System Message Guide vA2(1.0), Cisco ACE Application Control Engine Module
Configuring System Message Logging

This chapter describes how to configure system message logging on the Cisco Application Control Engine (ACE) module. Each ACE contains a number of log files that retain records of specified ACE-related activities and the performance of various ACE functions. You can access these log files using the ACE CLI to troubleshoot problems or to better understand the operation of the ACE.

This chapter includes the following major sections:

Understanding System Message Logging

System Message Logging Quick Start

Enabling System Message Logging

Specifying syslog Output Locations

Enabling Time Stamps on System Messages

Identifying Messages Sent to a syslog Server

Specifying a Device ID of the ACE to a syslog Server

Changing the syslog Logging Facility

Changing the Logging Message Queue

Disabling or Changing the Severity Level of syslog Messages

Limiting the Syslog Rate

Enabling Logging on the Standby ACE

Rejecting New Connections Through the ACE

Enabling the Logging of Connection Setup and Teardown Syslog Messages Through the Fast Path

Clearing Log Messages

Viewing Log Message Information

Understanding System Message Logging

This section includes the following topics:

Logging Overview

Log Message Format

Logging Severity Levels

Variables

Logging Overview

The system message logging function of the ACE saves system messages in a log file and allows you to send the logging messages to one or more output locations. System log messages provide you with logging information for monitoring and troubleshooting the operation of the ACE. By default, messages are not saved in a log file. You must enable the transmission of syslog messages to a specified output location.

The logging configuration is flexible and allows you to customize many aspects of how the ACE handles system messages. Using the system message logging feature, you can do the following:

Specify one or more output locations where messages should be sent, including the console, an internal buffer, one or more syslog servers, an SNMP network management station, Telnet or SSH sessions, the Catalyst supervisor engine, or Flash memory on the ACE.

Specify which messages should be logged.

Specify the severity level of a message.

Enable time stamps.

Specify the unique device ID of the ACE that is sent to a syslog server.

Change the size of the logging message queue.

Limit the rate at which the ACE generates messages in the syslog.

Reject new connections if a specified condition has been reached.

Enable the logging of connection setup and teardown messages.

If the ACE is operating in multiple-context mode, you can configure the ACE to include an identifier for the virtual context and the virtual user responsible for executing the function in the log message.

To view logs generated by the ACE, you must configure an output location. You can choose to send all messages, or subsets of messages, to one or more output locations. You can limit which messages are sent to an output location by specifying the severity level of the message. Severity level values are 0 to 7; the lower the level number, the more severe the error. See Table 1-1 for a listing of the log message severity levels.


Note: Not all system messages indicate an error condition. Some messages report normal events or log a configuration change.


The level you specify causes the ACE to apply the command to messages of that level or lower. For example, if you enter a command that specifies severity level 3, the ACE applies the command results to messages with a severity level of 0, 1, 2, and 3.

The ACE saves syslog messages in an internal buffer that can store up to 8192 messages. By default, the ACE can hold 80 syslog messages in the message queue while awaiting processing.

The ACE supports the EMBLEM syslog format for logging with each syslog server. The EMBLEM syslog format is consistent with the Cisco IOS software format and is compatible with CiscoWorks management applications. EMBLEM-format logging is available for UDP syslog messages only.

Log Message Format

System log messages begin with a percent sign (%) and are structured as follows:

%<ACE>-Level-[Subfacility]-Message_number: Message_text

ACE

Identifies the message facility code for messages generated by the ACE. This value is always ACE.

Level

Level reflects the severity of the condition described by the message. The levels are 0 to 7. The lower the number, the more severe the condition. See Table 1-1 for a summary of logging severity levels. See Chapter 1, Messages Listed by Severity Level for a listing of ACE system log messages by severity code.

Subfacility

(Optional) Name of the component or subcomponent that initiated the system log message (for example, IFMGR).

Message_number

Unique 6-digit number that identifies the message. See Chapter 1, System Messages, for a detailed list of the ACE system log messages. The messages are listed numerically by message code.

Message_text

A text string describing the condition. This portion of the message sometimes includes virtual context, virtual user, IP addresses, port numbers, usernames, and so on.



Note: Syslog messages received at the ACE serial console contain only the code portion of the message.


For example, this syslog message shows the information that is displayed when you assign a VLAN number to the ACE from the supervisor engine:

%ACE-6-615004 : VLAN <VLAN-number> available for configuring an interface

VLAN-number identifies the VLAN number assigned to the ACE. The ACE can use that VLAN to configure an interface and receive traffic.
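The following Python sketch is an added example, not part of the Cisco guide or the ACE software. It parses the message format described above on a log collector and keeps only the messages at or below a chosen severity level, the way a severity_level argument does. The sample lines are constructed; only the 615004 line follows a message shown in this guide, and the function names are hypothetical.

```python
import re
from typing import List, NamedTuple, Optional

# Level keywords as listed in Table 1-1 of this chapter.
SEVERITY_KEYWORDS = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}

# %ACE-Level-[Subfacility]-Message_number: Message_text
# Subfacility is optional; Message_number is six digits. The guide's own
# sample prints a space before the colon, so whitespace there is tolerated.
ACE_MESSAGE = re.compile(
    r"%ACE-(?P<level>[0-7])-"
    r"(?:(?P<subfacility>[A-Za-z][A-Za-z0-9_]*)-)?"
    r"(?P<number>\d{6})\s*:\s*(?P<text>.*)"
)


class AceMessage(NamedTuple):
    level: int
    keyword: str
    subfacility: Optional[str]
    number: str
    text: str


def parse_ace_message(line: str) -> Optional[AceMessage]:
    """Return the parsed %ACE message found in a log line, or None.

    search() is used rather than match() so that a time stamp or device ID
    placed in front of the message is skipped.
    """
    found = ACE_MESSAGE.search(line)
    if found is None:
        return None
    level = int(found.group("level"))
    return AceMessage(level, SEVERITY_KEYWORDS[level], found.group("subfacility"),
                      found.group("number"), found.group("text").strip())


def select_at_or_below(lines: List[str], severity_level: int) -> List[AceMessage]:
    """Keep the messages a severity_level argument would pass: the given
    level and every lower-numbered (more severe) level."""
    if not 0 <= severity_level <= 7:
        raise ValueError("severity_level must be 0 to 7")
    parsed = (parse_ace_message(line) for line in lines)
    return [msg for msg in parsed if msg is not None and msg.level <= severity_level]


# Constructed sample input. Only the 615004 line follows a message shown in
# this guide; the 999001/999002 numbers and all prefixes are made up.
SAMPLE_LINES = [
    "%ACE-6-615004 : VLAN 100 available for configuring an interface",
    "Jan 10 2024 12:00:01 host1 %ACE-3-IFMGR-999001: constructed error text",
    "Jan 10 2024 12:00:02 host1 %ACE-2-999002: constructed critical text",
    "kernel: unrelated line without an ACE message",
]

if __name__ == "__main__":
    for message in select_at_or_below(SAMPLE_LINES, 3):
        print(message.level, message.keyword, message.subfacility, message.number)
```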

Logging Severity Levels

You instruct the ACE which system messages to log by specifying a logging level. The logging level designates that the ACE logs emergency, alert, critical, error, or warning messages for the various software functions. The ACE also logs notification, informational, and debugging messages. The ACE supports eight logging levels to identify a wide range of critical and noncritical logged events that may occur on an ACE.

Table 1-1 lists the log message severity levels.

Table 1-1 Log Message Severity Levels

Level Number | Level Keyword | Description
0 | emergency | System unusable (for example, the ACE has shut down and cannot be restarted, or it has experienced a hardware failure).
1 | alert | Immediate action needed (for example, one of the ACE subsystems is not running).
2 | critical | Critical condition (for example, the ACE has encountered a critical condition that requires immediate attention).
3 | error | Error condition (for example, error messages about software or hardware malfunctions).
4 | warning | Warning condition (for example, the ACE encountered an error condition that requires attention but is not interfering with the operation of the device).
5 | notification | Normal but significant condition (for example, interface up/down transitions and system restart messages).
6 | informational | Informational message only (for example, reload requests and low-process stack messages).
7 | debugging | Appears during debugging only.


Variables

Log messages often contain variables. Table 1-2 lists most variables that are used in this guide to describe ACE log messages. Some variables that appear in only one log message are not listed.

Table 1-2 Variable Fields in Syslog Messages

Type | Variable | Type of Information
Misc. | command | Command name.
Misc. | device | Memory storage device. For example, Flash memory, TFTP, the failover standby unit, or the console terminal.
Misc. | filename | Filename of the type ACE image or configuration.
Misc. | privilege_level | User privilege level.
Misc. | reason | Text string describing the reason for the message.
Misc. | string | Text string (for example, a username).
Misc. | url | URL.
Misc. | user | Username.
Numbers | number | Number. The exact form depends on the log message.
Numbers | bytes | Number of bytes.
Numbers | code | Decimal number returned by the message to indicate the cause or source of the error, depending on the message.
Numbers | connections | Number of connections.
Numbers | time | Duration, in the format hh:mm:ss.
Numbers | dec | Decimal number.
Numbers | hex | Hexadecimal number.
Numbers | octal | Octal number.
Addresses | IP_address | IP address in the form n.n.n.n, where n is an integer from 1 to 255.
Addresses | MAC_address | MAC address.
Addresses | global_address | Global IP address, an address on a lower security level interface.
Addresses | source_address | Source address of a packet.
Addresses | dest_address | Destination address of a packet.
Addresses | real_address | Real IP address, before Network Address Translation (NAT).
Addresses | mapped_address | Translated IP address.
Addresses | gateway_address | Network gateway IP address.
Addresses | netmask | Subnet mask.
Interfaces | interface_number | Interface number, 1 to n, where the number is determined by the order the interfaces load in the ACE. Use the show interface internal command to view detailed information about the interfaces.
Interfaces | interface_name | Name assigned to the interface. Use the show interface command to view the interfaces and their names.
Ports, Services, and Protocols | port | TCP or UDP port number.
Ports, Services, and Protocols | source_port | Source port number.
Ports, Services, and Protocols | dest_port | Destination port number.
Ports, Services, and Protocols | real_port | Real port number, before NAT.
Ports, Services, and Protocols | mapped_port | Translated port number.
Ports, Services, and Protocols | global_port | Global port number.
Ports, Services, and Protocols | protocol | Protocol of the packet, for example, ICMP, TCP, or UDP.
Ports, Services, and Protocols | service | Service specified by the packet, for example, SNMP or Telnet.


System Message Logging Quick Start

Table 1-3 provides a quick overview of the steps required to configure system message logging on the ACE. Each step includes the CLI command required to complete the task.

Table 1-3 System Message Logging Configuration Quick Start 

Task and Command Example

1. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context. If necessary, log directly in to, or change to, the correct context.

host1/Admin# changeto C1
host1/C1# 

The rest of the examples in this table use the Admin context, unless otherwise specified. For details on creating contexts, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

2. Enter configuration mode by entering config.

host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)#

3. Enable logging to send system log messages to one or more output locations.

host1/Admin(config)# logging enable

4. Configure the ACE system software to send system logging messages to the output locations of your choice.

For example, to set the logging buffer level to 3 for logging error messages, enter:

host1/Admin(config)# logging buffered 3

For example, to send log messages to a syslog server, enter:

host1/Admin(config)# logging host 192.168.10.1

5. (Optional) Enable the display of a time stamp on system logging messages.

host1/Admin(config)# logging timestamp

6. (Optional) Limit the number of messages sent to a syslog server based on severity.

host1/Admin(config)# logging trap 6

7. (Optional) Display a unique device ID in non-EMBLEM format syslog messages sent to the syslog server.

host1/Admin(config)# logging device-id hostname

8. (Optional) Set the syslog logging facility to a value other than the default of 20 (LOCAL4).

host1/Admin(config)# logging facility 16

9. (Optional) Change the number of syslog messages that can appear in the message queue while awaiting processing.

host1/Admin(config)# logging queue 100

10. (Optional) Disable the display of a specific syslog message or change the severity level of a specific system log message.

For example, to disable the %<ACE>-6-615004 syslog message, enter:

host1/Admin(config)# no logging message 615004 

For example, to change the level of the 615004 syslog message, enter:

host1/Admin(config)# logging message 615004 level 5

11. (Optional) Limit the rate at which the ACE generates messages in the syslog.

host1/Admin(config)# logging rate-limit 42 60 level 6

12. (Optional) Enable logging on the failover standby ACE.

host1/Admin(config)# logging standby

13. (Optional) Set the severity level at which syslog messages are sent to the supervisor engine in the Catalyst 6500 series chassis.

host1/Admin(config)# logging supervisor 3

14. (Optional) Define if the ACE prohibits new connections from passing through the device if a specified condition has been met.

host1/Admin(config)# logging reject-newconn rate-limit-reached

15. (Optional) Enable the logging of connection setup and teardown messages at a faster rate (that is, at the connection rate).

host1/Admin(config)# logging fastpath

16. (Optional) Save your configuration changes to Flash memory.

host1/Admin(config)# exit
host1/Admin# copy running-config startup-config

Enabling System Message Logging

Message logging is disabled by default. You must enable logging if you want to send messages to one or more output locations. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages. You must set a logging output location to view any logs (see the "Specifying syslog Output Locations" section).

To enable message logging, use the logging enable configuration mode command. The syntax of this command is as follows:

logging enable

For example, to enable message logging to all output locations, enter:

host1/Admin(config)# logging enable

To stop message logging to all output locations, enter:

host1/Admin(config)# no logging enable

Specifying syslog Output Locations

You configure the ACE to send syslog messages to the output location of your choice. The ACE provides several output locations for sending syslog messages:

An internal buffer on the ACE

One or more syslog servers running on hosts

A Telnet or SSH connection

The console


Note: We recommend sending syslog messages directly to the console only during testing.


An SNMP network management station

Catalyst supervisor engine

Flash memory

You must enable logging on the ACE using the logging enable command before messages are sent to the specified output device. See the "Enabling System Message Logging" section.

This section includes the following topics:

Sending syslog Messages to a Buffer

Sending syslog Messages to a Telnet or SSH Session

Sending syslog Messages to the Console

Sending syslog Messages to a syslog Server

Sending syslog Messages to an SNMP Network Management Station

Sending syslog Messages to the Supervisor Engine

Sending syslog Messages to Flash Memory on the ACE

Sending syslog Messages to a Buffer

By default, logging to the local buffer on the ACE is disabled. To enable system logging to a local buffer and to limit the messages sent to the buffer based on severity, use the logging buffered configuration mode command. New messages append to the end of the buffer. The first message displayed is the oldest message in the buffer. When the log buffer fills, the ACE deletes the oldest message to make space for new messages.

The syntax of this command is as follows:

logging buffered severity_level

The severity_level argument specifies the maximum level for system log messages sent to the buffer. The severity level that you specify indicates that you want syslog messages at that level and messages less than the level. For example, if the specified level is 3, the syslog displays level 3, 2, 1, and 0 messages.

Allowable entries are as follows:

0 - emergencies (System unusable messages)

1 - alerts (Take immediate action)

2 - critical (Critical condition)

3 - errors (Error message)

4 - warnings (Warning message)

5 - notifications (Normal but significant condition)

6 - informational (Information message)

7 - debugging (Debug messages)

To view the messages logged in the local buffer, use the show logging command. To clear the buffer so that viewing new messages is easier, use the clear logging command.

For example, to set the logging buffer level to severity level 3 for logging error messages, enter:

host1/Admin(config)# logging buffered 3

To disable message logging, enter:

host1/Admin(config)# no logging buffered

Sending syslog Messages to a Telnet or SSH Session

By default, logging to a remote connection using the Secure Shell (SSH) or Telnet is disabled on the ACE. You can display log messages on a remote SSH or Telnet connection by setting the logging preferences for Telnet and SSH sessions. To display syslog messages as they occur when accessing the ACE through an SSH or Telnet session, use the logging monitor configuration mode command. You can limit the display of messages based on severity.

To display system message logs during the SSH or Telnet session, use the terminal monitor Exec mode command (see the Cisco Application Control Engine Module Administration Guide). This command enables syslog messages for all sessions in the current context. The logging monitor command sets the logging preferences for all SSH and Telnet sessions, while the terminal monitor command controls logging for each individual Telnet session. However, in each session, the terminal monitor command controls whether syslog messages appear on the terminal during the session.


Note: If you have not done so already, enable remote access on the ACE and establish a remote connection using the Secure Shell (SSH) or Telnet protocols from a PC. See the Cisco Application Control Engine Module Administration Guide for details.


The syntax of this command is as follows:

logging monitor severity_level

The severity_level argument specifies the maximum level for system log messages displayed during the current SSH or Telnet session. The severity level that you specify indicates that you want syslog messages at that level and messages less than the level. For example, if the specified level is 3, the syslog displays level 3, 2, 1, and 0 messages.

Allowable entries are as follows:

0 - emergencies (System unusable messages)

1 - alerts (Take immediate action)

2 - critical (Critical condition)

3 - errors (Error message)

4 - warnings (Warning message)

5 - notifications (Normal but significant condition)

6 - informational (Information message)

7 - debugging (Debug messages)

For example, to send informational system message logs to the current Telnet or SSH session, enter:

host1/Admin# terminal monitor
host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)# logging monitor 6

To disable system message logging to the current Telnet or SSH session, enter:

host1/Admin(config)# no logging monitor

To disable the terminal monitor function, enter:

host1/Admin# terminal no monitor 

Sending syslog Messages to the Console

By default, the ACE does not display syslog messages during console sessions. To enable the logging of syslog messages during console sessions and to limit the display of messages based on severity, use the logging console configuration command.

Logging to the console can degrade system performance. Use the logging console command only when you are testing and debugging problems, or when there is minimal load on the network. Do not use this command when the network is busy, as it can reduce ACE performance. When the ACE is active, use the following commands:

The logging buffered command to store messages

The show logging command to view messages

The clear logging command to clear the messages displayed by the logging buffered command

The syntax of this command is as follows:

logging console severity_level

The severity_level argument specifies the maximum level for system log messages sent to the console. The severity level that you specify indicates that you want syslog messages at that level and messages less than the level. For example, if the specified level is 3, the syslog displays level 3, 2, 1, and 0 messages. We recommend that you use a lower severity level, such as 3, since logging at a high rate may impact the performance of the ACE.

Allowable entries are as follows:

0 - emergencies (System unusable messages)

1 - alerts (Take immediate action)

2 - critical (Critical condition)

3 - errors (Error message)

4 - warnings (Warning message)

5 - notifications (Normal but significant condition)

6 - informational (Information message)

7 - debugging (Debug messages)

For example, to enable the logging of syslog messages during console sessions and set the severity level to 3, enter:

host1/Admin(config)# logging console 3

To disable message logging to the console, enter:

host1/Admin(config)# no logging console

Sending syslog Messages to a syslog Server

By default, logging to a syslog server on a host is disabled on the ACE. If you choose to send log messages to a host, the ACE sends those messages using either UDP or TCP. The host must run a program (known as a server) called syslogd. syslogd is a daemon that accepts messages from other applications and the network, and writes them out to system-wide log files. UNIX provides the syslog server as part of its operating system. For Microsoft Windows, you must obtain a syslog server for the Windows operating system.

To specify a host (the syslog server) that receives the syslog messages sent by the ACE, use the logging host configuration command. You can configure a maximum of two servers to receive the syslog messages.

You can use either UDP or TCP to send messages to the syslog server. UDP-based logging does not prevent the ACE from passing traffic if the syslog server fails. If you use TCP as the logging transport protocol, the ACE denies new network access sessions as a security measure if the ACE is unable to reach the syslog server, if the syslog server is misconfigured, if the TCP queue is full, or if the disk is full.

In addition, you can configure the ACE to prohibit new connections from passing through the device by using the logging reject-newconn tcp-queue-full configuration mode command (see the "Rejecting New Connections Through the ACE" section). Through this command, the ACE rejects new connections when syslogs can no longer reach the TCP syslog server. By default, this function is disabled.

The format emblem keyword allows you to enable EMBLEM-format logging for each syslog server. EMBLEM-format logging is available for either TCP or UDP syslog messages. If you enable EMBLEM-format logging for a particular syslog host, then the messages are sent to that host.

The syntax of this command is as follows:

logging host ip_address [tcp | udp [/port#]] | [default-udp] | [format emblem]

The keywords, arguments, and options are as follows:

ip_address—IP address of the host to be used as the syslog server.

tcp—(Optional) Specifies to use TCP to send messages to the syslog server. A server can only be specified to receive either UDP or TCP, not both.

udp—(Optional) Specifies to use UDP to send messages to the syslog server. A server can only be specified to receive either UDP or TCP, not both.

port#—(Optional) Port that the syslog server listens to for syslog messages. Valid values are from 1025 to 65535. The default protocol and port are UDP/514. The default TCP port, if specified, is 1470.

default-udp—(Optional) Instructs the ACE to default to UDP if the TCP transport fails to communicate with the syslog server.

format emblem—(Optional) Enables EMBLEM-format logging for each syslog server. The Cisco Resource Management Environment (RME) is a network management application that collects syslogs. RME can process syslog messages only if they are in EMBLEM format.


Note: If you enter the logging timestamp command, the messages are sent to the syslog server with a time stamp (see the "Enabling Time Stamps on System Messages" section).


For example, the EMBLEM format for a message with a time stamp appears as follows:

ipaddress or dns name [Dummy Value/Counter]: [mmm dd hh:mm:ss TimeZone]: 
%FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC: [vtl-ctx: context id] Message-text 

For example, to send log messages to a syslog server, enter:

host1/Admin(config)# logging host 192.168.10.1 tcp/1025 format emblem default-udp

To disable logging to a syslog server, enter:

host1/Admin(config)# no logging host 192.168.10.1
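The following Python sketch is an added example, not part of the Cisco guide or the ACE software. It checks the logging host lines of a saved configuration against the syntax, defaults, and limits described in this section, and flags a TCP server that has no default-udp fallback, since the ACE then denies new network access sessions while that server is unreachable. The configuration text is constructed, the function and finding names are hypothetical, and the sketch assumes the saved configuration lists the commands as they were entered.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class LoggingHost:
    address: str
    transport: str = "udp"   # the default protocol and port are UDP/514
    port: int = 514
    default_udp: bool = False
    emblem: bool = False


def parse_logging_host(line: str) -> LoggingHost:
    """Parse one 'logging host' line; raise ValueError if it breaks the syntax."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[:2] != ["logging", "host"]:
        raise ValueError("not a logging host command")
    ipaddress.IPv4Address(tokens[2])  # raises ValueError on a malformed address
    host = LoggingHost(address=tokens[2])
    options = tokens[3:]
    index = 0
    while index < len(options):
        option = options[index]
        protocol, slash, port = option.partition("/")
        if protocol in ("tcp", "udp"):
            host.transport = protocol
            host.port = 1470 if protocol == "tcp" else 514  # documented defaults
            if slash:
                host.port = int(port)
                if not 1025 <= host.port <= 65535:
                    raise ValueError("port must be from 1025 to 65535")
        elif option == "default-udp":
            host.default_udp = True
        elif option == "format" and options[index + 1:index + 2] == ["emblem"]:
            host.emblem = True
            index += 1  # skip the 'emblem' keyword just consumed
        else:
            raise ValueError("unexpected keyword " + repr(option))
        index += 1
    return host


def audit_logging_config(config: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for the syslog server settings."""
    lines = [" ".join(line.split()) for line in config.splitlines() if line.strip()]
    findings: List[Tuple[str, str]] = []
    hosts: List[LoggingHost] = []
    for line in lines:
        if line.startswith("logging host "):
            try:
                hosts.append(parse_logging_host(line))
            except ValueError as error:
                findings.append(("invalid-host", f"{line}: {error}"))
    if "logging enable" not in lines:
        findings.append(("logging-disabled", "no messages reach any output location"))
    if len(hosts) > 2:
        findings.append(("too-many-hosts", "a maximum of two servers is supported"))
    if hosts and "logging timestamp" not in lines:
        findings.append(("no-timestamp", "messages reach the server without date and time"))
    for host in hosts:
        if host.transport == "tcp" and not host.default_udp:
            findings.append(("tcp-no-fallback",
                             f"{host.address}: new sessions are denied while the server is unreachable"))
        if host.transport == "udp" and host.default_udp:
            findings.append(("default-udp-unused",
                             f"{host.address}: default-udp only applies to TCP"))
    return findings


# Constructed configuration text for illustration.
SAMPLE_CONFIG = """
logging enable
logging host 192.168.10.1 tcp/1025 format emblem default-udp
logging host 192.168.10.2 tcp
logging host 192.168.10.3 udp/514
"""

if __name__ == "__main__":
    for finding, detail in audit_logging_config(SAMPLE_CONFIG):
        print(finding, "-", detail)
```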

Sending syslog Messages to an SNMP Network Management Station

By default, the ACE does not send traps and inform requests to an SNMP network management station (NMS). Notification traps and inform requests are system alerts that the ACE generates when certain events occur. To enable the ACE to send SNMP traps and inform requests to an NMS, use the snmp-server enable traps configuration command. For details on configuring SNMP, see the Cisco Application Control Engine Module Administration Guide.

To set the SNMP trap message severity level when sending log messages to an NMS, use the logging history configuration command.

The syntax of this command is as follows:

logging history severity_level

The severity_level argument specifies the maximum level for system log messages sent as traps to the NMS. The severity level that you specify indicates that you want syslog messages at that level and messages less than the level. For example, if the specified level is 3, the syslog displays level 3, 2, 1, and 0 messages.

Allowable entries are as follows:

0 - emergencies (System unusable messages)

1 - alerts (Take immediate action)

2 - critical (Critical condition)

3 - errors (Error message)

4 - warnings (Warning message)

5 - notifications (Normal but significant condition)

6 - informational (Information message)

7 - debugging (Debug messages)


Note: We recommend that you use the debugging (7) level during initial setup and during testing. After setup, set the level from debugging (7) to a lower value for use in your network.


For example, to send informational system message logs to an SNMP NMS, enter:

host1/Admin(config)# logging history 6

To disable sending system message logs to an SNMP NMS, enter:

host1/Admin(config)# no logging history

Sending syslog Messages to the Supervisor Engine

The ACE can forward syslog messages to the supervisor engine in the Catalyst 6500 series switch or Cisco 7600 series router. To set the severity level at which syslog messages are sent to the supervisor engine, use the logging supervisor configuration mode command.

The syntax of this command is as follows:

logging supervisor severity_level


Note: Use care when you send syslog messages to the supervisor engine, especially when you expect a high volume of syslog messages (for example, using logging level 6 or 7). Sending a high volume of syslog messages to the supervisor engine may slow down the operation of the ACE and the supervisor engine.


The severity_level argument specifies the maximum level for system log messages sent to the supervisor engine. The severity level that you specify indicates that you want syslog messages at that level and messages less than the level. For example, if the specified level is 3, the syslog displays level 3, 2, 1, and 0 messages. We recommend that you use a lower severity level, such as 3, since logging at a high rate to the supervisor engine may impact the performance of the Catalyst system.

Allowable entries are as follows:

0 - emergencies (System unusable messages)

1 - alerts (Take immediate action)

2 - critical (Critical condition)

3 - errors (Error message)

4 - warnings (Warning message)

5 - notifications (Normal but significant condition)

6 - informational (Information message)

7 - debugging (Debug messages)

For example, to send informational system message logs to the supervisor engine in the switch, enter:

host1/Admin(config)# logging supervisor 6

To disable system message logging to the supervisor engine, enter:

host1/Admin(config)# no logging supervisor

Sending syslog Messages to Flash Memory on the ACE

By default, logging to Flash memory is disabled on the ACE. The ACE allows you to specify which system message logs you want to keep after a system reboot by saving them to Flash memory. To send specific log messages to Flash memory on the ACE, use the logging persistent configuration mode command.

The syntax of this command is as follows:

logging persistent severity_level

The severity_level argument sets the maximum level for system log messages sent to Flash memory. The severity level that you specify indicates that you want syslog messages at that level and messages less than the level. For example, if the specified level is 3, the syslog displays level 3, 2, 1, and 0 messages. We recommend that you use a lower severity level, such as 3, since logging at a high rate to Flash memory on the ACE may impact performance.

Allowable entries are as follows:

0 - emergencies (System unusable messages)

1 - alerts (Take immediate action)

2 - critical (Critical condition)

3 - errors (Error message)

4 - warnings (Warning message)

5 - notifications (Normal but significant condition)

6 - informational (Information message)

7 - debugging (Debug messages)

For example, to send informational system message logs to Flash memory on the ACE, enter:

host1/Admin(config)# logging persistent 6

To disable logging to Flash memory on the ACE, enter:

host1/Admin(config)# no logging persistent

Enabling Time Stamps on System Messages

By default, the ACE does not include the date and time in syslog messages. To specify that syslog messages should include the date and time that the message was generated, use the logging timestamp configuration mode command.

The syntax of this command is as follows:

logging timestamp

For example, to enable the time stamp display on system logging messages, enter:

host1/Admin(config)# logging timestamp

To disable the time stamp display from syslog messages, enter:

host1/Admin(config)# no logging timestamp

Identifying Messages Sent to a syslog Server

To identify which messages are sent to a syslog server, use the logging trap configuration command. The logging trap command limits the logging messages sent to a syslog server based on severity.

The syntax of this command is as follows:

logging trap severity_level

The severity_level argument specifies the maximum level for system log messages sent to a syslog server. The severity level that you specify indicates that you want syslog messages at that level and messages less than the level. For example, if the specified level is 3, the syslog displays level 3, 2, 1, and 0 messages.

Allowable entries are as follows:

0 - emergencies (System unusable messages)

1 - alerts (Take immediate action)

2 - critical (Critical condition)

3 - errors (Error message)

4 - warnings (Warning message)

5 - notifications (Normal but significant condition)

6 - informational (Information message)

7 - debugging (Debug messages)

To send logging messages to a syslog server, use the logging host command to specify the name or IP address of the host to be used as the syslog server (see the "Sending syslog Messages to a syslog Server" section).

For example, to send informational system message logs to the syslog server, enter:

host1/Admin(config)# logging trap 6

To disable sending message logs to the syslog server, enter:

host1/Admin(config)# no logging trap

Specifying a Device ID of the ACE to a syslog Server

The ACE allows you to include a unique device ID in non-EMBLEM format syslog messages sent to the syslog server. The message includes the specified device ID (either the hostname and IP address of the specified interface [even if the message comes from another interface] or a string) in messages sent to a syslog server. The device ID does not appear in EMBLEM-formatted messages.

Use the logging device-id configuration mode command to specify that the device ID of the ACE is included in the syslog message. Once enabled, the ACE displays the device ID in all non-EMBLEM-formatted syslog messages. The device ID specification does not affect the syslog message text that is in EMBLEM format.


Note The device ID part of the syslog message is viewed through the syslog server only and not directly on the ACE.


The syntax of this command is as follows:

logging device-id {context-name | hostname | ipaddress interface_name | string text}

The keywords, arguments, and options are as follows:

context-name—Specifies the name of the current context as the device ID to uniquely identify the syslog messages sent from the ACE.

hostname—Specifies the hostname of the ACE as the device ID to uniquely identify the syslog messages sent from the ACE.

ipaddress interface_name—Specifies the IP address of the interface as the device ID to uniquely identify the syslog messages sent from the ACE. If you use the ipaddress keyword, syslog messages sent to an external server contain the IP address of the interface specified, regardless of which interface the ACE uses to send the log data to the external server. The maximum interface_name length is 64 characters.

string text—Specifies a text string to uniquely identify the syslog messages sent from the ACE. The maximum string length is 64 characters without spaces. You cannot use the following characters: & (ampersand), ` (single quote), " (double quote), < (less than), > (greater than), or ? (question mark).

For example, to instruct the ACE to use the hostname of the ACE to uniquely identify the syslog messages, enter:

host1/Admin(config)# logging device-id hostname

To disable the use of the hostname of the ACE, enter:

host1/Admin(config)# no logging device-id hostname

Changing the syslog Logging Facility

If necessary, you can change the logging facility to a value other than the default of 20 (LOCAL4) by using the logging facility configuration mode command. Most UNIX systems expect the messages to use facility 20. The ACE allows you to change the syslog facility type to identify the behavior of the syslog daemon (syslogd) on the host. The syslog daemon uses the specified syslog facility to determine how to process messages. Each logging facility configures how the syslog daemon on the host handles a message. Syslog servers file messages based on the facility number in the message. There are eight possible facilities, 16 (LOCAL0) through 23 (LOCAL7).


Note For more information on the syslog daemon and facility levels, see your syslog daemon documentation.


The syntax of this command is as follows:

logging facility number

The number argument specifies the syslog facility. Valid values are 16 (LOCAL0) through 23 (LOCAL7). The default is 20 (LOCAL4).

For example, to set the syslog facility as 16 (LOCAL0) in syslog messages, enter:

host1/Admin(config)# logging facility 16

To change the syslog facility back to the default of 20 (LOCAL4), enter:

host1/Admin(config)# no logging facility 16

Changing the Logging Message Queue

By default, the ACE can hold 80 syslog messages in the message queue while awaiting processing. To change the number of syslog messages that can appear in the message queue, use the logging queue configuration mode command.


Note Set the queue size before the ACE processes syslog messages. When traffic is heavy, messages may be discarded.


The syntax of this command is as follows:

logging queue queue_size

The queue_size argument specifies the size of the queue for storing syslog messages. Valid values are from 1 to 8192 messages. The default is 80 messages.

For example, to change the size of the syslog message queue to 1000, enter:

host1/Admin(config)# logging queue 1000

To reset the logging queue size to the default of 80 messages, enter:

host1/Admin(config)# no logging queue 0

Disabling or Changing the Severity Level of syslog Messages

When you enable system message logging (see the "Enabling System Message Logging" section), all syslog messages are enabled. Use the logging message configuration mode command to control the following:

The display of a specific system logging message (enabled or disabled).

The severity level associated with a specific system logging message.

You can use the show logging command to determine the severity level currently assigned to a message and whether the system logging message is enabled.

The syntax of this command is as follows:

logging message syslog_id [level severity_level]

The keywords, arguments, and options are as follows:

syslog_id—Specific message that you want to disable or to enable. For example, if a message is listed in the syslog as %<ACE>-4-411001, enter 411001 as the syslog_id. See Chapter 1, System Messages, for a detailed list of the ACE system log messages. The messages are listed numerically by message code.

level severity_level—(Optional) Changes the default severity level associated with a specific system log message. For example, the %<ACE>-4-411001 message listed in the syslog has the default severity level of 4 (warning message). You can change the assigned default severity level to a different level. See Chapter 1, System Messages, for a detailed list of the ACE system log messages and associated default severity codes.

Allowable entries are as follows:

0: emergencies (System unusable messages)

1: alerts (Take immediate action)

2: critical (Critical condition)

3: errors (Error message)

4: warnings (Warning message)

5: notifications (Normal but significant condition)

6: informational (Information message)

7: debugging (Debug messages)

For example, to disable the %<ACE>-6-615004 syslog message (VLAN available for configuring an interface), enter:

host1/Admin(config)# no logging message 615004 

To resume logging of the disabled syslog message, enter:

host1/Admin(config)# logging message 615004 level 6

For example, to change the severity level of the 615004 syslog message from the default of 6 (informational) to a severity level of 5 (notification), enter:

host1/Admin(config)# logging message 615004 level 5

To return the severity level of the 615004 syslog message to the default of 6, enter:

host1/Admin(config)# no logging message 615004
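The following added example (not Cisco code) shows how the logging trap threshold and per-message overrides combine to decide which messages a syslog server actually receives, which is the check to run before relying on a message for alerting. It assumes that the configuration lines appear exactly as entered in the examples on this page, that the trap filter applies to the reassigned level, and that a configuration without a logging trap line sends nothing to the server; the two configurations are constructed.

```python
import re


def parse_logging_config(text):
    """Collect the trap level and per-message settings from 'logging' config lines."""
    cfg = {"trap": None, "levels": {}, "disabled": set()}
    for raw in text.splitlines():
        line = " ".join(raw.split())  # tolerate extra spacing and indentation
        m = re.fullmatch(r"logging trap ([0-7])", line)
        if m:
            cfg["trap"] = int(m.group(1))
            continue
        m = re.fullmatch(r"logging message (\d+) level ([0-7])", line)
        if m:
            cfg["levels"][int(m.group(1))] = int(m.group(2))
            cfg["disabled"].discard(int(m.group(1)))
            continue
        # The page uses this form both to disable a message and to restore its
        # default level; this sketch (assumption) treats the line as "disabled".
        m = re.fullmatch(r"no logging message (\d+)", line)
        if m:
            cfg["disabled"].add(int(m.group(1)))
            cfg["levels"].pop(int(m.group(1)), None)
    return cfg


def server_visibility(text, default_levels):
    """Return {syslog_id: (reaches_server, reason)} for each catalogued message."""
    cfg = parse_logging_config(text)
    report = {}
    for msg_id, default in sorted(default_levels.items()):
        level = cfg["levels"].get(msg_id, default)
        if cfg["trap"] is None:
            report[msg_id] = (False, "no logging trap level configured")
        elif msg_id in cfg["disabled"]:
            report[msg_id] = (False, "message disabled")
        elif level > cfg["trap"]:
            report[msg_id] = (False, "level %d is above trap level %d" % (level, cfg["trap"]))
        else:
            report[msg_id] = (True, "level %d is within trap level %d" % (level, cfg["trap"]))
    return report


# Default severities quoted on this page: 411001 is level 4, 615004 is level 6.
DEFAULT_LEVELS = {411001: 4, 615004: 6}

# Constructed configuration A: one message promoted, one demoted below the threshold.
CONFIG_A = """
logging trap 4
logging message 615004 level 3
logging message 411001 level 7
"""

# Constructed configuration B: permissive threshold, but one message disabled.
CONFIG_B = """
logging trap 6
no logging message 615004
"""

if __name__ == "__main__":
    for name, config in (("A", CONFIG_A), ("B", CONFIG_B)):
        for msg_id, (sent, why) in server_visibility(config, DEFAULT_LEVELS).items():
            print(name, msg_id, "sent" if sent else "NOT sent", "-", why)
```

In configuration A the default-level-4 warning 411001 no longer reaches the server because it was reassigned to level 7, while the informational 615004 now does.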

Limiting the Syslog Rate

By default, the ACE disables rate limiting for messages in the syslog. To limit the rate at which the ACE generates messages in the syslog, use the logging rate-limit configuration mode command. You can limit the number of syslog messages generated by the ACE for specific messages.

The syntax of this command is as follows:

logging rate-limit {num {interval | level severity_level | message syslog_id} | unlimited {level severity_level | message syslog_id}}

The keywords, arguments, and options are:

num—Number at which the syslog is to be rate limited.

interval—Time interval (in seconds) over which the system message logs should be limited. The default time interval is one second.

level severity_level—Specifies the syslog level that you want to rate limit. The severity level you enter indicates that you want all syslog messages at the specified level to be rate-limited. For example, if you specify a severity level of 7, the ACE applies a rate limit only to level 7 (debugging messages). If you want to apply a logging rate limit on a different severity level, you must configure the logging rate-limit command for that level as well.

Allowable entries are as follows:

0: emergencies (System unusable messages)

1: alerts (Take immediate action)

2: critical (Critical condition)

3: errors (Error message)

4: warnings (Warning message)

5: notifications (Normal but significant condition)

6: informational (Information message)

7: debugging (Debug messages)

message syslog_id—Identifies the ID of the specific message whose reporting you want to suppress. For example, if a message is listed in the syslog as %ACE-4-411001, enter 411001 as the syslog_id. See Chapter 1, System Messages, for a detailed list of the ACE system log messages. The messages are listed numerically by message code.

unlimited—Disables rate limiting for messages in the syslog.


Note Disabled rate limiting is the default setting. In this case, the logging rate-limit unlimited command will not be displayed in the ACE running-configuration file.



Note If you configure rate limiting for syslogs 302028 through 302031 (connection setup and teardown syslogs that are formatted in the data plane), the ACE always rate-limits these syslogs at level 6. Even if you change the logging level to a different value using the logging message command and the new logging level appears on the syslog server or other destination, the ACE will continue to rate-limit these syslogs at level 6.


For example, to limit the syslog rate to a 60-second time interval for informational messages (level 6), enter:

host1/Admin(config)# logging rate-limit 42 60 level 6

For example, to suppress reporting of system message 302022, enter:

host1/Admin(config)# logging rate-limit 42 60 message 302022

To disable rate limiting, enter:

host1/Admin(config)# no logging rate-limit 42 60 level 6

Enabling Logging on the Standby ACE

To enable logging on the failover standby ACE, use the logging standby configuration mode command. When this command is enabled, the standby ACE syslog messages remain synchronized should failover occur, but the syslog server receives twice the message traffic. This command is disabled by default.

The syntax of this command is as follows:

logging standby

To enable logging on the failover standby ACE, enter:

host1/Admin(config)# logging standby

To disable logging on the standby ACE, enter:

host1/Admin(config)# no logging standby

Rejecting New Connections Through the ACE

To define whether the ACE prohibits new connections from passing through the device when a specified condition has been met, use the logging reject-newconn configuration mode command.

The syntax of this command is as follows:

logging reject-newconn {cp-buffer-full | rate-limit-reached | tcp-queue-full}

The keywords, arguments, and options are as follows:

cp-buffer-full—Specifies that the ACE rejects new connections when the syslog daemon internal buffer is full.

rate-limit-reached—Specifies that the ACE rejects new connections if the syslog message rate specified through the logging rate-limit command has been reached (see the "Limiting the Syslog Rate" section).

tcp-queue-full—Specifies that the ACE rejects new connections when syslogs can no longer reach the TCP syslog server.

By default, the tcp-queue-full condition is enabled and the cp-buffer-full and rate-limit-reached conditions are disabled.

For example, to configure the ACE to reject new connections if the specified syslog message rate has been reached, enter:

host1/Admin(config)# logging reject-newconn rate-limit-reached

To disable the ACE from rejecting new connections (the default condition), enter:

host1/Admin(config)# no logging reject-newconn rate-limit-reached

Enabling the Logging of Connection Setup and Teardown Syslog Messages Through the Fast Path

By default, the ACE logs the following connection setup and teardown syslog messages through the control plane:

106023

302022

302023

302024

302025

Because of the large number of these syslog messages that are generated by connection setup and teardown, you can instruct the ACE to send these syslogs through the fast path instead of the control plane. The fast path supports a much higher rate of syslogs than the control plane does. When you instruct the ACE to send these syslogs through the fast path, the message formatting changes (different message spacing) and the syslog IDs change to 106028, 302028, 302029, 302030, and 302031, respectively.

To enable the logging of connection setup and teardown messages through the fast path, use the logging fastpath configuration mode command. When you enable this command, the syslog messages do not arrive at the output destination in the correct order. In addition, the syslog messages are sent only to the external syslog servers and are not seen on the other enabled syslog output destinations, such as the local buffer, the console, or the supervisor module.

The syntax of the logging fastpath command is as follows:

logging fastpath

For example, to configure the ACE to log connection setup and teardown syslog messages through the fast path, enter:

host1/Admin(config)# logging fastpath

To reset the ACE behavior to the default of logging connection setup and teardown syslog messages through the control plane, enter:

host1/Admin(config)# no logging fastpath
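One way a syslog collector can absorb the ID and spacing change described above, as an added example (not Cisco code): it decodes the facility and severity from the PRI value and maps each fast-path ID back to its control-plane ID, so that rules keyed on 302022 still match after logging fastpath is enabled. The `<PRI>` header layout, the %ACE- prefix spelling and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Fast-path syslog IDs and the control-plane IDs they replace (pairs from this section).
FASTPATH_TO_CP = {
    106028: 106023,
    302028: 302022,
    302029: 302023,
    302030: 302024,
    302031: 302025,
}

# Assumed wire layout: <PRI>, an optional header (time stamp, device ID),
# then %ACE-<severity>-<six-digit id>: followed by the message text.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<header>.*?)%ACE-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)$"
)


def parse_ace_syslog(line):
    """Parse one received line; return None when it is not an ACE message."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # PRI = facility * 8 + severity, so facility 20 (LOCAL4) at level 6 is 166.
    facility, pri_severity = divmod(int(m.group("pri")), 8)
    msg_id = int(m.group("id"))
    return {
        "facility": facility,
        "local": "LOCAL%d" % (facility - 16) if 16 <= facility <= 23 else None,
        "pri_severity": pri_severity,
        "severity": int(m.group("sev")),
        "id": msg_id,
        "canonical_id": FASTPATH_TO_CP.get(msg_id, msg_id),
        "fastpath": msg_id in FASTPATH_TO_CP,
        # Collapse whitespace so the different fast-path spacing compares equal.
        "text": " ".join(m.group("text").split()),
    }


def count_by_canonical_id(lines):
    """Count messages per control-plane ID, whichever path produced them."""
    records = [r for r in map(parse_ace_syslog, lines) if r is not None]
    return dict(Counter(r["canonical_id"] for r in records))


# Constructed sample lines (not captured from a device).
SAMPLE = [
    "<166>Jan 01 2024 10:00:00 ace-lb1 : %ACE-6-302022: constructed setup text",
    "<166>%ACE-6-302028:   constructed   setup text",
    "<164>%ACE-4-411001: constructed warning text",
    "<134>%ACE-6-302031: constructed teardown text",
    "not a syslog line",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_ace_syslog(line))
    print(count_by_canonical_id(SAMPLE))
```

Because fast-path messages do not arrive in order, sort on the message time stamp rather than on arrival order before correlating setup and teardown records.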

Clearing Log Messages

To clear the syslog messages contained in the message buffer created with the logging buffered configuration mode command, use the clear logging command.

The syntax of this command is as follows:

clear logging [disabled | rate-limit]

The keywords, arguments, and options are as follows:

disabled—(Optional) Clears all disabled syslog messages.

rate-limit—(Optional) Clears the rate-limit configuration at which the ACE generates the syslog, as specified by the logging rate-limit command.

For example, to clear all syslog messages, enter:

host1/Admin# clear logging

Viewing Log Message Information

Use the show logging command in privileged Exec mode to view the current severity level and state of all syslog messages stored in the buffer or to display information related to specific syslog messages. This command lists the current syslog messages and identifies which logging command options are enabled. To view the contents of the syslog buffer, configure the buffer output location (see the "Sending syslog Messages to a Buffer" section).

The syntax of this command is as follows:

show logging [disabled | history | internal {event-history dbg | facility} | message [syslog_id | all | disabled] | persistent | queue | rate-limit | statistics]

The keywords, arguments, and options are as follows:

disabled—Displays the status of disabling syslog messages.

history—Displays the syslog message history file.

internal—Displays syslog internal messages.

event-history dbg—Displays the debug history for the syslog server.


Note The ACE debug commands are intended for use by trained Cisco personnel only.


facility—Lists the various internal facilities contained within the ACE.

message—Displays a list of syslog messages that have been modified from the default settings. These are syslog messages that have been assigned a different severity level or messages that have been disabled.

syslog_id—Specific system log message (by message ID), the assigned default severity level, and whether the message is enabled or disabled. See Chapter 1, System Messages, for a detailed list of the ACE system log messages. The messages are listed numerically by message code.

all—Displays all system log message IDs, the assigned default severity level, and identifies whether each message is enabled or disabled.

disabled—Displays a complete list of disabled syslog messages.

persistent—Displays statistics for the log messages sent to Flash memory on the ACE.

queue—Displays statistics for the internal syslog queue.

rate-limit—Displays the current syslog rate-limit configuration.

statistics—Displays syslog statistics.

For example, to display the message configuration detail for syslog message 615004 (VLAN available for configuring an interface), enter:

host/Admin# show logging message 615004
Message logging:
                message 615004: default-level 6 (enabled)

Table 1-4 describes the fields in the show logging command output.

Table 1-4 Field Descriptions for the show logging Command 

Field
Description

Syslog Logging

Status of system message logging for the ACE: Enabled or Disabled.

Facility

System message logging facility setting.

History Logging

Status of the system message logging history setting: Enabled or Disabled.

Supervisor Logging

Status of the supervisor engine logging trap level setting: Enabled or Disabled.

Trap Logging

Status of the syslog server trap level setting: Enabled or Disabled.

Timestamp Logging

Status of including the date and time on syslog messages: Enabled or Disabled.

Fastpath Logging

Status of syslog fastpath logging: Enabled or Disabled.

Persist Logging

Status of logging to Flash memory on the ACE: Enabled or Disabled.

Standby Logging

Status of logging to the failover standby ACE: Enabled or Disabled.

Rate-limit logging

Status of limiting the rate at which the ACE generates syslog messages: Enabled or Disabled.

Console Logging

Status of logging to the console: Enabled or Disabled.

Monitor Logging

Status of logging to a remote connection using the Secure Shell (SSH) or Telnet: Enabled or Disabled.

Device ID

Status of including a unique device ID in non-EMBLEM format syslog messages sent to the syslog server: Enabled or Disabled.

Reject-newconn

Defines if the ACE prohibits new connections from passing through the device if a specified condition has been met.

rate-limit-reached

Status on whether the ACE rejects new connections if the syslog message rate specified through the logging rate-limit command has been reached. The state is either Enabled or Disabled.

tcp-queue-full

Status on whether the ACE rejects new connections when syslogs can no longer reach the TCP syslog server. The state is either Enabled or Disabled.

cp-buffer-state

Status on whether the ACE rejects new connections when the syslog daemon internal buffer is full. The state is either Enabled or Disabled.

Message Logging

Status of disabled syslog messages or syslog messages with a modified severity level. The state is either Enabled or Disabled.

Buffered Logging

Status of logging to the local buffer on the ACE: Enabled or Disabled.

Buffer Info

Presents information about the syslog message buffer.

Current Size

The current size of the syslog buffer memory on the ACE.

Global Pool

Total size of available syslog buffer memory.

Used Pool

Total size of used syslog buffer memory.

Min.

The minimum available syslog buffer memory.

Max.

The maximum available syslog buffer memory.

Cur Ptr

Current pointer location in syslog buffer memory. Cur Ptr is automatically advanced after each buffer memory read or write.

Wrapped

Indicates if wraparound has occurred to the data in the syslog buffer memory.


Table 1-5 describes the fields in the show logging disabled command output.

Table 1-5 Field Descriptions for the show logging disabled Command 

Field
Description

Message Logging

Status of disabled syslog messages in the ACE: Enabled or Disabled.


Table 1-6 describes the fields in the show logging history command output.

Table 1-6 Field Descriptions for the show logging history Command 

Field
Description

syslog_trinity_show_history for context x

Status of the syslog message history setting for the active user context: Enabled or Disabled.


Table 1-7 describes the fields in the show logging internal facility command output.

Table 1-7 Field Descriptions for the show logging internal facility Command 

Field
Description

Syslog registered x facilities

Displays a list of all syslog registered facilities.


Table 1-8 describes the fields in the show logging persistent command output.

Table 1-8 Field Descriptions for the show logging persistent Command 

Field
Description

Current Size

Current size of the syslog buffer memory on the ACE.

Global Pool

Total size of available syslog buffer memory.

Used Pool

Total size of used syslog buffer memory.

Min.

Minimum available syslog buffer memory.

Max.

Maximum available syslog buffer memory.

Cur Ptr

Current pointer location in syslog buffer memory. Cur Ptr is automatically advanced after each buffer memory read or write.

Wrapped

Indicates if wraparound has occurred to the data in the syslog buffer memory.



Table 1-9 describes the fields in the show logging queue command output.

Table 1-9 Field Descriptions for the show logging queue Command 

Field
Description

Logging Queue length limit

Number of syslog messages that can appear in the message queue along with the number of discarded messages.

Current x msg on queue, xxx msgs most on queue

Number of messages currently in the logging queue along with the default number of syslog messages that can appear in the message queue.

CP messages received

Number of messages received from the control plane along with the number of discarded messages.

IXP messages received

Number of messages received from the IXP2800 Network Processor along with the number of discarded messages.

Xscale messages received

Number of messages received from the Xscale CPU.

System Max Queue size

Maximum size of the logging queue.

System Free Queue size for allocation

Available space in the logging queue.


Table 1-10 describes the fields in the show logging rate-limit command output.

Table 1-10 Field Descriptions for the show logging rate-limit Command 

Field
Description

Rate-limit Logging

Current syslog rate-limit configuration.


Table 1-11 describes the fields in the show logging statistics command output.

Table 1-11 Field Descriptions for the show logging statistics Command

Field
Description

Syslog Statistics

System message log-specific statistics.

Messages sent

 

Console

Total number of messages sent to the console.

Buffer

Total number of messages sent to the local buffer on the ACE.

Persistent

Total number of messages sent to Flash memory on the ACE.

Supervisor

Total number of messages sent to the supervisor engine.

History

Total number of SNMP messages sent to an NMS.

Host

Total number of messages sent to a syslog server on a host.

Misc

Total number of miscellaneous system logging messages.

Messages Discarded

 

Cfg rate-limit

Total number of messages discarded due to the syslog message rate specified through the logging rate-limit command.

Hard rate-limit

Total number of messages discarded due to the internally set syslog message rate.

Server down

Total number of messages discarded due to a syslog server failure on a host.

Queue full

Total number of messages discarded because the message queue is full.

Errors

Total number of messages discarded due to an error condition.

SNMP-related Counters

 

Notifications sent

Total number of times the ACE sent SNMP traps (event notifications) to an NMS.

History table flushed

Total number of times the syslog message trap history table has been flushed.

Messages ignored

Total number of SNMP messages ignored by the ACE.

NP-related Counters

Network processor-related message counters.

To-CP dropped

Total number of messages sent by the network processor that were dropped by the control plane.

Fastpath sent

Total number of connection setup and teardown messages sent by the ACE.

Fastpath dropped

Total number of connection setup and teardown messages dropped by the ACE.
