Syslog Server

Uploaded by

farukhkhann.1162
Copyright
© All Rights Reserved

Syslog:

o Syslog stands for System Logging, a standard protocol used to send system log messages.
o Cisco network devices such as routers and switches use Syslog to send system messages.
o Cisco network devices send debug output to a local logging process inside the device.
o Syslog is used on a variety of devices to give system information to the system admin.
o Most Cisco devices use the syslog protocol to manage system logs and system alerts.
o Logging can be used for fault notification, network forensics, and security auditing.
o Syslog messages can be output to the console, a local buffer or a remote syslog server.
o Logs can include content flow, configuration changes, new software installs, etc.
o Logging helps to detect unusual network traffic, network device failures and other issues.

Syslog Severity Level


Level Name      Level   Router Messages
Emergency       0       System-Unusable Messages (Missing Fan Tray)
Alert           1       Take Immediate Action (Temperature Limit Exceeded)
Critical        2       Critical Condition (Memory Allocation Failures)
Error           3       Error Message (Interface Up/Down)
Warning         4       Warning Message (File Written to Server)
Notice          5       Normal but Significant Condition (Line Protocol Up/Down)
Informational   6       Information Message (Access-List Violation)
Debug           7       Debug Messages and Log FTP Commands

TIMESTAMP              The date and time the message was generated.
FACILITY-SUBFACILITY   The protocol, module or process that generated the message.
SEVERITY               A level from 0-7 that specifies how important the message is.
MNEMONIC               A code that identifies the action reported.
MESSAGE TEXT           A plain text description of the event.

Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717


Local Logging:
o Everything that happens on a router or switch can be logged.
o By default, syslog messages are only displayed to the console.
o This is because the logging console command is enabled by default.
o By default, the router sends all log messages to its console port.
o Only users physically connected to the router console port can view messages.
o This can be turned off with the no logging console command.
o For local logging, Cisco IOS can save syslog messages to the internal buffer.
o Syslog messages can be output to the console or a remote syslog server.
o The logging is basically the process that generated the syslog message.

Terminal Logging:
o It is like console logging, but it displays log messages to the router's VTY lines instead.
o This is not enabled by default. To enable it, use this command: R1# terminal monitor

Buffered Logging:
o This type of logging uses the router's or switch's RAM for storing log messages.
o The buffer has a fixed size to ensure that the log will not deplete valuable system memory.
o The router accomplishes this by deleting old messages as new messages are added.
o To enable it, use this configuration mode command: R1(config)# logging buffered

Syslog Server Logging:


o The router can use syslog to forward log messages to external syslog servers for storage.
o This type of logging is not enabled by default on devices.

SNMP Trap Logging:


o The router can use SNMP traps to send log messages to an external SNMP server.



R1 Configuration
R1(config)#interface f0/0
R1(config-if)#ip address 1.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config)#router rip
R1(config-router)#network 0.0.0.0
R1(config)#interface f0/1
R1(config-if)#ip address 2.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1# show ip int br
R1# show ip route

R2 Configuration
R2(config)#interface f0/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config)#router rip
R2(config-router)#network 0.0.0.0
R2(config)#interface f0/1
R2(config-if)#ip address 2.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2# show ip int br
R2# show ip route

SW1 Configuration
SW1(config)#interface vlan 1
SW1(config-if)#ip address 1.1.1.4 255.0.0.0
SW1(config-if)#no shutdown
SW1(config)#router rip
SW1(config-router)#network 0.0.0.0
SW1# show ip int br

Logging Configuration
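! Send log messages to the syslog server at 1.1.1.10 (either form)
R1(config)# logging 1.1.1.10
R1(config)# logging host 1.1.1.10
! Enable buffered logging
R1(config)# logging buffered
! Set the severity level sent to the syslog server (by number or by name)
R1(config)# logging trap <0-7>
R1(config)# logging trap notifications
R1(config)# logging trap 5
! Disable console logging, or set its severity level
R1(config)# no logging console
R1(config)# logging console <Level>
! Clear the logging buffer
R1# clear logging
! Set the buffered logging severity level and the buffer size
R1(config)# logging buffered informational
R1(config)# logging buffered 64000
! Remove timestamps from log messages; add sequence numbers to them
R1(config)# no service timestamps
R1(config)# service sequence-number
! Show or hide log messages on the current VTY session
R1# terminal monitor
R1# terminal no monitor
! Display the logging settings and the buffered messages
R1# show logging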
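
The message fields listed earlier (sequence number, timestamp, facility, severity, mnemonic, text) and the logging trap level can be checked together in a short script. This is an added example, not part of the original handout: a Python parser for IOS-style lines that sorts them the way a device set to logging trap 5 would. The sample lines are constructed, and the timestamp form handled is an assumption.

```python
import re

# Severity names from the table on this page (0 = most severe).
SEVERITY = ["Emergency", "Alert", "Critical", "Error",
            "Warning", "Notice", "Informational", "Debug"]

# [seq:] [timestamp:] %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: message text
# Assumption: timestamps use the "Mar  1 00:04:10.123" date-time form.
LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<timestamp>[*.]?[A-Z][a-z]{2} +\d+ [\d:.]+(?: [A-Z]+)?): )?"
    r"%(?P<facility>[A-Z0-9_]+(?:-[A-Z0-9_]+)*)"
    r"-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# Constructed sample lines (not captured from a real device).
SAMPLE = [
    "000021: *Mar  1 00:04:10.123: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
    "000022: *Mar  1 00:04:11.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up",
    "*Mar  1 00:05:02.500: %SYS-5-CONFIG_I: Configured from console by console",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 2.1.1.2(1034) -> 1.1.1.10(23), 1 packet",
    "not a syslog line",
]

def parse(line):
    """Return the message fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    msg["level_name"] = SEVERITY[msg["severity"]]
    return msg

def split_by_trap(lines, trap_level):
    """Sort lines as a device set to `logging trap <trap_level>` would:
    severity <= trap_level is sent to the server, anything higher is not."""
    sent, filtered, unparsed = [], [], []
    for line in lines:
        msg = parse(line)
        if msg is None:
            unparsed.append(line)
            continue
        tag = f'{msg["facility"]}-{msg["severity"]}-{msg["mnemonic"]}'
        (sent if msg["severity"] <= trap_level else filtered).append(tag)
    return sent, filtered, unparsed

if __name__ == "__main__":
    sent, filtered, unparsed = split_by_trap(SAMPLE, trap_level=5)
    print("sent:", sent)
    print("filtered:", filtered)  # the level-6 access-list entry stays off the server
    print("unparsed:", unparsed)
```

With the trap level at 5 (notifications), the level-6 access-list message is not forwarded, so a server meant to support security auditing needs the trap level set to 6 or higher.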

The external syslog server shows R1's logs.

Logs with Timestamp

Logs without Timestamp.



Logs with sequence numbers after enabling service sequence-number.

R1(config)#line vty 0 4
R1(config-line)#password 123
R1(config-line)#login
R1(config)#enable password 123
R1#terminal monitor

After terminal monitor is enabled, logs show up on the remote Telnet screen.

By default, syslog messages are only displayed to the console.


Below is local logging on the console.
