Gathering Information on Application Layer Problems
System logs

Logging enables the router or switch to keep track of events that occur. Logging can help find trends, system error messages, outages, and a variety of other network events. Time should be taken to develop a logging strategy that will provide reliable data when required.

Monitoring activity in the log files is an important aspect of network management and should be conducted regularly. Monitoring the log files allows the execution of appropriate and timely action when problems are detected, such as breaches of security or events that are likely to lead to a potential security breach.

The logging facility:

  • Provides logging information for monitoring and troubleshooting
  • Allows selection of the types of logging information captured
  • Allows selection of the destination of captured logging information

There are several types of events that can be monitored. Messages are classified in terms of levels of severity. Level 0 is the highest level (most severe) and level 7 is the lowest level (least severe). System messages can be saved based on the type of facility and the severity level.

Syslog messages can be categorized as follows:

  • Error level messages (Warnings, Errors, Critical, Alerts, and Emergencies): generated by software or hardware malfunctions.
  • Notification level messages: generated by interface up/down transitions and system restarts.
  • Informational level messages: generated by reload requests and low-process stack messages.
  • Debugging level messages: generated by output from the debug commands.

The logging facility can also be configured to send captured logging information to select destinations. By default, switches and routers normally log significant system messages to their internal buffer and the system console.

The four destinations that syslog messages can be forwarded to are listed below:

  • Console terminal
  • Virtual terminals
  • Internal buffer
  • Syslog server

Be aware that the destination chosen for debugging output affects system overhead. Logging to the console produces high overhead, whereas logging to a virtual terminal produces less overhead. Logging to a syslog server produces even less, and logging to an internal buffer produces the least overhead of any method.

Time, specifically the timestamp, is a valuable piece of information for determining when a problem arose. Many network problems can be correlated with system configuration changes or with modifications to the network topology (both intentional and unintentional). For this reason, syslog messages should be time-stamped to enhance real-time debugging and management.
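As an added example (not part of the original text), the following Python parses the facility, severity level and timestamp out of IOS-style syslog lines, collapses the eight levels into the four classes described above, and flags entries that carry no timestamp. It assumes the Cisco IOS `%FACILITY-SEVERITY-MNEMONIC:` message header; the sample lines are constructed, not captured from a device.

```python
import re
from collections import Counter
from typing import Optional

# IOS severity levels: 0 is the most severe, 7 the least severe.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Optional sequence number, optional timestamp (present only if the device stamps
# its log), then the %FACILITY-SEVERITY-MNEMONIC: header every IOS message carries.
_LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"
    r"(?:(?P<ts>[*.]?[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?):\s*)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")

def category(severity: int) -> str:
    # Collapse the eight levels into the four classes described above.
    if severity <= 4:                      # emergencies .. warnings
        return "error"
    return {5: "notification", 6: "informational", 7: "debugging"}[severity]

def parse_line(line: str) -> Optional[dict]:
    # Return the fields of one IOS syslog line, or None if it is not one.
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    sev = int(m.group("severity"))
    return {"timestamp": m.group("ts"), "facility": m.group("facility"),
            "severity": sev, "severity_name": SEVERITY_NAMES[sev],
            "category": category(sev), "mnemonic": m.group("mnemonic"),
            "text": m.group("text")}

def summarize(lines):
    # Count messages per class and flag entries without a timestamp: an unstamped
    # event cannot be correlated with a configuration or topology change.
    counts, untimestamped = Counter(), []
    for rec in filter(None, map(parse_line, lines)):
        counts[rec["category"]] += 1
        if rec["timestamp"] is None:
            untimestamped.append(rec["mnemonic"])
    return counts, untimestamped

# Constructed sample buffer, not captured from a real device.
SAMPLE = """\
*Mar  1 00:02:15.207: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
*Mar  1 00:02:16.211: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Mar  1 00:05:40.003: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.20 port 514 started
""".splitlines()
```

Running `summarize(SAMPLE)` returns one error, two notification and one informational message, and reports the unstamped `LOGGINGHOST_STARTSTOP` entry.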