Cisco IOS Syslog Logging Locations

A Syslog message is a system-generated message produced by routers and switches that use to inform network administrators about useful information regarding the health and state of the device along with network events and incidents that occurred at that point in time. Syslog logging is a critical part of our network system because it provides easier troubleshooting and enhances security by providing visibility into the logs of all of our infrastructure devices and equipment that we manage. We will discuss the different Cisco logging locations and how to configure Syslog logging on these locations below.

 

NOTE
By default, Cisco IOS devices send Syslog messages to the console line and logging buffer. However, you can also configure to send Syslog messages into the terminal lines, SNMP traps, and Syslog servers.

 

Cisco Logging Locations

Syslog messages can be logged to various locations. These are the four ways and locations where we can store and display messages on our Cisco devices:

  • Logging Buffer – events saved in the RAM memory of a router or switches, the buffer has a fixed size to ensure that the log messages will not use up valuable system memory. It is enabled by default.
  • Console Line – events will be displayed in the CLI when you log in over a console connection. It is enabled by default.
  • Terminal Lines – log messages will be shown in the CLI when you log in over a Telnet or SSH session. It is disabled by default.
  • Syslog Server – log messages are saved in the Syslog server.

 

Syslog Logging Configuration

Now, we will see the different Syslog configurations you can do in your network devices depending on the location, preference, and needs.

Logging Buffer Configuration

The first one we are going to configure is the logging buffer using the ‘logging buffered’ configuration command. We will also set its buffer size and the logging severity levels as well.

R1(config)#logging buffered
R1(config)#logging buffered 100000
R1(config)#logging buffered debugging

 

NOTE
Cisco IOS devices have a default logging buffer size of 4096, but you can modify it depending on your preference.

 

Console Line Configuration

The console line Syslog configuration is enabled by default. However, if you wish to disable logging to the console line, use the ‘no logging’ command:

R1(config)#no logging console

 

NOTE
When you execute logging synchronous on the global configuration mode, log messages sent to the console line will not interrupt the command you are typing, and the command will be moved to a new line.

 

Terminal Line Configuration

You can also configure Syslog to send messages into the VTY terminal lines using the ‘terminal monitor’ command:

R1(config)#terminal monitor

 

NOTE
The reason terminal lines are disabled by default in Cisco IOS is because it might make your VTY terminal connections congested due to massive amounts of log messages being sent into the lines when it is improperly configured.

 

Syslog Server Configuration

It is important to add an external Syslog server to our network because it provides centralized storage and management. It makes sure that all of the network events messages and incidents are being recorded and logged on a server. This makes handling logs a lot easier because messages can be stored on a hard drive on the Syslog server instead of on the router itself, thus freeing up the router’s memory. By default, these messages are sent to the logging host through UDP port 514.

To enable this, first, we configure the IP address of the Syslog server to be used by entering the ‘logging’ command. We then specify the type of message we want to send to the Syslog server.

R1(config)#logging 10.0.0.100
R1(config)#logging trap debugging

 

Next, we specify the local timestamp to use with the Syslog messages which will be sent to the Syslog server because it is not included by default.

R1(config)#service timestamps log datetime msec

 

Let’s take a look and verify our configured Syslog logging and log outputs on the different locations using the ‘show logging’ command.

R1#show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited,
          0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
    Console logging: disabled
    Monitor logging: level debugging, 1 messages logged, xml disabled,
          filtering disabled
    Buffer logging:  level debugging, 0 messages logged, xml disabled,
          filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
    Trap logging: level debugging, 5 message lines logged
        Logging to 10.0.0.100  (udp port 514,  audit disabled,
             authentication disabled, encryption disabled, link up),
             2 message lines logged,
             0 message lines rate-limited,
             0 message lines dropped-by-MD,
             xml disabled, sequence number disabled
             filtering disabled
Log Buffer (10000 bytes):

 

As the output shows, the logging buffer is enabled with an output size of 1000 bytes and a severity level of ‘debugging’. The console line logging is disabled as we configured it to be, but the terminal line is enabled. Lastly, you can see that R1 is using the Syslog server with an IP address of 10.0.0.100 and with a severity level of ‘debugging’.

 

Security Information and Event Management (SIEM)

A SIEM can be thought of as a centralized log server as it provides a centralized location for all logging messages. It will typically provide advanced analysis and correlation of events. It is mainly used for security and audit administration.


Download our Free CCNA Study Guide PDF for complete notes on all the CCNA 200-301 exam topics in one book.

We recommend the Cisco CCNA Gold Bootcamp as your main CCNA training course. It’s the highest rated Cisco course online with an average rating of 4.8 from over 30,000 public reviews and is the gold standard in CCNA training: