Thursday 14 November 2019

Cisco SYSLOG Configuration Complete Tutorial

This tutorial is a complete guide to Cisco syslog configuration: what syslog is, how syslog works, and how to configure syslog to collect messages on a network management device in a small to medium-sized network.
Monitoring a functioning network gives a network administrator the information needed to manage the network proactively and to report network usage statistics to others. Link activity, error rates and link status are some of the factors that help a network administrator determine the status and utilization of a network. Collecting and reviewing this information over time lets the administrator view and project growth, and can help detect and replace a failing component before it fails completely.
This chapter covers three protocols that a network administrator can use to monitor the network. Syslog, SNMP and NetFlow are popular protocols with different strengths and weaknesses. Together they provide a good set of tools for understanding what happens in a network.
The NTP protocol is used to synchronize the time across devices, which is especially important when comparing the log files of different devices.

What is SYSLOG ?

When certain events occur on a network, network devices have reliable mechanisms for notifying the administrator with detailed system messages. These messages may or may not be important.
Network administrators have a variety of options for storing, interpreting and displaying these messages, and for being alerted to those messages that could have the greatest impact on the network infrastructure.
The most common method of accessing the system messages provided by network devices is to use a protocol called "syslog".

Syslog uses UDP port 514 to send event notification messages over IP networks to event message collectors.
The term "syslog" is used to describe a standard. It is also used to describe the protocol developed for that standard. The syslog protocol was developed for UNIX systems in the 1980s, but the IETF first documented it as RFC 3164 in 2001.
Many network devices support syslog, including routers, switches, application servers, firewalls and other network devices. The syslog protocol allows network devices to send system messages to syslog servers across the network. It is possible to set up a dedicated out-of-band (OOB) network for this purpose.
There are several different syslog server software packages for Windows and UNIX. Many of them are freeware.
The syslog logging service provides three main functions:

  • The ability to collect logging information for monitoring and troubleshooting
  • The ability to select the type of logging information that is captured
  • The ability to specify the destinations of captured syslog messages

How SYSLOG Works

On Cisco network devices, the syslog process begins by sending system messages and debug command output to an internal logging process on the device. How the logging process handles these messages and output depends on the device's configuration.
For example, syslog messages can be sent over the network to an external syslog server. These messages can then be retrieved without having to access the device itself. The output and log messages stored on the external server can be pulled into various reports for easier reading.
Alternatively, syslog messages can be sent to an internal buffer. Messages sent to the internal buffer can only be viewed through the device CLI.

Finally, the network administrator can specify that only certain types of system messages be sent to particular destinations. For example, the device can be configured to forward all system messages to an external syslog server, while debug-level messages are forwarded only to the internal buffer, where only the administrator can access them from the CLI.
As shown in the illustration, common destinations for syslog messages include the following:

  • Logging buffer (RAM inside a router or switch)
  • Console line
  • Terminal line
  • Syslog server

System messages can be monitored remotely by viewing the logs on a syslog server, or by accessing the device through Telnet, SSH or the console port.

FORMAT OF SYSLOG MESSAGES

Cisco devices generate syslog messages as a result of network events. Each syslog message contains a severity level and a facility.

SYSLOG SEVERITY LEVEL

The lower the level number, the more critical the syslog alarm. The severity level of messages can be used to control where each type of message is displayed (that is, on the console or at other destinations). Image 3 shows the complete list of syslog levels.

Each level of syslog has its own meaning:

  • Warning level through emergency level: these are error messages about software or hardware that is malfunctioning; messages of these types mean that the functionality of the device is affected. The seriousness of the problem determines the actual syslog level that is applied.
  • Debug level: this level indicates that the messages are output generated by the various debug commands.
  • Notification level: the notification level is informational only; the functionality of the device is not affected. Interface up or down messages, or system restart messages, are displayed at the notification level.

FACILITY INFORMATION

In addition to specifying severity, syslog messages also contain information about the facility. Syslog facilities are service identifiers that identify and categorize system state data for error and event message reporting.
The available logging facility options are specific to the network device. For example, Cisco 2960 series switches and Cisco 1941 routers support 24 facility options that are categorized into 12 facility types.
Some common syslog message facilities reported on Cisco IOS routers include the following:


By default, the format of syslog messages in Cisco IOS software is as follows:
seq no:timestamp: %facility-severity-MNEMONIC: description
For example, the output of a Cisco switch for an EtherChannel link changing to the up state looks like this:
00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
Here the facility is LINK, the severity level is 3, and the mnemonic is UPDOWN.
The most common messages are link up and link down messages, and the messages a device produces when it exits configuration mode. If ACL logging is configured, the device generates syslog messages when packets match an ACL condition.

SERVICE TIME STAMP

Log messages can be time-stamped, and the source address of syslog messages can be set. This improves real-time debugging and management.
When the global configuration mode command service timestamps log uptime is entered, logged events show the time elapsed since the switch was last booted. A more useful version of this command uses the datetime keyword instead of the uptime keyword; this causes each logged event to show the date and time associated with the event.
When the datetime keyword is used, the clock must be set on the network device. This can be done in two ways:

  • Manual configuration using the clock set command
  • Automatic configuration using the NTP protocol

To allow an NTP time server to synchronize the software clock, use the global configuration mode command:
ntp server ip-address
The illustration shows an example configuration. R1 is configured as an NTP client, while router R2 acts as an authoritative NTP server. A network device can be configured as an NTP server, so that other devices synchronize their time to it, or as an NTP client.

R2(config)# ntp master 1
R1(config)# ntp server 10.1.1.1
For the rest of the chapter, it is assumed that the clock was set and the service timestamps log datetime command was configured on all devices.

SYSLOG SERVER

To view syslog messages, a syslog server must be installed on a workstation in the network. There are several freeware and shareware syslog servers, as well as commercial versions available for purchase.
The syslog server provides a relatively user-friendly interface for viewing syslog output. The server parses the output and places the messages in predefined columns so they are easy to interpret.

Network administrators can easily navigate through a large amount of data that is collected on a syslog server. An advantage of viewing syslog messages on a syslog server is the ability to perform granular searches through the data. In addition, a network administrator can quickly remove syslog messages that are not important from the database.

DEFAULT LOGGING

By default, Cisco routers and switches send log messages of all severity levels to the console. In some versions of IOS, the device also buffers log messages by default. To enable these two settings, use the global configuration commands logging console and logging buffered, respectively.
The show logging command displays the default configuration of the logging service on a Cisco router, as shown in the illustration. The first lines of the output provide information about the logging process, and the end of the output lists the log messages.

  • The first highlighted line indicates that this router logs to the console and includes debug messages. This actually means that all debug-level messages, as well as any lower-level messages (such as notification-level messages), are logged to the console. The output also indicates that 32 such messages have been logged.
  • The second highlighted line indicates that this router logs to an internal buffer. Since logging to an internal buffer is enabled on this router, the show logging command also lists the messages in that buffer.

ROUTER AND SWITCH COMMANDS FOR SYSLOG CLIENTS

There are three steps to configure the router to send system messages to a syslog server where they can be stored, filtered and analyzed:

  • Step 1. Configure the destination hostname or IP address of the syslog server in global configuration mode:

R1(config)# logging 192.168.1.3

  • Step 2. Control which messages are sent to the syslog server with the global configuration mode command logging trap level. For example, to limit messages to levels 4 and below (0 to 4), use either of these two equivalent commands:

R1(config)# logging trap 4
R1(config)# logging trap warning

  • Step 3. Optionally, configure the source interface with the global configuration mode command:

logging source-interface interface-type interface-number
This specifies that syslog packets carry the IPv4 or IPv6 address of a specific interface, regardless of the interface the packet uses to exit the router. For example, to set the source interface to g0/0, use the following command:

R1(config)# logging source-interface g0/0

SYSLOG CONFIGURATION EXAMPLE

In Image 8, R1 is configured to send log messages of levels 4 and below to the syslog server at 192.168.1.3. The source interface is set to the G0/0 interface. A loopback interface is created, shut down and brought back up. The console output reflects these actions.

The only messages that appear on the syslog server are those with a severity level of 4 or lower (more serious). Messages with a severity level of 5 or higher (less severe) appear in the router console output but not in the syslog server output, because the logging trap command limits the syslog messages sent to the syslog server based on severity level.

VERIFICATION OF SYSLOG

The show logging command can be used to view any message that has been logged. When the logging buffer is large, it is convenient to use the pipe option (|) with the show logging command. The pipe option lets the administrator specify exactly which messages should be displayed.
For example, issuing show logging | include changed state to up ensures that only interface notifications containing "changed state to up" are displayed.
The illustration also shows that issuing show logging | begin June 12 22:35 displays the contents of the logging buffer from June 12 22:35 onward.
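As an added example (not code from the tutorial or from Cisco IOS), the Python below parses messages in the seq no:timestamp: %facility-severity-MNEMONIC: description layout described above, applies a logging trap 4-style severity filter like the one in the configuration example, and reproduces the show logging | include text filter. The console log it works on is constructed to mirror the loopback-interface scenario and is not captured from a real router.

```python
import re
from typing import List, NamedTuple, Optional

class SyslogMessage(NamedTuple):
    timestamp: str   # whatever "service timestamps" placed before the '%'
    facility: str    # e.g. LINK, LINEPROTO, SYS
    severity: int    # 0 (emergency) .. 7 (debugging)
    mnemonic: str    # e.g. UPDOWN, CONFIG_I
    description: str

# IOS layout: seq no:timestamp: %FACILITY-SEVERITY-MNEMONIC: description (prefix is optional, so it is matched lazily)
_MSG_RE = re.compile(
    r"^(?P<prefix>.*?)%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<description>.*)$"
)

def parse_ios_message(line: str) -> Optional[SyslogMessage]:
    """Parse one IOS system message; return None for lines not in the format."""
    m = _MSG_RE.match(line.strip())
    if m is None:
        return None
    return SyslogMessage(
        timestamp=m["prefix"].rstrip(": ").lstrip("*"),
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        description=m["description"],
    )

def trap_filter(lines: List[str], level: int) -> List[SyslogMessage]:
    """Mimic 'logging trap <level>': forward only messages whose severity is <= level."""
    parsed = (parse_ios_message(line) for line in lines)
    return [m for m in parsed if m is not None and m.severity <= level]

def show_logging_include(lines: List[str], text: str) -> List[str]:
    """Mimic 'show logging | include <text>': keep buffer lines that contain the text."""
    return [line for line in lines if text in line]

# Constructed console log modelled on the tutorial's example (loopback created, shut down, brought back up).
SAMPLE_CONSOLE_LOG = [
    "*Jun 12 22:35:46.123: %LINK-3-UPDOWN: Interface Loopback0, changed state to up",
    "*Jun 12 22:35:47.127: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up",
    "*Jun 12 22:36:02.003: %SYS-5-CONFIG_I: Configured from console by console",
    "*Jun 12 22:36:10.500: %LINK-5-CHANGED: Interface Loopback0, changed state to administratively down",
    "*Jun 12 22:36:11.510: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to down",
    "*Jun 12 22:36:40.000: %LINK-3-UPDOWN: Interface Loopback0, changed state to up",
    "*Jun 12 22:36:41.004: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up",
]
```

With trap level 4 only the two %LINK-3-UPDOWN messages are forwarded, while the level-5 LINEPROTO and SYS messages stay on the console, matching the behaviour described for Image 8.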
