05-17-2009 02:16 AM - edited 03-06-2019 05:45 AM
Hi. Could you tell me what the necessary items to log are when using Cisco devices? My concern is basically limiting the log size but still identifying config changes and who was the last one who logged in and, I guess, critical errors on the switch/router.
Thanks in advance.
05-17-2009 04:06 AM
Mark
On Cisco IOS devices you can set the severity level of messages generated for syslog. By setting the severity level to critical you would limit the volume of messages generated and receive the most critical event messages. If you set the severity level to warning or informational you would get a larger volume of messages and messages about a wider variety of things on the device.
You might consider setting the severity level to a more restrictive level for messages sent to an external syslog server where the volume of messages impacts the requirement for disk space to store the messages and set the severity level to something more inclusive for logging buffered where the messages are stored in a wrap around buffer and the volume of messages does not impact storage requirements. This would allow you to see more messages if there were some event that you need to investigate on the device.
Note that while there is a recent feature in IOS that allows writing messages in syslog when someone logs into the device there is not any mechanism for recording config changes in syslog. Recording config changes and login history is better accomplished by using the accounting function of AAA in IOS.
HTH
Rick
05-17-2009 03:46 PM
Mark
I am glad that my response helped to resolve your question. Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that they will read a response which did help to resolve the question.
The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.
HTH
Rick
05-17-2009 06:57 PM
"Note that while there is a recent feature in IOS that allows writing messages in syslog
when someone logs into the device there is not any mechanism for recording config changes
in syslog."
This is NOT correct. In IOS version 12.4, you can record configuration changes via syslog, as seen below:
May 18 02:48:02 192.168.15.201 146: May 18 02:48:13.369: %PARSER-5-CFGLOG_LOGGEDCMD: User:cciesec logged command:interface Loopback0
May 18 02:48:02 192.168.15.201 146: May 18 02:48:13.369: %PARSER-5-CFGLOG_LOGGEDCMD: User:cciesec logged command:interface Loopback0
May 18 02:48:02 192.168.15.201 147: May 18 02:48:13.961: %PARSER-5-CFGLOG_LOGGEDCMD: User:cciesec logged command:shutdown
May 18 02:48:02 192.168.15.201 147: May 18 02:48:13.961: %PARSER-5-CFGLOG_LOGGEDCMD: User:cciesec logged command:shutdown
May 18 02:48:03 192.168.15.201 148: May 18 02:48:15.229: %PARSER-5-CFGLOG_LOGGEDCMD: User:cciesec logged command:no shutdown
May 18 02:48:03 192.168.15.201 148: May 18 02:48:15.229: %PARSER-5-CFGLOG_LOGGEDCMD: User:cciesec logged command:no shutdown
May 18 02:48:07 192.168.15.201 149: May 18 02:48:18.921: %SYS-5-CONFIG_I: Configured from console by cciesec on vty0 (129.174.1.8)
May 18 02:48:07 192.168.15.201 149: May 18 02:48:18.921: %SYS-5-CONFIG_I: Configured from console by cciesec on vty0 (129.174.1.8)
That can be done with the following commands in the configuration:
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
The difference between syslog and AAA accounting is that AAA is a much more powerful tool than syslog. For example, AAA can identify a bad user login attempt while syslog can only log the source IP of the bad attempt.
Hope that will clarify the question you have.
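An added example, not written by any poster in this thread: Python that parses syslog lines in the format quoted above, drops repeats by host and sequence number, and reports who entered which configuration commands and from where. The `audit` function, its `max_severity` parameter (modelling the severity threshold applied to messages sent to the syslog server) and the LINK-3-UPDOWN sample line are assumptions introduced here.

```python
import re

# Constructed sample: the first five lines follow the format quoted in the post
# above (one duplicate kept); the LINK-3-UPDOWN line is added for contrast.
SAMPLE = [
    "May 18 02:48:02 192.168.15.201 146: May 18 02:48:13.369: %PARSER-5-CFGLOG_LOGGEDCMD: User:cciesec logged command:interface Loopback0",
    "May 18 02:48:02 192.168.15.201 146: May 18 02:48:13.369: %PARSER-5-CFGLOG_LOGGEDCMD: User:cciesec logged command:interface Loopback0",
    "May 18 02:48:02 192.168.15.201 147: May 18 02:48:13.961: %PARSER-5-CFGLOG_LOGGEDCMD: User:cciesec logged command:shutdown",
    "May 18 02:48:03 192.168.15.201 148: May 18 02:48:15.229: %PARSER-5-CFGLOG_LOGGEDCMD: User:cciesec logged command:no shutdown",
    "May 18 02:48:07 192.168.15.201 149: May 18 02:48:18.921: %SYS-5-CONFIG_I: Configured from console by cciesec on vty0 (129.174.1.8)",
    "May 18 02:49:10 192.168.15.201 150: May 18 02:49:21.100: %LINK-3-UPDOWN: Interface Loopback0, changed state to up",
]

# <receive time> <host> <seq>: <device time>: %FACILITY-SEVERITY-MNEMONIC: text
LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) (?P<seq>\d+): .+?: "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")
CMD = re.compile(r"^User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")
CFG = re.compile(
    r"^Configured from \S+ by (?P<user>\S+) on (?P<line>\S+) \((?P<ip>[^)]+)\)")

def audit(lines, max_severity=5):
    """Return config commands, config sessions and other events whose severity
    is at or below max_severity (0 = emergencies ... 7 = debugging)."""
    seen, changes, sessions, other = set(), [], [], []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m or (m["host"], m["seq"]) in seen:
            continue  # unparsable line, or a repeat of a message already seen
        seen.add((m["host"], m["seq"]))
        if int(m["sev"]) > max_severity:
            continue  # less severe than the threshold: filtered out
        cmd, cfg = CMD.match(m["text"]), CFG.match(m["text"])
        if m["mnem"] == "CFGLOG_LOGGEDCMD" and cmd:
            changes.append((m["host"], cmd["user"], cmd["cmd"]))
        elif m["mnem"] == "CONFIG_I" and cfg:
            sessions.append((m["host"], cfg["user"], cfg["line"], cfg["ip"]))
        else:
            other.append(f'{m["fac"]}-{m["sev"]}-{m["mnem"]}')
    return {"changes": changes, "sessions": sessions, "other": other}

if __name__ == "__main__":
    for level, name in ((5, "notifications"), (2, "critical")):
        print(name, audit(SAMPLE, max_severity=level))
```

With the threshold at critical (2), the severity-5 configuration-change messages are filtered out, so a threshold of at least notifications (5) is needed to keep them.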