• EOS Logging Explained

 
 
Print Friendly, PDF & Email

 

Show Logging Explained

 

What’s in a log? This document will serve to explain all of the available options and sub-feature explanations when it comes to logging. Each of the below sections correspond directly to the output of ‘show logging’ to attempt to explain each of them one by one.

 

switch#show log

Syslog logging: enabled

    Buffer logging: level debugging

    Console logging: level errors

    Persistent logging: disabled

    Monitor logging: level errors

    Synchronous logging: disabled

    Trap logging: level informational

    Sequence numbers: disabled

    Syslog facility: local4

    Hostname format: Hostname only

    Repeat logging interval: disabled

    Repeat messages: disabled




Facility                   Severity            Effective Severity

--------------------       -------------       ------------------

aaa                        debugging           debugging

accounting                 debugging           debugging

acl                        debugging           debugging

agent                      debugging           debugging

*SNIP*

 

Logging Locations

Buffer Logging

 

You can configure this via ‘logging buffered’, these are the logs that are kept in the buffer space on the switch. Within the logging buffered command you can set the syslog level as well as the buffer size. A larger buffer size (capable of keeping a week or two) is recommended by TAC.

 

[no] logging buffered [<len>] [<severity>]

 

If len is specified, this will be the number of messages that are displayed by the show logging command, len must be a value between 10 and 2147483647 (2^31 – 1).

 

If severity is specified, sets the minimum severity threshold of messages that are logged. severity must be an integer from 0-7, or a string from the list {emergencies, alerts, critical, errors, warnings, notifications, informational, debugging}.

 

          Numerical         Severity

             Code




              0       Emergency: system is unusable

              1       Alert: action must be taken immediately

              2       Critical: critical conditions

              3       Error: error conditions

              4       Warning: warning conditions

              5       Notice: normal but significant condition

              6       Informational: informational messages

              7       Debug: debug-level messages

 

For example, if we configure a logging level of 6, this will correspond to informational. At that point, everything in levels 0-6 will be logged.

Console Logging

 

This is logging sent only to the console port of the switch. This can be configured as far as syslog levels just like buffer logging. 

 

[no] logging console [severity]

 

Persistent Logging

 

Persistent logging will write system logs to non-volatile flash, so that they would then survive a reload. It is not advised to utilize persistent logging unless needed as there can be heavy writing which will quickly fill up the flash. 

 

Monitor Logging

 

This command will control the severity level of logging that will be displayed during a terminal session. This can be accessed via the logging command as well. Note: You will have to enable ‘terminal monitor’ for this to take effect.

 

[no] logging monitor [severity]

Synchronous Logging

 

Logging synchronously is to ensure log messages that need to be show on the Cli console do not interrupt current Cli output, such as from a Cli command, and are shown after the output has finished printing.

 

The logging synchronous cli command is enabled in configuration mode and has the following format:

 

[ no ] logging synchronous [ level severity | all ]

 

Where level severity specifies log messages of lower severity level are to be logged synchronously and all specifies all log messages are to be logged synchronously. If neither are specified, the severity level for logging synchronously is defaulted to 2 (alerts). Logging synchronous is disabled by default.

 

Let n and m be integers ∈ [ 0, 7 ], defined as the logging synchronous severity level and logging console severity level respectively. That is:

 

logging synchronous level n

logging console m

 

Considering that a lower integer means a higher severity, when n < m:

  • Asynchronous message severity levels ∈ [ 0, n ]
  • Synchronous message severity levels ∈ ( n, m ]

 

When n ≥ m:

  • Asynchronous message severity levels ∈ [ 0, m ]
  • There are no synchronous messages (same as no logging synchronous)

 

When n is replaced with ‘all’:

  • There are no asynchronous messages
  • Synchronous message severity levels ∈ [ 0, m ]

 

It is recommended to simply use ‘all’ so none of your sessions are interrupted by logs whether in console or monitor.

 

Trap Logging

 

The logging trap system command configures remote logging of system messages. Specifying a severity level logs only those messages with a severity at or above that level to the remote server. To configure the IP address of the remote syslog server, use the logging host command; to enable logging, use the logging on command.

 

The no logging trap system and default logging trap system commands restore remote logging defaults by removing the corresponding logging trap system command from running-config.

 

Command Syntax

logging trap system [FACILITY] [SEVERITY] [PROGRAM] [TEXT]

no logging trap system [FACILITY] [SEVERITY] [PROGRAM] [TEXT]

default logging trap system [FACILITY] [SEVERITY] [PROGRAM] [TEXT]

The TEXT parameter, when present, is always last. All other parameters can be placed in any

order.

Parameters

  • FACILITY Defines the appropriate facility.
    • <no parameter> Specifies default facility.
    •  facility <facility-name> Specifies named facility.
  • SEVERITY Specifies minimum severity level to be logged. Options include:
    •  <no parameter> Specifies default severity level.
    •  severity <level> Minimum severity level for remote logging.
  • PROGRAM Filters packets based on program name. Options include:
    •  <no parameter> All tags or program names.
    •  tag program-name Specific tag or program name.
  • TEXT Specifies log message text. Options include:
    • <no parameter> Specify text contained in log message.
    •  contain reg-expression Specify text contained in log message.

 

Logging Options

Sequence Numbers

 

The service sequence-numbers command causes the sequence numbers of syslog messages to be visible when the messages are displayed.

The no service sequence-numbers and default service sequence-numbers commands remove the service sequence-numbers command from running-config.

 

Command Syntax

service sequence-numbers

no service sequence-numbers

default service sequence-numbers

 

Examples

  • This command enables sequence numbering that can been seen when syslog messages are

displayed.

switch(config)#service sequence-numbers

switch(config)#
  • To display the service sequence number, issue the show logging command.

 

switch#show logging

Syslog logging: enabled

 Buffer logging: level debugging

 Console logging: level informational

 Synchronous logging: disabled

 Trap logging: level informational

 Sequence numbers: enabled

 Syslog facility: local4

 Hostname format: Hostname only

 Repeat logging interval: disabled

<-------OUTPUT OMITTED FROM EXAMPLE-------->

Log Buffer:

<-------OUTPUT OMITTED FROM EXAMPLE-------->

Nov 12 14:03:34 switch1 SuperServer: 1: %SYS-7-CLI_SCHEDULER_LOG_STORED: Logfile

for scheduled CLI execution job 'tech-support' is stored in

flash:/schedule/tech-support/tech-support_2012-11-12.1402.log.gz

Nov 12 14:06:52 switch1 Cli: 2: %SYS-5-CONFIG_I: Configured from console by admin

on con0 (0.0.0.0)

Nov 12 14:07:26 switch1 Cli: 3: %SYS-5-CONFIG_E: Enter configuration mode from

console by admin on con0 (0.0.0.0)

Nov 12 14:14:29 switch1 Cli: 4: %SYS-5-CONFIG_I: Configured from console by admin

on con0 (0.0.0.0)

Nov 12 14:15:55 switch1 Cli: 5: %SYS-5-CONFIG_E: Enter configuration mode from

console by admin on con0 (0.0.0.0)

Nov 12 14:33:05 switch1 Cli: 6: %SYS-5-CONFIG_I: Configured from console by admin

on con0 (0.0.0.0)

Nov 12 14:45:13 switch1 Cli: 7: %SYS-5-CONFIG_E: Enter configuration mode from

console by admin on con0 (0.0.0.0)

switch#

 

Logging Facility

 

The logging facility represents the machine process within Linux that created the syslog event. I.E is this from the kernel, the clock daemon etc. These facilities are used to create the priority value within the syslog packet. The default value used by Arista is local4. The exact configurations for this are out of the scope of this document, however the full list of facilities is configurable on Arista devices. To read more about these facilities please see RFC5424 at https://datatracker.ietf.org/doc/html/rfc5424

 

Hostname Format

 

This option allows the user to configure how they want the hostname of their device to appear in the show log output. You can choose either a Fully Qualified Domain Name or the Ipv4 address of the device. The logs will then appear as the below:

 

Oct 25 17:52:50 yourdevice.yourdomain.yourtld Stp: %SPANTREE-6-STABLE_CHANGE: Stp state is now not stable

Oct 25 17:52:50 yourdevice.yourdomain.yourtld Stp: %SPANTREE-6-INTERFACE_DEL: Interface Ethernet40 has been removed from instance MST0




Oct 25 17:53:36 1.1.1.1 Stp: %SPANTREE-6-INTERFACE_STATE: Interface Ethernet40 instance MST0 moving from discarding to learning

Oct 25 17:53:36 1.1.1.1 Stp: %SPANTREE-6-INTERFACE_STATE: Interface Ethernet40 instance MST0 moving from learning to forwarding

Oct 25 17:54:06 1.1.1.1 Stp: %SPANTREE-6-STABLE_CHANGE: Stp state is now stable

 

Repeat Logging Interval

 

This is a feature that will repeat critical log messages after a user configured amount of time. This is available via the below command:

 

switch(config)#logging relogging-interval ?

  <1-720>  Set number of minutes for repeat log interval




switch(config)#logging relogging-interval 1

switch(config)#show log

Syslog logging: enabled

    Buffer logging: level debugging

    Console logging: level debugging

    Persistent logging: disabled

    Monitor logging: level debugging

    Synchronous logging: disabled

    Trap logging: level informational

    Sequence numbers: enabled

    Syslog facility: local4

    Hostname format: ipv4 format

    Repeat logging interval: 1 minutes  <----

    Repeat messages: disabled

 

Repeat Messages

 

By default, Arista devices will not spam the logging with concurrent repeat messages. The logs will instead take the same message that occurs in a short period of time, print the message, and advise of the number of repeats. It is certainly recommended to keep this default, however you can issue ‘no logging repeat-messages’ if you wish to see all of the logs for the same event. 

 

Facility Column

 

This column represents all of the agents that will log events to the various ways of logging that have been described thus far.

 

Severity vs. Effective Severity Column

 

Individual agents are able to be configured with their own logging levels. This is useful if a particular agent is rather chatty and you want to stop that. 

 

Facility                   Severity            Effective Severity

--------------------       -------------       ------------------

aaa                        debugging           debugging




switch(config)#logging level aaa informational




Facility                   Severity            Effective Severity

--------------------       -------------       ------------------

aaa                        informational       informational

 

Severity as we see above is strictly what is configured for the individual facility. The effective severity is the lowest number, or highest severity level that is configured for the facility out of the trap, buffer, and console settings,(also if you have monitor logging enabled) in relation to the individual facility level. So we can see a few examples. We see effective severity change automatically when we move the facility level. This is because this is now the highest level programmed out of all the criteria, so effectively, we will only see informational and more severe messages from this facility on all of our logging mediums (according to the example above). Now observe when we make all of the individual logging mechanisms a higher severity:

 

switch...14:55:56(config)#show log

Syslog logging: enabled

    Buffer logging: level warnings

    Console logging: level warnings

    Persistent logging: disabled

    Monitor logging: level warnings

    Synchronous logging: disabled

    Trap logging: level warnings

    Sequence numbers: disabled

    Syslog facility: local4

    Hostname format: Hostname only

    Repeat logging interval: disabled

    Repeat messages: disabled




Facility                   Severity            Effective Severity

--------------------       -------------       ------------------

aaa                        informational       warnings

accounting                 notifications       warnings

acl                        debugging           warnings

agent                      debugging           warnings

 

So now, as we can see, the individual severity no longer comes into play as all of my logging mediums operate at the warning level. So, effectively, my severity is really at warning, as nothing is configured to log at a lower severity. 

 

 

Created and revised by: Kyle McPeak and Sarthak Shetty

Follow

Get every new post on this blog delivered to your Inbox.

Join other followers: