Log Types: CISCORouterLog

Overview

CISCO switches and routers generate a range of events, generally grouped into either:

  • Packet accept/deny information

  • General administrative or security information messages (e.g. interface up/down, administrator login, configuration changes)

CISCO switches are more likely to limit logs to general administrative or flow-control messages.

The log format for a CISCO router is designed to be human-readable rather than machine-readable, so it is neither simple nor consistent to parse by computer.

The CISCORouterLog module makes use of several regular expressions to try to pull data out of the information presented.

Collection

Logging is enabled by default. To send logs to a remote machine:

  • configure terminal

    • Enters global configuration mode.

  • logging host ip-address

    • Logs messages to a UNIX syslog server host, identified by its IP address.

    • To build a list of syslog servers that receive logging messages, enter this command more than once.

  • logging trap level

    • By default, syslog servers receive informational messages and lower. See below for level keywords.

  • logging facility facility-type

    • Configures the syslog facility. See below for facility-type keywords.

    • The default is local7.

  • end

    • Returns to privileged EXEC mode.



Level Keyword   | Level | Description                      | Syslog Definition
----------------|-------|----------------------------------|------------------
emergencies     | 0     | System unstable                  | LOG_EMERG
alerts          | 1     | Immediate action needed          | LOG_ALERT
critical        | 2     | Critical conditions              | LOG_CRIT
errors          | 3     | Error conditions                 | LOG_ERR
warnings        | 4     | Warning conditions               | LOG_WARNING
notifications   | 5     | Normal but significant condition | LOG_NOTICE
informational   | 6     | Informational messages only      | LOG_INFO
debugging       | 7     | Debugging messages               | LOG_DEBUG



Facility Type Keyword | Description
----------------------|--------------------------
auth                  | Authorization system
cron                  | Cron facility
daemon                | System daemon
kern                  | Kernel
local0-7              | Locally defined messages
lpr                   | Line printer system
mail                  | Mail system
news                  | USENET news
sys9                  | System use
sys10                 | System use
sys11                 | System use
sys12                 | System use
sys13                 | System use
sys14                 | System use
syslog                | System log
user                  | User process
uucp                  | UNIX-to-UNIX copy system

Sample Events

<163>1: Jan  2 15:04:05: %SEC-6-IPACCESSLOGP: list Net-2389 denied TCP 172.234.1.22 -> 72.44.32.1 (22), 2365 packets
<163>2144: Jan  2 15:04:05 gateway: %LINK-3-UPDOWN: Interface rext2, changed state to down
<163>23: Jan  2 15:04:05 gateway: %RPS-3-MULTFAIL: There is more than one failure with the Redundant Power
<163>23: Jan  2 00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
<163>23: Jan  2 00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
<163>23: Jan  2 00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
<163>23: Jan  2 00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
<163>23: Jan  2 00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down 2
<163>23: Jan  2 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
<163>23: Jan  2 18:47:02: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
<163>23: Mar 1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)

Fields

Field       | Description
------------|------------------------------------------------------------------------
DATE        | Event date, in the format YYYY-MM-DD
TIME        | Event time, in the format HH:MM:SS
SYSTEM      | The source system
TABLE       | CISCORouterLog
CRITICALITY | Numeric criticality identifier within the event ID
ACTION      | Action, e.g. denied
PROTO       | Protocol: TCP/UDP/ICMP
SRCADDR     | Source IP address
SRCPORT     | Source port
DSTADDR     | Destination IP address
DSTPORT     | Destination port
STRING      | All other content provided in the message that does not fit into another field
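As an added example (not part of this page or of the CISCORouterLog module itself), the following Python parser applies the field mapping above to the sample events: one regular expression splits the IOS header (priority, sequence, timestamp, optional hostname, %FACILITY-SEVERITY-MNEMONIC), a second pulls the access-list flow fields out of the message text, and everything not consumed lands in STRING. The sample lines are constructed from the Sample Events section; the `year` parameter is an assumption, since IOS messages carry no year; the names `HEADER`, `FLOW`, `parse` and `parse_all` are the example's own.

```python
import re
from datetime import datetime

# Constructed sample lines, in the shape shown under "Sample Events".
SAMPLES = [
    "<163>1: Jan  2 15:04:05: %SEC-6-IPACCESSLOGP: list Net-2389 denied TCP "
    "172.234.1.22 -> 72.44.32.1 (22), 2365 packets",
    "<163>2144: Jan  2 15:04:05 gateway: %LINK-3-UPDOWN: Interface rext2, changed state to down",
    "<163>23: Mar 1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
]

# Header: <pri>seq: Mon d hh:mm:ss[.ms] [TZ] [host]: %FACILITY-SEVERITY-MNEMONIC: text
# (an all-uppercase 3-4 letter hostname would be read as a timezone; rare on IOS)
HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<seq>\d+):\s+"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})(?:\.\d+)?"
    r"(?:\s+[A-Z]{3,4})?(?:\s+(?P<host>[\w.-]+))?:\s+"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s+(?P<text>.*)$"
)
# Access-list flow text; ports are optional and may appear as "ip(port)" or "ip (port)".
FLOW = re.compile(
    r"(?P<action>permitted|denied)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s*(?:\((?P<sport>\d+)\))?\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s*(?:\((?P<dport>\d+)\))?"
)

def parse(line, year):
    """Map one IOS syslog line onto the CISCORouterLog fields; None if it is not one.
    The message carries no year, so the caller supplies it (an assumption of this example)."""
    m = HEADER.match(line)
    if not m:
        return None
    stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    text = m["text"]
    rec = {"DATE": stamp.strftime("%Y-%m-%d"), "TIME": stamp.strftime("%H:%M:%S"),
           "SYSTEM": m["host"] or "", "TABLE": "CISCORouterLog", "CRITICALITY": int(m["sev"]),
           "ACTION": "", "PROTO": "", "SRCADDR": "", "SRCPORT": "", "DSTADDR": "", "DSTPORT": "",
           "STRING": text}
    f = FLOW.search(text)
    if f:
        rec.update(ACTION=f["action"], PROTO=f["proto"].upper(), SRCADDR=f["src"],
                   SRCPORT=f["sport"] or "", DSTADDR=f["dst"], DSTPORT=f["dport"] or "")
        # Whatever the flow fields did not consume (list name, packet count) stays in STRING.
        rest = (text[:f.start()].strip(), text[f.end():].strip(" ,"))
        rec["STRING"] = "; ".join(p for p in rest if p)
    return rec

def parse_all(lines, year):
    """Parse a batch of lines, dropping any that are not IOS system messages."""
    return [r for r in (parse(l, year) for l in lines) if r]
```

Lines whose text is not an access-list message keep ACTION, PROTO and the address/port fields empty and carry the whole message in STRING, which matches the field table above.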

Notes

https://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/SysMsgLogging.html