04-27-2015 08:28 AM - edited 03-07-2019 11:45 PM
Hi gurus,
Below are my logging configurations
R2#show log
Syslog logging: enabled (12 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
    Console logging: level debugging, 70 messages logged, xml disabled, filtering disabled
    Monitor logging: disabled
    Buffer logging: disabled, xml disabled, filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
    Trap logging: level informational, 74 message lines logged
Q1) Is there any way to view history logs? (I see that there are 70 messages logged in the console logging) -- how do I see them?
Q2) Is logging a global setting? I mean, besides setting where to send the logging information to, can we set which things we want to have logged (such as a certain interface I want to have logs for, but another interface I don't want any logs for)?
Q3) When we set the logging console 7, does it mean all severity levels 0 to 7 will be logged, or only severity 7 will be logged?
Can we log all severity information from 0 to 7?
Q4) You can see that the syslog is turned on, but I can't disable it as there is no host/IP information in show log. Why?
no logging host ?.?.?.?
Regards,
Noob
04-27-2015 09:11 AM
Q1) Your switch is set to log to console; set it to log to buffer to store the logs in the switch so you can view them. You will only see console logs as they come in on your screen, as you're logged in by console. Set more than the default of 4096 as well, to avoid overwriting any alarms. These logs also wipe after a reboot, which is why syslog is a good idea to configure.
Q2) Yes, you can log a specific interface or not: logging event under the interface
Q3) Yes, just 7; logging buffered without any number attached gives you everything
Q4) It's on, but it's not doing anything until you configure the IP address for it to send the information to
Make sure to set your service timestamps; see this link:
http://www.ciscopress.com/articles/article.asp?p=426638&seqNum=3
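The settings named in this reply, gathered into one configuration as an added example (not part of the original thread). The collector address 192.0.2.10, the 65536-byte buffer size and the choice of FastEthernet0/0 are assumptions for illustration.

```cisco
! Added example, not from the thread. 192.0.2.10 is a placeholder collector.
configure terminal
 ! Date/time stamps with milliseconds on log and debug messages
 service timestamps log datetime msec
 service timestamps debug datetime msec
 !
 ! Local buffer: larger than the 4096-byte default so older messages are
 ! not overwritten as quickly. A level names a threshold: that severity
 ! and every numerically lower (more severe) one is stored.
 logging buffered 65536 debugging
 !
 ! Remote copy that survives a reload. Until a host is configured,
 ! "Trap logging" counts messages but sends them nowhere.
 logging host 192.0.2.10
 logging trap informational
 !
 ! Per-interface control of link up/down messages
 interface FastEthernet0/0
  logging event link-status
 end
!
! Read the stored messages back
show logging
```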
04-27-2015 10:53 AM
Hi Mark,
Thanks for coming back.
Q3) Can I check with you: by setting the severity level, it just means that events that meet the severity level will be logged accordingly. But how do we specify that we want to capture the occurrence of such events? (E.g. by setting severity 7, debugging information will be logged to whichever location is specified, but no debug information will be logged unless I turn on debug (e.g. debug arp), am I right?)
In that case, if I want to capture information on what is happening when a packet enters a router, what should I do? (I am trying to ping from R1 to R3; the packet is entering R2 but not coming out of it.)
For Q4) Is there any way I can turn off syslog logging without configuring an IP address? It seems to be always on even without host IP information.
Thanks a million.
Regards,
Noob
04-27-2015 01:35 PM
To capture what's happening on each router you can use debug ip icmp detail and debug ip packet detail, increase the buffers and record it, or send it to the console and view it in real time. If you're coming in over the vty, log to the monitor or use term mon, which replicates it like logging to the console. Logging to monitor is on by default in IOS, so you will see debug output if you enable it for a specific feature even if the buffer is not set. Other than that, you could set up a SPAN session and capture the traffic on either side in Wireshark.
Again, syslog is on by default in IOS and it can't be disabled, but if you don't have a logging host set it won't actually do anything.
04-28-2015 12:57 PM
Hi Mark,
Thanks a million.
Regards,
Noob
04-29-2015 06:36 AM
Hi Mark,
I just did a lab test. It seems that with the 2 debug commands on, the router can capture any information that is sent to the IPs on its interfaces or replied from the IPs on its interfaces.
But it does not capture any information about packets that went through it (if they weren't addressed to its IPs).
E.g. R2 has these 2 debugs on and its interface IPs are 192.168.3.2 (fe0/0) and 192.168.5.1 (fe0/1). It is directly connected to the 192.168.5.0/24 network and is directly connected to 192.168.5.2 (on R3).
Hence when I ping from 3.1 (on R1) to .5.2 (on R3), even though it went past R2, the debug above will not capture anything.
q1) Can I capture information that is addressed to the router at the MAC address level instead of IP?
Regards,
Noob
04-29-2015 07:12 AM
Hi
Yes, that's correct: it will not capture any traffic on R2, as it does not have an interface that's participating as source or destination to debug at layer 3. There are few useful layer 2 debugs that will help here, as traffic is flowing through the device and any layer 2 information will be encapsulated in the layer 3 as you're routing the packet. Really you should use a SPAN session or embedded packet capture, if your device supports it, for R2 to capture passing traffic. I would put a layer 3 switch in between with routed links back to R1 & R3, giving you the same setup, and this will allow you to run either SPAN or EPC and export the pcap and view it in Wireshark, as routers do not support this. This will show all traffic at all layers that enters or leaves the interfaces; you can then filter the pcap to suit any type of traffic (ARP, IP, etc.).
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swspan.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/epc/configuration/15-mt/epc-15-mt-book/nm-packet-capture.html
04-29-2015 11:52 AM
Hi Mark,
Thanks for introducing me to the 2 features (SPAN and EPC)!
I checked my current router, a Cisco 3725; it doesn't support EPC, and as it is in a lab environment, they are directly connected to another router and don't have switches in between them (hence I believe SPAN can't work here as well, as it is meant for switches).
Am I able to enable any debug on L2 in R2 just to see if there is anything coming into it?
Regards,
Noob
04-30-2015 01:32 AM
Yes, SPAN won't work on the 3725. You could try RITE; it's a router feature, so see if that's supported on your IOS. Other than that, maybe set up an access-list on your port inbound/outbound and set them to log; it will show you what's hitting the interface, and you can then debug the ACL for a bit more information. The problem is trying to debug layer 2 on a purely layer 3 device; it's not really possible, but as a last resort you could try debug all. Make sure you're logging to the buffer, as there could be a lot of information and it may crash the console. I would never advise it in a real-world scenario, but as it's a lab you can always reboot; just save your config first :)
http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/ht_rawip.html#wp1051807
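The access-list suggestion above, written out for the R1-to-R3 ping described in the thread, as an added example that is not part of the original posts. The ACL numbers 101 and 102 and the buffer size are arbitrary choices; the addresses and interfaces are the ones the poster gave for R1, R2 and R3.

```cisco
! Added example for R2, not from the thread. ACL numbers are arbitrary.
configure terminal
 ! ACL log messages are severity 6, so the buffer must accept that level
 logging buffered 65536 debugging
 !
 ! Echo request arriving from R1
 access-list 101 permit icmp host 192.168.3.1 host 192.168.5.2 echo log
 ! An ACL ends in an implicit deny, so pass everything else unlogged
 access-list 101 permit ip any any
 !
 ! The same packet leaving towards R3
 access-list 102 permit icmp host 192.168.3.1 host 192.168.5.2 echo log
 access-list 102 permit ip any any
 !
 interface FastEthernet0/0
  ip access-group 101 in
 interface FastEthernet0/1
  ip access-group 102 out
 end
!
! After pinging 192.168.5.2 from R1:
show access-lists
show logging
!
! Reading the match counters:
!  101 matches, 102 matches     -> R2 forwards the request; check R3 and the return path
!  101 matches, 102 no matches  -> R2 receives but does not forward; check show ip route
!  neither matches              -> the request never reaches R2
!
! Remove the test ACLs afterwards
configure terminal
 interface FastEthernet0/0
  no ip access-group 101 in
 interface FastEthernet0/1
  no ip access-group 102 out
  exit
 no access-list 101
 no access-list 102
 end
```

The first matching packet produces a %SEC-6-IPACCESSLOGDP message immediately and later matches are summarised at five-minute intervals, so the counters in show access-lists are the quicker check. Packets matching a log entry are handled in the process-switching path, which is a reason to match only the one flow and remove the ACLs afterwards.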
04-30-2015 11:47 AM
Hi Mark,
Duly noted. Will try them out, thanks a lot.
I am just wondering, how do you manage to know which functions are available for each different kind of router and their versions? (E.g. EPC vs RITE)
Regards,
Noob
05-01-2015 12:24 AM
The quickest way is probably just to check whether the syntax is available when you're in config mode, but if you want to know exactly what's available you need to go to your software release for that model on the Cisco website, where you would download the software. Below the download section there are a few buttons you can select (documentation, command line); the docs should appear when you select these in the box, giving you full guides.
The easiest way to find your model is to use the drop-down support bar and just put in something generic like 2960 or 3750. The search should then bring up all the models available for that platform and you can pick yours. The next tab says IOS software download; click that to get into the correct section for the above.
05-01-2015 01:38 AM
Noted.
Thanks Mark.