DiagnosticsEXEC

show logging

Displays the contents of the system logging buffer, including syslog messages generated by the router.

Overview

The 'show logging' command on Cisco IOS-XR is a fundamental diagnostic tool that displays the system logging buffer contents. This buffer stores syslog messages generated by the router, including informational events, warnings, and error conditions. The command provides a snapshot of recent system activity, which is invaluable for troubleshooting network issues, verifying configuration changes, and monitoring system health.

Syslog messages are categorized by facility (e.g., OSPF, BGP, LINK) and severity (0-7). The logging buffer is a circular buffer; when it fills, the oldest messages are overwritten. By default, the buffer captures messages at the debugging level (severity 7) but can be configured to a different level. The output also shows the logging configuration for other destinations like console, monitor, and trap (syslog server).

On IOS-XR, the 'show logging' command behaves similarly to classic IOS but with some differences. For instance, IOS-XR uses a structured logging format and supports additional filtering options like 'brief', 'last', 'reverse', and 'tail'. The command is essential for correlating events across the network, especially when used in conjunction with timestamps synchronized via NTP. In troubleshooting workflows, start with 'show logging' to identify recent errors, then drill down with more specific commands like 'show logging last 60' to focus on a time window.

Syntax·EXEC
show logging [brief | last <seconds> | reverse | tail <number> | <facility>]

When to Use This Command

  • Review recent syslog messages to diagnose a network issue such as a flapping interface.
  • Check for error messages after a configuration change to verify no misconfigurations.
  • Monitor system events during a maintenance window to ensure no unexpected alarms.
  • Correlate log timestamps with other network events to troubleshoot connectivity problems.

Parameters

ParameterSyntaxDescription
briefbriefDisplays a one-line summary per log message instead of the full message. Useful for quick scanning.
last <seconds>last <seconds>Displays only log messages that occurred within the last <seconds> seconds. Helps focus on recent events.
reversereverseDisplays log messages in reverse chronological order (newest first). Useful for seeing the most recent events immediately.
tail <number>tail <number>Displays only the last <number> log messages. Similar to the Unix tail command.
<facility><facility>Filters log messages by facility (e.g., OSPF, BGP, SYS). Only messages from that facility are displayed.

Command Examples

Basic show logging output

show logging
Syslog logging: enabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 100 messages logged
Trap logging: level informational, 0 messages logged

Log Buffer (100 messages):

<189>Mar  1 00:00:05.123: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0/0, changed state to up
<189>Mar  1 00:00:06.456: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0/0, changed state to up
<189>Mar  1 00:01:10.789: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.1.2 on GigabitEthernet0/0/0/0 from LOADING to FULL, Loading Done

The output shows logging configuration (enabled/disabled for each destination) and the buffer contents. Each log entry includes a timestamp, facility code, severity, message mnemonic, and description. Healthy state shows normal events like interface up and OSPF adjacency full.

Show last 30 seconds of logs

show logging last 30
<189>Mar  1 00:05:00.123: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.1.100(80) -> 10.0.0.1(12345), 1 packet
<189>Mar  1 00:05:15.456: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.1.100(80) -> 10.0.0.2(54321), 1 packet

This filters logs to only those generated in the last 30 seconds. Useful for real-time troubleshooting. The output shows ACL deny events, indicating potential security issues or misconfigurations.

Understanding the Output

The show logging command output is divided into two main sections: the logging configuration summary and the log buffer contents. The configuration summary shows whether syslog logging is enabled, and the logging levels for console, monitor, buffer, and trap destinations. For example, 'Buffer logging: level debugging' means the buffer captures messages at severity debugging and higher. The number of messages logged indicates how many entries are currently in the buffer. The log buffer displays each message with a syslog priority code (e.g., <189>), timestamp, facility mnemonic (e.g., LINK, LINEPROTO, OSPF), severity number (0-7), message mnemonic, and a descriptive text. The priority code is calculated as facility*8 + severity. For instance, <189> corresponds to facility 23 (local7) and severity 5 (notice). Healthy logs show normal state changes (interface up, OSPF full) while problem logs show errors (interface down, authentication failures, high CPU). The timestamp is relative to system uptime or absolute if NTP is configured. Key fields to interpret: severity (0=emergency, 1=alert, 2=critical, 3=error, 4=warning, 5=notice, 6=informational, 7=debugging). Higher severity numbers are less critical. Facility indicates the source (e.g., OSPF, SYS, LINK). The message mnemonic is a short code that can be looked up for detailed explanation. In troubleshooting, focus on messages with severity 3 or lower (error, critical, alert, emergency) as they indicate problems.

Configuration Scenarios

Increasing Log Buffer Size

A network engineer notices that important log messages are being overwritten due to a small buffer. They need to increase the buffer size to retain more logs.

Topology

Single router (no topology needed)

Steps

  1. 1.Enter global configuration mode: configure terminal
  2. 2.Set the buffer size to 100000 bytes: logging buffered 100000
  3. 3.Optionally set the logging level: logging buffered informational
  4. 4.Exit configuration mode: commit
Configuration
!
configure terminal
logging buffered 100000
logging buffered informational
commit
!

Verify: Use 'show logging' to verify the buffer size and level. Look for 'Buffer logging: level informational, 100000 messages logged' (approximate).

Watch out: The buffer size is in bytes, not messages. The number of messages that can be stored depends on message length. Also, changes take effect immediately after commit.

Filtering Logs for OSPF Events

An engineer is troubleshooting an OSPF adjacency issue and wants to see only OSPF-related log messages.

Topology

Two routers connected via GigabitEthernet (R1 and R2)

Steps

  1. 1.On R1, enter EXEC mode.
  2. 2.Run 'show logging ospf' to display only OSPF facility messages.
  3. 3.Alternatively, use 'show logging | include OSPF' for more flexible filtering.
Configuration
! No configuration needed; this is a show command.

Verify: Output should show only OSPF messages, e.g., adjacency changes, LSA updates.

Watch out: The facility filter is case-insensitive but must match the facility name exactly (e.g., 'ospf' works). Not all messages have a facility; some are generic.

Troubleshooting with This Command

When troubleshooting network issues on Cisco IOS-XR, the 'show logging' command is often the first step. Start by checking the logging configuration to ensure logging is enabled and the buffer is sized appropriately. If you suspect a recent event, use 'show logging last <seconds>' to narrow down the timeframe. For example, if an interface went down at 10:00 AM, run 'show logging last 300' to see logs from the last 5 minutes.

Look for messages with severity 3 (error) or lower. Common error messages include '%LINK-3-UPDOWN' indicating interface state changes, '%OSPF-3-ADJCHG' for OSPF adjacency failures, and '%SEC-3-IPACCESSLOGP' for ACL denies. If you see repeated messages of the same type, it may indicate a flapping interface or a persistent security violation.

Use the 'reverse' parameter to see the newest messages first, which is helpful when the buffer is large. Combine with 'tail' to see only the last few messages. For example, 'show logging reverse tail 10' shows the 10 most recent messages. If logs are being sent to a syslog server, also check the server for historical data. On IOS-XR, you can also use 'show logging last <seconds>' with a pipe to 'include' for more granular filtering.

If the buffer is empty or shows only old messages, verify that logging is enabled and the buffer level is set appropriately. Use 'show running-config | include logging' to check the configuration. Remember that the buffer is cleared on reload unless you have configured persistent logging (not default). For long-term analysis, configure a syslog server.

CCNA Exam Tips

1.

Remember that 'show logging' displays the local buffer; for remote syslog, use 'show logging | include <IP>' or check the syslog server.

2.

Know the severity levels: 0-7, with 0 being most severe. The 'logging buffered <severity>' command sets the buffer level.

3.

In CCNP troubleshooting, use 'show logging last <seconds>' to filter recent events without clearing the buffer.

Common Mistakes

Assuming 'show logging' shows all logs from all sources; it only shows logs stored in the local buffer, which may be limited in size.

Forgetting that the buffer is circular; old messages are overwritten. Use 'logging buffered <size>' to increase buffer size.

Misinterpreting timestamps: if NTP is not configured, timestamps are relative to system uptime, not absolute time.

Platform Notes

On Cisco IOS-XR, the 'show logging' command has several differences from classic Cisco IOS. First, IOS-XR uses a modular operating system, so logging is more granular and includes process-specific messages. The command supports additional parameters like 'brief', 'reverse', and 'tail' that are not available in classic IOS. The output format includes a syslog priority code (e.g., <189>) which is not present in classic IOS output. Additionally, IOS-XR requires a 'commit' after configuration changes, whereas classic IOS applies changes immediately.

Equivalent commands on other platforms: On Cisco IOS, the command is the same ('show logging') but with fewer options. On Juniper Junos, the equivalent is 'show log messages' or 'show system log'. On Arista EOS, use 'show logging' similar to IOS. On Linux, the equivalent is 'tail -f /var/log/syslog' or 'journalctl'. Version differences: In IOS-XR 6.0 and later, the 'last' parameter accepts seconds; earlier versions may not support it. Always check the specific version documentation.

Practice for the CCNA 200-301

Test your knowledge with hundreds of CCNA practice questions covering all exam domains.

Practice CCNA Questions