Information About Configuring System Message Logs and Smart Logs
System Message Logging
By default, a switch sends the output from system messages and debug privileged EXEC commands to a logging process. Stack members can trigger system messages. A stack member that generates a system message appends its hostname in the form hostname-n, where n is the switch number from 1 to 8, and redirects the output to the logging process on the stack's active switch. Although the active switch is a stack member, it does not append its hostname to system messages. The logging process controls the distribution of logging messages to various destinations, such as the logging buffer, terminal lines, or a UNIX syslog server, depending on your configuration. The process also sends messages to the console.
When the logging process is disabled, messages are sent only to the console. The messages are sent as they are generated, so message and debug output are interspersed with prompts or output from other commands. Messages appear on the active consoles after the process that generated them has finished.
You can set the severity level of the messages to control the type of messages displayed on the consoles and each of the destinations. You can time-stamp log messages or set the syslog source address to enhance real-time debugging and management. For information on possible messages, see the system message guide for this release.
You can access logged system messages by using the switch command-line interface (CLI) or by saving them to a properly configured syslog server. The switch software saves syslog messages in an internal buffer on a standalone switch, and in the case of a switch stack, on the stack's active switch. If a standalone switch or the stack master fails, the log is lost unless you had saved it to flash memory.
You can remotely monitor system messages by viewing the logs on a syslog server or by accessing the switch through Telnet, through the console port, or through the Ethernet management port. In a switch stack, all stack member consoles provide the same console output.
Note: The syslog format is compatible with 4.3 BSD UNIX.
System Log Message Format
System log messages can contain up to 80 characters and a percent sign (%), which follows the optional sequence number or time-stamp information, if configured. Depending on the switch, messages appear in one of these formats:
- seq no:timestamp: %facility-severity-MNEMONIC:description (hostname-n)
- seq no:timestamp: %facility-severity-MNEMONIC:description

The sequence number and time stamp appear only when the corresponding global configuration commands are configured:
- service sequence-numbers
- service timestamps log datetime
- service timestamps log datetime [localtime] [msec] [show-timezone]
- service timestamps log uptime
| Element | Description |
|---|---|
| seq no: | Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. |
| timestamp formats: mm/dd hh:mm:ss or hh:mm:ss (short uptime) or d h (long uptime) | Date and time of the message or event. This information appears only if the service timestamps log [datetime \| log] global configuration command is configured. |
| facility | The facility to which the message refers (for example, SNMP, SYS, and so forth). |
| severity | Single-digit code from 0 to 7 that is the severity of the message. |
| MNEMONIC | Text string that uniquely describes the message. |
| description | Text string containing detailed information about the event being reported. |
| hostname-n | Hostname of a stack member and its switch number in the stack. Although the stack's active switch is a stack member, it does not append its hostname to system messages. |
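The following parser for the message format above is an added example, not code from the switch documentation. It splits a line into the fields in the table and handles two ambiguities: an uptime stamp that looks like a sequence number, and a trailing parenthesis that is not a stack member tag. The names `parse`, `LogMsg` and the sample lines are assumptions made for illustration, as is the rule that a sequence number is followed by a colon and a non-digit.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Keywords for severity codes 0-7, in order.
LEVELS = ("emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging")

BODY = re.compile(r"%(?P<fac>[A-Z][A-Z0-9_]*)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*")
# Trailing "(hostname-n)"; n is the stack member number, 1 to 8.
MEMBER = re.compile(r"\s*\((?P<host>[^()\s]+)-(?P<n>[1-8])\)$")
# Sequence number, then an optional timestamp. The lookahead keeps an
# uptime stamp such as "00:00:46" from being read as sequence number 00.
SEQ = re.compile(r"^(?P<seq>\d+)(?::(?=\D)\s*(?P<ts>.+))?$")

class LogMsg(NamedTuple):
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    level: str
    mnemonic: str
    description: str
    member: Optional[Tuple[str, int]]   # (hostname, n) of a stack member

def parse(line: str) -> Optional[LogMsg]:
    """Parse one system message; None if it has no %FACILITY-SEV-MNEMONIC tag."""
    m = BODY.search(line)
    if m is None:
        return None
    prefix = line[:m.start()].strip().rstrip(":").strip()
    seq, ts = None, prefix or None
    s = SEQ.match(prefix)
    if s:
        seq, ts = int(s.group("seq")), s.group("ts")
    desc, member = line[m.end():].rstrip(), None
    h = MEMBER.search(desc)
    if h:  # strip the member tag; "(10.34.195.36)" does not match and stays
        member = (h.group("host"), int(h.group("n")))
        desc = desc[:h.start()]
    sev = int(m.group("sev"))
    return LogMsg(seq, ts, m.group("fac"), sev, LEVELS[sev],
                  m.group("mnem"), desc, member)

# Constructed sample lines (not captured from a real switch).
SAMPLES = [
    "000019: *Mar  1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "00:00:46: %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down (Switch-2)",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Gi1/0/2, changed state to up",
]
```

A message with no `member` value came from a standalone switch or from the stack's active switch, since only the other stack members append hostname-n.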
Default System Message Logging Settings
| Feature | Default Setting |
|---|---|
| System message logging to the console | Enabled. |
| Console severity | Debugging. |
| Logging file configuration | No filename specified. |
| Logging buffer size | 4096 bytes. |
| Logging history size | 1 message. |
| Time stamps | Disabled. |
| Synchronous logging | Disabled. |
| Logging server | Disabled. |
| Syslog server IP address | None configured. |
| Server facility | Local7 |
| Server severity | Informational. |
Syslog Message Limits
If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the switch history table. You also can change the number of messages that are stored in the history table.
Messages are stored in the history table because SNMP traps are not guaranteed to reach their destination. By default, one message of the level warning and numerically lower levels are stored in the history table even if syslog traps are not enabled.
When the history table is full (it contains the maximum number of message entries specified with the logging history size global configuration command), the oldest message entry is deleted from the table to allow the new message entry to be stored.
The history table lists the level keywords and severity level. For SNMP usage, the severity level values increase by 1. For example, emergencies equal 1, not 0, and critical equals 3, not 2.
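The history table behavior described above can be modeled in a few lines. This is an added example, not switch code; the function name `replay` and the event list are assumptions made for illustration. It shows how many qualifying messages are pushed out of the table at the default size of 1, which matters when the matching SNMP traps never reach the management station.

```python
from collections import deque

WARNINGS = 4  # default history level: warnings and numerically lower levels

def replay(events, size=1, level=WARNINGS):
    """Replay (severity 0-7, text) events in arrival order.

    Returns (table, evicted): table holds (snmp_severity, text) rows,
    oldest first; evicted counts stored entries that were deleted to
    make room for newer ones.
    """
    table, evicted = deque(maxlen=size), 0
    for severity, text in events:
        if severity > level:        # numerically higher than the level: not stored
            continue
        if len(table) == size:
            evicted += 1            # table full: oldest entry is deleted
        table.append((severity + 1, text))  # SNMP value is the syslog code + 1
    return list(table), evicted

# Constructed burst of (severity, text) events, not real switch output.
BURST = [
    (3, "constructed error event"),
    (5, "constructed notification event"),
    (2, "constructed critical event"),
    (4, "constructed warning event"),
]
```

With the defaults, `replay(BURST)` keeps only the final warning and reports two evicted entries; raising `size` retains all three qualifying messages.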
Smart Logging
Smart logging provides a mechanism to capture and export packet flows based on predefined or user-configured triggers. The switch supports smart logging for these events:
- DHCP snooping violations
- Dynamic ARP inspection violations
- IP source guard denied traffic
- ACL permitted or denied traffic
To use smart logging, you must first configure a NetFlow exporter that you identify when you enable smart logging. For information on configuring the NetFlow feature, see the Catalyst 2960-XR Switch NetFlow Lite Configuration Guide.
Smart logging processing creates a NetFlow packet for the configured event and sends the packet to the external NetFlow collector. Smart logging counters reflect the number of packets that are logged. This number is the same as the number of packets sent to the collector if no packets are dropped between the switch and the NetFlow collector. You enable smart logging globally on the switch, and you can then configure specific events to be smart logged.
Smart Logging for Port ACL Deny or Permit Actions
The switch supports port ACLs, router ACLs, and VLAN ACLs.
- Port ACLs are IP or MAC ACLs applied to a Layer 2 port. Logging is not supported on port ACLs, but smart logging is supported on IP ACLs applied to Layer 2 ports.
- Router ACLs are ACLs applied to Layer 3 ports. Router ACLs support logging but not smart logging.
- VLAN ACLs or VLAN maps are ACLs applied to VLANs. You can configure logging on VLAN maps, but not smart logging.

When you configure any permit or deny ACL, you can configure logging or smart logging as part of the access list, to take place on all traffic that the ACL permits or denies. The type of port that you attach the ACL to determines the type of logging. If you attach an ACL with smart log configured to a router or a VLAN, the ACL is attached, but smart logging does not take effect. If you configure logging on an ACL attached to a Layer 2 port, the logging keyword is ignored.