The minimum you should know

Severity levels

Router(config)#logging trap ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
  <cr>

http://security-planet.de Karsten Iwen - CCIE #14602 (Security, R/S)

Logging destinations

  host (syslog)
  console
  monitor (ssh/telnet)
  buffered
  snmp

Logging destinations: host (syslog)

Router#sh run | i logg
logging trap warnings
logging 150.100.1.60

The default transport is udp/514; tcp can also be used:

logging host 150.100.1.60 transport tcp port 1234

Syslog messages should always be sent from the same source address:

Router(config)#logging source-interface loopback 0

Logging destinations: console

Router#sh logging | i Console
    Console logging: level debugging, 19 messages logged, xml disabled
Router(config)#logging console notifications
Router(config)#no logging console

Logging destinations: monitor

Router#sh logging | i Monitor
    Monitor logging: level debugging, 0 messages logged, xml disabled
Router(config)#logging monitor informational
Router#terminal monitor
Router#terminal no monitor

Logging destinations: buffered

Router#sh logging | i Buffer
    Buffer logging: disabled, xml disabled,

Needs to be enabled:

Router(config)#logging buffered
Router#sh run | i buff
logging buffered 4096 debugging
Router#sh logging | i Buffer
    Buffer logging: level debugging, 1 messages logged, xml disabled,
Log Buffer (4096 bytes):

Logging destinations: buffered

Router#sh logging
...
Log Buffer (4096 bytes):

*Mar 1 00:52:05.107: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:52:06.107: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Mar 1 00:52:11.115: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 150.100.1.60 started - reconnection
*Mar 1 00:53:20.411: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 00:54:59.431: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.2.2 on FastEthernet0/0 from LOADING to FULL, Loading Done

More things to consider

For correlation you need accurate time: use NTP.

More things to consider

The router can count the number of messages:

Router(config)#logging count
Router#sh logging count
Facility       Message Name                     Sev Occur     Last Time
==================================================================================
SYS            CONFIG_I                           5        1  *Mar 1 00:08:28.223
-------------  -------------------------------  ----------------------------------
SYS TOTAL                                                  1

LINEPROTO      UPDOWN                             5        1  *Mar 1 00:08:19.211
-------------  -------------------------------  ----------------------------------
LINEPROTO TOTAL                                            1

LINK           UPDOWN                             3        1  *Mar 1 00:08:18.211
-------------  -------------------------------  ----------------------------------
LINK TOTAL                                                 1

OSPF           ADJCHG                             5        1  *Mar 1 00:09:25.319
-------------  -------------------------------  ----------------------------------
OSPF TOTAL                                                 1
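
An added example, not part of the original slides: a small Python parser for the %FACILITY-SEVERITY-MNEMONIC messages from the buffer output above. It applies a destination level such as "logging trap warnings" and tallies messages the way "sh logging count" does. The function names are hypothetical; the check for a leading "*" or "." relies on how IOS marks timestamps taken from a clock that is not NTP-synchronized.

```python
import re
from collections import Counter

# Keywords and numbers as listed by "logging trap ?" (0 is the most severe).
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6,
            "debugging": 7}

# IOS message body: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])"
                    r"-(?P<mnemonic>[A-Z0-9_]+): ?(?P<text>.*)")

# Sample input: the five buffer lines from the "sh logging" slide.
SAMPLE = """\
*Mar 1 00:52:05.107: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:52:06.107: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Mar 1 00:52:11.115: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 150.100.1.60 started - reconnection
*Mar 1 00:53:20.411: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 00:54:59.431: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.2.2 on FastEthernet0/0 from LOADING to FULL, Loading Done
"""

def parse(line):
    """Split one log line into fields; return None if it is not an IOS message."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    stamp = line[:m.start()].strip().rstrip(":")
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["timestamp"] = stamp
    # A leading "*" or "." marks a clock that is not NTP-synchronized.
    rec["clock_synced"] = bool(stamp) and stamp[0] not in "*."
    return rec

def delivered(lines, level):
    """Messages a destination set to `level` receives: severity <= level."""
    limit = SEVERITY[level]
    return [r for r in map(parse, lines) if r and r["severity"] <= limit]

def count(lines):
    """Tally per (facility, mnemonic, severity), like "sh logging count"."""
    return Counter((r["facility"], r["mnemonic"], r["severity"])
                   for r in map(parse, lines) if r)

if __name__ == "__main__":
    for rec in delivered(SAMPLE.splitlines(), "warnings"):
        print(rec["timestamp"], rec["facility"], rec["mnemonic"], rec["clock_synced"])
```

With the level set to warnings, only the LINK-3-UPDOWN line from the sample reaches the destination, and every sample timestamp is flagged as unsynchronized, which is the correlation problem the NTP slide addresses.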

More things to consider

Log messages should include a timestamp:

Router(config)#service timestamps log datetime ?
  localtime      Use local time zone for timestamps
  msec           Include milliseconds in timestamp
  show-timezone  Add time zone information to timestamp
  year           Include year in timestamp
  <cr>

More things to consider

You can group messages from similar devices:

Router(config)#logging facility ?
...
  local0  Local use
  local1  Local use
  local2  Local use
  local3  Local use
  local4  Local use
  local5  Local use
  local6  Local use
  local7  Local use
...