Part 23 – Sending Logs to a Syslog Server

Sending Logs to a Syslog Server

Introduction

Welcome to Part 23 of the Network Fundamentals study notes! If you haven’t already, we recommend watching the video first.

Every network device generates logs — records of events like interface state changes, configuration changes, authentication attempts, and errors. Keeping those logs locally is useful, but centralising them on a syslog server gives you archiving, cross-device correlation, and a single place to look during troubleshooting.

Local Logging vs Syslog

Different vendors handle local logging differently. Cisco routers store logs in memory by default — which means they’re wiped when the router reboots. Juniper devices write logs to local storage files. Neither approach is ideal for a busy network.

All major vendors support syslog, a standard protocol for sending log messages to an external server, traditionally over UDP port 514. Two caveats follow from that transport: classic syslog travels in clear text with no authentication, so the server and the path to it belong on a trusted management network, and UDP gives no delivery guarantee, so messages can be silently lost under load. The advantages of a centralised syslog server are still significant:

  • Logs are archived indefinitely, not wiped on reboot
  • Logs from many devices are collected in one place
  • You can correlate events across multiple devices to understand what happened and in what order
  • A common format means a single server can handle devices from different vendors

Syslog Message Format

Every syslog message has two key components beyond the message text itself: a facility and a severity level.

Facility

The facility identifies the process or system component that generated the event. Each facility has a numeric ID, and local0 through local7 (IDs 16 to 23) are generic, user-defined facilities not tied to a specific purpose. Cisco routers and switches use local7 by default, though this can be changed. Other vendors may use different defaults. On the wire the facility and severity are combined into the priority value at the start of each message: priority = facility ID × 8 + severity, so a Cisco level 5 message from local7 carries priority 189.

Severity Levels

Devices generate a huge volume of log messages — most of them routine and unimportant. Severity levels let you filter and prioritise. There are eight levels, numbered 0 (most critical) to 7 (least critical):

  • 0 – Emergency
  • 1 – Alert
  • 2 – Critical
  • 3 – Error
  • 4 – Warning
  • 5 – Notification
  • 6 – Informational
  • 7 – Debug

A handy mnemonic to remember the order: Every Awesome Cisco Engineer Will Need Ice Cream Daily.

Note that the level name describes importance, not literal meaning. For example, a physical interface coming up is reported by %LINK-3-UPDOWN at level 3 (Error) on Cisco devices, not because it is an error but because a link state change is significant enough to deserve attention; the matching line protocol change, %LINEPROTO-5-UPDOWN, is only level 5. The names indicate priority, not problems.
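To make the facility and severity arithmetic concrete, here is an added example written for these notes (it is not code from any vendor or syslog product). It encodes and decodes the priority value, parses a few constructed Cisco-style lines (not captured from a real device), cross-checks the severity in the priority against the one in the %FACILITY-SEVERITY-MNEMONIC header, and applies the same severity threshold a router applies with logging trap. The function names, the sample lines and the keyword table are assumptions of the example.

```python
import re
from dataclasses import dataclass

# RFC 3164 facility numbers. local0..local7 are 16..23; Cisco IOS defaults to
# local7, so its messages normally carry priorities 184..191.
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
              **{f"local{i}": 16 + i for i in range(8)}}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "informational", "debug"]
# Keywords accepted by the IOS 'logging trap' command, mapped to levels.
CISCO_TRAP_KEYWORDS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                       "warnings": 4, "notifications": 5, "informational": 6,
                       "debugging": 7}


def encode_pri(facility: str, severity: int) -> int:
    """Priority = facility * 8 + severity, e.g. local7 + notification -> 189."""
    return FACILITIES[facility] * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Split a priority back into (facility number, severity)."""
    return pri // 8, pri % 8


@dataclass
class SyslogEvent:
    pri: int
    facility: int
    severity: int
    mnemonic: str   # e.g. "LINK-3-UPDOWN"
    text: str

    def describe(self) -> str:
        return (f"{FACILITY_NAMES.get(self.facility, self.facility)}."
                f"{SEVERITIES[self.severity]} {self.mnemonic}: {self.text}")


# Shape of a Cisco IOS message as it arrives at the server (constructed here):
#   <189>3: *Mar  1 00:02:13.417: %SYS-5-CONFIG_I: Configured from console by ...
# <PRI> is mandatory; the sequence number and timestamp are optional and are
# skipped; the %FACILITY-SEVERITY-MNEMONIC header and the text are captured.
CISCO_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                  # priority
    r"(?:\d+: )?"                                           # sequence number
    r"(?:[*.]?\w{3} +\d+(?: \d{4})? [\d:.]+(?: \w+)?: )?"   # timestamp
    r"%(?P<mnemonic>[A-Z0-9_]+-(?P<sev>[0-7])-[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)


def parse_cisco(line: str) -> SyslogEvent:
    """Parse one line; reject lines whose PRI severity disagrees with the header."""
    m = CISCO_RE.match(line)
    if m is None:
        raise ValueError(f"not a Cisco-style syslog line: {line!r}")
    pri = int(m["pri"])
    facility, severity = decode_pri(pri)
    # The severity appears twice (in <PRI> and in the mnemonic). A mismatch
    # means the message was mangled or forged and should not be trusted.
    if int(m["sev"]) != severity:
        raise ValueError(
            f"PRI severity {severity} != header severity {m['sev']}: {line!r}")
    return SyslogEvent(pri, facility, severity, m["mnemonic"], m["text"])


def trap_filter(events, level):
    """Mimic 'logging trap <level>': keep severity <= level (0 is most urgent).
    level is a number 0-7 or one of the IOS keywords above."""
    if isinstance(level, str):
        level = CISCO_TRAP_KEYWORDS[level]
    return [e for e in events if e.severity <= level]


# Constructed sample lines in Cisco's default local7 facility.
SAMPLE_LINES = [
    "<187>1: *Mar  1 00:01:02.003: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, "
    "changed state to up",
    "<189>2: *Mar  1 00:01:03.117: %LINEPROTO-5-UPDOWN: Line protocol on Interface "
    "GigabitEthernet0/1, changed state to up",
    "<189>3: *Mar  1 00:02:13.417: %SYS-5-CONFIG_I: Configured from console by admin "
    "on vty0 (10.0.0.7)",
    "<190>4: *Mar  1 00:02:14.002: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host "
    "192.168.1.100 port 514 started - CLI initiated",
]


def demo(level="notifications"):
    """Parse the samples and return what a 'logging trap <level>' router forwards."""
    events = [parse_cisco(line) for line in SAMPLE_LINES]
    return trap_filter(events, level)


if __name__ == "__main__":
    for ev in demo():
        print(ev.pri, ev.describe())
```

With the default "notifications" threshold the informational %SYS-6 line is dropped and the other three are kept, which is exactly the split described under severity levels. The PRI-versus-header cross-check is the kind of sanity test a collector can apply cheaply: a sender that gets the two out of step is either misbehaving or not the device it claims to be.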

Local Logging on Cisco

By default, Cisco routers send log messages to the console port. If you’re connected via console cable, you’ll see these messages appear as you work. If you’re connected via SSH, you won’t see them — unless you run terminal monitor (often shortened to term mon) in your SSH session.

To view buffered logs that have already been generated, use show logging.

Configuring Syslog on a Cisco Router

Before configuring syslog, make sure NTP is configured (see Part 22). Accurate timestamps are essential for logs to be useful — especially when correlating events across multiple devices.

Step 1: Configure Timestamps

service timestamps log datetime msec

datetime tells the router to stamp logs with the actual date and time (rather than uptime since boot). msec adds millisecond precision, useful when correlating events that happen within the same second. Timestamps are in UTC unless you add the localtime keyword; adding show-timezone as well prints the zone in each message, which removes any ambiguity when one server collects from devices in several regions.

Step 2: Configure the Source Interface (Optional)

logging source-interface Loopback0

This controls which interface IP is used as the source of syslog messages. Using a loopback interface is common: loopbacks are always up, so the syslog server always sees messages from a consistent address regardless of which physical interface the packet leaves through. The server, and any firewall or ACL between the router and the server, identifies the device by this address, so it should match whatever the server has on record for the router.

Step 3: Set the Facility (Optional)

logging facility local6

In practice this is rarely changed from the default, but it’s available if your syslog server needs to distinguish messages from different device types.

Step 4: Set the Severity Level

logging trap notifications

This sets the minimum severity level to send. In this example, messages at level 5 (Notifications) and more severe are sent, that is levels 0–5. Informational (level 6) and debug (level 7) messages are excluded, keeping the log volume manageable. Sending debug-level logs to a syslog server would generate an enormous amount of traffic, and on a busy device the extra work can slow the router itself.

Step 5: Specify the Syslog Server

logging host 192.168.1.100

This is the IP address (or hostname) of your syslog server. Repeat the command for each additional server if you need more than one. Once configured, show logging lists the trap level and the hosts in use, and a harmless configuration change (enter and leave configuration mode) produces a %SYS-5-CONFIG_I message that you can look for on the server to confirm delivery end to end.

Syslog Server Software

Many syslog server options exist — some free, some paid, some part of larger network management platforms. Kiwi Syslog is a popular choice for getting started; there’s a free version with limited features that runs on Windows and is easy to set up. In production environments you’ll often find syslog integrated into tools like Splunk, Graylog, or a SIEM platform.

Resources

Test your knowledge with the Introduction to Networking quizzes.