Syslog is a standard for message logging. Primarily, it allows for a separation between the software that generates a message, the system that stores that message, and the software that reports and analyzes it.

Syslog is a protocol used across most computing disciplines in one form or another. Here, we’ll be focusing on Syslog with regards to computer networking, with a particular focus on Cisco devices and the CCNA Exam Topics (Syslog is [[CCNA Exam Topics#4.0 IP Services (10%)|topic #4.5]]).

In networking, Syslog can be used to log events on network devices such as interface status changes, OSPF neighbor state changes, system restarts, etc. These messages are typically displayed in the device’s CLI as they occur; they can also be stored locally on the device and/or sent to a remote Syslog server.

Logs are essential to debugging many network issues. It is important to keep accurate logs, which means keeping accurate system time.

Note

Syslog and SNMP are both used for monitoring and troubleshooting devices, but they are complementary protocols; Syslog does not allow you to change, or even view, current configurations. It only logs changes (‘events’) on a system. Further, Syslog servers cannot actively retrieve data from their devices like SNMP can; they have to wait to receive messages.

Syslog Message Format

If you’ve made it to Syslog while studying for a CCNA, or any other equivalent certification, then you’ve most probably already seen some Syslog messages. They’re the messages that pop up in the CLI whenever an interface goes up or down, for example.

Below is the basic format for all Syslog messages.

Example

seq: time-stamp: %facility-severity-MNEMONIC:description

  • seq: - an optional sequence number indicating the order/sequence of messages
  • time-stamp: - a time stamp indicating when the message was generated
  • facility- - a value that indicates which process on the device generated the message
  • severity- - a number that indicates the severity of the logged event
  • MNEMONIC: - a short code for the message, indicating what happened
  • description - detailed information about the event being reported

Severity Levels

| Level | Keyword       | Description                                     |
|-------|---------------|-------------------------------------------------|
| 0     | Emergency     | System is unusable                              |
| 1     | Alert         | Action must be taken immediately                |
| 2     | Critical      | Critical conditions                             |
| 3     | Error         | Error conditions                                |
| 4     | Warning       | Warning conditions                              |
| 5     | Notice        | Normal but significant condition (Notification) |
| 6     | Informational | Informational messages                          |
| 7     | Debugging     | Debug-level messages                            |

Quote

“Because severities are very subjective, a relay or collector should not assume that all originators have the same definition of severity.” -RFC 5424, pg. 35

Different vendors and developers may interpret each of these levels differently.
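As an added illustration of the message format above and of how the severity numbers are compared (this is not code from the original notes), the following Python parses IOS-style Syslog lines into their fields and keeps only messages at a chosen severity or more severe, the same "level and higher" rule that the logging console/monitor/buffered/trap commands apply. The log lines are constructed samples and the function names are my own.

```python
import re
from typing import NamedTuple, Optional, Union

# Severity table from the page (RFC 5424 numbering, Cisco IOS keywords).
SEVERITIES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
              4: "Warning", 5: "Notice", 6: "Informational", 7: "Debugging"}
KEYWORD_TO_LEVEL = {name.lower(): num for num, name in SEVERITIES.items()}

class SyslogMessage(NamedTuple):
    seq: Optional[int]        # only present with 'service sequence-numbers'
    timestamp: Optional[str]  # only present with 'service timestamps log'
    facility: str
    severity: int
    mnemonic: str
    description: str

# seq: time-stamp: %facility-severity-MNEMONIC: description
# seq and time-stamp are optional; timestamp = everything before '%' (datetime or uptime).
_LINE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?:(?P<ts>[^%]*?):\s*)?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mn>[A-Z0-9_]+):\s*(?P<desc>.*)$"
)

def parse_line(line: str) -> Optional[SyslogMessage]:
    """Parse one IOS-style Syslog line; return None for lines that do not match."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    seq = int(m["seq"]) if m["seq"] else None
    return SyslogMessage(seq, m["ts"], m["fac"], int(m["sev"]), m["mn"], m["desc"])

def passes_level(msg: SyslogMessage, level: Union[int, str]) -> bool:
    """IOS 'this level and higher' rule: threshold 4 or 'warning' keeps 0-4, drops 5-7."""
    threshold = level if isinstance(level, int) else KEYWORD_TO_LEVEL[level.lower()]
    return msg.severity <= threshold

def filter_log(text: str, level: Union[int, str]) -> list:
    """Parse a block of log lines and keep those at or below the severity threshold."""
    parsed = (parse_line(ln) for ln in text.splitlines() if ln.strip())
    return [msg for msg in parsed if msg and passes_level(msg, level)]

# Constructed sample output in the page's format (not captured from a real device).
SAMPLE_LOG = """\
000012: *Mar  1 00:02:14.203: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
000013: *Mar  1 00:02:15.211: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
00:03:01: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
*Mar  1 00:04:40.010: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 22]
"""
```

Running filter_log(SAMPLE_LOG, "warning") keeps only the level 3 link-down and level 4 failed-login messages, which is exactly what a logging trap warning setting would forward to a server.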

Logging Locations

Syslog messages can be stored in or sent to the following locations:

  • Console line: Syslog messages will be displayed in the CLI when connected to the device via the console port. By default, all messages (level 0-7) are displayed.
  • VTY lines: Syslog messages will be displayed in the CLI when connected to the device via Telnet/SSH. Disabled by default.
  • Buffer: Syslog messages will be saved to RAM. By default, all messages (level 0-7) are stored.
    • View the messages with show logging
  • External Server: You can configure the device to send Syslog messages to an external server
    • Syslog servers listen for messages on UDP port 514

Logging Synchronous

If you’ve ever received a Syslog message while in the middle of typing a CLI command, you’ll know it can be annoying. By default, logging messages are printed straight into the middle of your command. Technically, this doesn’t prevent you from finishing the command, nor does it cause the command to be misinterpreted, but it can be annoying.

To prevent this, you can use the logging synchronous command on the appropriate line:

  • (config)#line console 0
  • (config-line)#logging synchronous

This will reprint your partial command onto a new line if you are interrupted by a log message.

Configuration

Cisco IOS

  • (config)#logging console level
    • Enables logging to the console line
    • For the specified severity level and all more severe (lower-numbered) levels, i.e. logging console 4 would enable levels 4, 3, 2, 1, and 0.
    • You can input a level number (0-7) or its corresponding keyword (see Severity Levels)
    • Already enabled for all levels by default
  • (config)#logging monitor level
    • Enables logging to the vty lines (Telnet & SSH)
    • Same points about the level input as the previous command
  • #terminal monitor
    • Must be entered each time you connect to the device over Telnet/SSH before Syslog messages are shown on that session
  • (config)#logging buffered [size] level
    • Enable logging to the buffer
    • Same points about level as above
    • size is in bytes
  • (config)#logging ip-address | (config)#logging host ip-address
    • Enable logging to a server
    • These commands are functionally identical
  • (config)#logging trap level
    • Configure the levels of messages sent to an external server
    • Does not affect which messages are logged locally
    • Same points about level as in above commands
  • (config)#service timestamps log [datetime | uptime]
    • Show date and time or system uptime in log messages.
    • datetime is configured by default
  • (config)#service sequence-numbers
    • Prepend sequence numbers on Syslog messages
    • You may or may not find them useful, as it’s quite unlikely that messages would ever get stored out of order, but there’s not much harm in turning them on.