Understanding Syslog

Posted on Monday, September 27, 2010
This article was posted in Networking Basics

SYSLOG: Most Cisco devices use the syslog protocol to manage system logs and alerts. Unlike their PC and server counterparts, however, Cisco devices lack large internal storage for these logs. To work around this limitation, Cisco devices offer the following two options:

Internal buffer: The device's operating system sets aside a small part of memory to hold the most recent messages. The buffer is limited to a few kilobytes and is circular, so once it fills the oldest messages are overwritten. This option is enabled by default, but all buffered messages are lost when the device reboots.

Syslog: Use the UNIX-style syslog protocol to send messages to an external server for storage. The storage capacity does not depend on the router's resources and is limited only by the disk space available on the syslog server. Shipping the messages off the device is also what lets them survive a reboot, or an attacker who gains control of the device and clears its local buffer. This option is not enabled by default.

SYSLOG POINTS

Syslog uses the User Datagram Protocol (UDP), port 514, for communication. The BSD syslog protocol, documented in RFC 3164, was originally written by Eric Allman; RFC 5424 has since superseded RFC 3164, but the BSD format is what the devices described here emit. RFC 3164 reserves facilities local0 through local7 for local use, and in practice they are used for messages received from remote servers and network devices. When routers, switches, firewalls and load balancers each log with a different facility, each class of device can be written to its own log file, which makes troubleshooting easier. Note that UDP syslog is neither authenticated nor encrypted and the datagram's source address can be spoofed, so restrict which sources the syslog server accepts and treat message contents as attacker-influenceable input.
  Before configuring a Cisco device to send syslog messages, make sure that it is configured with the correct date, time, and time zone. Syslog data is useless for troubleshooting if it carries the wrong date and time. Configure all network devices to use NTP, which ensures a correct and synchronized system clock on every device in the network. Accurate, synchronized time on every device is what makes event correlation across devices possible.
  The logging trap level limits which messages, by severity, are sent to the syslog server.

SYSLOG INFORMATION
The syslog packet size is limited to 1024 bytes. The facility and severity are encoded together in the PRI field at the start of the packet (PRI = facility * 8 + severity, written as <PRI>), followed by the remaining fields. The packet carries the following information:
  Facility
  Severity
  Hostname
  Timestamp
  Message
A clear understanding of each of these syslog packet parameters makes it easier to deploy syslog across your network. Note that the first two parameters, facility and severity, are often misunderstood.
Facility
Syslog messages are broadly categorized by the source that generates them: the operating system, a process, or an application. These categories, called facilities, are represented by integers, as shown in Table 1. Cisco devices use one of the local-use facilities to send syslog messages.

Table1. Facility Values
Integer Facility
0 Kernel messages
1 User-level messages
2 Mail system
3 System daemons
4 Security/authorization messages
5 Messages generated internally by Sys log
6 Line printer subsystem
7 Network news subsystem
8 UUCP subsystem
9 Clock daemon
10 Security/authorization messages
11 FTP daemon
12 NTP subsystem
13 Log audit
14 Log alert
15 Clock daemon
16 Local use 0 (local0)
17 Local use 1 (local1)
18 Local use 2 (local2)
19 Local use 3 (local3)
20 Local use 4 (local4)
21 Local use 5 (local5)
22 Local use 6 (local6)
23 Local use 7 (local7)
By default, Cisco IOS devices, CatOS switches, and VPN 3000 Concentrators use facility local7, while Cisco PIX Firewalls use local4 to send syslog messages. Most Cisco devices also provide an option to change the facility from its default value.
Severity
The source or facility that generates the syslog message also specifies the severity of the message, using a single-digit integer, as shown in Table 2.
Table2. Severity Values
Integer Severity
0 Emergency: System is unusable.
1 Alert: Action must be taken immediately.
2 Critical: Critical conditions.
3 Error: Error conditions.
4 Warning: Warning conditions.
5 Notice: Normal but significant condition.
6 Informational: Informational messages.
7 Debug: Debug-level messages.
Cisco devices use severity levels Emergency through Warning to report software or hardware issues. System restart and interface up/down messages are sent at the Notice level. A system reload is reported at the Informational level. The output of debug commands is sent at the Debug level.
Hostname
The hostname field contains the host name (as configured on the host itself) or the IP address. On devices such as routers or firewalls that have multiple interfaces, syslog uses the IP address of the interface from which the message is transmitted. On IOS, the logging source-interface command pins the source address (for example, to a loopback interface), so that the server's source allow-list and per-device log files stay stable regardless of which path the packet takes.
Timestamp
The timestamp is the local time of the device when the message was generated, in MMM DD HH:MM:SS format. Although RFC 3164 does not specify a time zone, Cisco IOS can be configured to include the time-zone information in the message part of the syslog packet, in the form MMM DD HH:MM:SS Timezone. IOS also prefixes the timestamp with a special character when its clock cannot be trusted: a leading asterisk (*) means the clock has never been set authoritatively (for example, by NTP), and a leading period (.) means the clock was authoritative but NTP synchronization has since been lost. Treat messages carrying either prefix as unreliable for correlation.
Note
For the timestamp information to be accurate, it is good administrative practice to configure all the devices to use the Network Time Protocol (NTP).
Message
This is the text of the syslog message, along with additional information about the process that generated it. Syslog messages generated by Cisco IOS devices begin with a percent sign (%) and use the following format:
  %FACILITY-SEVERITY-MNEMONIC: Message-text
Following is a description of each field:
• FACILITY— Refers to the source of the message, such as a hardware device, a protocol, or a module of the system software. Note that this FACILITY is Cisco specific and is only meaningful within the message string. It is different from the facility defined in RFC 3164 for the syslog protocol.
• SEVERITY— This is the same severity scale defined in Table 2; IOS also uses it to compute the PRI field of the packet, so the two should always agree.
• MNEMONIC— This is a device-specific code that uniquely identifies the message.
• Message-text— This is a text string that describes the message and can contain details such as port numbers and network addresses.
Following is a sample syslog message generated by a Cisco IOS device:
  *Mar 6 22:48:34.452 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
Note that the message begins with a special character (*), which means the router's clock was not authoritative when the message was generated, and that the timestamp includes the time zone. The message was generated by the LINEPROTO facility at severity 5 (Notice). The MNEMONIC UPDOWN together with the message text describes the event.
The format of syslog messages generated by CatOS differs slightly from the IOS format. Following is the format of a message generated by a CatOS switch:
  mm/dd/yyyy:hh/mm/ss:facility-severity-MNEMONIC:Message-text
Syslog messages generated by a Cisco PIX Firewall also begin with a percent sign (%) but differ slightly from IOS messages. Following is the format of a PIX syslog message, where level is the severity from Table 2 and message_number identifies the message (so a message starting %PIX-4- is a Warning):
  %PIX-level-message_number: Message text
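The following Python program is added here as an example; it is not from the article or from Cisco. It decodes constructed IOS and PIX datagrams laid out as the SYSLOG INFORMATION, Facility, Severity, Timestamp and Message sections above describe: it splits the <PRI> into facility and severity, pulls out the %FACILITY-SEVERITY-MNEMONIC fields, flags an IOS timestamp whose leading * or . means the clock was not authoritative, and flags a datagram whose PRI severity disagrees with the severity in the message body, which a genuine IOS or PIX message never produces. The sample lines, sequence counters, timestamps and addresses in SAMPLES are constructed.

```python
"""Decode RFC 3164 (BSD syslog) datagrams in the layout Cisco IOS and PIX emit.
Added example for this article, not Cisco code.  SAMPLES are constructed:
the IOS sequence counters, timestamps, addresses and texts are made up."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Index == facility number (Table 1); 4 and 10 are both "security/authorization".
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
# Index == severity number (Table 2).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
MAX_DATAGRAM = 1024  # RFC 3164 upper bound on one syslog packet

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# Cisco body: %FACILITY-SEVERITY-MNEMONIC: text.  On PIX the "facility" is the
# literal PIX and the mnemonic is the numeric message id (e.g. %PIX-4-106023).
CISCO_RE = re.compile(
    r"%(?P<fac>[A-Z][A-Z0-9_]*)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)$", re.S)
# IOS prefixes its timestamp with '*' (clock never authoritative) or '.'
# (was authoritative, NTP synchronization since lost).
UNSYNCED_RE = re.compile(r"(?:^|\s)[*.](?=[A-Z][a-z]{2} )")


@dataclass
class SyslogMessage:
    pri: int
    facility: int                 # PRI // 8
    severity: int                 # PRI % 8
    facility_name: str
    severity_name: str
    header: str                   # IOS sequence number / timestamp / hostname, verbatim
    cisco_facility: Optional[str]
    cisco_severity: Optional[int]
    mnemonic: Optional[str]
    text: str
    clock_authoritative: bool     # False when an IOS timestamp carries '*' or '.'

    def severity_mismatch(self) -> bool:
        """IOS and PIX derive the PRI severity from the message severity, so a
        disagreement means a forged datagram or a relay that rewrote the PRI."""
        return self.cisco_severity is not None and self.cisco_severity != self.severity


def parse_datagram(data: bytes) -> SyslogMessage:
    """Decode one UDP/514 payload; raises ValueError on malformed input."""
    if len(data) > MAX_DATAGRAM:
        raise ValueError("datagram exceeds the 1024-byte RFC 3164 limit")
    m = PRI_RE.match(data.decode("ascii", errors="replace").rstrip("\r\n"))
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 23 * 8 + 7:
        raise ValueError(f"PRI {pri} out of range (max 191)")
    facility, severity = divmod(pri, 8)
    rest = m.group(2)
    cm = CISCO_RE.search(rest)
    if cm:   # everything before the %FAC-SEV-MNEMONIC is header material
        header, text = rest[:cm.start()].rstrip(": "), cm.group("text")
        cisco_fac, cisco_sev, mnemonic = cm.group("fac"), int(cm.group("sev")), cm.group("mnem")
    else:    # not a Cisco-style body: keep the whole remainder as text
        header, text, cisco_fac, cisco_sev, mnemonic = "", rest, None, None, None
    return SyslogMessage(pri, facility, severity, FACILITIES[facility], SEVERITIES[severity],
                         header, cisco_fac, cisco_sev, mnemonic, text,
                         UNSYNCED_RE.search(header) is None)


def is_well_formed(data: bytes) -> bool:
    try:
        parse_datagram(data)
        return True
    except ValueError:
        return False


SAMPLES: List[bytes] = [
    # IOS default facility local7: 23 * 8 + notice (5) = PRI 189; '*' => unsynced clock.
    b"<189>47: *Mar  6 22:48:34.452 UTC: %LINEPROTO-5-UPDOWN: "
    b"Line protocol on Interface Loopback0, changed state to up",
    # PIX default facility local4: 20 * 8 + warning (4) = PRI 164.
    b"<164>Mar 06 2010 22:49:01: %PIX-4-106023: Deny tcp src outside:203.0.113.5/4444 "
    b"dst inside:192.0.2.10/23 by access-group \"outside_in\"",
    # Inconsistent: PRI claims debug (7) while the body says severity 5.
    b"<191>48: .Mar  6 22:50:00.000 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.50)",
]


def parse_all(datagrams: List[bytes]) -> List[SyslogMessage]:
    return [parse_datagram(d) for d in datagrams]


if __name__ == "__main__":
    for msg in parse_all(SAMPLES):
        flags = ("MISMATCH " if msg.severity_mismatch() else "") + \
                ("" if msg.clock_authoritative else "CLOCK-NOT-AUTHORITATIVE")
        print(f"{msg.facility_name:6} {msg.severity_name:13} "
              f"{msg.cisco_facility}-{msg.cisco_severity}-{msg.mnemonic} {flags}")
```

The third sample is the check worth keeping on a collector: the PRI is set by whoever built the datagram, so when it disagrees with the severity inside the Cisco message string, one of the two was not written by the device. The CatOS layout shown above has no leading percent sign and is not handled by this parser.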

CONFIG CISCO ROUTER FOR SYSLOG ****
To configure a Cisco IOS-based router to send syslog messages to an external syslog server, follow the steps in the table below.

Step Command Purpose
1 Router# configure terminal  Enters global configuration mode.
2 Router(config)# service timestamps type datetime [msec] [localtime] [show-timezone]  Timestamps syslog messages; the type keyword is debug or log, so enter the command once for each to stamp both debug output and log messages. Use msec and show-timezone so that events can be correlated across devices.
3 Router(config)# logging host {ip-address | hostname}  Specifies the syslog server; repeat the command to add more servers.
4 Router(config)# logging trap level  Specifies, by severity, which messages are sent to the syslog server. The default is informational (6), which sends severities 0 through 6. The possible values for level are as follows:
Emergency: 0
Alert: 1
Critical: 2
Error: 3
Warning: 4
Notice: 5
Informational: 6
Debug: 7
Use the debug level with caution, because it can generate a large amount of syslog traffic on a busy network.
5 Router(config)# logging facility facility-type  Specifies the facility used in the syslog messages; the default is local7. Values include local0 through local7.
6 Router(config)# end  Returns to privileged EXEC mode.
7 Router# show logging  Displays the logging configuration and the contents of the internal buffer.

Note
  When a level is specified in the logging trap level command, the router also sends every message with a numerically lower (more urgent) severity. For example, logging trap warnings sends all messages with severity warning, error, critical, alert, and emergency.
  Similarly, logging trap debugging causes the router to send all messages to the syslog server. Exercise caution when enabling the debug level: debug output is generated at high CPU priority, so enabling it on a busy network can make the router unresponsive or crash it.
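As an added example that is not part of the original article or Cisco's code, the following Python models the sender-side effect of the logging facility and logging trap commands from the table above, together with a collector that files datagrams per facility (the one-file-per-device-class arrangement described under SYSLOG POINTS) and drops datagrams from sources it does not know. Device names, addresses and message texts are constructed; main() also repeats the exchange over real UDP on 127.0.0.1 using an ephemeral port instead of 514.

```python
"""Sender-side model of 'logging facility' and 'logging trap', plus a collector
that files datagrams per facility and drops datagrams from unknown sources.
Added example for this article, not Cisco code.  Device names, addresses and
texts are constructed; main() repeats the exchange over real UDP on 127.0.0.1."""
import socket
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# 'logging trap' keywords as IOS spells them, mapped to RFC 3164 severities.
TRAP_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
               "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
LOCAL_FACILITIES = {f"local{n}": 16 + n for n in range(8)}   # RFC 3164 numbers 16..23


class IosSender:
    """An IOS device: 'logging facility' (default local7), 'logging trap' (default informational)."""

    def __init__(self, facility: str = "local7", trap: str = "informational"):
        self.facility = LOCAL_FACILITIES[facility]
        self.trap = TRAP_LEVELS[trap]
        self.seq = 0   # IOS numbers its messages; modelled here as the 'NN: ' prefix

    def datagram(self, severity: int, fac: str, mnemonic: str, text: str) -> Optional[bytes]:
        """UDP payload for one event, or None when 'logging trap' suppresses it:
        a message is sent only if its severity is numerically <= the trap level."""
        if severity > self.trap:
            return None
        self.seq += 1
        pri = self.facility * 8 + severity   # RFC 3164 PRI encoding
        body = f"{self.seq}: %{fac}-{severity}-{mnemonic}: {text}"
        return f"<{pri}>{body}".encode("ascii")[:1024]


class Collector:
    """Receiver: one 'file' (list) per facility plus a source allow-list, since UDP syslog has no sender authentication."""

    def __init__(self, allowed_sources: Dict[str, str]):
        self.allowed = allowed_sources                # source IP -> device name
        self.files: Dict[str, List[str]] = defaultdict(list)
        self.dropped: List[Tuple[str, bytes]] = []

    def route(self, payload: bytes, source_ip: str) -> Optional[str]:
        """File the datagram under its facility; return the file name, or None if dropped."""
        device = self.allowed.get(source_ip)
        if device is None or not payload.startswith(b"<") or b">" not in payload:
            self.dropped.append((source_ip, payload))
            return None
        end = payload.index(b">")
        facility, severity = divmod(int(payload[1:end]), 8)
        name = f"local{facility - 16}" if 16 <= facility <= 23 else f"facility{facility}"
        self.files[name].append(f"{device} sev={severity} {payload[end + 1:].decode('ascii', 'replace')}")
        return name


def build_events() -> List[Tuple[str, Optional[bytes]]]:
    """Constructed traffic as (source IP, payload); payload None means 'logging trap' suppressed it."""
    rtr1 = IosSender(facility="local7", trap="warnings")        # router: warnings and worse only
    sw1 = IosSender(facility="local6", trap="informational")    # switch: IOS default trap level
    return [
        ("192.0.2.1", rtr1.datagram(5, "LINEPROTO", "UPDOWN", "Line protocol on Interface Loopback0, changed state to up")),
        ("192.0.2.1", rtr1.datagram(3, "LINK", "UPDOWN", "Interface GigabitEthernet0/1, changed state to down")),
        ("192.0.2.2", sw1.datagram(5, "SYS", "CONFIG_I", "Configured from console by vty0 (192.0.2.50)")),
        # Any host on the network can forge a datagram that looks exactly like the router's.
        ("198.51.100.9", b"<189>99: %SYS-5-CONFIG_I: Configured from console by console"),
    ]


def simulate() -> Collector:
    collector = Collector({"192.0.2.1": "rtr1", "192.0.2.2": "sw1"})
    for source_ip, payload in build_events():
        if payload is not None:
            collector.route(payload, source_ip)
    return collector


def loopback_exchange(payloads: List[bytes]) -> List[Tuple[str, bytes]]:
    """Send the payloads over real UDP to a receiver on 127.0.0.1 and return the
    (source IP, payload) pairs exactly as recvfrom() hands them to a collector."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))   # ephemeral port here; a real collector binds UDP/514
        rx.settimeout(2.0)
        for p in payloads:
            tx.sendto(p, rx.getsockname())
        received = []
        for _ in payloads:
            data, addr = rx.recvfrom(2048)
            received.append((addr[0], data))
        return received
    finally:
        tx.close()
        rx.close()


if __name__ == "__main__":
    c = simulate()
    print({name: lines for name, lines in c.files.items()}, "dropped:", c.dropped)
    live = Collector({"127.0.0.1": "lo"})   # over loopback every datagram arrives from 127.0.0.1
    sent = [p for _, p in build_events() if p is not None]
    for src, data in loopback_exchange(sent):
        live.route(data, src)
    print("loopback filed", sum(map(len, live.files.values())), "of", len(sent))
```

With logging trap warnings on the router, the Notice-level LINEPROTO message is never sent, the Error-level LINK message lands in local7, the switch's message lands in local6, and the forged datagram from 198.51.100.9 is dropped by the allow-list even though its contents are indistinguishable from a real one.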

CONFIG CISCO SWITCH FOR SYSLOG ****
To configure a Cisco CatOS-based switch to send syslog messages to an external syslog server, use the privileged EXEC mode commands shown in the table below.

Step Command Purpose
1 Switch>(enable) set logging timestamp {enable | disable} Configures the system to timestamp messages.
2 Switch>(enable) set logging server ip-address  Specifies the IP address of the syslog server; a maximum of three servers can be specified.
3 Switch>(enable) set logging server severity server_severity_level  Limits, by severity level, the messages that are sent to the syslog servers.
4 Switch>(enable) set logging server facility server_facility_parameter  Specifies the facility used in the messages. The default is local7. Apart from the standard facility names listed in Table 1, Cisco Catalyst switches use facility names that are specific to the switch. The following facilities generate syslog messages with fixed severity levels:
5: System, Dynamic-Trunking-Protocol, Port-Aggregation-Protocol, Management, Multilayer Switching
4: CDP, UDLD
2: Other facilities
5 Switch>(enable) set logging server enable  Enables the switch to send syslog messages to the syslog servers.
6 Switch>(enable) show logging  Displays the logging configuration.

CONFIG CISCO PIX FIREWALL FOR SYSLOG ****
Proactive monitoring of firewall logs is an integral part of a network administrator's duties. To configure a Cisco PIX Firewall to send syslog messages to an external syslog server, use the commands in the table below.

Step Command Purpose
1 pixfirewall# configure terminal  Enters global configuration mode.
2 pixfirewall(config)# logging timestamp  Specifies that each syslog message should carry a timestamp.
3 pixfirewall(config)# logging host [in_if_name] ip_address [tcp | udp[/port]]  Specifies a syslog server that receives the messages sent by the PIX, optionally naming the interface through which the server is reached. Repeat the command to add servers; every server receives all messages. The protocol is UDP (default port 514) or TCP (default port 1470), and a given server can be configured for one or the other, not both. TCP syslog is supported only with the Cisco PIX Firewall Syslog Server (PFSS).
4 pixfirewall(config)# logging facility facility  Specifies the syslog facility. Instead of the facility name, the PIX takes the RFC 3164 facility number:
local0 – 16
local1 – 17
local2 – 18
local3 – 19
local4 – 20
local5 – 21
local6 – 22
local7 – 23
The default is 20 (local4).
5 pixfirewall(config)# logging trap level  Specifies the syslog message level as a number or string. Messages at that level and at numerically lower (more urgent) levels are sent. For example, level 3 sends severity 0, 1, 2, and 3 messages. Possible number and string values are as follows:
0: Emergency; System-unusable messages
1: Alert; Take immediate action
2: Critical; critical condition
3: Error; error message
4: Warning; warning message
5: Notice; normal but significant condition
6: Informational; informational message
7: Debug; debug messages and log FTP commands and WWW URLs
6 pixfirewall(config)# logging on  Starts sending syslog messages to all configured output locations.
7 pixfirewall(config)# no logging message message_id  Suppresses the specified message ID. Keep an inventory of suppressed IDs; every suppression is a blind spot during a later investigation.
8 pixfirewall(config)# exit  Exits global configuration mode.

NOTE
  If the syslog server's disk is full, it can close the TCP connection. When the PIX is sending syslog over TCP, it then stops passing all traffic until disk space on the server has been freed: the PIX fails closed rather than run without logging, so a full disk on the log server is effectively a denial of service against the firewall.
  If the PIX stops passing traffic because of a disk-full condition, first free disk space on the server. Then disable syslog on the PIX with the no logging host host command, and re-enable it with the logging host host command. Later PIX 7.x and ASA software add the logging permit-hostdown command, which lets traffic continue when the TCP syslog server is unreachable; decide deliberately whether the firewall should fail open or fail closed when logging fails.

CONFIGURING CISCO VPN CONCENTRATOR FOR SYSLOG ****
The Cisco VPN 3000 Series Concentrator provides an appliance-based solution for deploying VPN functionality across remote networks. VPN concentrators are often connected in parallel with the firewalls. This design simplifies management of the network but creates security concerns: after a user has been authenticated through the VPN concentrator, the user has complete access to the network. This makes a strong case for logging the messages from the VPN concentrator. To configure the Cisco VPN 3000 Series Concentrator to send syslog messages, follow these steps:
1. Log in to the VPN concentrator using a web browser.
2. Navigate to the syslog server page by choosing Configuration > System > Events > Syslog Servers.
3. On the Syslog Servers page, click the Add button.
4. Enter the IP address of the syslog server and select the facility from the Facility drop-down menu. Save these settings and return to the Syslog Servers page by clicking the Add button.
5. To select the kind of messages that are to be sent to the syslog server, navigate to the General page by choosing Configuration > System > Events > General.
6. On the General page, select an option from the Severity to Syslog drop-down menu, and click the Apply button.
7. To save the configuration changes, click the Save Needed icon.
As configured in this example, the VPN concentrator is now ready to send syslog messages at facility local6, severity 1–5, to the server entered in step 4.
