Syslog is a logging mechanism in network devices (Cisco Network Equipments, Unix Servers, GNU/Linux Servers) used to collect system logs which contains critical information about the status, errors, warning, configuration logs etc., of the devices. Cisco Routers and Switches use Syslog for tracking system logs and alerts. General working of Syslog protocol is defined in RFC 3164.
Syslog messages provide information about the events, errors or any serious problems which can happen inside a Cisco Router or Switch. By monitoring Syslog messages, network security administrators can troubleshoot the network problems, identify a network attack etc.
Syslog message format and example of Syslog message
The general format of Syslog message is shown below.
More detailed description of Syslog message format is shown below.
|Syslog Message Element
||Used to record the Date and time of the Syslog message. <date_time_stamp> typically has the following format: "mm/dd hh:mm:ss".
Syslog messages are categorized based on the sources which generated syslog message. The Syslog categories are called as facility. In other words, Syslog facility are just tags which are attached to Syslog messages by the source which generated the Syslog.
The facility element in a Syslog message generated by a Cisco device is Cisco specific. The facility element in a Cisco Syslog message is different from the facility defined for the Syslog protocol in RFC 3164.
Severity is used to specify the severity level of the Syslog message using an integer between 0 and 7. Following and the Syslog message integers and their meaning.
0 - Emergency (System is unusable)
1 - Alert (Action must be taken immediately)
2 - Critical (Critical conditions)
3 - Error (Error conditions)
4 - Warning (Warning conditions)
5 - Notice (Normal but significant condition)
6 - Informational (Informational messages)
7 - Debug (Debug-level messages)
|| <mnemonic> uniquely identifies the Syslog message.
||<message_text> is the text which describes the Syslog message and can contain details about the Syslog message.
An example of Syslog message is shown below.
*Jan 24 11:28:30.407: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
How to enable / disable Syslog messages
Syslog is enabled by default. Follow the below steps if you want to disable Syslog, for any valid reason.
OmniSecuR1(config)#no logging on
How to enable Synchronous Logging
By default Syslog messages are sent to the Line Console as they are generated. Syslog messages are spit to the Console, which is often a disturbance to a network administrator, who is using Line Console.
When synchronous logging of Syslog message is enabled, Syslog messages are spit to the Console and after that the IOS CLI prompt for user input is returned to the user.
Follow below configuration steps to enable Synchronous Logging in Line Console.
OmniSecuR1(config)#line console 0
Where to Display / Store Syslog Messages
By default, Cisco Routers and Switches spit the Syslog messages to the line Console, which is often a disturbance to the line Console user. Console Syslog messages are not available for a future examination, once the Console connection is closed.
Unlike Unix Servers/GNU Linux Servers, Cisco Routers and Switches do not include enough internal storage to store Syslog messages internally. We have different options to store Syslog messages, as described below.
Vty lines: You can collect the Syslog messages in an SSH connection terminal by running "terminal monitor" command. But Syslog messages which are sent to Vty lines are not available for a future examination, once the SSH connection is closed. Use the following commands to collect the Syslog messages when you are connected to an SSH terminal.
Buffer: Syslog messages can be stored in a Cisco Router or Switch memory. You should use only a minimum size of memory to store the Syslog Message. If you make the buffe memory size large, the Cisco Router or Switch may not get enough memory for other tasks.
Use the following commands to store the Syslog messages in Cisco Router's / Switch's memory. "8192" is the size of memory allocated to store Syslog messages and "5" is the severity level.
OmniSecuR1(config)#logging buffered 8192 5
SNMP Server: A Cisco Router or Switch can send Syslog messages to an SNMP server.
Syslog server: A Cisco Router or Switch can send Syslog messages from a Cisco Router / Switch to a Syslog server. Using a Syslog server you can manage the Syslogs efficiently and helps in aggregation of Syslog messages.
Use the following commands to send Syslog messages to a Syslog server, configured at 192.168.10.100.
Note: Out of the options listed above, sending Syslog to a Syslog Server is considered as the best option.