
Dec 23 2020 14:28:40 CAT: %SYS-5-CONFIG_I: Configured from console by Administrator on vty0 (172.16.0.50)
SWI-GF-004# 

Regards & Respect,

Shaqx

Hello,

 

--> I have duly increased my buffer size. 

 

That is the problem. Adjusting the size of the router’s logging buffer wipes out all of the current contents of the buffer. That is why the console logging shows a different number than the buffer. There is unfortunately no way to retrieve the lost buffer logs.

Thanks so much @Georg Pauwen 

The power issue (today) was after the buffer size increase (yesterday). Shouldn't have been captured?

Regards & Respect,

Shaqx.

Hello,

 

was the device powered off ? If so, the buffered logs would be lost as well...

yes once the buffer full, last messages gone, depends on buffer available increase the value and monitor.

 

for large environment we suggest to have syslog always best, but some time being consultant we do not have authority to mandatory business requirement, we suggest and leave business to take a call, adding note in the hand over project as risk.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi @balaji.bandi 

Thank you so much for your response, always with invaluable pointers. Even as I hand over the project I have already pointed out the need of a Syslog server to the client. I do hope they will take it up (the project has 32 switches).

 I have duly increased my buffer size. My question is how do I see this messages (text in bold 499 messages logged).

 

SWI-GF-004#sh log
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

 

No Inactive Message Discriminator.


Console logging: level debugging, 499 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 6 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: enabled
File logging: disabled
Persistent logging: disabled

No active filter modules.

Trap logging: level informational, 486 message lines logged
Logging Source-Interface: VRF Name:

Log Buffer (200000 bytes):

Dec 23 2020 14:28:40 CAT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Administrator logged command:logging console 7
Dec 23 2020 14:28:40 CAT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Administrator logged command:logging monitor 7
Dec 23 2020 14:28:40 CAT: %SYS-5-LOG_CONFIG_CHANGE: Buffer logging: level debugging, xml disabled, filtering disabled, size (200000)
Dec 23 2020 14:28:40 CAT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Administrator logged command:logging buffered 200000 7
Dec 23 2020 14:28:40 CAT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Administrator logged command:logging count
Dec 23 2020 14:28:40 CAT: %SYS-5-CONFIG_I: Configured from console by Administrator on vty0 (172.16.0.50)
SWI-GF-004# 

Regards & Respect,

Shaqx

Buffer logging: level debugging, 6 messages logged, xml disabled, 

 

that is the reason you seeing 6 messages.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

@balaji.bandi 

Thanks @balaji.bandi I Think I Get You Now

Let Me Explain A Scenario I Am In Right Now As We Speak The Client Is Disputing A Power Issue Yet The Uptime Clearly Indicates Otherwise. 

How Can I View This On The Logs? I Have Configured Logging Level 7 With An Intent To Capture Everything. Kindy Assist I Knw You Can. 

Output For Show Log Is As Below.

F1-SWI-002#sh log
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

 

No Inactive Message Discriminator.


Console logging: level debugging, 154 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 6 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: enabled
File logging: disabled
Persistent logging: disabled

No active filter modules.

Trap logging: level informational, 144 message lines logged
Logging Source-Interface: VRF Name:

Log Buffer (200000 bytes):

Dec 23 12:55:56.447: %PARSER-5-CFGLOG_LOGGEDCMD: User:administrator logged command:logging console 7
Dec 23 12:55:56.461: %PARSER-5-CFGLOG_LOGGEDCMD: User:administrator logged command:logging monitor 7
Dec 23 12:55:56.489: %SYS-5-LOG_CONFIG_CHANGE: Buffer logging: level debugging, xml disabled, filtering disabled, size (200000)
Dec 23 12:55:56.489: %PARSER-5-CFGLOG_LOGGEDCMD: User:administrator logged command:logging buffered 200000 7
Dec 23 12:55:56.503: %PARSER-5-CFGLOG_LOGGEDCMD: User:administrator logged command:logging count
Dec 23 12:55:56.507: %SYS-5-CONFIG_I: Configured from console by administrator on vty0 (172.16.0.50)
F1-SWI-002#

Regards & Respect,

Shaqx

Console logging: level debugging, 154 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 6 messages logged, xml disabled,

as per the above you have 154 console message, which you can view in console.

you have only 6 buffer messages.

 

7 - is the debug, only appears debugging mode.

 

can you post your logging config to understand (also give us what is this device running IOS or NEXUS OS ?) or try below suggested method to work optimally.

 

logging buffered XXXX ( value of bytes)
logging buffered warnings

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello @balaji.bandi 

 

Please do see below the IOS Image is c2960x-universalk9-mz.152-7.E3.bin.

 

configure terminal
logging console 7
logging monitor 7
logging buffered 200000 7
logging count
end

 

Regards & Respect,

Shaqx

 

this syntax ok, check show version uptime. if the revise reload and rebooted, all logs will be gone. so advised syslog to retain all logs.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Review Cisco Networking for a $25 gift card