Going beyond the question of what syslog is and why it’s used, this article digs into how to configure syslog on network devices.

The explanations and examples will be a bit Cisco IOS specific, mainly because that’s the gear I’m most familiar with. Essentially every modern network device has at least some syslog capabilities. The ones that don’t support it directly have their own logging consoles that can usually be configured to filter and forward logs on to a centralized syslog server.

Here are the basic steps I tend to follow for Cisco syslog configuration to keep the messages manageable and the network overhead low.

Before configuring a Cisco device to send syslog messages, make sure that it is configured with the right date, time, and time zone. Syslog data would be useless for troubleshooting if it shows the wrong date and time.

Step 1: Enable logging on the Cisco device

The syslog protocol sends clear text messages over UDP port 514 by default. You can enable basic logging on most Cisco devices using the command “logging” followed by the server’s IP address. On my network, the syslog server’s IP address is 192.168.2.47, so I would type this:

!
 logging 192.168.2.47
 logging on
!

Note: “logging on” (“logging enable” on some devices) isn’t usually necessary. This command just turns on the logging function. I included it here in case it had previously been disabled.

Step 2: Modify the syslog config for facility codes

By default, Cisco devices use a syslog facility code of “local7” for all of their messages. As I explained in the previous article, facility codes are just a way of separating messages from different types of devices and services. Otherwise, you can find yourself completely inundated with messages and unable to use them effectively.

If you’re only logging from one service to a remote syslog server (Cisco devices use a single facility code for everything by default), then you typically don’t need to change the facility. If for some reason you do, it’s an easy change. Simply type the following, replacing ‘X’ with a number 0-7:

logging facility localX

Quick tip: if you’re using network management software like Auvik, all your configurations, current and new, will be part of your network configuration backup for quick retrieval if any of your server tweaks don’t perform the way you want them to!

Step 3: Change the default logging levels

In the previous example, my Cisco device was just configured with the default logging level, which is “informational.” This means the device will send all messages to the server that are of level 6 or “higher” (in this case, higher priority means a lower numerical value).

Suppose I don’t want to use the default value and only want to send messages of a certain priority or higher. If I want to see debugging messages as well as all the higher priority messages, I can use this command:

!
 logging trap debugging
!

Similarly, if I only want to see warning messages (priority 4) or higher, I can use this command:

!
 logging trap warning
!

I don’t generally recommend configuring the logging priority level much higher than this. You’ll almost never see priority 0 or 1 messages because they usually indicate a catastrophic failure. And in my experience, the designations of priority 2, 3, and 4 messages are largely arbitrary. I usually just leave the default value of 6, or “informational.” The priority you use may also depend on your network performance monitoring tool, and its storage capacity and log ingestion limits.
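To make the facility and severity arithmetic of Steps 2 and 3 concrete, here is a small Python script, added as an example for this article (it is not Cisco’s or Auvik’s code). Every message a device sends starts with a PRI value equal to facility * 8 + severity; the script decodes that back to names such as local7 and warnings, applies the same “logging trap <level>” cutoff the device would apply before forwarding, and flags messages whose PRI disagrees with the %FACILITY-SEVERITY-MNEMONIC tag IOS puts in the message text, which is a cheap sanity check to run on the collector. The sample messages are constructed for the example, and the severity keyword list and prefix matching mirror the IOS CLI keywords.

```python
import re

# Facility numbers per RFC 3164; Cisco IOS sends everything as local7 (23) unless
# "logging facility localX" says otherwise.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog"}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})

# Severity keywords as IOS spells them for "logging trap <level>"; the list index is the
# numeric level, so 0 is the highest priority and 7 (debugging) the lowest.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors", "warnings",
                  "notifications", "informational", "debugging"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# IOS system messages carry their own %FACILITY-SEVERITY-MNEMONIC tag after the timestamp.
MNEMONIC_RE = re.compile(r"%([A-Z][A-Z0-9_]*)-(\d)-([A-Z][A-Z0-9_]*):")

# Constructed sample messages in IOS format (sequence number, timestamp, text). The last
# one carries a PRI that contradicts its mnemonic, as a misconfigured or forged sender might.
SAMPLE_MESSAGES = [
    "<187>44: *Mar  1 00:12:34.567: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<189>45: *Mar  1 00:12:35.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "<190>46: *Mar  1 00:12:40.210: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.2.47 port 514 started - CLI initiated",
    "<191>47: *Mar  1 00:12:41.002: IP: s=192.168.10.1 (local), d=192.168.2.47 (GigabitEthernet0/0), len 120, sending",
    "<173>48: *Mar  1 00:13:02.780: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.2.10)",
    "<184>49: *Mar  1 00:13:05.115: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.2.10)",
]


def level_number(level):
    """Turn a severity given as an int or an IOS keyword (prefixes accepted, like the CLI) into 0..7."""
    if isinstance(level, int):
        if 0 <= level <= 7:
            return level
        raise ValueError(f"severity out of range: {level}")
    matches = [i for i, name in enumerate(SEVERITY_NAMES) if name.startswith(level.lower())]
    if len(matches) != 1:
        raise ValueError(f"unknown or ambiguous severity keyword: {level!r}")
    return matches[0]


def decode(message):
    """Split the <PRI> prefix into facility and severity and cross-check the IOS mnemonic tag."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("message has no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    facility_code, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    tag = MNEMONIC_RE.search(m.group(2))
    return {
        "facility": FACILITY_NAMES.get(facility_code, f"facility{facility_code}"),
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "mnemonic": f"%{tag.group(1)}-{tag.group(2)}-{tag.group(3)}" if tag else None,
        # A mismatch means the PRI does not describe the message it carries.
        "consistent": tag is None or int(tag.group(2)) == severity,
        "body": m.group(2),
    }


def trap_filter(messages, trap_level):
    """Return the messages a device configured with 'logging trap <trap_level>' would forward."""
    limit = level_number(trap_level)
    return [msg for msg in messages if decode(msg)["severity"] <= limit]


def inconsistent_messages(messages):
    """Messages whose PRI severity disagrees with their mnemonic: worth a look on the collector."""
    return [msg for msg in messages if not decode(msg)["consistent"]]


if __name__ == "__main__":
    for level in ("warning", "informational", "debugging"):
        kept = trap_filter(SAMPLE_MESSAGES, level)
        print(f"logging trap {level:<13} -> {len(kept)} of {len(SAMPLE_MESSAGES)} messages forwarded")
    for msg in SAMPLE_MESSAGES:
        d = decode(msg)
        flag = "" if d["consistent"] else "  <-- PRI/mnemonic mismatch"
        print(f"{d['facility']:>6}.{d['severity_name']:<13} {d['mnemonic'] or '(debug output)'}{flag}")
```

Run as-is it shows that “logging trap warning” forwards only the two messages at severity 4 or below (the link-down event and the mislabelled one), “informational” forwards everything except the debug line, and the last message is reported because its PRI claims severity 0 while its own tag says 5.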

Step 4: Define destination port and IP address

One thing you may want to do is change the UDP port number, or use TCP instead. Both are set per server with the transport option of the logging host command. To change your UDP port, use the following:

!
 logging host 192.168.2.47 transport udp port 8514
!

This command says, “For this server, I want to send messages to UDP port 8514 instead of the default port 514.” This only applies to the specified server. You may have multiple servers configured, and the device will send each message to all the configured servers.

To configure the device to use TCP instead of UDP, use this command:

!
 logging host 192.168.2.47 transport tcp port 8514
!

Note that, by default, the TCP port number is 601 on many Cisco devices. But there are a lot of TCP syslog implementations that use port 514. You need to verify which port your server is expecting to use.

Step 5: Define source IP address

Network devices often have several interfaces, and each of those interfaces could have a different IP address. You can easily have a situation where the device sends a syslog message for a “link down” event with one IP address and the corresponding “link up” event with a different IP address. It can be confusing to search the log files for these two messages. For this reason, it’s useful to specify a particular source address or source interface for syslog messages:

!
interface loopback0
 ip address 192.168.10.1 255.255.255.255
 no shutdown
!
logging source-interface loopback0
!

In this case, I’ve specified a loopback interface as the source. I did this because whichever physical interface I choose might be down when the device needs to send a message. Loopback interfaces can never go down, so they are a convenient way to uniquely specify a device. If you do this, you’ll need to make sure to create the loopback interface like I’ve done in the example.

Step 6: Securing syslog messages on a Cisco device (Optional)

One of the drawbacks to using syslog is that the messages, which could be sensitive in nature, are sent in clear text and can be readily intercepted or forged. In practice, I haven’t heard of any such attacks actually happening because most IT pros are careful to keep their syslog traffic confined to trusted network segments. But it’s possible.

Syslog can be, at least in theory, secured using SSL encryption. This requires using certificates on both the network device and the server to mutually authenticate one another. I say “in theory” because not all Cisco devices support this feature. Starting in version 9.2.1, Cisco Nexus switches support encrypted syslog, and ASA firewalls also support SSL syslog, but (at the time of writing this) it doesn’t appear to be supported in other Cisco product lines.


This feature isn’t used in most network installations because of the administrative overhead of keeping the certificates updated, and because it consumes more system resources to maintain the encrypted sessions. It’s much easier for a server to support logging from large numbers of remote devices over UDP, where the only overhead is in receiving individual packets and dropping them in the appropriate file or database table. There’s no session to maintain and no certificate to validate.

For these reasons, I generally don’t recommend using the encryption features of syslog. Instead, I prefer to design the network so these messages and other management traffic are isolated away from users and other production traffic. After all, network segmentation is good network management.


Appendix: Cisco syslog commands quick reference guide

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command: Router(config)# service timestamps type datetime [msec] [localtime] [show-timezone]
Purpose: Timestamps syslog messages; the options for the type keyword are debug and log.

Command: Router(config)# logging host
Purpose: Specifies the syslog server by IP address or host name; you can specify multiple servers.

Command: Router(config)# logging trap level
Purpose: Specifies the kind of messages, by severity level, to be sent to the syslog server. The default is informational and lower.

Emergency: 0
Alert: 1
Critical: 2
Error: 3
Warning: 4
Notice: 5
Informational: 6
Debug: 7

Use the debug level with caution, because it can generate a large amount of syslog traffic in a busy network.

Command: Router(config)# logging facility facility-type
Purpose: Specifies the facility level used by the syslog messages; the default is local7. Possible values are local0, local1, local2, local3, local4, local5, local6, and local7.

Command: Router(config)# end
Purpose: Returns to privileged EXEC mode.

Command: Router# show logging
Purpose: Displays logging configuration.

For more information, please read the original Cisco documentation, Configuring Cisco Devices to Use a Syslog Server.

Comment from Michael Sta Maria:

Thanks for the detailed steps you provide. How about configuration for the successful and failed logins? Especially for routers and switches.
