OmniSecu.com Logo  
omnisecu.com free mcse ccna rhce linux java learning
omnisecu.com free mcse ccna rhce linux java learning
          Sharefacebook twitter google+ google bookmark yahoo bookmark delicious digg linkedin pinterest reddit stumbleupon evernote diigo blinklist blogmarks livejournal email feed

Tutorials

Introduction to Syslog in Cisco Routers and Switches

External Resources

Syslog is a logging mechanism in network devices (Cisco Network Equipments, Unix Servers, GNU/Linux Servers) used to collect system logs which contains critical information about the status, errors, warning, configuration logs etc., of the devices. Cisco Routers and Switches use Syslog for tracking system logs and alerts. General working of Syslog protocol is defined in RFC 3164.

Syslog messages provide information about the events, errors or any serious problems which can happen inside a Cisco Router or Switch. By monitoring Syslog messages, network security administrators can troubleshoot the network problems, identify a network attack etc.

Syslog message format and example of Syslog message

The general format of Syslog message is shown below.

<date_time_stamp>%<facility>-<severity>-<mnemonic>: <message_text>

More detailed description of Syslog message format is shown below.

Syslog Message Element Description
<date_time_stamp> Used to record the Date and time of the Syslog message. <date_time_stamp> typically has the following format: "mm/dd hh:mm:ss".
<facility>

Syslog messages are categorized based on the sources which generated syslog message. The Syslog categories are called as facility. In other words, Syslog facility are just tags which are attached to Syslog messages by the source which generated the Syslog.

The facility element in a Syslog message generated by a Cisco device is Cisco specific. The facility element in a Cisco Syslog message is different from the facility defined for the Syslog protocol in RFC 3164.

<severity>

Severity is used to specify the severity level of the Syslog message using an integer between 0 and 7. Following and the Syslog message integers and their meaning.

0 - Emergency (System is unusable)

1 - Alert (Action must be taken immediately)

2 - Critical (Critical conditions)

3 - Error (Error conditions)

4 - Warning (Warning conditions)

5 - Notice (Normal but significant condition)

6 - Informational (Informational messages)

7 - Debug (Debug-level messages)

<mnemonic> <mnemonic> uniquely identifies the Syslog message.
<message_text> <message_text> is the text which describes the Syslog message and can contain details about the Syslog message.

An example of Syslog message is shown below.

*Jan 24 11:28:30.407: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down

How to enable / disable Syslog messages

Syslog is enabled by default. Follow the below steps if you want to disable Syslog, for any valid reason.

OmniSecuR1#configure terminal
OmniSecuR1(config)#no logging on
OmniSecuR1(config)#exit

How to enable Synchronous Logging

By default Syslog messages are sent to the Line Console as they are generated. Syslog messages are spit to the Console, which is often a disturbance to a network administrator, who is using Line Console.

When synchronous logging of Syslog message is enabled, Syslog messages are spit to the Console and after that the IOS CLI prompt for user input is returned to the user.

Follow below configuration steps to enable Synchronous Logging in Line Console.

OmniSecuR1#configure terminal
OmniSecuR1(config)#line console 0
OmniSecuR1(config-line)#logging synchronous
OmniSecuR1(config-line)#exit
OmniSecuR1(config)#exit
OmniSecuR1#

Where to Display / Store Syslog Messages

By default, Cisco Routers and Switches spit the Syslog messages to the line Console, which is often a disturbance to the line Console user. Console Syslog messages are not available for a future examination, once the Console connection is closed.

Unlike Unix Servers/GNU Linux Servers, Cisco Routers and Switches do not include enough internal storage to store Syslog messages internally. We have different options to store Syslog messages, as described below.

Vty lines: You can collect the Syslog messages in an SSH connection terminal by running "terminal monitor" command. But Syslog messages which are sent to Vty lines are not available for a future examination, once the SSH connection is closed. Use the following commands to collect the Syslog messages when you are connected to an SSH terminal.

OmniSecuR1#terminal monitor 

Buffer: Syslog messages can be stored in a Cisco Router or Switch memory. You should use only a minimum size of memory to store the Syslog Message. If you make the buffe memory size large, the Cisco Router or Switch may not get enough memory for other tasks.

Use the following commands to store the Syslog messages in Cisco Router's / Switch's memory. "8192" is the size of memory allocated to store Syslog messages and "5" is the severity level.

OmniSecuR1#configure terminal
OmniSecuR1(config)#logging buffered 8192 5
OmniSecuR1(config)#exit
OmniSecuR1#

SNMP Server: A Cisco Router or Switch can send Syslog messages to an SNMP server.

Syslog server: A Cisco Router or Switch can send Syslog messages from a Cisco Router / Switch to a Syslog server. Using a Syslog server you can manage the Syslogs efficiently and helps in aggregation of Syslog messages.

Use the following commands to send Syslog messages to a Syslog server, configured at 192.168.10.100.

OmniSecuR1#configure terminal
OmniSecuR1(config)#logging 192.168.10.100
OmniSecuR1(config)#exit
OmniSecuR1#

Note: Out of the options listed above, sending Syslog to a Syslog Server is considered as the best option.

              Jajish Thomason Google+
Related Topics
comments powered by Disqus


eXTReMe Tracker DMCA.com