
Collecting from Cisco IOS based devices

This collection method is designed to collect logs from Cisco products that run IOS, such as the Cisco Catalyst 2960 switch or the Cisco ASR 9200 router.

Log configuration

Configure the remote address of a collector and the logging level:

CATALYST(config)# logging host <hostname or IP of the LogMan.io collector> transport tcp port <port-number>
CATALYST(config)# logging trap informational
CATALYST(config)# service timestamps log datetime year msec show-timezone
CATALYST(config)# logging origin-id <hostname>

Log format contains the following fields:

  • timestamp in the UTC format with:
    • year, month, and day
    • hour, minute, and second
    • millisecond
  • hostname of the device
  • log level is set to informational

Example of the output

<189>36: CATALYST: Aug 22 2022 10:11:25.873 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.44)

Time synchronization

It is important that the Cisco device's time is synchronized using NTP.

Prerequisites are:

  • Internet connection (if you are using a public NTP server)
  • Configured name-server option (for DNS query resolution)

LAB-CATALYST(config)# no clock timezone
LAB-CATALYST(config)# no ntp
LAB-CATALYST(config)# ntp server <hostname or IP of NTP server>

Example of the configuration with the Google NTP server:

CATALYST(config)# no clock timezone
CATALYST(config)# no ntp
CATALYST(config)# do show ntp associations
%NTP is not enabled.

CATALYST(config)# ntp server time.google.com
CATALYST(config)# do show ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
*~216.239.35.4     .GOOG.            1    58    64  377    15.2    0.58     0.4
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

CATALYST(config)# do show clock
10:57:39.110 UTC Mon Aug 22 2022
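A collector-side check for the log format and time synchronization described above, as an added example that is not part of the original page or of LogMan.io. It parses the example line and flags devices whose output does not match the configured format. The function name, the finding strings and the two extra sample lines are constructed here; the `*` and `.` timestamp prefixes are standard IOS markers for a non-authoritative clock and for lost NTP synchronization, not something this page documents.

```python
import re
from datetime import datetime, timezone

# <PRI>seq: origin-id: [*|.]Mon DD YYYY HH:MM:SS.mmm TZ: %FACILITY-SEV-MNEMONIC: text
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<seq>\d+): (?P<origin>[^:\s]+): (?P<flag>[*.]?)"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[A-Za-z]+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

PAGE_LINE = ("<189>36: CATALYST: Aug 22 2022 10:11:25.873 UTC: %SYS-5-CONFIG_I: "
             "Configured from console by admin on vty0 (10.0.0.44)")
# Constructed samples: unset clock, and a device without "year msec show-timezone".
UNSYNCED_LINE = "<189>37: CATALYST: *Mar  1 1993 00:01:12.004 UTC: %SYS-5-RESTART: System restarted"
NO_YEAR_LINE = "<189>38: CATALYST: Aug 22 10:11:25: %SYS-5-CONFIG_I: Configured from console"

def parse_ios_line(line):
    """Return the parsed fields plus a list of findings, or None if the layout differs."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # e.g. "service timestamps log" was not applied on the device
    pri = int(m["pri"])
    is_utc = m["tz"] == "UTC"
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S.%f")
    event = {
        "syslog_facility": pri >> 3,  # 189 -> 23 (local7)
        "severity": pri & 7,          # 189 -> 5 (notice)
        "seq": int(m["seq"]),
        "origin": m["origin"],
        "facility": m["facility"],
        "mnemonic": m["mnemonic"],
        "text": m["text"],
        # Attach UTC only when the device says so; otherwise keep the time naive.
        "timestamp": ts.replace(tzinfo=timezone.utc) if is_utc else ts,
    }
    checks = [
        (m["flag"] == "*", "clock not authoritative"),
        (m["flag"] == ".", "NTP not synchronized"),
        (not is_utc, "timezone is not UTC"),
        (int(m["sev"]) != event["severity"], "PRI and mnemonic severity differ"),
        (event["severity"] > 6, "more verbose than 'logging trap informational'"),
    ]
    event["findings"] = [msg for hit, msg in checks if hit]
    return event

if __name__ == "__main__":
    for sample in (PAGE_LINE, UNSYNCED_LINE, NO_YEAR_LINE):
        print(parse_ios_line(sample))
```

A `None` result or a non-empty `findings` list identifies a device whose logging or NTP configuration should be rechecked before its timestamps are used for correlation.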