Syslog is a standard for message logging. Syslog messages are generated on Cisco devices whenever an event takes place – for example, when an interface goes down or a port security violation occurs.
You’ve probably already encountered syslog messages when you were connected to a Cisco device through the console – Cisco devices show syslog messages by default to the console users:
R1# %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
This is because the logging console global configuration command is enabled by default. SSH and Telnet users need to execute the terminal monitor EXEC mode command in order to see the messages:
R1#terminal monitor
R1# %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
In the example above, you can see that the logged-in user executed the terminal monitor command. Because of that, the Telnet user was notified via a syslog message when the Gi0/1 interface went up a couple of moments later.
It is recommended to store the logs generated by Cisco devices to a central syslog server. To instruct a device to send logs to the syslog server, we can use the logging IP_ADDRESS command:
Now, logs generated on R1 will be sent to the syslog server with the IP address of 10.0.0.10. Of course, you need to have a syslog server (e.g. Kiwi syslog) installed and configured.
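Once logs arrive on the central server, the %FACILITY-SEVERITY-MNEMONIC header seen in the messages above can be parsed to separate high-severity events, such as a port security violation, from routine notifications. The following is an added example, not part of the original article: the function names, the severity threshold of 4 and the sample lines (including the timestamp prefix and MAC address) are constructed for illustration.

```python
import re

# Cisco IOS severity levels, indexed by number (0 is the most severe).
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

# Anything before '%' (prompt, timestamp, hostname) is captured as a prefix.
MSG_RE = re.compile(
    r"^(?P<prefix>.*?)%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")

def parse(line):
    """Return the fields of one Cisco syslog line, or None if it does not match."""
    m = MSG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    rec["sev_name"] = SEVERITY[rec["sev"]]
    return rec

def triage(lines, max_sev=4):
    """Split lines into (alerts, rest, unparsed); alerts have severity <= max_sev."""
    alerts, rest, unparsed = [], [], []
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed.append(line)   # keep malformed lines for review, never drop them
        elif rec["sev"] <= max_sev:
            alerts.append(rec)
        else:
            rest.append(rec)
    return alerts, rest, unparsed

# Constructed sample input (not captured from a real device).
SAMPLE = [
    "R1# %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down",
    "*Mar  1 00:02:11.003: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address 0000.0000.0001 on port FastEthernet0/1.",
    "*Mar  1 00:02:12.003: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "not a syslog line",
]

if __name__ == "__main__":
    alerts, rest, unparsed = triage(SAMPLE)
    for r in alerts:
        print(f"ALERT {r['sev_name']:<13} {r['facility']}-{r['mnemonic']}: {r['text']}")
    print(f"{len(rest)} lower-severity, {len(unparsed)} unparsed")
```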