cisco show logs - view history logs

SJ K
Level 5

Hi gurus,

 

Below are my logging configurations

 

R2#show log
Syslog logging: enabled (12 messages dropped, 0 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.
No Inactive Message Discriminator.

    Console logging: level debugging, 70 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: disabled
    Buffer logging:  disabled, xml disabled,
                     filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.
ESM: 0 messages dropped
    Trap logging: level informational, 74 message lines logged

Q1) Is there any way to view history logs? (I see that there are 70 messages logged in the console logging) -- how do I see them?

Q2) Is logging a global setting? I mean, besides setting where to send the logging information to, can we set what things we want to have logging for (such as a certain interface I want to have logs for, but a certain interface I don't want any logs for)?

Q3) When we set logging console 7, does it mean all severity levels 0 to 7 will be logged, or only severity 7 will be logged?
Can we log all severity information from 0 to 7?

Q4) You can see that the syslog is turned on, but I can't disable it as there is no host/IP information in show log. Why?
no logging host ?.?.?.?

 

Regards,
Noob


Mark Malone
VIP Alumni

Q1) Your switch is set to log to console; set it to log to buffer to store in the switch so you can view them. You will only see console logs as they come in on your screen as you're logged in by console. Set more than the default of 4096 as well to avoid overwriting any alarms. As well, these logs wipe after reboot; that's why syslog is a good idea to configure.

Q2) Yes, you can log a specific interface or not: logging event under the interface.

Q3) Yes, just 7; logging buffered without any number attached gives you everything.

Q4) It's on, but it's not doing anything until you configure the IP address for it to send the information to.

Make sure to set your service timestamps; see this link:

http://www.ciscopress.com/articles/article.asp?p=426638&seqNum=3
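
The settings described in this reply, written out as an IOS configuration. This is an added example, not part of the original thread; the buffer size, the console level, the collector address 192.0.2.10 (a documentation placeholder) and the choice of FastEthernet0/1 are assumptions.

```cisco
! Added example: retain log history on the router and forward a copy off-box.
configure terminal
 ! Stamp every log and debug message with date and time to the millisecond.
 service timestamps log datetime msec
 service timestamps debug datetime msec
 ! Keep messages in a 64 KB circular RAM buffer (the default is 4096 bytes).
 ! The level is a threshold: "debugging" (7) stores severities 0 through 7.
 logging buffered 65536 debugging
 ! Limit the console to severities 0-2 so debug output cannot flood the line.
 logging console critical
 ! The buffer is lost on reload, so also send severities 0-6 to a collector.
 ! 192.0.2.10 is a placeholder address (assumption).
 logging host 192.0.2.10
 logging trap informational
 ! Per-interface control: suppress link up/down messages on one interface.
 interface FastEthernet0/1
  no logging event link-status
 end
! Review the stored history. "Buffer logging" now shows a level and a count,
! followed by the retained messages.
show logging
! On a vty (Telnet/SSH) session, copy log and debug messages to that session.
terminal monitor
```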

 

 

 

Hi Mark,

Thanks for coming back.

Q3) Can I check with you: by setting the severity level, it just means that events that meet the severity level will be logged accordingly. But how do we specify that we want to capture the occurrence of such events? (E.g. setting severity 7 means debugging information will be logged to whichever location is specified, but no debug information will be logged unless I turn on debug (e.g. debug arp), am I right?)

In that case, if I want to capture information on what is happening when a packet enters a router, what should I do? (I am trying to ping from R1 to R3; the packet is entering R2 but not coming out of it.)

For Q4) Is there any way I can turn off syslog logging without configuring an IP address? It seems to be always on even without host IP information.

 

Thanks a million.

 

Regards,
Noob


To capture what's happening on each router you can use debug ip icmp detail and debug ip packet detail; increase the buffers and record it, or send it to the console and view it in real time. If you're coming in over the vty, log to the monitor or use term mon, which replicates logging to the console. Logging to monitor is on by default in IOS, so you will see debug if you enable it for a specific feature even if the buffer is not set. Other than that, you could set up a SPAN session and capture the traffic on either side in Wireshark.

Again, syslog is on by default in IOS; it can't be disabled, but if you don't have a logging host set it won't actually do anything.

Hi Mark,

 

Thanks a million.

 

Regards,

Noob

Hi Mark,

I just did a lab test. It seems like, with the 2 debug commands on, the router can capture any information that is sent to the IPs on its interfaces or replied from the IPs on its interfaces.

But it does not capture any information about packets that went through it (if they weren't addressed to its IPs).

E.g. R2 has these 2 debugs on and its interface IPs are 192.168.3.2 (fe0/0) and 192.168.5.1 (fe0/1). It is directly connected to the 192.168.5.0/24 network and is directly connected to 192.168.5.2 (on R3).

Hence when I ping from 3.1 (on R1) to .5.2 (on R3), even though it went past R2, the debug above will not capture anything.

q1) Can I capture information that is addressed to the router at its MAC address level instead of IP?

 

Regards,

Noob

 

 

Hi

Yes, that's correct: it will not capture any traffic on R2 as it does not have an interface that's participating as source or destination to debug at layer 3. There are few useful layer 2 debugs that will help here, as traffic is flowing through the device and any layer 2 information will be encapsulated in the layer 3 as you're routing the packet. Really you should use a SPAN session or Embedded Packet Capture, if your device supports it, for R2 to capture passing traffic. I would put a layer 3 switch in between with routed links back to R1 & R3, giving you the same setup, and this will allow you to run either SPAN or EPC and export the pcap and view it in Wireshark, as routers do not support this. This will show all traffic at all layers that enters or leaves the interfaces; you can then filter the pcap to suit any type of traffic: ARP, IP, etc.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swspan.html

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/epc/configuration/15-mt/epc-15-mt-book/nm-packet-capture.html

Hi Mark,

 

Thanks for introducing me to the 2 features below (SPAN and EPC)!

I checked my current router, a Cisco 3725; it doesn't support EPC, and as it is in a lab environment, the routers are directly connected to one another and don't have switches in between them (hence I believe SPAN can't work here either, as it is meant for switches).

Am I able to enable any debug on L2 in R2 just to see if there is anything coming into it?

 

Regards,
Noob

 

Yes, SPAN won't work on the 3725. You could try RITE, it's a router feature; see if that's supported on your IOS. Other than that, maybe set up an access-list on your port inbound/outbound and set them to log; it will show you what's hitting the interface, and you can then debug the ACL for a bit more information. The problem is trying to debug layer 2 on a purely layer 3 device; it's not really possible, but as a last resort you could try debug all, but make sure you're logging to the buffer as there could be a lot of information and it may crash the console. I would never advise it in a real-world scenario, but as it's a lab you can always reboot, just save your config first :)

http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/ht_rawip.html#wp1051807
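
The logging access-list approach from this reply, applied on R2 to the ping described earlier in the thread. This is an added example, not part of the original thread; the ACL numbers 150 and 151 are assumptions, and R1's address is taken to be 192.168.3.1 from the "3.1" mentioned above.

```cisco
! Added example: log transit ICMP on R2, one ACL per direction.
configure terminal
 ! Store the ACL log messages so they can be reviewed afterwards.
 logging buffered 65536 debugging
 ! Echo request path: R1 (192.168.3.1) -> R3 (192.168.5.2), arriving on fe0/0.
 access-list 150 permit icmp host 192.168.3.1 host 192.168.5.2 log
 ! Final permit so the implicit deny does not drop the rest of the traffic.
 access-list 150 permit ip any any
 ! Echo reply path: R3 -> R1, arriving on fe0/1.
 access-list 151 permit icmp host 192.168.5.2 host 192.168.3.1 log
 access-list 151 permit ip any any
 interface FastEthernet0/0
  ip access-group 150 in
 interface FastEthernet0/1
  ip access-group 151 in
 end
! Run the ping from R1, then compare the per-entry match counters.
! Matches on 150 but none on 151 mean the request reached R2 and no reply
! came back in on fe0/1.
show access-lists
! The first match of each logged entry appears in the buffer immediately;
! later matches are summarised periodically.
show logging
! Optional: restrict debug ip packet to traffic matching ACL 150.
debug ip packet 150 detail
! Clean up when finished.
undebug all
configure terminal
 interface FastEthernet0/0
  no ip access-group 150 in
 interface FastEthernet0/1
  no ip access-group 151 in
 end
```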

Hi Mark,

 

Duly noted. Will try them out, thanks a lot.

I am just wondering, how do you manage to know what functions are available for each different kind of router and their versions? (E.g. EPC vs RITE)

 

Regards,
Noob

The quickest way is probably just to check whether the syntax is available when you're in config mode, but if you want to know exactly what's available you need to go to your software release for that model on the Cisco website, where you would download the software. Below the download section there are a few buttons; you can select documentation or command line, and the docs should appear when you select these in the box, giving you full guides.

The easiest way to find your model is to use the drop-down support bar and just put in something generic like 2960 or 3750. The search should then bring up all the models available for that platform and you can pick yours. The next tab says IOS software download; click that to get you into the correct section for the above.

 

 

 

Noted.

Thanks mark.
