Syslog Tutorial
As a network administrator, you have just completed all the configuration and everything is working nicely. The next thing you probably want is something that alerts you when a device or link in your network goes wrong or goes down. Syslog is an excellent tool for system monitoring and is almost always included in your distribution.
Places to store and display syslog messages
There are some places we can send syslog messages to:
| Place to store syslog messages | Command to use |
|---|---|
| Internal buffer (inside a switch or router) | logging buffered [size] |
| Syslog server | logging |
| Flash memory | logging file flash:filename |
| Nonconsole terminal (VTY connection…) | terminal monitor |
| Console line | logging console |
Note: If sent to a syslog server, messages are sent on UDP port 514.
By default, Cisco routers and switches send log messages to the console. We should use a syslog server to store our logging messages, configured with the logging command. A syslog server is the most popular place to store logging messages, and administrators can easily monitor the health of their networks based on the received information.
Syslog syntax
A syslog message has the following format:
seq no: timestamp: %FACILITY-SEVERITY-MNEMONIC: message text
Each portion of a syslog message has a specific meaning:
+ Seq no: A sequence number, present only if the service sequence-numbers global configuration command is configured.
+ Timestamp: Date and time of the message or event. This information appears only if the service timestamps global configuration command is configured.
+ FACILITY: This tells the protocol, module, or process that generated the message. Some examples are SYS for the operating system, IF for an interface…
+ SEVERITY: A number from 0 to 7 designating the importance of the action reported. The levels are:
| Level | Keyword | Description |
|---|---|---|
| 0 | emergencies | System is unusable |
| 1 | alerts | Immediate action is needed |
| 2 | critical | Critical conditions exist |
| 3 | errors | Error conditions exist |
| 4 | warnings | Warning conditions exist |
| 5 | notification | Normal, but significant, conditions exist |
| 6 | informational | Informational messages |
| 7 | debugging | Debugging messages |
Note: You can remember the order above with the sentence: “Eventually All Critical Errors Will Not Involve Damage”.
The highest (most severe) level is level 0 (emergencies). The lowest level is level 7 (debugging). To change the minimum severity level that is sent to the syslog server, use the logging trap level configuration command. If you specify a level, that level and all more severe levels (the lower numbers) will be logged. For example, with the logging console warnings command, all messages of severity emergencies, alerts, critical, errors and warnings (levels 0 through 4) will be displayed on the console. Levels 0 through 4 are for events that could seriously impact the device, whereas levels 5 through 7 are for less important events. By default, syslog servers receive informational messages (level 6).
+ MNEMONIC: A code that identifies the action reported.
+ message text: A plain-text description of the event that triggered the syslog message.
Let’s see an example of the syslog message:
39345: May 22 13:56:35.811: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down
+ seq no: 39345
+ Timestamp: May 22 13:56:35.811
+ FACILITY: LINEPROTO
+ SEVERITY level: 5 (notification)
+ MNEMONIC: UPDOWN
+ message text: Line protocol on Interface Serial0/0/1, changed state to down
Syslog Configuration
The following example tells the device to send syslog messages to a server at 10.10.10.150 and to limit the messages to severity level 4 and more severe (levels 0 through 4):
Router(config)#logging 10.10.10.150
Router(config)#logging trap 4
Of course, on the server 10.10.10.150 we have to run syslog software to capture the syslog messages sent to it.
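The message format and the logging trap behaviour described above, as an added example that is not part of the original tutorial: a small parser for the %FACILITY-SEVERITY-MNEMONIC format (with the optional sequence number and timestamp) and a filter that mirrors what logging trap 4 forwards to the server. The sample messages after the tutorial's own example line are constructed for illustration, not captured from a real device.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# Severity keywords from the tutorial's table, indexed by level 0..7.
SEVERITY_KEYWORDS = ["emergencies", "alerts", "critical", "errors",
                     "warnings", "notification", "informational", "debugging"]

# Cisco IOS format: [seq no:] [timestamp:] %FACILITY-SEVERITY-MNEMONIC: text
# Sequence number and timestamp are optional (service sequence-numbers /
# service timestamps). The timestamp is matched as "anything up to the last
# ': ' before the '%'", so "May 22 13:56:35.811" is kept whole.
SYSLOG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"                  # optional sequence number
    r"(?:(?P<ts>[^%]*?):\s*)?"                 # optional timestamp
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)

class SyslogMessage(NamedTuple):
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_keyword(self) -> str:
        return SEVERITY_KEYWORDS[self.severity]

def parse_syslog(line: str) -> SyslogMessage:
    """Split one Cisco-style syslog line into its named parts."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Cisco syslog message: {line!r}")
    return SyslogMessage(seq=int(m["seq"]) if m["seq"] else None, timestamp=m["ts"],
                         facility=m["facility"], severity=int(m["severity"]),
                         mnemonic=m["mnemonic"], text=m["text"])

def messages_for_trap_level(lines: Iterable[str], trap_level: int) -> List[SyslogMessage]:
    """Mirror 'logging trap <level>': forward a message when its severity number
    is <= the configured level (lower number = more severe)."""
    if not 0 <= trap_level <= 7:
        raise ValueError("trap level must be 0..7")
    return [m for m in map(parse_syslog, lines) if m.severity <= trap_level]

# Constructed sample lines; the first is the tutorial's own example.
SAMPLE_LINES = [
    "39345: May 22 13:56:35.811: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down",
    "39346: May 22 13:57:02.101: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down",
    "%SYS-5-CONFIG_I: Configured from console by console",
    "May 22 13:58:10.500: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.10.10.7]",
]

if __name__ == "__main__":
    for msg in messages_for_trap_level(SAMPLE_LINES, 4):   # what 'logging trap 4' sends
        print(msg.severity, msg.severity_keyword, msg.facility, msg.mnemonic, msg.text)
```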
Ok
Great!! Thanks 9tut.
Thanks a lot..
Thanks, it’s helpful and well explained.
cbt-nuggets did not spend enough time on syslog, netflow and snmp.
thanks 9tut
Thanks a lot for such useful information
good info
Thanks 9tut
What is local 7?
Short and to the point. Thanks
Thank you so much. I don’t know what we are going to do without you 9tut
Easy and concise straight to the point explanation, we really appreciate 9tut.
Thanks for the information!!!
Keep posting
Sorry, but in the Cisco Site Configuration Guide, says the following: By default, Cisco IOS devices, CatOS switches, and VPN 3000 Concentrators use facility local7.
So, what affirmation is correct? :(
Level 6 or Level 7 is the default value?
“By default, syslog servers receive informational messages (level 6).”
Actually it’s 7
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_nx_os_cg/sm_5syslog.html#wp1065165
@Anonymous: In your link, it says “The default outgoing facility is local7”. That is not a level-7 message but the “facility”. The statement “By default, syslog servers receive informational messages (level 6)” is correct.
http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-3_7_JA/configuration/guide/i1237sc/s37sml.html#wp1035106
You made my day thanks
Super description
Nice, awesome explanation
Short and to the point. Thanks
Short and to the point. Thanks
So simple and straight to the point
Good material. Thank you 9tut
Thank you 9tut , very good
Thank you, it helped me a lot
nice..thanx
Thanks, Well explained.
Hi
What is the difference between Syslog & SNMP ?!
Whereas both of them are doing the same thing.
Please respond
Regards
Mohsin
Thank you well illustrated.
Wow this is very helpful! now I know! thanks 9tut!
Hello 9tut: can’t locate the NetFlow tutorial
is there one?
thanks
@justin13: We are sorry but currently we don’t have NetFlow tutorial. We will try to add it soon.
justin13, you can go to danscourses on youtube and he has them there
thanks ;)
@9tut please upload NetFlow tutorial
I need a VCE and latest dumps
jovialwhisper@hotmail.com
Can I get the latest dumps
ahmadalibm@hotmail.com
Can I get the latest dumps please
hshantan@gmail.com