This module confuses two different topics, and the Cisco Networking Academy curriculum has done this for years. Let's break them down.
How logging works on an IOS router/switch is one topic, and Syslog, the protocol, is another. Although aspects of the two work together, they are still two distinct things.
Logging on a Cisco IOS Device
Cisco IOS Devices will log to three different locations by default.
- Device log buffer (this is what is displayed when you do a show log command)
- Device connected to the console port (technically, the message is displayed there even if a device is not plugged into that port to display it)
- Device connected to a VTY Telnet/SSH session, provided that you have run the terminal monitor command (this enables you to get a copy of the console log messages)
There are a few commands that you can use to change the behavior of how this logging works.
By default, a typical log message will look something like this:
%LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to up
If you are troubleshooting a problem and trying to determine when something occurred, this will not help you much. There is a way that we can configure the internal log to add the date/time to those log messages:
R1(config)# service timestamps log datetime
This command changes the log messages written to the log buffer, or displayed on the console port or in a VTY session, to include the date and time at which each message was created. After turning that on, the log output on the device will look like this:
*Mar 1 00:14:03: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up
*Mar 1 00:14:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to up
This will be much more useful when trying to troubleshoot an issue.
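To make the format concrete, here is an added Python example (not code from the original article) that parses IOS log lines in both forms shown above, with and without the timestamp that service timestamps log datetime adds. It also reads two things a troubleshooter should notice: the optional sequence-number prefix that service sequence-numbers writes, and the leading "*" on a timestamp, which IOS uses to mark a clock that has never been synchronised (a "." marks a clock that was synchronised but has since lost its NTP source). The sample log lines are constructed for the example; the SEC_LOGIN line and the severity-3 triage threshold are assumptions, not from the page.

```python
import re

# Meaning of the single digit in %FACILITY-SEVERITY-MNEMONIC (0 is the most severe).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Optional sequence number written by "service sequence-numbers" (e.g. "000042: ").
_SEQ = re.compile(r"^(?P<seq>\d+): ")
# Optional timestamp written by "service timestamps log datetime".  A leading "*"
# means the clock is not authoritative (never synchronised); a leading "." means
# it was synchronised but has lost contact with its NTP source.
_TS = re.compile(
    r"^(?P<flag>[*.]?)(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?)"
    r"(?: [A-Z]{3,5})?: "
)
# The message itself: %FACILITY-SEVERITY-MNEMONIC: free text.
_MSG = re.compile(
    r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)


def parse_ios_log_line(line: str) -> dict:
    """Split one IOS log line into its parts; raises ValueError for other lines."""
    rest = line.strip()
    record = {"sequence": None, "timestamp": None, "clock_authoritative": None}
    m = _SEQ.match(rest)
    if m:
        record["sequence"] = int(m.group("seq"))
        rest = rest[m.end():]
    m = _TS.match(rest)
    if m:
        record["timestamp"] = m.group("ts")
        record["clock_authoritative"] = m.group("flag") == ""
        rest = rest[m.end():]
    m = _MSG.match(rest)
    if m is None:
        raise ValueError(f"not an IOS %FACILITY-SEVERITY-MNEMONIC message: {line!r}")
    sev = int(m.group("severity"))
    record.update(
        facility=m.group("facility"), severity=sev, severity_name=SEVERITY_NAMES[sev],
        mnemonic=m.group("mnemonic"), text=m.group("text"),
    )
    return record


def triage(lines, max_severity: int = 3) -> dict:
    """Return the events at severity <= max_severity (lower number = more urgent),
    in logged order, plus a count of timestamps that came from an unsynchronised
    clock and therefore cannot be trusted for correlation with other systems."""
    events, untrusted = [], 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_ios_log_line(line)
        if rec["timestamp"] is not None and not rec["clock_authoritative"]:
            untrusted += 1
        if rec["severity"] <= max_severity:
            events.append((rec["timestamp"], rec["facility"], rec["mnemonic"]))
    return {"events": events, "untrusted_timestamps": untrusted}


# Constructed sample output: the two lines from the article plus two more.
SAMPLE_LOG = """\
*Mar 1 00:14:03: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up
*Mar 1 00:14:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to up
000042: *Mar 1 00:20:11.501 UTC: %SYS-5-CONFIG_I: Configured from console by console
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.55] [localport: 22] [Reason: Login Authentication Failed]
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG.splitlines())
    for ts, fac, mnem in summary["events"]:
        print(f"{ts or '(no timestamp)'}  {fac}-{mnem}")
    print(f"{summary['untrusted_timestamps']} timestamp(s) from an unsynchronised clock")
```

Run against a saved show logging capture, the last counter is the quick check for whether the device had NTP when the events were recorded: every "*" timestamp is relative to the device's epoch, not to real time.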
Because routers/switches do not have an internal clock that can keep time when the device is powered off, the time on a router will always go back to the epoch date of that device. Read more about epoch dates here. So it is a good idea to configure your IOS device with an NTP server so that it can sync its clock with the actual time. Read more about configuring an NTP server here.
Syslog
Syslog is a TCP/IP application that has its origins in Unix operating systems. It was the protocol used to allow logs from Unix servers and workstations to be sent to a remote host. There are several reasons to send logs to a centralized remote host.
- Centralizing logs makes it much easier to analyze a single log. Modern tools like Splunk and LogRhythm allow you to take these centralized logs and analyze/alert on their contents. This is especially useful when monitoring for security-related events.
- If a server/device were to be compromised, one of the first things an attacker would do is modify/erase the logs to cover their tracks. Logging to a central log server that is further secured makes it much more difficult for the attacker to hide what is happening.
- Many network management tools will use Syslog as a way to get messages from network devices so that they can combine these messages with SNMP traps and other alerts to provide you with a single view into the health of your network.
It is not uncommon in an enterprise environment to have the logs from your networking devices go to several different Syslog servers. You might send them to a centralized log server for archiving, a log correlation server to analyze for security events, and a network management server for alerting. Although almost all network devices provide some functionality to log to multiple destinations, it is generally a best practice to send to a log archiving server (or some other single server) and then have that server forward copies of those messages to the other Syslog servers that need them.
Using this method, you can reduce the load on your network devices and your wide area network by only sending a single copy of the log message and then letting the log archive server send the multiple copies inside of your data center where you would have more bandwidth capacity.
Syslog Facilities
Syslog Severities
Configuring a Syslog server
Configuring a Syslog server on an IOS device is very simple. Although this is now out of scope for the ENSA curriculum, it has been covered for years as part of the CCNA exam objectives.
The first step is to configure what server you want to forward your log messages to:
R1(config)#logging host 192.168.100.1
This will result in a copy of each log message the router creates being forwarded to the Syslog server at 192.168.100.1.
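The following added Python example (not code from the article or from Cisco) models what happens to a message after logging host is configured, and the single-server-then-fan-out design recommended in the Syslog section above. It shows the Syslog PRI arithmetic (facility * 8 + severity, with Cisco IOS sending as facility local7 by default), the device-side filter that the logging trap level applies (informational, 6, by default, so debugging messages never leave the device unless that level is raised), and the collector side that decodes the PRI and decides which downstream servers get a copy. The forwarding rules, the 192.168.100.1 sample and the EXAMPLE-7 placeholder message are constructed for this example.

```python
import re

# Syslog facility codes (RFC 3164 / RFC 5424).  Cisco IOS uses local7 (23) unless
# changed with "logging facility"; the PRI on the wire is facility * 8 + severity.
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog", 6: "lpr",
    7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp", 12: "ntp", 13: "audit",
    14: "alert", 15: "clock", 16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]
IOS_DEFAULT_FACILITY = 23   # local7
IOS_DEFAULT_TRAP = 6        # "logging trap informational" is the IOS default

_PRI = re.compile(rb"^<(?P<pri>\d{1,3})>")


def encode_pri(facility: int, severity: int) -> int:
    """Compute the <PRI> value a sender puts in front of the message."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Split a PRI back into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def device_emit(body: str, severity: int, trap_level: int = IOS_DEFAULT_TRAP,
                facility: int = IOS_DEFAULT_FACILITY):
    """Router side: drop anything less urgent than the "logging trap" level, otherwise
    build the UDP payload "<PRI>body" that is sent to each configured "logging host"."""
    if severity > trap_level:
        return None
    return f"<{encode_pri(facility, severity)}>{body}".encode()


def parse_datagram(data: bytes) -> dict:
    """Collector side: decode the PRI and keep the rest of the payload as the message.
    A payload with no usable PRI is treated as <13> (user.notice), as RFC 3164 directs."""
    m = _PRI.match(data)
    if m is None or int(m.group("pri")) > 191:
        pri, body = 13, data
    else:
        pri, body = int(m.group("pri")), data[m.end():]
    facility, severity = decode_pri(pri)
    return {
        "pri": pri,
        "facility": facility, "facility_name": FACILITY_NAMES[facility],
        "severity": severity, "severity_name": SEVERITY_NAMES[severity],
        "message": body.decode("utf-8", errors="replace"),
    }


def fan_out(record: dict, rules) -> list:
    """Archive-server side: which downstream collectors get a copy.  rules is a list of
    (destination, most_lenient_severity) pairs; a destination receives the message when
    its severity number is at or below that threshold (lower number = more urgent)."""
    return [dest for dest, max_sev in rules if record["severity"] <= max_sev]


# Constructed forwarding policy for the archive server (an assumption, not from the page).
RULES = [("archive", 7), ("siem", 5), ("nms", 3)]

# Constructed sample events as (severity, IOS log line); the last one is a placeholder.
SAMPLE_EVENTS = [
    (3, "*Mar 1 00:14:03: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up"),
    (5, "*Mar 1 00:14:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to up"),
    (6, "*Mar 1 00:15:30: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.100.1 port 514 started - CLI initiated"),
    (7, "*Mar 1 00:16:00: %EXAMPLE-7-CONSTRUCTED: debugging-level placeholder, not a real IOS message"),
]


def simulate(events=SAMPLE_EVENTS, trap_level=IOS_DEFAULT_TRAP, rules=RULES) -> list:
    """Run each event through the device filter, the wire encoding, the collector's
    parser and the archive server's fan-out.  Returns (pri, severity_name, destinations)
    for every event that actually left the device."""
    out = []
    for severity, body in events:
        datagram = device_emit(body, severity, trap_level)
        if datagram is None:
            continue
        rec = parse_datagram(datagram)
        out.append((rec["pri"], rec["severity_name"], fan_out(rec, rules)))
    return out


if __name__ == "__main__":
    for pri, name, dests in simulate():
        print(f"<{pri}> {name:<13} -> {', '.join(dests)}")
```

The point to take from the simulation is that the router sends exactly one datagram per message and the archive server does the copying, which is the bandwidth-saving design described above; raising trap_level to 7 in the call to simulate shows how much extra traffic a debug-level trap setting would push onto the WAN.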