System Message Logging – SYSLOG
Modern network devices have advanced from simple transmitting of messages (email.documents, multimedia etc), network devices like Cisco routers and switches provide the features for network administrators to reading system messages from their internal buffer about network situation at a particular time.
The way do this is by using Syslog server.
Cisco network devices (Routers and Switches) use Syslog to send system messages and debug output to a local logging process inside the device. These system messages can even be sent across the network to a syslog server or to an internal buffer so that you can view them at your convenience at a later time right through the device command line interface. Whichever way you choose is configurable.
You can use the following destinations for syslog messages:
• The logging buffer (RAM inside the router or switch)
• The console line
• The terminal lines
• A syslog server
So you know, all system messages and debug output generated by the router or switch IOS go out only the console port by default and are also logged in buffers in RAM. To accomplish the sending of messages from Cisco routers, to the VTY lines, use the terminal monitor command.
Basically, by default, you will see something like this on your console line:
*Oct 21 17:33:50.565:%LINK-5-CHANGED:Interface FastEthernet0/0, changed
state to administratively down
*Oct 21 17:33:51.565:%LINEPROTO-5-UPDOWN:Line protocol on Interface
FastEthernet0/0, changed state to down
Cisco router would send a summarized version of the message to the syslog server that would look something like this:
Seq no:timestamp: %facility-severity-MNEMONIC:description
A detail explanation on what this means:
seq no : This a sequence number of the message, but not by default. for you to know the time the message was sent, you’ve got to configure it.
Timestamp : This means Data and time of the message or event, which also need to be configured
Facility : The facility to which the message refers.
Severity : this a single-digit code from 0 to 7 that shows the severity of the message.
MNEMONIC : Text string that uniquely describes the message.
Description : Text string containing detailed information about the event being reported.
Example of Real syslog message:
Apr 10 14:10:01.052: %MESKING-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
changed state to down
= A timestamp: *Apr 10 14:10:01.052
The facility on the router that generated the message: %MESKING
The severity level: 5
A mnemonic for the message: UPDOWN
The description of the message: Line protocol on Interface FastEthernet0/0, changed state to down
Syslog Severity levels Explained:
Emergency (severity 0) System is unusable.
Alert (severity 1) Immediate action is needed.
Critical (severity 2) Critical condition.
Error (severity 3) Error condition.
Warning (severity 4) Warning condition.
Notification (severity 5) Normal but significant condition.
Information (severity 6) Normal information message.
Debugging (severity 7) Debugging message.
How to Configure and Verifying Syslog.
Cisco devices send all log messages according to the severity level you configure or chosen to the console.
These messages also go to the buffer, and both happen by default.
You can disable and enable these features with the following commands, to enable use:
The above command with a question mark will display all the option to choose from.
The configuration above can be used to enable the console and buffer to receive all log message of all severity, just know that this is the default setting for all Cisco IOS devices.
If you want to disable the defaults, use the following commands:
Router(config)#no logging console
Router(config)#no logging buffered
A Syslog server saves copies of console messages and can time-stamp them for viewing at a later time. This feature can be enabled with the following command:
HQ(config)#service timestamps log datetime msec
The above command will save all the console messages in one location to be viewed at your convenience! use the logging host ip_address command.
You can set a limit to a number of messages sent to the syslog server, based on severity with the following command:
SF(config)#logging trap warnings
The command above shows that you can use either the number or the actual severity level name—and they are in alphabetical order, not severity order, Cisco router will send messages for levels 0 through 4 (warnings)