A Syslog message is a system-generated message produced by network devices such as routers and switches to inform administrators about the health and state of the device and about the events and incidents that occurred on it at a given point in time. Syslog logging is critical to a network because it simplifies troubleshooting and improves security by giving visibility into what the infrastructure devices are doing. We will discuss the different Cisco logging locations and how to configure Syslog logging for each of them below.
Syslog messages can be logged to various locations. These are the four ways and locations where we can store and display messages on our Cisco devices:
- Logging Buffer – events are saved in the RAM of the router or switch. The buffer has a fixed size so that log messages cannot consume all of the system memory; once it is full the oldest messages are overwritten, and its contents are lost on reload. It is enabled by default.
- Console Line – events are displayed on the CLI when you are connected over the console port. It is enabled by default.
- Terminal Lines – log messages are shown on the CLI of a Telnet or SSH session. It is disabled by default and must be enabled per session.
- Syslog Server – log messages are sent over the network to a Syslog server and stored there.
Syslog Logging Configuration
Now, we will see the different Syslog configurations you can do in your network devices depending on the location, preference, and needs.
Logging Buffer Configuration
The first one we will configure is the logging buffer, using the ‘logging buffered’ configuration command. The same command also sets the buffer size (in bytes) and the severity level of the messages kept in the buffer, and the size and level can be given together on one line. With ‘debugging’ (level 7) every message is kept; on a busy production device a level such as ‘informational’ (6) keeps the buffer from filling with debug output:
R1(config)#logging buffered
R1(config)#logging buffered 100000
R1(config)#logging buffered debugging
Console Line Configuration
Console line logging is enabled by default. However, writing every message to the console synchronously can consume noticeable CPU on a busy device, so if you wish to disable logging to the console line, use the ‘no logging console’ command:
R1(config)#no logging console
Terminal Line Configuration
You can also have Syslog messages shown in your current Telnet or SSH (VTY) session with the ‘terminal monitor’ privileged EXEC command. It applies only to the session in which it is entered and is lost when you log out; the severity level for the terminal lines is set separately with the ‘logging monitor’ configuration command:
R1#terminal monitor
Syslog Server Configuration
Adding an external Syslog server to our network is important because it provides centralized storage and management. It ensures that all network event messages and incidents are recorded on a server, where they survive a reload of the device and cannot be wiped by someone who gains access to the router itself. Using a remote Syslog server also makes handling logs easier because messages are stored on the server’s disk instead of in the router’s limited buffer. By default, these messages are sent to the logging host over UDP port 514, which provides neither authentication nor encryption: anyone on the path can read, drop or forge messages, so the Syslog traffic should stay on a trusted management network.
To enable this, we first configure the IP address of the Syslog server with the ‘logging’ command (‘logging host’ is the equivalent form in newer IOS releases). We then specify, with ‘logging trap’, the highest severity level that is sent to the server; ‘debugging’ (level 7) sends every message, and a lower level such as ‘informational’ (6) sends everything except debug output:
R1(config)#logging 10.0.0.100
R1(config)#logging trap debugging
Next, we enable date-and-time timestamps with millisecond resolution on the Syslog messages, which is not always enabled by default, so that each message sent to the server carries the time it was generated rather than only the device’s uptime. The timestamps are only as trustworthy as the device clock, so synchronize the clock with NTP (the ‘ntp server’ command) on any device whose logs you intend to rely on during an investigation:
R1(config)#service timestamps log datetime msec
Let’s verify our configured Syslog logging and the log outputs for the different locations using the ‘show logging’ command:
R1#show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: disabled
Monitor logging: level debugging, 1 messages logged, xml disabled, filtering disabled
Buffer logging: level debugging, 0 messages logged, xml disabled, filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level debugging, 5 message lines logged
Logging to 10.0.0.100 (udp port 514, audit disabled, authentication disabled, encryption disabled, link up), 2 message lines logged, 0 message lines rate-limited, 0 message lines dropped-by-MD, xml disabled, sequence number disabled filtering disabled
Log Buffer (10000 bytes):
As the output shows, buffer logging is enabled with a 10000-byte log buffer and a severity level of ‘debugging’. Console logging is disabled, as we configured it, while monitor (terminal line) logging is enabled. Lastly, you can see that R1 sends trap messages to the Syslog server at 10.0.0.100 over UDP port 514 at severity level ‘debugging’. Note the ‘authentication disabled, encryption disabled’ in that line: plain UDP Syslog offers neither, so treat the transport as untrusted unless the device and collector support a secure variant such as Syslog over TLS.
Security Information and Event Management (SIEM)
A SIEM can be considered a centralized log server, since it provides one location for all logging messages, but it goes further: it parses the messages into fields, and analyzes and correlates events across many devices, for example counting failed logins from the same source or flagging configuration changes, which is why it is mainly used for security monitoring and audit.
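The following Python script is an added example, not code from the original page or from Cisco. It shows what happens on the receiving side of the ‘logging trap’ configuration above and the kind of processing a SIEM does: it parses constructed IOS-style Syslog lines as a collector receives them on UDP port 514, decodes the RFC 3164 PRI value into facility and severity, reports which of the messages a device configured with a given ‘logging trap’ level would actually forward, counts failed logins per source address, and lists configuration changes. The sample lines, the source addresses 10.0.0.200 and 10.0.0.5, the threshold of three failures and the cross-check that the PRI severity agrees with the %FACILITY-SEVERITY-MNEMONIC severity are all assumptions made for this example.

```python
import re
from collections import Counter

# Cisco IOS severity levels; the list index is the numeric level (0 = most severe).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Constructed sample messages (not captured from a real device) in the RFC 3164
# layout IOS sends to a logging host on UDP/514:
#   <PRI>count: timestamp: %FACILITY-SEVERITY-MNEMONIC: text
# PRI = syslog_facility * 8 + severity; IOS defaults to facility local7 (23),
# so PRI values run from 184 (emergencies) to 191 (debugging).
SAMPLE_LINES = [
    "<189>10: *Mar  1 00:10:01.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<190>11: *Mar  1 00:10:02.001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.100 port 514 started - CLI initiated",
    "<188>12: *Mar  1 00:11:05.456: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.200] [localport: 22] [Reason: Login Authentication Failed]",
    "<188>13: *Mar  1 00:11:07.789: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.200] [localport: 22] [Reason: Login Authentication Failed]",
    "<188>14: *Mar  1 00:11:09.012: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.200] [localport: 22] [Reason: Login Authentication Failed]",
    "<188>15: *Mar  1 00:11:30.345: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]",
    "<187>16: *Mar  1 00:12:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<189>17: *Mar  1 00:12:00.010: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"          # RFC 3164 priority value
    r"(?:(?P<seq>\d+): )?"          # message counter IOS prepends (optional)
    r"(?P<ts>[^%]+?): "             # timestamp; contains colons, ends before the '%'
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
SOURCE_RE = re.compile(r"\[Source: ([0-9.]+)\]")


def parse_line(line):
    """Parse one IOS syslog line into a dict of fields.

    Raises ValueError for a malformed line, or when the severity encoded in the
    PRI disagrees with the one in the %FAC-SEV-MNEMONIC tag (an assumed sanity
    check: a genuine IOS message always carries the same level in both places).
    """
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    syslog_facility, pri_severity = divmod(int(m["pri"]), 8)
    severity = int(m["sev"])
    if severity != pri_severity:
        raise ValueError(f"severity mismatch: PRI says {pri_severity}, tag says {severity}")
    return {
        "seq": int(m["seq"]) if m["seq"] else None,
        "timestamp": m["ts"],
        "syslog_facility": syslog_facility,   # 23 == local7, the IOS default
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "facility": m["fac"],                 # IOS component, e.g. SEC_LOGIN
        "mnemonic": m["mnem"],
        "text": m["text"],
    }


def parse_all(lines):
    return [parse_line(line) for line in lines]


def forwarded_at_trap_level(events, level):
    """Messages a device configured with 'logging trap <level>' would send to the
    collector: everything at that level or more severe (numerically lower)."""
    max_severity = SEVERITIES.index(level)
    return [e for e in events if e["severity"] <= max_severity]


def login_failures_by_source(events):
    """Count %SEC_LOGIN-4-LOGIN_FAILED events per source address."""
    counts = Counter()
    for e in events:
        if e["facility"] == "SEC_LOGIN" and e["mnemonic"] == "LOGIN_FAILED":
            m = SOURCE_RE.search(e["text"])
            if m:
                counts[m.group(1)] += 1
    return counts


def brute_force_sources(events, threshold=3):
    """SIEM-style correlation: sources with at least `threshold` failed logins."""
    counts = login_failures_by_source(events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def config_changes(events):
    """%SYS-5-CONFIG_I is the audit trail of who changed the configuration and from where."""
    return [e["text"] for e in events if e["mnemonic"] == "CONFIG_I"]


if __name__ == "__main__":
    events = parse_all(SAMPLE_LINES)
    kept = forwarded_at_trap_level(events, "warnings")
    print(f"'logging trap warnings' would forward {len(kept)} of {len(events)} messages")
    print("brute-force candidates:", brute_force_sources(events))
    print("configuration changes:", config_changes(events))
```

Running the script with the constructed sample shows why the trap level matters for security monitoring: with ‘logging trap warnings’ the collector would receive the four failed logins and the interface-down message but not the %SYS-5-CONFIG_I notification, so a configuration change made by an intruder would never reach the SIEM. Keeping the trap level at ‘informational’ or above is the usual compromise between volume and coverage.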