02-19-2015 04:25 AM - edited 03-07-2019 10:45 PM
Good day,
I have configured logging on our Cisco routers as below,
logging on
logging trap 6
logging host *.*.*.*
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
The logs are sent to a Syslog server.
Is there a way that we can make logging more aggressive so we can get more details on the events occurring on the router?
The only information we are getting is when an interface status has changed from up or down.
Regards
Nelson
02-19-2015 10:41 PM
You could try the following config on your router. It will allow you to see what commands have been entered. Another way to do it is to enable TACACS login/accounting on the router.
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
!
*Feb 20 06:30:01.771: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:notify syslog
*Feb 20 06:30:45.943: %SYS-5-CONFIG_I: Configured from console by console
*Feb 20 06:35:45.517: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:ntp server 10.1.1.1
*Feb 20 06:36:10.805: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:username test secret *
*Feb 20 06:36:10.805: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:!config: USER TABLE MODIFIED
*Feb 20 06:36:28.856: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no username test
*Feb 20 06:36:38.221: %SYS-5-CONFIG_I: Configured from console by console
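An added example, not part of the original post: one way a syslog collector could turn the `%PARSER-5-CFGLOG_LOGGEDCMD` lines shown above into alerts, grouping commands into sessions closed by `%SYS-5-CONFIG_I`. The watch list and function names are assumptions chosen for illustration.

```python
import re

# Syslog lines copied from the post above (not constructed).
SAMPLE = """\
*Feb 20 06:30:01.771: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:notify syslog
*Feb 20 06:30:45.943: %SYS-5-CONFIG_I: Configured from console by console
*Feb 20 06:35:45.517: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:ntp server 10.1.1.1
*Feb 20 06:36:10.805: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:username test secret *
*Feb 20 06:36:10.805: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:!config: USER TABLE MODIFIED
*Feb 20 06:36:28.856: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no username test
*Feb 20 06:36:38.221: %SYS-5-CONFIG_I: Configured from console by console
"""

# %PARSER-5-CFGLOG_LOGGEDCMD: who typed which configuration command.
LOGGED = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d(?:\.\d+)?(?: \S+)?): %PARSER-5-CFGLOG_LOGGEDCMD: "
    r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)")
# %SYS-5-CONFIG_I marks the end of a configuration session.
CONFIG_I = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by \S+")

# Assumed watch list (not from the post): command families worth an alert.
WATCH = {
    "account": re.compile(r"^(no )?username \S+"),
    "logging": re.compile(r"^(no )?(logging|archive|service timestamps)\b"),
    "aaa": re.compile(r"^(no )?(aaa|tacacs|enable (secret|password))\b"),
}

def parse_sessions(text):
    """Group logged commands into sessions, each closed by a CONFIG_I line."""
    sessions, current = [], []
    for line in text.splitlines():
        m = LOGGED.search(line)
        if m:
            cmd = m["cmd"].strip()
            if not cmd.startswith("!"):  # skip annotations such as "!config: ..."
                current.append((m["ts"], m["user"], cmd))
        elif CONFIG_I.search(line) and current:
            sessions.append(current)
            current = []
    if current:  # commands seen, but the session has not been closed yet
        sessions.append(current)
    return sessions

def alerts(sessions):
    """Return (session number, timestamp, user, tag, command) for watched commands."""
    return [(n, ts, user, tag, cmd)
            for n, session in enumerate(sessions, 1)
            for ts, user, cmd in session
            for tag, rx in WATCH.items() if rx.search(cmd)]
```

Because `hidekeys` is set, the secret arrives at the collector as `*`, so the alert records that an account was created without exposing the credential.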
02-20-2015 03:34 AM
Any traffic which is passing through the router will NOT be shown in the debug commands. Only CPU switched packets will be shown in the debug output. Any traffic that is destined towards the router is CPU switched and it will be shown in the debug output. And some other special types of packets are always CPU switched.
Most of the traffic passing through the router is CEF switched. If you turn off CEF in the router, it will show the details of the entire packets which are passing through. But it's NOT recommended.
CF
02-20-2015 12:41 AM
Thanks Johannes!
Is there a way we can log traffic that is allowed through the router? Sometimes when the router hangs or locks remote sessions, we can't see anything on logs to help us identify the cause of the problem.
On the firewall, logging works like a charm because we can configure specific message IDs.
02-20-2015 02:53 AM
You can do debug ip traffic but I wouldn't recommend it. It will kill your router if there is a lot of traffic passing through it.
02-20-2015 04:23 AM
That means logging is limited on Cisco routers. One should maybe consider other network tools to be able to log allowed traffic to a server.
02-26-2015 12:09 AM
Thank you very much for your advice!