Syslog on Cisco devices

What is syslog and how to use it on Cisco devices?

Written on 2022-04-03 by Remco Kersten in networking


What is syslog?

Syslog is a system logging protocol. Syslog is used by many applications, such as software, servers, sensors, etc. Cisco devices also use syslog.

Syslog messages always contain a time, a priority and a message.

Severity Levels

Cisco syslog messages can range from important critical messages (such as a router crash) to less important informational messages (such as line protocol information).

Emergency0System unusable
Emergency0System unusable

Configure syslog on Cisco devices

Cisco devices can display syslog messages in the following way:

  • Via the console connection
  • Via vty connection (telnet, SSH etc.)
  • Save to buffer
  • To syslog server

Syslog via console connection

By default, all type of syslog messages on the console connection are displayed. With command logging console <level> you can set which messages are displayed on the console connection. level stands for the last severity level. This can be entered as a keyword or number. logging console 4 is therefore the same as logging console warning. In this case, only syslog messages with levels 0 to 4 will be displayed on the console connection.

Syslog via vty connection

Syslog messages can also be sent to vty connections, users who are logged into the router via eg SSH. With the command logging monitor level you can set which messages are displayed on the vty connections.

NB! When a user is logged in, they will see no syslog messages by default. The user can enable this in his session by entering the command terminal monitor in enabled mode.

Syslog to buffer

Cisco devices have a buffer in which syslog messages are stored. With the command logging buffered <level> you can set which messages are stored in this buffer.

In enabled mode the buffer can be viewed with command show logging

SSH bluesheep@R1

R1#show logging
Log Buffer (8192 bytes):

*Apr  3 12:08:44.372: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
*Apr  3 12:08:44.378: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
*Apr  3 12:08:44.379: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
*Apr  3 12:08:44.389: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
*Apr  3 12:08:45.381: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
*Apr  3 12:08:45.384: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down

Syslog to syslog server

Cisco devices can forward the syslog messages to a syslog server.

Syslog servers capture and store syslog messages. Often such servers also offer the option to send a warning to the administrator if a critical syslog message has been received. An example of a free syslog server is Kiwi.

To set up a syslog server on a cisco device 2 things have to happen:

  1. Specify the syslog server: logging host ipaddress
  2. Specify up to which severity level syslog messages should be sent to the server: logging trap level

In the example below, messages up to level 4 (notification) are sent to syslog server

SSH bluesheep@R1

R1(config)#logging host
R1(config)#logging trap 4