Knowing how to properly use logging is a necessary skill forany network administrator. It's vital that you know how to use logging when itcomes time to start troubleshooting.


The syslog daemon, syslogd, is installed with the base distributions of FreeBSD.
Syslogd accepts logs from:
 - the kernel (from /dev/klog),
 - applications running on the system via the logging socket it creates (/var/run/log)
 - other systems over UDP port 514 (by default) when configured to do so.

The /etc/syslog.conf file controls what system messages go to what log file.
FreeBSD and most of the 3rd party applications that issue messages do so using facility.level (facility - This is who is issuing the messages).

1) The FreeBSD facilities are:
auth - authentication messages from login(1), su(1), getty(8), sshd(8)
authpriv - like auth, should only be read by privileged individuals
console - capture log messages written to /dev/console by the kernel console output driver
cron - messages generated by the cron(8) daemon
daemon - messages generated by system daemons like routed(8) that are not sent to other facilities
ftp - for ftpd(8)
kern - Kernel messages read from /dev/klog
local0..local7 - for local use
lpr -  line printing and spooling daemon
mail - messages from Sendmail, Postfix, and other mail-related programs (Courier IMAP and POP mail)
mark - pseudofacility and used only by syslogd
news - for providing the network news system (nntp)
security - IPFW logs (/var/log/security)
syslog - syslog-related messages
user - when no facility is specified
uucp - uucp system
2) Level - the severity of the message and is a keyword
emerg - a panic condition. This is normally broadcast to all users
alert - a condition that should be corrected immediately (ex: corrupted system database)
crit - critical conditions (ex: hard device errors)
err - errors
warning - warning messages
notice - not error conditions, but should possibly be handled specially
info - informational messages
debug - only for debugging
none - pseudo-priority causes messages of the attached level to not be logged

There is a wildcard * meaning all or everything.

a) *.notice means messages from all facilities of level notice and below,so that would include notice, info, and debug severity messages.

b) kern.=info means only kernel messages of severity level info are selected.

You have explicit control over the messages you can select to go to different logs. When you add a new log file for an application you just installed be sure to also configure it for rotation and archiving in /etc/newsyslog.conf.

As part of defining a new log file in /etc/syslog.conf you also have to create the file. Using the touch command will do this just fine.
touch /var/log/dhcpd.log will create the dhcpd.log file.

To activate the changes to /etc/syslog.conf you can reboot or force the syslogd task into re-reading /etc/syslog.conf by issuing this console command:
/etc/rc.d/syslogd reload

3) LOG Rotation and Archiving
The /etc/newsyslog.conf file controls when a log is to be rotated and how it's to be archived.

4) Capturing Screen Content To A File
Sometimes you may want to capture everything that displays on the console screen to a file. This is really useful in making a record of what you are doing that you can review later if there is a problem.
Use the script command like this:
script /root/console.log
When finished 'enter exit' to stop recording all console messages to the file

5) FreeBSD Logs
All the operating system logs are stored in the same location, /var/log

# all the console messages for user ‘root’ account.
# no other user account will see any system messages
# *.notice; authpriv.none; kern.debug; lpr.info; mail.crit; news.err

By default, Cisco IOS does not send log messages to a terminal session over IP, that is, telnet or SSH connections don’t get log messages.
Console connections on a serial cable do have logging enabled by default.

1) Check current logging settings
Router#sh logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

2) Enable/Disable logging to appear on terminal (vty), by default is NO
Router#term mon 
Router#term no mon 

3) Disable Logging Completely on your console.
Router(config)#no logging console

4) Configure Logging Levels
Cisco routers, switches, PIX and ASA firewalls prioritize log messages into 8 levels.
Log messages with lower numbers are more critical than higher numbers.
Router(config)#logging console ?
  <0-7>          Logging severity level
  emergencies    System is unusable                (severity=0)
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  errors         Error conditions                  (severity=3)
  warnings       Warning conditions                (severity=4)
  notifications  Normal but significant conditions (severity=5)
  informational  Informational messages            (severity=6)
  debugging      Debugging messages                (severity=7)
  guaranteed     Guarantee console messages
  xml            Enable logging in XML
Router(config)#logging console warnings
Router(config)#logging monitor ?

5) Logging Synchronous
In Synchronous logging, after the message is thrown in to the terminal,
router displays the original prompt with what you have already typed.
Router#conf t
Router(config)#line console 0
Router(config-line)#logging synchronous
Router#conf t
Router(config)#line vty 0 4
Router(config-line)#logging synchronous

6) Logging buffer size (number of entries to be available)
Router(config)# logging buffered 8192

7) Logging to Syslog Server
Router(config)# logging
8) Timestamp log messages
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone


No comments :

Post a Comment