Here are a few syslog messages from a Cisco switch. Each syslog message has common parameters such as Facility, Severity & Mnemonic.
%SYS-5-CONFIG_I: Configured from console by consol
%STACKMGR-4-SWITCH_ADDED: Switch 1 has been ADDED to the stack
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
%SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
You can send these syslog messages to the console, buffer, monitor or a host, depending on your requirement. The most common option is sending them to a remote host (syslog server). For troubleshooting you can configure a device to send them to the console, the monitor (if you log in remotely) or the buffer. The following example shows a syslog configuration on a Cisco IOS device.
logging 192.168.100.10
logging facility local5
logging buffered 100000 notification
logging trap notifications
logging source-interface Loopback0
There are 8 severity levels in syslog messages. Once you configure a severity level, all syslog messages at that level and below it (in numerical value) are sent to the syslog server.
0 – Emergency
1 – Alert
2 – Critical
3 – Error
4 – Warning
5 – Notification
6 – Informational
7 – Debugging
I remember this using “Every Airplane comes with Critical Errors & Warning Notification Information Display”.
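The threshold rule above, worked through on messages from this page (an added example, not part of the original post): it parses the %FACILITY-SEVERITY-MNEMONIC header, applies the "logging trap notifications" cut-off, and computes the PRI value a syslog server sees with "logging facility local5". The function names are hypothetical, and the facility codes 16 to 23 for local0 to local7 are taken from RFC 5424.

```python
import re

# Cisco severity keywords; the list index is the numeric level (0 = most severe).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
# Syslog facility codes: local0..local7 are 16..23 (RFC 5424).
FACILITIES = {f"local{i}": 16 + i for i in range(8)}

# %FACILITY-SEVERITY-MNEMONIC: text. FACILITY here names the component that
# raised the message; it is not the value set with "logging facility".
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+): ?(?P<text>.*)")


def parse(line):
    """Return the message fields as a dict, or None if the line has no match."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    return fields


def is_forwarded(msg, trap_level):
    """Sent to the server when severity <= configured level (numerically)."""
    return msg["severity"] <= SEVERITIES.index(trap_level)


def pri(msg, syslog_facility):
    """PRI in the <...> header the server receives: facility * 8 + severity."""
    return FACILITIES[syslog_facility] * 8 + msg["severity"]


def triage(lines, trap_level="notifications", syslog_facility="local5"):
    """List (PRI, mnemonic) for each line the device would forward."""
    parsed = (parse(line) for line in lines)
    return [(pri(m, syslog_facility), m["mnemonic"])
            for m in parsed if m and is_forwarded(m, trap_level)]


# Lines from this page plus one constructed severity-6 line (hypothetical).
SAMPLES = [
    "%STACKMGR-4-SWITCH_ADDED: Switch 1 has been ADDED to the stack",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down",
    "%EXAMPLE-6-CONSTRUCTED: informational message, not forwarded",
    "*Nov 15 11:31:35.708: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:9 Channel:6 Source MAC:0024.8c50.2897",
]
```

Calling triage(SAMPLES) keeps the severity 4 and 5 messages and drops the severity 6 line; on the server side, a filter on PRI 168 to 175 selects everything sent with facility local5.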
To configure syslog on a Cisco WLC, go to the “Management > Logs > Config” section. The syslog levels shown in the drop-down box are not in severity order, so you have to know the severity number for each classification. E.g. if you are asked to configure severity level 3 & above, you have to select “Error” here. The syslog facility level can be used to differentiate syslog messages coming from certain devices, e.g. you can configure all routers to log to one facility level and all switches to another.
In the same section you can also configure message logs to be stored locally on the controller, and set the buffer & console log levels. You can configure these from the CLI as well. The following shows the available configuration options.
(WLC1) >config logging ?
buffered       Set buffered logging parameters.
console        Set console logging parameters.
debug          Set debug message logging parameters.
exception      Limit size of exception flush output.
fileinfo       Set source file information logging parameters.
syslog         Configure parameters for outgoing syslog mesages.
traceinfo      Set traceback information logging parameters.
By using the WLC CLI you can configure advanced options for syslog. The output below shows the advanced logging options available for a particular frequency band (in this case 802.11a or 5GHz).
(WLC1) >show advanced 802.11a logging
RF Event and Performance Logging
Channel Update Logging......................... Off
Coverage Profile Logging....................... Off
Foreign Profile Logging........................ Off
Load Profile Logging........................... Off
Noise Profile Logging.......................... Off
Performance Profile Logging.................... Off
TxPower Update Logging......................... Off
You can configure any of these with the “config advanced <802.11a|802.11b> logging < > <on|off>” command. As you can see above, all are off by default.
(WLC1) >config advanced 802.11a logging ?
channel        802.11a channel change logging mode.
coverage       802.11a coverage profile logging mode.
foreign        802.11a foreign interference profile logging mode.
load           802.11a load profile logging mode.
noise          802.11a noise profile logging mode.
performance    802.11a performance profile logging mode.
txpower        802.11a transmit power change logging mode.
(WLC1) >config advanced 802.11a logging channel ?
on             Turns on 802.11a channel logging
off            Turns off 802.11a channel logging
Access point related syslog messages can be configured only in CLI mode. You can configure the syslog host for all APs (global) or for a specific AP (specific) by using the “config ap syslog host” command.
(WLC1) >config ap syslog host ?
global         Configures the global system logging host for all Cisco AP
specific       Configures the system logging host for a specific Cisco AP.
!
(WLC1) >config ap syslog host specific HQ-AP1 192.168.100.10
You can go through the “Cisco Wireless LAN Controller Command Reference, Release 7.0” for all commands available in the 7.0 release, which is the one tested in the CCIEW 2.0 lab exam.
Juan Carlos said:
Very interesting article.
I wonder if there is any documentation from Cisco regarding severity levels of syslog messages. What kind of events are considered critical, alert and so on.
The only thing I’ve found is the same information that you provide here, but as always your explanations are better than the Cisco site.
Now I’m working with 2 WLC 8500 with version 7.6.100. I’m trying to identify which severity level I should configure to obtain important information: AP disassociations, WLC port problems or downs, etc. I guess this kind of info belongs to critical severity level.
Tomorrow I will make some tests.
Juan Carlos said:
If anyone wants to know about syslog messages, this is the Cisco Wireless LAN Controller System Message Guide, Release 7.6:
Thomas McClintic said:
Juan Carlos, great document. However the link is broken on Cisco’s site. Here is a link to the PDF.
Click to access sysmsg76.pdf
Vasco Costa said:
• SEVERITY level
The severity level is a single-digit code from 0 to 7 that reflects the severity of the condition. A lower number indicates a more serious situation
OK, 0 to 7, but does anyone know the meaning of severity levels that aren’t in the RFC 5424?
Got some APs reporting this message and we would like to know the meaning of it:
*Nov 15 11:31:35.708: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:9 Channel:6 Source MAC:0024.8c50.2897
*Nov 15 11:41:53.553: %WIDS-5-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:9 Channel:6
*Nov 15 15:23:21.754: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:9 Channel:6 Source MAC:0024.8c50.2897
*Nov 15 15:33:19.541: %WIDS-5-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:9 Channel:6
Thanks in advance
What is the syslog format of the message when we detect a rogue AP?
Could somebody give me a hand with this issue?
If anyone could give me a hand with this that would be greatly appreciated:
I have to update the OS on a controller and approx. 160 APs.
After that I will have to collect logs from all the APs to prove their current OS version and uptime + a few “show” commands.
Is there a function on the Cisco WLCs where I can add custom commands to run them all at once on all APs and collect the logs with pre-defined .log names (named by their MAC)?