System Message Logging – SYSLOG
Modern network devices have advanced from simple transmitting of messages (email. documents, multimedia etc), network devices like Cisco routers and switches provide the features for network administrators to reading system messages from their internal buffer about network situation at a particular time.
The way to do this is by using a Syslog server.
A Syslog server is a dedicated server used in network management for collecting and storing log messages from various network devices, including routers, switches, firewalls, and even servers or other software applications. This centralized logging is crucial for network diagnostics, security monitoring, and compliance with various regulatory standards.
Let’s discuss the details:
Syslog Protocol:
Standard Protocol: Syslog is a standard protocol used for sending system log or event messages to a specific server, known as a syslog server.
Wide Adoption: It is widely supported across various devices and operating systems, making it a universal tool for logging network events.
Functionality:
Centralized Logging: Syslog servers centralize the logs from different devices, which helps in streamlined monitoring and analysis.
Log Management: They categorize, process, store, and archive logs. This management includes timestamping logs, sorting them, and sometimes even analyzing them for specific patterns or issues.
Importance of Syslog Servers:
Troubleshooting: Centralized logs are invaluable for troubleshooting network issues, as they provide a chronology of events leading up to an incident.
Security Monitoring: Analysis of log data can reveal security incidents, policy violations, fraudulent activity, and other threats.
Compliance: Many regulatory standards require log collection and review. A syslog server helps in meeting these compliance requirements.
Syslog Messages:
Severity Levels: Syslog messages are categorized into different severity levels, from emergency (most severe) to debug (least severe).
Facilities: They are also categorized based on the facility code, which indicates the type of software or hardware logging the message (like auth, daemon, kernel, etc.).
Cisco network devices (Routers and Switches) use Syslog to send system messages and debug output to a local logging process inside the device.
These system messages can even be sent across the network to a Syslog server or an internal buffer so that you can view them at your convenience at a later time right through the device command line interface. Whichever way you choose is configurable.
You can use the following destinations for syslog messages:
• The logging buffer (RAM inside the router or switch)
• The console line
• The terminal lines
• A Syslog server
So you know, all system messages and debug output generated by the router or switch IOS go out only to the console port by default and are also logged-in buffers in RAM. To accomplish the sending of messages from Cisco routers, to the VTY lines, use the terminal monitor command.
Basically, by default, you will see something like this on your console line:
*Oct 21 17:33:50.565:%LINK-5-CHANGED:Interface FastEthernet0/0, changed
state to administratively down
*Oct 21 17:33:51.565:%LINEPROTO-5-UPDOWN:Line protocol on Interface
FastEthernet0/0 changed state to down
The Cisco router would send a summarized version of the message to the syslog server that would look something like this:
Seq no:timestamp: %facility-severity-MNEMONIC: description
A detailed explanation of what this means:
seq no: This is a sequence number of the message, but not by default. for you to know the time the message was sent, you’ve got to configure it.
Timestamp: This means Data and time of the message or event, which also need to be configured
Facility: The facility to which the message refers.
Severity: this is a single-digit code from 0 to 7 that shows the severity of the message.
MNEMONIC: Text string that uniquely describes the message.
Description: Text string containing detailed information about the event being reported.
Example of Real syslog message:
Apr 10 14:10:01.052: %MESKING-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
changed state to down
= A timestamp: *Apr 10 14:10:01.052
The facility on the router that generated the message: %MESKING
The severity level: 5
A mnemonic for the message: UPDOWN
The description of the message: Line protocol on Interface FastEthernet0/0, changed state to down
Syslog Severity Levels Explained:
Emergency (severity 0) System is unusable.
Alert (severity 1) Immediate action is needed.
Critical (severity 2) Critical condition.
Error (severity 3) Error condition.
Warning (severity 4) Warning condition.
Notification (severity 5) Normal but significant condition.
Information (severity 6) Normal information message.
Debugging (severity 7) Debugging message.
How to Configure and Verify Syslog.
Cisco devices send all log messages according to the severity level you configure or choose to the console.
These messages also go to the buffer, and both happen by default.
You can disable and enable these features with the following commands, to enable use:
Router(config)#logging?
The above command with a question mark will display all the options to choose from.
Router(config)#logging console
Router(config)#logging buffered
The configuration above can be used to enable the console and buffer to receive all log messages of all severity, just know that this is the default setting for all Cisco IOS devices.
If you want to disable the defaults, use the following commands:
Router(config)#no logging console
Router(config)#no logging buffered
A Syslog server saves copies of console messages and can time-stamp them for viewing at a later time. This feature can be enabled with the following command:
HQ(config)#logging 172.16.10.1
HQ(config)#service timestamps log datetime msec
The above command will save all the console messages in one location to be viewed at your convenience! use the logging host ip_address command.
You can set a limit to several messages sent to the Syslog server, based on severity with the following command:
SF(config)#logging trap warnings
The command above shows that you can use either the number or the actual severity level name—and they are in alphabetical order, not severity order, Cisco router will send messages for levels 0 through 4 (warnings)
In Summary
Syslog is a standard for message logging that allows devices, applications, and systems to record and send event notification messages across a network to a logging server, typically known as a syslog server. It provides a common platform for logging information and debugging, making it easier to consolidate and analyze information from different types of systems and equipment.
The syslog protocol is very flexible and can be used in various systems for network troubleshooting, security auditing, and system management. Messages in syslog are classified by severity levels, ranging from debug messages that provide fine-grained informational events to critical messages that report significant issues within the system. This standard helps administrators manage network and system logs efficiently, ensuring timely and proactive responses to various operational problems and security threats.
