09-20-2019 08:12 AM
When I check my dir flash: I see a lot of files that I believe are log files but I don't know where the config to set that up is located. I have been reading about log files for the last two days and I can't figure this out. I want to stop generating these files because they are filling up the flash in all of the switches. I think it may be the archive settings. I deleted all of these files in one switch and turned off buffer logging with 'no logging buffer'. When I used 'wr' a new file was created.
-Sep-20-07-55-35.764-PST-52
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: disabled
Monitor logging: level informational, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: disabled, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
File logging: disabled
Persistent logging: disabled
No active filter modules.
Trap logging: level informational, 421278 message lines logged
Logging to x.x.x.x (udp port 514, audit disabled, link up),
421277 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Here are some possible culprits; I am just confused at this point:
service timestamps log datetime msec localtime show-timezone
logging snmp-authfail
logging monitor informational
dot1x logging verbose
archive
log config
logging enable
logging size 1000
path flash:
maximum 7
rollback filter adaptive
rollback retry timeout 60
write-memory
time-period 1440
How do I get rid of this one feature so my flash doesn't fill up? I am interested in knowing when other admins are making changes and not telling me, but I don't want to fill up my flash.
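An added example, not part of any post in this thread: a Python check that reads an IOS configuration and reports which 'archive' triggers save configuration copies onto local storage, using the documented meaning of 'path', 'write-memory' and 'time-period'. Both sample configurations are constructed: the posted block re-indented the way IOS prints it, and a copy with a hypothetical TFTP path at 192.0.2.10 for comparison.

```python
import re

# Constructed sample: the archive block from the original post, re-indented.
POSTED = """\
logging monitor informational
archive
 log config
  logging enable
  logging size 1000
 path flash:
 maximum 7
 rollback filter adaptive
 write-memory
 time-period 1440
!
"""
# Constructed comparison: same block with a hypothetical remote archive path.
REMOTE = POSTED.replace("path flash:", "path tftp://192.0.2.10/sw1")

LOCAL_PATH = re.compile(r"(flash|bootflash|usbflash|disk|slot)\d*:")


def parse_archive(config):
    """Collect the direct children of the top-level 'archive' section."""
    found, inside = {}, False
    for line in config.splitlines():
        if not line.startswith(" "):      # a top-level line opens or closes the section
            inside = line.strip() == "archive"
            continue
        if not inside or line.startswith("  ") or not line.strip():
            continue                      # other sections, 'log config' children, blanks
        words = line.split()
        if words[0] == "path" and len(words) > 1:
            found["path"] = words[1]
        elif words[0] in ("maximum", "time-period") and len(words) > 1:
            found[words[0]] = int(words[1])
        elif words[0] == "write-memory":
            found["write-memory"] = True
    return found


def flash_writers(config):
    """List the archive triggers that save config copies onto local storage."""
    a = parse_archive(config)
    if not LOCAL_PATH.match(a.get("path", "")):
        return []
    hits = []
    if a.get("write-memory"):
        hits.append(f"write-memory: each 'write memory' saves a copy under {a['path']}")
    if "time-period" in a:
        hits.append(f"time-period: a copy is saved under {a['path']} every {a['time-period']} minutes")
    return hits
```

The 'log config' subsection is skipped on purpose: it records configuration changes in an in-memory log rather than writing files.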
09-20-2019 08:19 AM
Send the logs to a Syslog server or, if you have Splunk, send them to a Splunk server. Also, if you have a TACACS or an ACS server you can audit the logs and see who logged on and what they did.
HTH
09-20-2019 08:36 AM
Ah, yes...we have ACS. I will look at that part of it.
09-20-2019 08:20 AM
Adding to the other post, if Splunk is expensive for you, you can do syslog-ng with Elasticsearch (ELK).
09-20-2019 08:33 AM
I agree with Balaji that Splunk can be expensive but it is an amazing tool if you have the budget for it.
HTH
09-20-2019 08:36 AM
There is also an AWS version of it if you don't want to host it locally. Have a look:
https://aws.amazon.com/quickstart/architecture/splunk-enterprise/
HTH
09-20-2019 08:35 AM
Yes, we have Kiwi as a log server. I will delve into the Kiwi server and get familiar. I want to stop the flash files, though.
09-20-2019 10:17 AM
Yes, we have Kiwi as a log server. I will delve into the Kiwi server and get familiar. I want to stop the flash files, though.
Absolutely, log files get large very quickly and putting them on flash is not a good idea. It can also cause other issues on the switch.
Good Luck!
09-20-2019 11:28 AM
Do you know of a command to get rid of the -PST files already stored in the flash? I tried 'software clean' variables and haven't had any luck. Deleting them one by one would be horrible.
09-21-2019 03:02 PM
What type of switch do you have and what version of IOS are you running?
HTH