Home‎ > ‎cisco‎ > ‎IOS Switch Configs‎ > ‎

Logging to local and Syslog servers


The following changes will setup your switch to save a small amount of logs locally, and to ship out all the logs to a remote syslog server.

Enable Logging:

First set the size (in bites) for how much logs should stored on the local switch.  The range is 4096(def)-2147483647, and is entered with the logging buffered size {#} command.  To send logging data to off site storage (external syslog boxes), use the logging {host} command.  The default logging transport it udp 514, but if you add the transport part to the logging command, you can specify the port and protocol.  To specify what interface the logging data goes out, use the source-interface command.

conf t
logging buffered size 256000
logging source-interface Vlan950
logging transport tcp port 5150 

logging transport tcp port 5150

We can control how much(what kind of) data is sent to logging.  Limit the type of data sent to a terminal, use the logging monitor {level} command.  To limit the logging sent to a syslog server, use the logging trap {level} command.   When logs are sent to a syslog server, they are identified as to "where" they come from via the logging facility {facility} command.  For more on syslog theory, see syslog notes, and as a reference for the logging levels and facility's, see below. 

logging monitor 1
logging trap 6
logging facility local6

As well as logging system information, you can also log config changes made to the device.  You would do this through the archive series of commands.  You can control the number of previous commands stored.  This is done through the logging size {lines} command, where the number is the number of commands stored, with the default being 100.

 log config
  logging enable
  logging size 100

You can also add more logging for a specific PORT related to some specific things on the switch.  This includes switch port link state, spanning-tree events and status changes to spanning tree, as well as changes to trunk ports.
interface Port-channel1
 logging event link-status

 logging event spanning-tree
 logging event status
 logging event trunk-status

Controlling logging to terminals:

Logging to either the terminal or console can be helpful for you to see what is happening at the time, but can also be a hassle if there is too much getting in the way of the work you are doing.  Above we discussed how to control what is sent to the devices, here we review how to display or not to display the logs, on your session. 

To have logging spit directly to your terminal use the term monitor statement.  (note the above logging monitor {level} command as a way to limit how much spooge goes to your terminal .)

term monitor

If you are on the console, and being blinded by lots of logs popping up on the screen, you can disable this with the command:
no logging console

Viewing local logging:

To view the buffered logs on the switch
sh logg

To view the config change history
sh archive log config

Confirming logging:

Other then viewing the logs on the syslog server, or running a tcpdump on the syslog server, you can also confirm syslog is setup properly on the switch by running  the command sh logg.  Note that in this example, the first server is not up, but the second is, and logs are being sent to it. 

sw#sh logg
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: disabled
    Monitor logging: level alerts, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 100265 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    File logging: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level informational, 100265 message lines logged
        Logging to  (tcp port 5150, audit disabled,
              link down),
              0 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled
        Logging to  (tcp port 5150, audit disabled,
              link up),
              4527 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled

Log Buffer (256000 bytes):
*Apr 10 06:40:31.034: %LINK-3-UPDOWN: Interface GigabitEthernet0/41, changed state to down



Overview of the Logging Levels

How important the issue is

Level Keyword Level Description Syslog Definition
emergencies 0 System unstable LOG_EMERG
alerts 1 Immediate action needed LOG_ALERT
critical 2 Critical conditions LOG_CRIT
errors 3 Error conditions LOG_ERR
warnings 4 Warning conditions LOG_WARNING
notifications 5 Normal but significant condition LOG_NOTICE
informational 6 Informational messages only LOG_INFO
debugging 7 Debugging messages LOG_DEBUG

Overview of the logging facilities

The "who"

Facility Type Keyword Description
auth Authorization system
cron Cron facility
daemon System daemon
kern Kernel
local0-7 Locally defined messages
lpr Line printer system
mail Mail system
news USENET news
sys9-14 System use
syslog System log
user User process
uucp UNIX-to-UNIX copy system