
Syslog Overview

Syslog is a standard protocol for generating, collecting, storing, and forwarding log messages from network devices such as routers, switches, firewalls, servers, and applications. Developed for Unix systems in the 1980s, it has since been adopted across practically every operating system and network platform.

When syslog is enabled on the devices in a network, administrators can centralize the management of logs from different devices and applications. This is particularly useful in large and complex networks, where monitoring and troubleshooting each device on its own is impractical.

By collecting and aggregating log messages in a central location, administrators can more easily identify and respond to issues, such as security threats, network errors, and performance degradation.

The syslog service is enabled by default on Cisco devices. The logging process is responsible for collecting event messages and distributing them to various destinations, such as the console line, the terminal lines, the internal logging buffer of the device, or an external syslog server. 

Although logging is the simplest of the monitoring protocols, it provides more than enough data for deep monitoring and solid troubleshooting. The best option is an external syslog server: the device's internal buffer is small and is lost on reload, whereas a server lets administrators retain messages for an extended period for historical analysis, trend reporting, and incident investigation.

Exploring the Syslog Message Format

The classic (BSD, RFC 3164) syslog message format consists of three parts: the priority (PRI), a header, and the message body (MSG). The priority is an 8-bit value that encodes the facility that generated the message (the upper 5 bits, values 0 to 23) and the severity level of the message (the lower 3 bits, values 0 to 7). On the wire it is computed as facility × 8 + severity and carried in angle brackets at the very start of the message, for example <189>.

The facility is a numeric value identifying the message's source, such as the kernel, a system daemon, or an application (Cisco IOS uses local7, facility 23, unless configured otherwise). The severity states how serious the reported condition is. There are eight severity levels (0 to 7), and the lower the number, the more severe the condition.

The header carries the timestamp and the hostname of the source, whereas the message body contains the actual text being logged.

Syslog messages generated by Cisco IOS software are structured as follows: seq no:timestamp: %facility-severity-mnemonic: description. The sequence number appears only when service sequence-numbers is configured, and the form of the timestamp depends on the service timestamps log setting. The meaning of each parameter is the following:

  • Seq no: Represents the message sequence number
  • Timestamp: Date and time when the message originated
  • Facility: Source of the message
  • Severity: Number representing the severity of the message
  • Mnemonic: A short code that, together with the facility, uniquely identifies the type of message (for example UPDOWN)
  • Description: Explanation of the meaning of the message in plain language

To understand better what a syslog message looks like and what information it provides, let’s take a look at the following syslog message:

*Nov 17 21:12:23.233: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

As you can see in the example above, the syslog message was created on Nov 17 at 21:12:23.233. The leading asterisk means the device's clock was not authoritative (not synchronized, typically via NTP) when the message was generated, so that timestamp cannot be relied on when correlating events across devices. The facility code is LINEPROTO, which tells us that the message concerns a line protocol.

The severity level is 5 (notice), and the mnemonic UPDOWN complements the facility: a line protocol went up or down. The description states in plain text why the syslog message was generated.
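To make the format above concrete, here is a small parser for Cisco IOS syslog lines and for the <PRI> value that precedes them on the wire. This is an added example and not code from the original page or from Cisco. The first sample line is the one quoted above; the other two lines and the datagram are constructed for illustration, and the meaning of the leading time flags ('*' clock never synchronized, '.' synchronization lost) follows Cisco's documented convention.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Severity names in the order of the numeric levels 0..7 (from the article's table)
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# Cisco IOS line: [seq no: ][*|.]timestamp: %FACILITY-SEVERITY-MNEMONIC: description
CISCO_LINE = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"                        # optional sequence number
    r"(?P<flag>[*.]?)"                               # '*' never synced, '.' sync lost, '' authoritative
    r"(?P<timestamp>[^:]+(?::\d{2}){2}(?:\.\d+)?(?:\s+[A-Za-z]+)?):\s*"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$"
)
PRI_RE = re.compile(r"^<(\d{1,3})>")


@dataclass(frozen=True)
class CiscoSyslog:
    seq: Optional[int]
    timestamp: str
    time_authoritative: bool
    facility: str
    severity: int
    mnemonic: str
    description: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_cisco_line(line: str) -> CiscoSyslog:
    """Split one IOS log line into its fields; raises ValueError if it does not fit the format."""
    m = CISCO_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a Cisco IOS syslog line: {line!r}")
    return CiscoSyslog(
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["timestamp"],
        time_authoritative=(m["flag"] == ""),
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        description=m["description"].strip(),
    )


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity; facility 0..23 and severity 0..7 as in RFC 3164."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def decode_pri(pri: int) -> Tuple[int, int]:
    """Inverse of encode_pri: the upper bits are the facility, the low 3 bits the severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0..191")
    return pri >> 3, pri & 0x7


def parse_datagram(data: bytes) -> Tuple[int, int, CiscoSyslog]:
    """Parse a BSD-syslog datagram carrying an IOS message: (facility, severity, message).
    Also checks that the PRI severity agrees with the severity in the %FAC-SEV-MNEMONIC header."""
    text = data.decode("ascii", errors="replace")
    m = PRI_RE.match(text)
    if not m:
        raise ValueError("datagram does not start with <PRI>")
    facility, severity = decode_pri(int(m.group(1)))
    msg = parse_cisco_line(text[m.end():])
    if msg.severity != severity:
        raise ValueError(f"PRI severity {severity} disagrees with header severity {msg.severity}")
    return facility, severity, msg


# Sample input: the first line is the article's example, the rest are constructed.
SAMPLE_LINES = [
    "*Nov 17 21:12:23.233: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up",
    "000042: Nov 17 21:15:02.001 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "000043: .Nov 17 21:16:10.500: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9] [localport: 22]",
]
# Constructed datagram: local7 (23) * 8 + notice (5) = <189>, the PRI Cisco IOS uses by default for level 5.
SAMPLE_DATAGRAM = b"<189>" + SAMPLE_LINES[0].encode("ascii")

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_cisco_line(line))
    print(parse_datagram(SAMPLE_DATAGRAM))
```

The consistency check in parse_datagram is worth keeping in a real collector: the PRI is set by the sending process, while the %FACILITY-SEVERITY-MNEMONIC header is part of the text, and a disagreement between the two is a sign of a mangled or spoofed message.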

To export syslog messages to an external syslog server, first define the server's IP address with the logging host ip-address command, then define the maximum severity level to forward with the logging trap severity-level command. By default the messages are sent over UDP port 514 in cleartext and without any authentication, so the collector should sit on a trusted management network and the path to it should be restricted by ACLs.

The severity levels of syslog messages are as follows (Cisco IOS also accepts each level as a keyword with the logging trap command: emergencies, alerts, critical, errors, warnings, notifications, informational, debugging):

  • Emergency (0): The system is unusable
  • Alert (1): Action must be taken immediately
  • Critical (2): Critical conditions
  • Error (3): Error conditions
  • Warning (4): Warning conditions
  • Notice (5): Normal but significant condition
  • Informational (6): Informational messages
  • Debug (7): Debug-level messages

Optionally, you can set the source IP address of exported messages to the address of a specific interface with the logging source-interface interface-type interface-number command. This keeps the source address consistent, so the server attributes every message to the right device and firewall rules on the path can match it, and a loopback interface is recommended over a physical one because it stays up as long as the device does.

The following commands instruct the router to send syslog messages of severity level informational (level 6) and more severe to the syslog server at 192.168.1.1, using the IP address of interface Loopback5 as the source.

[Figure: Exploring Device Monitoring 1, the router configuration for this example]

Important: When a severity level is configured, the device does not export only messages of that level; it also exports every more severe level, that is, every message whose severity number is less than or equal to the configured one. logging trap informational therefore forwards levels 0 through 6 and suppresses only debug messages.
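The following added example (not code from the original page or from Cisco) models the export procedure described above: it reads the three logging commands from a constructed running-config excerpt, resolves the logging trap argument (number or IOS keyword) to a severity number, and applies the "configured level and everything more severe" rule to a set of constructed sample messages. The config text and all sample messages are constructed for this illustration.

```python
import re
from typing import Dict, Iterable, List, Optional

# Keywords accepted by "logging trap", indexed by severity number 0..7
TRAP_KEYWORDS = ["emergencies", "alerts", "critical", "errors",
                 "warnings", "notifications", "informational", "debugging"]

# Extracts the numeric severity from a %FACILITY-SEVERITY-MNEMONIC header
SEVERITY_RE = re.compile(r"%[A-Z0-9_]+-([0-7])-[A-Z0-9_]+:")

# Constructed running-config excerpt matching the configuration the text describes
SAMPLE_CONFIG = """\
logging source-interface Loopback5
logging trap informational
logging host 192.168.1.1
"""

# Constructed messages, one per severity of interest (not real device output)
SAMPLE_MESSAGES = [
    "Nov 17 21:20:01.000: %SYS-2-MALLOCFAIL: Memory allocation of 4096 bytes failed, pool Processor",
    "Nov 17 21:20:02.000: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from tftp://10.0.0.7/r1.cfg failed",
    "*Nov 17 21:12:23.233: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up",
    "Nov 17 21:20:04.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.1 port 514 started",
    "Nov 17 21:20:05.000: %SYS-7-USERLOG_DEBUG: Message from tty1(user id: admin): test",
]


def trap_level(value: str) -> int:
    """Resolve a 'logging trap' argument, numeric or keyword, to a severity number 0..7."""
    v = value.strip().lower()
    if v.isdigit():
        n = int(v)
        if 0 <= n <= 7:
            return n
        raise ValueError(f"severity out of range: {value}")
    if v in TRAP_KEYWORDS:
        return TRAP_KEYWORDS.index(v)
    raise ValueError(f"unknown logging trap level: {value}")


def parse_logging_config(config: str) -> Dict[str, object]:
    """Collect the syslog-export settings from the logging commands in a config excerpt."""
    hosts: List[str] = []
    trap: Optional[int] = None
    source: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("logging host "):
            hosts.append(line.split()[2])
        elif line.startswith("logging trap "):
            trap = trap_level(line.split(None, 2)[2])
        elif line.startswith("logging source-interface "):
            source = line.split(None, 2)[2]
    return {"hosts": hosts, "trap": trap, "source_interface": source}


def forwarded(messages: Iterable[str], trap: int) -> List[str]:
    """Messages a device with 'logging trap <trap>' exports: severity number <= trap,
    i.e. the configured level plus every more severe (lower-numbered) level."""
    kept = []
    for msg in messages:
        m = SEVERITY_RE.search(msg)
        if m and int(m.group(1)) <= trap:
            kept.append(msg)
    return kept


def severities_forwarded(trap: int) -> List[str]:
    """Names of all levels exported for a given trap level, most severe first."""
    return TRAP_KEYWORDS[: trap + 1]


if __name__ == "__main__":
    cfg = parse_logging_config(SAMPLE_CONFIG)
    print("hosts:", cfg["hosts"], "source:", cfg["source_interface"], "trap:", cfg["trap"])
    for level in ("informational", "warnings", "debugging"):
        sent = forwarded(SAMPLE_MESSAGES, trap_level(level))
        print(f"logging trap {level}: {len(sent)} of {len(SAMPLE_MESSAGES)} messages exported")
```

Running the block shows that logging trap informational exports four of the five constructed messages and drops only the level 7 debug line, while logging trap warnings exports only the level 2 and level 4 lines. Setting the trap level too high (debugging) floods the collector, while setting it too low silently discards notices such as interface and configuration changes that an investigation may depend on.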

To check the syslog messages stored in the device's buffer, use the show logging command. Its output also reports how many messages have been logged to each destination, the severity level configured for each destination, and the syslog hosts the device is sending to.