Cisco Logging
Logging is one of the first things that must work in any installation.
Configure your router or switch like the following sample config, and verify that the logs arrive on the log server with your selected facility.
	!
	! service timestamps log show-timezone localtime datetime
	!
	service timestamps log datetime msec show-timezone localtime
	!
	!
	logging on
	logging buffered 50000 debugging
	logging trap debugging
	! logging trap notifications 
	! logging trap informational 
	logging facility local7
	logging source-interface loopback0
	logging host 1.2.3.4 transport udp port 514
	!
	! logging host 5.6.7.8 transport tcp port 514
	!
	logging rate-limit 10000 
	!
	!
	!
	no service sequence-numbers
	!
	! if you like sequence-numbers for syslog use this line: 
	! service sequence-numbers
	!
	
If you want to log every configuration change, you can add this:
	!
	archive
	 log config
	  logging enable
	  logging size 1000
	  notify syslog
	  hidekeys
	!
The output looks like this; it shows all the information needed for debugging and for keeping a record of changes:
	*Sep 16 18:59:39.059 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:chw  logged command:service timestamps log datetime msec show-timezone localtime
	*Sep 16 18:59:41.107 UTC: %SYS-5-CONFIG_I: Configured from console by chw on vty0 (192.168.2.100)
	*Sep 16 18:59:57.215 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:chw  logged command:!exec: enable
	*Sep 16 19:01:15.379 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:chw  logged command:logging facility local7
	*Sep 16 19:11:15.715 UTC: %SYS-5-CONFIG_I: Configured from console by chw on vty0 (192.168.2.100)
	*Sep 16 19:19:18.307 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:chw  logged command:!exec: enable
	*Sep 16 19:36:44.611 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:chw  logged command:!exec: enable
To set the correct logging level, use this command:
 evil-router(config)#logging trap ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
  <cr>
Warning: if you log too much, it may have an impact on the log server and/or the connection to the log server, and on the speed of the Cisco device.

Log Format
System logging messages take the following format:
%<facility>-<severity>-<mnemonic>: <message-text>
For example:
	%LINK-5-CHANGED: Interface Serial3/3, changed state to administratively down 
Usually, these messages are preceded by additional text, such as the timestamp and error sequence number:
<sequence-number>: <timestamp>:%<facility>-<severity>-<mnemonic>: <message-text>
For example:
	000013: Mar 18 14:52:10.039:%LINK-5-CHANGED: Interface Serial3/3, changed state to administratively down 

Log Tips

Log Time
An asterisk (*) before the time indicates that the time may be incorrect because the system clock has not synchronized to a reliable time source.
	*Sep 20 19:19:18.307 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:chw  logged command:!exec: enable
	*Sep 20 19:36:44.611 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:chw  logged command:!exec: enable

After setting an NTP server:
	Sep 20 20:13:14.062 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:chw  logged command:service timestamps log datetime msec show-timezone localtime
	Sep 20 20:13:15.206 UTC: %SYS-5-CONFIG_I: Configured from console by chw on vty0 (192.168.2.100)
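
The Log Format and Log Time sections above can be checked on the log server with a small parser. This is an added example, not code from the original page: it splits a message into its fields, flags timestamps marked with an asterisk, and pulls user and command out of the CFGLOG_LOGGEDCMD entries. The function names are hypothetical, and it assumes lines as the device formats them, without any header the syslog daemon prepends.

```python
import re

# Layout: [<sequence-number>: ][*]<timestamp>: %<facility>-<severity>-<mnemonic>: <message-text>
LINE_RE = re.compile(
    r"^\s*(?:(?P<seq>\d+):\s*)?"                       # optional sequence number
    r"(?P<unsynced>\*)?"                               # '*' = clock not synchronized
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}"
    r"(?:\.\d+)?(?:\s+[A-Z]{2,5})?)\s*:\s*"            # msec and timezone are optional
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*?)\s*$"
)
CFGLOG_RE = re.compile(r"^User:(?P<user>\S+)\s+logged command:(?P<command>.*)$")
SEVERITIES = ("emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging")

def parse_line(line):
    """Return a dict of the message fields, or None if the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"]) if rec["seq"] else None
    rec["unsynced"] = rec["unsynced"] is not None
    rec["severity"] = int(rec["severity"])
    rec["severity_name"] = SEVERITIES[rec["severity"]]
    return rec

def config_changes(lines):
    """Return the commands reported by 'archive / log config / notify syslog'."""
    found = []
    for rec in filter(None, map(parse_line, lines)):
        if (rec["facility"], rec["mnemonic"]) != ("PARSER", "CFGLOG_LOGGEDCMD"):
            continue
        m = CFGLOG_RE.match(rec["text"])
        if m:
            found.append({"timestamp": rec["timestamp"], "user": m["user"],
                          "command": m["command"], "clock_trusted": not rec["unsynced"]})
    return found

# Sample lines copied from the examples on this page.
SAMPLE = [
    "*Sep 16 19:01:15.379 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:chw  logged command:logging facility local7",
    "*Sep 16 19:11:15.715 UTC: %SYS-5-CONFIG_I: Configured from console by chw on vty0 (192.168.2.100)",
    "Sep 20 20:13:14.062 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:chw  logged command:service timestamps log datetime msec show-timezone localtime",
    "000013: Mar 18 14:52:10.039:%LINK-5-CHANGED: Interface Serial3/3, changed state to administratively down ",
]

if __name__ == "__main__":
    print(*config_changes(SAMPLE), sep="\n")
```

Entries with clock_trusted set to False were stamped before the device had a reliable time source, so their times should not be relied on when correlating with other logs.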

Manual Log Entry

	evil-router#
	evil-router#send log Hallo Syslogserver

Logfile:
	*Nov 24 21:00:35.399 UTC: %SYS-2-LOGMSG: Message from 6(chw): Hallo Syslogserver

(c) 2008 by packetlevel.ch / last update: 24.11.2008