Timestamps

 If a router is configured to receive time from an NTP server, the time in the router log entry can be different from the system clock time if the option is not in the service timestamps log command.

To configure timestamps for debugs or logs use the privileged-exec command service timestamps <log | debug > command.

To specify which timestamp to append;

#service timestamps log datetime localtime

OR

#service timestamps debug uptime

To disable timestamps for debugs and logs

#no service timestamps

Sequence Numbers

To display sequence numbers; #service sequence-numbers

sequence number is displayed in hundred of thousands; 000001

Logging, Debugging, Timestamps, Sequence Numbers

Introduction and Overview

Logging aims to answer the three questions: what, when, who? Log messages are generated by the various services and protocols running on a network device. By default, output from system messages and debug commands is sent to a logging process. The logging process controls the distribution of logging messages to various destinations, such as the logging buffer, terminal lines, syslog server. Messages are also sent to the console. These are then viewed using syslog, local logging, debugs, conditional debugs.

Logging can be used for fault identification, security auditing and network forensics; for monitoring the network and performance of network devices. Additional purposes include regulatory compliance.

Log messages include a timestamp that indicates the time when the log was generated. It is important to note that the time must be accurate. This can be done by configuring NTP to provide accurate datetime values. The time must be consistent across all network devices; troubleshooting can be difficult if you cannot correlate timestamps across devices.

Logging Messages

Syslog messages can be output to the console, local buffer or remote syslog server. The messages follow this format:

%FACILITY-SUBFACILITY-SEVERITY-MNEMONIC: message text

Where:

• FACILITY-SUBFACILITY: protocol, module or process that generated the message.
• SEVERITY: This is a level from 0 - 7 that specifies how important the message is. The following table displays all the logging severity levels available:

  Level Number	Severity	Description	Syslog Definition
  0	Emergencies	System is unusable	LOG_EMERG
  1	Alerts	Action must be taken immediately	LOG_ALERT
  2	Critical	Critical conditions	LOG_CRIT
  3	Errors	Error conditions	LOG_ERR
  4	Warnings	Warning conditions	LOG_WARNING
  5	Notifications	Normal but significant conditions	LOG_NOTICE
  6	Informational	Informational messages	LOG_INFO
  7	Debugging	Debug-level messages	LOG_DEBUG

  When you enable logging for a specific level, it also enables all levels above it. For example, if you enable level 4(warnings), it also will enable levels 0 - 3.

• MNEMONIC: a code that identifies the action reported
• Message text: A plain text description of the event

Local Logging

By default, logging on the console includes all severity levels 7 - 0. Logging on the console can be disabled using the command no logging. By default, monitor and buffer logging display messages with severity levels of debugging and lower.

Logging Console

To enable logging to console, use the command logging console. By default, the logging severity level for console is debugging. To control the logging options, use the command logging console <level>.

Logging Buffer

For local logging, Cisco IOS can save syslog messages to an internal buffer i.e., all the logs are saved on the device itself. You can display these messages by using the show logging command.

These messages are lost when the device is rebooted. The default buffer size is 8192 bytes. When the buffer is full, the older logs get overwritten by the newer ones. The size of the buffer can be increased using the command: logging buffered <size>.

Logging Monitor

By default, the log messages do not appear in the login session of a remote connection through SSH or telnet. To enable logging to remote logins via SSH or telnet, use the command terminal monitor. The default logging severity for the command terminal monitor is debugging. To change the logging severity level of a remote login session, use the command logging monitor <level>.

Logging messages can be disabled from a vty login session using the command terminal no monitor.

Logging Synchronous

By default, logging messages in a login session are displayed in the console session or VTY session as soon as they are generated. This can be a nuisance as the log messages distract a user who is typing at the command line from a console or VTY session as the log messages get displayed inline. The command logging synchronous [level <severity-level>|all] | limit <0-2147483647> enables synchronous logging of messages; where log messages are displayed at the login session but a new line is created for the logging messages so the logging messages do not appear in the middle of a typing session; the command being typed is placed into a new line below the displayed log message. The optional values:

• level: indicates that messages with a severity level equal to or lower are printed asynchronously. The default is 2.
• limit: specifies the number of buffers to be queued for the terminal after which new messages are dropped. The default is 20.

Logging Flash

Logs can be stored as files on flash memory. This is accomplished using the command logging file flash:<file-name> <max-file-size> <min-file-size> <severity-level> where:

• The maximum file size is in the range 4096 - 2147483647 bytes.
• The default size is 4096.
• The minimum file-size is in the range 1024 - 2147483647 bytes.
• The severity-level is in the range 0 - 7.

The command logging file flash:log_message.txt 40960 4096 3 stores log messages in a file in a flash memory.

Debug

Debugging is a powerful tool for troubleshooting complex network issues. It displays detailed information about all events in real-time. Use the debug command with caution on production networks as it is a resource intensive tool and may impact operations. Debugging can disrupt operations under high-CPU load conditions because it is processed by the CPU.

Best practices when using debugging include the following:

• show process cpu sorted: helps understand current CPU utilization. If the router is already loaded, debugging may impact the router.
• Consider output volume and time before enabling debug. If output is voluminous, this may impact router performance.
• Excessive console logging can cause the network device to hang as its CPU prioritizes this output. Use vty terminal monitor or logging buffered instead.
• Disable debug commands after troubleshooting using no debug all or undebug all.

Debugging messages can be enabled using the command debug <command>. The debugging messages can then be sent to a logging service, in this case the console using the command logging console.

Debug using IP Access Lists

Debugging by referencing an IP ACL allows debugging information that matches a configured IP access control list.

access-list 100 permit ip any 192.168.1.1 0.0.0.0
debug ip packet 100

Any debugs that do not match the access control list are not logged.

Conditional Debugs

Conditional debugs generate detailed information about a specific object such as matching a specific interface, username, MAC address, VLAN, etc. Conditional debugs limit the number of debugging messages punted to the CPU. Conditional debugs are configured using the command debug condition <interface>. Conditional debugs can be stacked as such that the debugging messages that are displayed match all conditions in the stack.

debug condition gigabitethernet1/0
debug condition ip 192.168.1.1
debug ip ospf hello

The above configuration will generate debug messages if they match all three commands.

To log debug messages for packets matching an ACL and specific interface: debug interface <interface-id>. Verify with show debug.

With conditional debugs, you can attach an access-list to filter debug traffic to permitted traffic in the access-list.

Verification

show debug

To view the debugging messages, use the command show debug. After disabling the debug, ensure that the debug condition is disabled as well.

Syslog

Logs generated by a device can be sent to the logging buffer whose size can be modified, or an off-box syslog collector. Syslog listens for log messages on UDP port 514. Syslog is the standard for computer message logging. It allows the separation of software which generates messages from the systems that store it and the software that analyzes and reports it. It can be used for the security auditing and system management, debugging messages and analysis. The syslog is supported by a wide range of devices, including routers and receivers over multiple platforms. The syslog is used to integrate the log data from many various types of systems into the central repository.

A rate-limit can be configured for syslogs to limit the rate of messages per second.

The syslogs can be forwarded to a syslog server using the following process

1. Specify the syslog server: logging host <ip-address>.
2. Specify the type of messages: the message type to be logged is specified using the command logging trap <severity>.

Filtering Logs

Logging Discriminator

A logging discriminator can be used to filter generated logs based on the text in the log. Log discriminators can be used to filter out specific logs that are repeatedly generated consuming the device log buffer. Some logs have a high severity level but are not so consequential such as up-down messages. It can be applied to the console, monitor, buffer or syslog server.

When creating a log discriminator, be as specific as possible and test the discriminator extensively before deploying it in a production environment. This will minimize the risk of filtering important messages.

To configure a logging discriminator:

1. Configure the logging discriminator name and filtering options using the command logging discriminator <discriminator-name> <facility> <mnemonics> <message-body> <includes> <severity> <rate-limit> where:
   • facility: (Optional) Message sub-filter for the facility pattern in an event message.
   • mnemonics: (Optional) Message subifilter for the mnemonic pattern in an event message.
   • msg-body: (Optional) Message sub-filter for the msg-body pattern in an event message.
   • drops: Drops messages that match the pattern, including the specified regular expression.
   • includes: Delivers messages that match the pattern, including the specified regular expression string.
   • string: (Optional) Expression used for message filtering.
   • severity: (Optional) Message sub-filter by severity level or group.
   • sev-num: (Optional) Integer that identifies the severity level or multiple levels. Multiple levels must be separated with a comma (,)/
   • rate-limit: (Optional) Specifies a number of messages to be processed within a unit of time.
   • msglimit: (Optional) Integer in the range of 1 to 10000 that identifies the number of messages not to be exceeded.
   logging discriminator msg-body drops Configured from console by console

2. Application:
   • To apply the logging discriminator to the console, use the command logging console discriminator <discriminator-name>
   • To apply the logging discriminator to the monitor, use the command logging monitor discriminator <discriminator>.

Verification

Configured logging settings can be viewed using the command show logging.

Timestamps

Timestamps are controlled by the service timestamps command. This command by itself enables the adding of timestamps to debug messages and, by default, sets the timestamps to uptime.

Having logs and debug messages timestamped is extremely important when troubleshooting particularly across different devices. To enable timestamps on logging and debug messages:

• Debugging messages: the command service timestamps debug datetime msec adds timestamps to debug messages including milliseconds. The datetime option includes the date and the time.
• Log messages: the command service timestamps log datetime msec adds the timestamps to logging messages. Options include:
  • datetime: This option alone enables the date (day of month and month) and time(hours, minutes and seconds). Additional options include:
    • localtime: use the local timezone for timestamps.
    • msec: include milliseconds in the timestamp.
    • show-timezone: add timezone information to the timestamp.
    • year: include the current year in the timestamp.
  • uptime: does not include additional options as does datetime.

Sequence Numbers

Sequence numbers can be added to log messages based on the time that they were generated. The sequence numbers increment from 1, 2, onwards. If there is more than one log message with the same time stamp, you can display messages with sequence numbers to view these messages. By default, sequence numbers are not added to log messages. Sequence numbers can be added to log messages using the command service sequence-numbers. When enabled, they are prepended to the log message appearing at the start of a log message.