What is Syslog?
Syslog is a standard way for network devices to send event messages to a logging host, usually known as a Syslog server. Most network equipment, such as routers and switches, can send Syslog messages. Windows-based servers do not support Syslog natively, but a large number of third-party agents make it easy to collect Windows Event Log or IIS data and forward it to a Syslog server. Unlike SNMP, Syslog cannot be used to poll devices for information: the device decides what to send and when. The resulting logs are useful later for troubleshooting and auditing.
For example, when an attacker breaks into a system, the activity may leave a trail in the syslog messages, and that trail can then be used to understand the attack, assess the damage, and fix the system. The trail is only as good as where it is kept: an intruder with privileged access can clear or alter the logs held on the compromised device itself, which is the main reason to forward them to a separate, access-controlled syslog server as they are generated.
Various Cisco devices, including routers, switches, PIX Firewalls, VPN concentrators, and so on, generate syslog messages for system information and alerts.
Example
A Cisco router can generate a syslog message when an interface goes down or the configuration is changed. Similarly, a Cisco PIX Firewall can generate a syslog message when it blocks a TCP connection.
- R1#
- *Feb 14 09:38:48.132: %SYS-5-CONFIG_I: Configured from console by console
- R1#
- *Feb 14 09:40:09.325: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
- *Feb 14 09:40:10.326: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
Under the original BSD syslog format (RFC 3164) the syslog packet is limited to 1024 bytes; the newer RFC 5424 format permits larger messages when the receiver supports them. Each packet carries the following information:
- Facility
- Severity
- Hostname
- Timestamp
- Message
Cisco devices can be configured to send syslog messages to an external machine that acts as a central syslog server. However, if connectivity between the Cisco device and the syslog server is down, the server captures nothing for that period. In such cases, the messages stored locally on the Cisco device (its logging buffer) are the only source of information for finding the root cause, so keep local buffered logging enabled even when a remote server is configured.
Syslog traditionally uses the User Datagram Protocol (UDP), port 514, for communication. Being a connectionless protocol, UDP provides no acknowledgments, and the syslog application layer adds none either: the server never tells the sender that a message was received. Consequently, the sending device generates syslog messages without knowing whether the server has received them, and it keeps sending even if the syslog server does not exist. Be aware that some network devices and collectors can instead use TCP (for example TCP 1468 in some deployments) so that a broken connection is at least detected, and syslog over TLS on TCP 6514 (RFC 5425) adds encryption and server authentication on top of that. Plain UDP syslog is neither authenticated nor encrypted: anyone on the path can read it, and anyone who can reach the collector's port can inject forged messages with a spoofed source address. Restrict the collector's port to the management network and use TLS where the devices support it.
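To make those delivery guarantees concrete, here is an added example (not code from the original page or from any vendor) that builds an RFC 3164 datagram, sends it over UDP from one loopback socket to another, and then repeats the send with no receiver at all. Ephemeral loopback ports stand in for UDP 514 and the collector, the message text is constructed from a line shown on this page, and the 1024-byte limit enforced in build_datagram is taken from the packet-size note earlier on this page.

```python
"""Send a syslog message over UDP the way a network device does, and show what the
sender can and cannot learn about delivery.

Added example for this page; not code from the page or from any vendor. It assumes
the RFC 3164 wire format (<PRI>message, PRI = facility * 8 + severity, Cisco's
default facility local7 = 23) and uses loopback sockets on ephemeral ports in place
of a real device and a collector on UDP 514. The sample text is constructed from a
line shown on this page.
"""
import socket

LOCAL7 = 23
MAX_RFC3164_LEN = 1024  # packet limit noted on this page


def build_datagram(severity: int, message: str, facility: int = LOCAL7) -> bytes:
    """Prefix the message with its <PRI> and enforce the 1024-byte limit."""
    if not 0 <= severity <= 7 or not 0 <= facility <= 23:
        raise ValueError("severity must be 0-7 and facility 0-23")
    data = f"<{facility * 8 + severity}>{message}".encode()
    if len(data) > MAX_RFC3164_LEN:
        raise ValueError(f"datagram is {len(data)} bytes, over the {MAX_RFC3164_LEN} limit")
    return data


def _free_port(kind: int) -> int:
    """Bind to port 0 to learn a port nothing listens on, then release it
    (assumption: no other process grabs it before we use it)."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def udp_deliver(datagram: bytes) -> bytes:
    """Device -> collector over UDP. The collector replies with nothing; we only know
    the message arrived because this process also owns the receiving socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as collector:
        collector.bind(("127.0.0.1", 0))
        collector.settimeout(2)
        port = collector.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as device:
            device.sendto(datagram, ("127.0.0.1", port))
        received, _ = collector.recvfrom(2048)
    return received


def udp_send_to_nobody(datagram: bytes) -> int:
    """The same send with no collector running: sendto() still reports the full
    byte count and the message is silently lost."""
    port = _free_port(socket.SOCK_DGRAM)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as device:
        return device.sendto(datagram, ("127.0.0.1", port))


def tcp_connect_to_nobody() -> bool:
    """With TCP transport the device at least learns that no collector is there."""
    port = _free_port(socket.SOCK_STREAM)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as device:
        device.settimeout(2)
        try:
            device.connect(("127.0.0.1", port))
        except ConnectionRefusedError:
            return False
    return True


if __name__ == "__main__":
    msg = build_datagram(5, "*Feb 14 09:40:10.326: %LINEPROTO-5-UPDOWN: "
                            "Line protocol on Interface GigabitEthernet0/1, changed state to up")
    print("collector received:", udp_deliver(msg))
    print("bytes 'sent' with no collector listening:", udp_send_to_nobody(msg))
    print("TCP connect with no collector succeeded:", tcp_connect_to_nobody())
```

Run it and compare the three results: udp_deliver returns exactly the bytes the collector got, udp_send_to_nobody still returns the full byte count although nothing was listening, and tcp_connect_to_nobody returns False because the kernel reports the refused connection. Even the TCP variant only detects a missing server, not a forged sender; that takes TLS with certificate checks.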
A clear understanding of each of the syslog packet parameters can help you easily deploy syslog systems across your network. Note that the first two parameters, facility and severity, are often misunderstood.
—————————————————————————
Facility (Sources)
Syslog messages are broadly categorized by the source that generates them. The facility represents the process or subsystem that created the event: for example, whether it came from the kernel, the mail system, or an OSPF process. Two different things go by this name. On the wire, the syslog protocol facility is a number from 0 to 23 (kern, user, mail, daemon, and so on up to local0 through local7) that is combined with the severity into the <PRI> value at the front of the packet. Inside a Cisco message, the facility is the word between the % and the severity digit, such as SYS, LINK or LINEPROTO in the example above, and identifies the IOS component that produced the message.
————————————————————————–
Severity
Cisco devices use one of the local use facilities (local7 by default, changeable with the logging facility command) as the syslog protocol facility of the messages they send. The source that generates the message also specifies its severity as a single-digit integer from 0 to 7, as shown in Table 2: 0 emergencies, 1 alerts, 2 critical, 3 errors, 4 warnings, 5 notifications, 6 informational, 7 debugging. The lower the number, the more urgent the message.
By default these syslog messages are shown on the console, because the logging console command is enabled by default.
Example
In this example, I shut down interface f0/0 on RT-04, a router that is running OSPF and acting as a DHCP server, and then bring it back up with no shut.
- RT-04(config)#interface f0/0
- RT-04(config-if)#shut
- RT-04(config-if)#
- %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
- %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
- 02:45:13: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.3.1 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
- RT-04(config-if)#no shut
- RT-04(config-if)#
- %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
- %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
- RT-04(config-if)#
- 02:46:01: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.3.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
- RT-04(config-if)#
Notice that, by default on this particular device, each message shows the following:
- A timestamp (02:45:13 on the OSPF lines in this output). An asterisk in front of a timestamp, as in *Feb 14 09:38:48.132 in the earlier example, means the router's clock is not authoritative; synchronize devices with NTP so that timestamps from different sources can be correlated.
- The facility on the router that generated the message: LINEPROTO (the % marks the start of the message)
- The severity level: 5
- A mnemonic for the message: UPDOWN
- The description of the message: Line protocol on Interface FastEthernet0/0, changed state to down
Syslog Output Methods
Console Syslog
- Syslog output goes to the console by default: messages are displayed when we are connected to the device's console port.
- Messages can also be viewed while administering the Cisco device remotely over Telnet/SSH. Because a remote (vty) session is not the console, you need to run terminal monitor each time you connect remotely. All configurations are in the CCNP section, see link below.
Logging Buffer
- Stored in RAM on the Cisco device and lost when the device reloads
- Default size of 4096 bytes (adjustable with logging buffered)
- Circular: the oldest messages are overwritten once the buffer is full
Remote Syslog
- Syslog messages are sent to a remote central server configured with logging host
- Uses UDP 514 by default; TCP or TLS transport can be configured where the platform supports it