Syslog is a logging mechanism which collects logs about the system and provides them to the system administrator. With this logging mechanism, network management and troubleshooting activities get easier. We can use a Syslog Server to store these logs.
You can also check Cisco Syslog Configuration Example.
Syslog provides log information in different levels. There are 8 levels of syslog. These levels are given below:
These levels show all the critical messages for the system besides the normal system messages. Importance is ordered starting from 0. Level 0, emergency, is the most important syslog level. The other seven levels follow it in order. The least important level is debug, which is level 7.
Let’s explain syslog levels with an analogy :)
We hope you never get Critical, Alert, Emergency alarms in this case :)
Syslog messages are sent in a defined format. This format can vary a little between systems, but the general concept is similar. Below, you can find an example syslog message format:
seq no:timestamp: %facility-severity-MNEMONIC:description
At the beginning of a syslog message there is a sequence number, followed by a timestamp that shows the exact time of the event. Next comes the facility, which shows the source of the syslog message, and then the severity level. As mentioned before, there are eight severity levels, and one of them is used here. After the severity, the mnemonic is a keyword that identifies the specific syslog message. Lastly, a detailed description of the event is given.
There are different alternatives to display syslog messages. These are given below:
Console lines show syslog messages during console connection. By default, it displays eight severity levels.
VTY lines show syslog messages during a Telnet/SSH connection. By default, this is disabled. To enable it, you should use the “terminal monitor” command.
If the buffer is used for syslog messages, they are stored in RAM, which is limited. It displays eight levels by default.
An SNMP server can also be a destination for syslog messages. Based on these messages, the system can be monitored and proactive engineering can be done.
The best option for storing syslog messages is a separate external Syslog Server, because after a while the log size can become large and cause a memory problem.
By default, syslog is enabled on Cisco devices. If it is not enabled, you can enable syslog manually. To do this, you can use the “logging on” command.
Router(config)# logging on
If you would like to disable syslog, you can use the “no logging on” command.
Router(config)# no logging on
To configure a Syslog Server, which is the best practice for storing syslog messages, you should give the IP address of the syslog server. For example, if your syslog server IP address is 10.0.0.2, you can use the “logging 10.0.0.2” command.
Router(config)# logging 10.0.0.2
During troubleshooting or daily routine configuration work, you may not want to see all the severity levels in the logs. In that case, you can change the severity levels that will be logged. To do this, you can use the “logging trap” command with the desired severity; that level and the more severe levels above it are included.
Below, we will set the severity level to critical. So, we will see critical, alert and emergency level events in the logs.
Router(config)# logging trap critical
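The message format and the “logging trap” threshold described above can be reproduced on the collector side. The following is an added example, not part of the original lesson: it parses lines in the `seq no:timestamp: %facility-severity-MNEMONIC:description` layout and keeps only the messages at or above a chosen severity. The sample lines are constructed, and the function names `parse` and `trap_filter` are hypothetical.

```python
import re

# Cisco severity keywords; the list index is the numeric level (0 = most severe).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# seq no:timestamp: %facility-severity-MNEMONIC:description
# The sequence number is treated as optional, since not every device emits it.
LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?(?P<timestamp>.+?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): ?"
    r"(?P<description>.*)$"
)

def parse(line):
    """Return the message fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    msg["level"] = SEVERITIES[msg["severity"]]
    return msg

def trap_filter(lines, threshold="critical"):
    """Mimic `logging trap <threshold>`: keep that level and anything more severe.
    Unparseable lines are returned separately so they are not silently lost."""
    limit = SEVERITIES.index(threshold)
    kept, rejected = [], []
    for line in lines:
        msg = parse(line)
        if msg is None:
            rejected.append(line)
        elif msg["severity"] <= limit:  # lower number = more severe
            kept.append(msg)
    return kept, rejected

# Constructed sample lines (not captured from a real device).
SAMPLE = [
    "000045: *Mar  1 00:12:31.123: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up",
    "000046: *Mar  1 00:12:40.001: %SYS-2-MALLOCFAIL: Memory allocation of 1028 bytes failed",
    "*Mar  1 00:13:02.456: %SYS-5-CONFIG_I: Configured from console by console",
    "000048: *Mar  1 00:14:10.900: %DEMO-1-EXAMPLE: constructed alert-level message",
    "garbled line with no facility field",
]

if __name__ == "__main__":
    kept, rejected = trap_filter(SAMPLE, "critical")
    print([m["mnemonic"] for m in kept], rejected)
```

Lines that do not match the format are returned in the second list rather than dropped, so a collector can count or inspect them.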
To see the logs on a Cisco router, you can use the “show logging” command.
Router# show logging
Log messages break into the commands you are typing if you do not synchronize them. When that happens, you can make a wrong configuration, because the syslog messages and your configuration commands are mixed together. To avoid this, you should synchronize the logs with the “logging synchronous” command under the console line.
Router(config)# line console 0
Router(config-line)# logging synchronous
Router(config-line)# exit
After this configuration, syslog messages do not divide your commands during configuration.
In this lesson, we have explained what syslog is and how to use a syslog server on Cisco devices.