Using Syslog Messages

Syslog messages provide a wealth of information as to the possible root cause of the outage by generating, for the most part, meaningful messages such as the reload of module or shielded twisted-pair (STP) root change, and so on. Cisco switches can be configured for various syslog levels on a per-protocol basis or globally for all protocols. For example, it is generally accepted to have spanning-tree syslog level set at 6, meaning the switch will display syslog messages that fall in the range of 0?6. The number of syslog messages generated is directly proportional to the syslog level. A syslog of level 7 generates a lot more syslog messages than a syslog of level 6, and so on. Therefore, syslog level 7 is primarily for troubleshooting where the switch logs all messages that are generated by the feature/hardware in question:

• 0? emergencies

• 1? alerts

• 2? critical

• 3? errors

• 4? warnings

• 5? notifications

• 6? informational

• 7? debugging

The size of the buffer dictates how big the storage room will be for syslog messages on the switch. When the buffer fills up, the old messages will be removed to make room for the new log messages. If the buffer is too small, it is possible to lose relevant unread logs on the switch. To protect against this scenario, syslog buffers are typically set to 1024 and the log messages are also forwarded to a server for storage. Example 12-10 illustrates a standard configuration. The switch is configured to forward syslog level 0?6 messages to server, IP address of 10.1.1.1.

Example 12-10. Configuring Logging on the Switch

Switch1(enable)set logging server enable

Switch1(enable)set logging server 10.1.1.1

Switch1(enable)set logging level spantree 6 default

Switch1(enable)set logging server severity 6