Logging Buffer Full — Old Events Being Overwritten
Presenting Symptom
The network engineer observes that recent syslog messages are missing from the logging buffer, and older messages are being overwritten.
Network Context
A small branch office with a Cisco 4321 ISR running IOS XE 16.9. The router is configured with logging buffered to capture events for troubleshooting. The logging buffer size is set to the default (4096 bytes), and the network generates a moderate volume of syslog messages from routing protocols, interface changes, and security events.
Diagnostic Steps
Check current logging buffer configuration and usage
show loggingSyslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 4096 bytes (1000 messages) logged
File logging: disabled
Trap logging: level informational
Log Buffer (4096 bytes):
<timestamp>: %SYS-5-CONFIG_I: Configured from console by console
<timestamp>: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to up
... (older messages overwritten)The output shows the buffer size (4096 bytes) and the number of messages logged (1000). If the buffer is full, older messages are overwritten. The 'Log Buffer' section may show only recent messages, indicating that the buffer is too small for the volume of logs.
Verify the logging buffer size and severity level
show running-config | include logging bufferedlogging buffered 4096 debugging
This confirms the buffer size is 4096 bytes (default) and severity is debugging. If the buffer size is small, it will fill quickly, causing overwrites.
Check the rate of syslog message generation
show logging | include messages loggedBuffer logging: level debugging, 4096 bytes (1000 messages) logged
The number of messages logged indicates how quickly the buffer fills. If the buffer is full (e.g., 1000 messages) and the device continues to generate logs, old messages are overwritten.
Monitor the buffer usage in real-time
show logging | include Log BufferLog Buffer (4096 bytes): <timestamp>: %SYS-5-CONFIG_I: Configured from console by console ... (only recent messages)
If only recent messages are shown, the buffer is full and older messages have been overwritten. This confirms the issue.
Root Cause
The logging buffer size is set to the default 4096 bytes, which is insufficient for the volume of syslog messages generated by the router. As a result, the buffer fills quickly and older messages are overwritten by new ones, causing loss of historical log data.
Resolution
Verification
Run 'show logging' and verify the buffer size is now 16384 bytes and that more messages are retained. Expected output: Buffer logging: level debugging, 16384 bytes (4000 messages) logged Log Buffer (16384 bytes): <timestamp>: %SYS-5-CONFIG_I: Configured from console by console ... (more historical messages visible)
Prevention
1. Configure an appropriate logging buffer size based on the expected log volume. For busy routers, use at least 16384 bytes or more. 2. Implement remote syslog (logging host) to store logs externally, reducing reliance on the local buffer. 3. Regularly monitor log buffer usage and adjust size as needed.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question where you must identify why log messages are missing. The exam tests knowledge of the 'show logging' command and the 'logging buffered' configuration. Key fact: The default logging buffer size is 4096 bytes, and increasing it prevents message overwriting.
Exam Tips
Remember the default logging buffer size is 4096 bytes; if logs are missing, suspect buffer overflow.
The 'show logging' command displays buffer size, messages logged, and the actual log entries.
To increase buffer size, use 'logging buffered <size>' in global configuration mode.
Commands Used in This Scenario
Test Your CCNA Knowledge
Practice with scenario-based questions to prepare for the CCNA 200-301 exam.
Practice CCNA Questions