Home > Articles > Cisco Network Technology > Network Administration & Support > An Overview of the syslog Protocol

An Overview of the syslog Protocol

Sample Chapter is provided courtesy of Cisco Press.
Date: Dec 1, 2005.

Chapter Information

Overview of Syslog
Deploying Syslog Servers
Configuring Cisco Devices to Use a Syslog Server
Commercial Cisco Products
Summary

Chapter Description

This chapter presents an overview of the syslog protocol and shows you how to deploy an end-to-end syslog system. You'll learn about the syslog architecture as well as the issues in deploying syslog servers in Linux and Windows OSs with a focus on their relevance in a Cisco environment.

From the Book

Network Administrators Survival Guide

$75.00

Configuring Cisco Devices to Use a Syslog Server

Most Cisco devices use the syslog protocol to manage system logs and alerts. But unlike their PC and server counterparts, Cisco devices lack large internal storage space for storing these logs. To overcome this limitation, Cisco devices offer the following two options:

Internal buffer— The device's operating system allocates a small part of memory buffers to log the most recent messages. The buffer size is limited to few kilobytes. This option is enabled by default. However, when the device reboots, these syslog messages are lost.
Syslog— Use a UNIX-style SYSLOG protocol to send messages to an external device for storing. The storage size does not depend on the router's resources and is limited only by the available disk space on the external syslog server. This option is not enabled by default.

To enable syslog functionality in a Cisco network, you must configure the built-in syslog client within the Cisco devices.

Cisco devices use a severity level of warnings through emergencies to generate error messages about software or hardware malfunctions. The debugging level displays the output of debug commands. The Notice level displays interface up or down transitions and system restart messages. The informational level reloads requests and low-process stack messages.

Configuring Cisco Routers for Syslog

To configure a Cisco IOS-based router for sending syslog messages to an external syslog server, follow the steps in Table 4-11 using privileged EXEC mode.

Table 4-11. Configuring Cisco Routers for Syslog

Step	Command	Purpose
1	Router# configure terminal	Enters global configuration mode.
2	Router(config)# service timestamps type datetime [msec] [localtime] [show-timezone]	Instructs the system to timestamp syslog messages; the options for the type keyword are debug and log.
3	Router(config)#logging host	Specifies the syslog server by IP address or host name; you can specify multiple servers.
4	Router(config)# logging trap level	Specifies the kind of messages, by severity level, to be sent to the syslog server. The default is informational and lower. The possible values for level are as follows: Emergency: 0 Alert: 1 Critical: 2 Error: 3 Warning: 4 Notice: 5 Informational: 6 Debug: 7 Use the debug level with caution, because it can generate a large amount of syslog traffic in a busy network.
5	Router(config)# logging facility facility-type	Specifies the facility level used by the syslog messages; the default is local7. Possible values are local0, local1, local2, local3, local4, local5, local6, and local7.
6	Router(config)# End	Returns to privileged EXEC mode.
7	Router# show logging	Displays logging configuration.

Note

When a level is specified in the logging trap level command, the router is configured to send messages with lower severity levels as well. For example, the logging trap warning command configures the router to send all messages with the severity warning, error, critical, and emergency. Similarly, the logging trap debug command causes the router to send all messages to the syslog server. Exercise caution while enabling the debug level. Because the debug process is assigned a high CPU priority, using it in a busy network can cause the router to crash.

Example 4-12 prepares a Cisco router to send syslog messages at facility local3. Also, the router will only send messages with a severity of warning or higher. The syslog server is on a machine with an IP address of 192.168.0.30.

Example 4-12. Router Configuration for Syslog

Router-Dallas#
Router-Dallas#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-Dallas(config)#logging 192.168.0.30
Router-Dallas(config)#service timestamps debug datetime localtime show-timezone
 
   msec
Router-Dallas(config)#service timestamps log datetime localtime show-timezone msec
Router-Dallas(config)#logging facility local3
Router-Dallas(config)#logging trap warning
Router-Dallas(config)#end
Router-Dallas#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level debugging, 79 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: disabled
    Trap logging: level warnings, 80 message lines logged
        Logging to 192.168.0.30, 57 message lines logged

Configuring a Cisco Switch for Syslog

To configure a Cisco CatOS-based switch for sending syslog messages to an external syslog server, use the privileged EXEC mode commands shown in Table 4-12.

Table 4-12. Configuring a Cisco Switch for Syslog

Step	Command	Purpose
1	Switch>(enable) set logging timestamp {enable \| disable}	Configures the system to timestamp messages.
2	Switch>(enable) set logging server ip-address	Specifies the IP address of the syslog server; a maximum of three servers can be specified.
3	Switch>(enable) set logging server severity server_severity_level	Limits messages that are logged to the syslog servers by severity level.
4	Switch>(enable) set logging server facility server_facility_parameter	Specifies the facility level that would be used in the message. The default is local7. Apart from the standard facility names listed in Table 4-1, Cisco Catalyst switches use facility names that are specific to the switch. The following facility levels generate syslog messages with fixed severity levels: 5: System, Dynamic-Trunking-Protocol, Port-Aggregation-Protocol, Management, Multilayer Switching 4: CDP, UDLD 2: Other facilities
5	Switch>(enable) set logging server enable	Enables the switch to send syslog messages to the syslog servers.
6	Switch>(enable) Show logging	Displays the logging configuration.

Example 4-13 prepares a CatOS-based switch to send syslog messages at facility local4. Also, the switch will only send messages with a severity of warning or higher. The syslog server is on a machine with an IP address of 192.168.0.30.

Example 4-13. CatOS-Based Switch Configuration for Syslog

Console> (enable) set logging timestamp enable
System logging messages timestamp will be enabled.
Console> (enable) set logging server 192.168.0.30
192.168.0.30 added to System logging server table.
Console> (enable) set logging server facility local4
System logging server facility set to <local4>
Console> (enable) set logging server severity 4
System logging server severity set to <4>
Console> (enable) set logging server enable
System logging messages will be sent to the configured syslog servers.
Console> (enable) show logging
Logging buffered size: 500
timestamp option: enabled
Logging history size: 1
Logging console: enabled
Logging server: enabled
{192.168.0.30}
server facility: LOCAL4
server severity: warnings(4
Current Logging Session: enabled

Facility            Default Severity          Current Session Severity
-------------       -----------------------   ------------------------
cdp                 3                         4
drip                2                         4
dtp                 5                         4
dvlan               2                         4
earl                2                         4
fddi                2                         4
filesys             2                         4
gvrp                2                         4
ip                  2                         4
kernel              2                         4
mcast               2                         4
mgmt                5                         4
mls                 5                         4
pagp                5                         4
protfilt            2                         4
pruning             2                         4
radius              2                         4
security            2                         4
snmp                2                         4
spantree            2                         4
sys                 5                         4
tac                 2                         4
tcp                 2                         4
telnet              2                         4
tftp                2                         4
udld                4                         4
vmps                2                         4
vtp                 2                         4

0(emergencies)        1(alerts)              2(critical)
3(errors)             4(warnings)            5(notifications)
6(information)        7(debugging)
Console> (enable)

Configuring a Cisco PIX Firewall for Syslog

Proactive monitoring of firewall logs is an integral part of a Netadmin's duties. The firewall syslogs are useful for forensics, network troubleshooting, security evaluation, worm and virus attack mitigation, and so on. The configuration steps for enabling syslog messaging on a PIX are conceptually similar to those for IOS- or CatOS-based devices. To configure a Cisco PIX Firewall with PIX OS 4.4 and above, perform the steps shown in Table 4-13 in privileged EXEC mode.

Table 4-13. PIX Configuration for Syslog

Step	Command	Purpose
1	Pixfirewall# config terminal	Enters global configuration mode.
2	Pixfirewall(config)#logging timestamp	Specifies that each syslog message should have a timestamp value.
3	Pixfirewall(config)#logging host [interface connected to syslog server] ip_address [protocol / port]	Specifies a syslog server that is to receive the messages sent from the Cisco PIX Firewall. You can use multiple logging host commands to specify additional servers that would all receive the syslog messages. The protocol is UDP or TCP. However, a server can only be specified to receive either UDP or TCP, not both. A Cisco PIX Firewall only sends TCP syslog messages to the Cisco PIX Firewall syslog server.
4	Pixfirewall(config)#logging facility facility	Specifies the syslog facility number. Instead of specifying the name, the PIX uses a 2-digit number, as follows: local0 - 16 local1 - 17 local2 - 18 local3 - 19 local4 - 20 local5 - 21 local6 - 22 local7 - 23 The default is 20.
5	pixfirewall(config)#logging trap level	Specifies the syslog message level as a number or string. The level that you specify means that you want that level and those values less than that level. For example, if level is 3, syslog displays 0, 1, 2, and 3 messages. Possible number and string level values are as follows: 0: Emergency; System-unusable messages 1: Alert; Take immediate action 2: Critical; critical condition 3: Error; error message 4: Warning; warning message 5: Notice; normal but significant condition 6: Informational: information message 7: Debug; debug messages and log FTP commands and WWW URLs
6	pixfirewall(config)#logging on	Starts sending syslog messages to all output locations.
7	pixfirewall(config)#no logging message <message id>	Specifies a message to be suppressed.
8	pixfirewall(config)#exit	Exits global configuration mode.

Example 4-14 prepares the Cisco PIX Firewall to send syslog messages at facility local5 and severity debug and below to the syslog server. The Netadmin does not want the PIX to log message 111005. The syslog server has an IP address of 192.168.0.30.

Example 4-14. Configuring a Cisco PIX Firewall for Syslog

Firewall-Dallas#
Firewall-Dallas# config terminal
Firewall-Dallas(config)# loggin time
Firewall-Dallas(config)# logging host 192.168.0.30
Firewall-Dallas(config)# logging facility 21
Firewall-Dallas(config)# logging trap 7
Firewall-Dallas(config)# logging on
Firewall-Dallas(config)# no logging message 111005
rewall-Dallas(config)# exit
Firewall-Dallas# show logging
Syslog logging: enabled
    Facility: 21
    Timestamp logging: enabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level debugging, 6 messages logged
        Logging to inside 192.168.0.30
    History logging: disabled
    Device ID: disabled

For added reliability, the Cisco PIX Firewall can be configured to send syslog messages through TCP. Please note that if the syslog server disk is full, it can close the TCP connection. This will cause a denial of service because the Cisco PIX Firewall will stop all traffic until the syslog server disk space is freed. Both Kiwi Syslogd Server and PFSS offer this feature. Kiwi Syslogd has an alert mechanism to warn the Netadmin through e-mail or pager when the disk is nearing its capacity. The setting can be established from the Syslog Daemon Setup window, as shown in Figure 4-9, for Kiwi syslog configuration.

If the PIX stops because of a disk-full condition, you must first free some disk space. Then disable syslog messaging on the PIX by using the no logging host host command, followed by reenabling syslog messaging using the logging host host command.

Example 4-15 shows the configuration steps for a Cisco PIX Firewall to send syslog messages at TCP port 1468.

Example 4-15. PIX Configuration for TCP Syslog

Firewall-Dallas# config terminal
Firewall-Dallas(config)# logging host inside 192.168.0.30  tcp/1468
Firewall-Dallas(config)# exit
Firewall-Dallas# show logging
Syslog logging: enabled
    Facility: 21
    Timestamp logging: enabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level debugging, 12 messages logged
        Logging to inside 192.168.0.30 tcp/1468
    History logging: disabled
    Device ID: disabled
Firewall-Dallas#

Caution

A Cisco PIX Firewall facing the Internet is subjected to a large amount of unsolicited traffic in the form of ping scans, port scans, and probes. This can cause the log file to become large within days. It will be filled with data, making it difficult to search for useful information. You should fine-tune your firewall to suppress certain common messages using the no logging message message-id-number command. Additionally, use the IOS firewall features on the edge router to filter unwanted traffic before it hits the Cisco PIX Firewall.

Configuring a Cisco VPN Concentrator for Syslog

The Cisco VPN 3000 Series Concentrator provides an appliance-based solution for deploying VPN functionality across remote networks. VPN concentrators are often connected parallel to the firewalls, as shown earlier in Figure 4-1. The design simplifies the management of the network but creates security concerns. After a user has been authenticated through VPN concentrators, the user has complete access to the network. This makes a strong case for logging the messages from the VPN concentrator. To configure the Cisco VPN 3000 Series Concentrator for sending syslog messages, follow these steps:

Log in to the VPN concentrator using a web browser.
Navigate to the syslog server page by choosing Configuration > System > Events > Syslog Servers, as shown in Figure 4-12.

Figure 4-12 VPN Concentrator—Syslog Server
On the Syslog Servers page, click the Add button (see Figure 4-12).
Enter the IP address of the syslog server and select the facility level from the Facility drop-down menu, as shown in Figure 4-13. Save these settings and return to the Syslog Servers page by clicking the Add button.

Figure 4-13 VPN Concentrator—Add Syslog Server
To select the kind of messages that are to be sent to the syslog server, navigate to the General page by choosing Configuration > System > Events > General.
On the General page, select an option from the Severity to Syslog drop-down menu, as shown in Figure 4-14, and click the Apply button.

Figure 4-14 VPN Concentrator—General Configuration
To save the configuration changes, click the Save Needed icon.

As configured in this example, the VPN concentrator is now ready to send syslog messages at facility local6, severity 1–5 to server 192.168.0.30.

4. Commercial Cisco Products | Next Section Previous Section

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.

Privacy Notice

Overview

Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@ciscopress.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security

Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children

This site is not directed to children under the age of 13.

Marketing

Pearson may send or direct marketing communications to users, provided that

Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
Such marketing is consistent with applicable law and Pearson's legal obligations.
Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out

Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.ciscopress.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

As required by law.
With the consent of the individual (or their parent, if the individual is a minor)
In response to a subpoena, court order or legal process, to the extent permitted or required by law
To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
To investigate or address actual or suspected fraud or other illegal activities
To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links

This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020

Email Address