09-20-2019 08:12 AM
When I check my dir flash: I see a lot of files that I believe are log files but I don't know where the config to set that up is located. I have been reading about log files for the last two days and I can't figure this out. I want to stop generating these files because they are filling up the flash in all of the switches. I think it may be the archive settings. I deleted all of these files in one switch and turned off buffer logging with 'no logging buffer'. When I used 'wr' a new file was created.
-Sep-20-07-55-35.764-PST-52
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: disabled
Monitor logging: level informational, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: disabled, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
File logging: disabled
Persistent logging: disabled
No active filter modules.
Trap logging: level informational, 421278 message lines logged
Logging to x.x.x.x (udp port 514, audit disabled, link up),
421277 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Here are some possible culprits; I am just confused at this point:
service timestamps log datetime msec localtime show-timezone
logging snmp-authfail
logging monitor informational
dot1x logging verbose
archive
log config
logging enable
logging size 1000
path flash:
maximum 7
rollback filter adaptive
rollback retry timeout 60
write-memory
time-period 1440
How do I get rid of this one feature so my flash doesn't fill up? I am interested in knowing when other admins are making changes and not telling me, but I don't want to fill up my flash.
Solved! Go to Solution.
09-20-2019 08:19 AM
Send the logs to a Syslog server or if you have Splunk, send them to Splunk server. Also, if you have a TACACS or an ACS server you can audit the logs and see who logged on and what they did.
HTH
09-20-2019 08:19 AM
Send the logs to a Syslog server or if you have Splunk, send them to Splunk server. Also, if you have a TACACS or an ACS server you can audit the logs and see who logged on and what they did.
HTH
09-20-2019 08:36 AM
Ah, yes...we have ACS. I will look at that part of it.
09-20-2019 08:20 AM
adding to other post, if splunk is expensive for you, you can do syslog-ng with Elasitc Search. (ELK)
09-20-2019 08:33 AM
I agree with Balaji that Splunk can be expensive but it is an amazing tool if you have the budget for it.
HTH
09-20-2019 08:36 AM
There is also AWS version of it if you don't want to host it locally. Have a look
https://aws.amazon.com/quickstart/architecture/splunk-enterprise/
HTH
09-20-2019 08:35 AM
Yes, we have Kiwi as a log server. I will delve in to the Kiwi server and get familiar. I want to stop the flash files, though.
09-20-2019 10:17 AM
Yes, we have Kiwi as a log server. I will delve in to the Kiwi server and get familiar. I want to stop the flash files, though.
Absolutely, log files get large very quickly and putting them on flash is not a good idea. It can also cause other issues on the switch.
Good Luck!
09-20-2019 11:28 AM
Do you know of a command to get rid of the -PST files already stored in the flash? I tried 'software clean' variables and haven't had any luck. Deleting them one by one would be horrible.
09-21-2019 03:02 PM
What type of switch do you have and what version of IOS are you running?
HTH
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide