Syslog
1. What is SYSLOG?
🔍 Imagine you're managing a network and something goes wrong: how do you find out what happened? This is where SYSLOG comes in. It is the standard logging protocol (RFC 3164, later RFC 5424) that network devices such as routers, switches and firewalls, and most servers, use to send status updates and alerts to a central collector.
SYSLOG helps centralize logs, making it easier to track network events in real-time. Instead of checking every device individually, you can use a SYSLOG server to collect all messages in one place.

Example: Detecting an Interface Failure
If an interface goes down on a Cisco router, the router immediately generates a message like this:
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
This tells you that the interface is no longer operational, allowing you to respond quickly.
2. Storing SYSLOG Messages
Default Console Logging
By default, Cisco devices print SYSLOG messages straight to the console line. This is helpful for immediate visibility but has limitations:
✅ Messages appear instantly on the console session.
❌ Nothing is retained: a console line is gone once it scrolls off or the session disconnects, and even the device's internal log buffer (logging buffered) lives in RAM and is emptied by a reboot.

Central Storage with SYSLOG Servers
🛠️ For better log management, SYSLOG messages should be sent to a central SYSLOG server (on Cisco IOS, logging host followed by the server address points the device at it, and logging trap sets the most verbose severity that is forwarded). This allows long-term storage, analysis and alerting.
- Transport Protocol: The traditional transport is UDP (User Datagram Protocol). It is simple and cheap rather than fast: there is no acknowledgement, so messages can be lost without anyone noticing, no encryption, and no sender authentication, so anyone who can reach the server can inject forged messages with a spoofed source address. Where the devices and the server support it, prefer TCP or syslog over TLS (RFC 5425, TCP port 6514).
- Port Number: The default port is UDP 514.
With a SYSLOG server, you can store logs from multiple devices, making it easier to analyze trends and troubleshoot network issues. Treat the server as sensitive: the logs contain addresses, usernames and configuration changes, so restrict who can read them and who can send to the collector port.
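As an added example (not code from the page), the following Python shows what actually leaves a device when it forwards a message: the PRI prefix packs the standard facility and the severity into one number, an optional RFC 3164 header carries a timestamp and hostname, and the UDP delivery is a single unacknowledged sendto. The collector address 192.168.1.10 and the message bodies are assumptions; the framing with a hostname reproduces the format of the example message in RFC 3164.

```python
import socket
from datetime import datetime
from typing import Optional

# Standard facility numbers (RFC 3164 / RFC 5424). Cisco IOS sends local7 unless
# `logging facility` is changed; Linux daemons use the one that fits their role.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}


def pri(facility: str, severity: int) -> int:
    """The number inside the <PRI> prefix: facility * 8 + severity (severity 0..7)."""
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0..7")
    return FACILITIES[facility] * 8 + severity


def bsd_timestamp(when: Optional[datetime] = None) -> str:
    """RFC 3164 'Mmm dd hh:mm:ss' stamp; a single-digit day is space-padded, not zero-padded."""
    when = when or datetime.now()
    return f"{when:%b} {when.day:2d} {when:%H:%M:%S}"


def build_datagram(severity: int, body: str, facility: str = "local7",
                   hostname: Optional[str] = None, timestamp: Optional[str] = None) -> bytes:
    """Frame one syslog message as it goes on the wire.

    With a hostname the result carries the RFC 3164 HEADER (TIMESTAMP HOSTNAME) that
    Linux syslog clients emit. Without one it is just <PRI> followed by the body, which
    is how a Cisco IOS device sends its '%FACILITY-SEVERITY-MNEMONIC: text' lines by
    default (the IOS body carries its own sequence number and timestamp when those
    services are enabled).
    """
    header = f"{timestamp or bsd_timestamp()} {hostname} " if hostname else ""
    return f"<{pri(facility, severity)}>{header}{body}".encode("ascii", "replace")


def send_udp(datagram: bytes, server: str, port: int = 514) -> int:
    """Deliver one datagram. No handshake, no acknowledgement and no sender
    authentication: anyone who can reach port 514 can send the same bytes with a
    forged source address, and a dropped datagram is simply gone. Returns bytes sent."""
    if len(datagram) > 1024:
        raise ValueError("RFC 3164 limits a message to 1024 bytes")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, (server, port))


if __name__ == "__main__":
    # Assumed collector address; the body is the page's own interface-down example.
    msg = build_datagram(5, "%LINEPROTO-5-UPDOWN: Line protocol on Interface "
                            "GigabitEthernet0/0, changed state to down")
    print(msg)  # b'<189>%LINEPROTO-5-UPDOWN: ...'  (189 = local7 * 8 + 5)
    try:
        send_udp(msg, "192.168.1.10")
    except OSError as exc:  # no route to the assumed collector is the usual failure
        print("send failed:", exc)
```

The send function is deliberately the whole protocol: there is nothing else to negotiate, which is exactly why UDP syslog needs network-level controls (ACLs on the collector, a dedicated management VLAN) or a TLS transport before its contents can be trusted as evidence.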

📢 Next Steps: In the following chapters, we will explore SYSLOG message structure, severity levels, and facility codes.
3. SYSLOG Message Structure
🔍 Each SYSLOG message provides structured information to help you diagnose network events. On Cisco IOS a line has the form seq: timestamp: %FACILITY-SEVERITY-MNEMONIC: text, and typically contains:
- Sequence Number (optional, enabled with service sequence-numbers): a counter that makes gaps in the stream visible.
- Timestamp (optional, enabled with service timestamps log datetime): When the event happened. Synchronize device clocks with NTP, otherwise timestamps from different devices cannot be correlated.
- Facility Code: The part of the system that generated the message (LINK, LINEPROTO, SYS, SEC, OSPF and so on).
- Severity Level: How critical the event is, from 0 (most severe) to 7.
- Mnemonic: A short identifier for the event type.
- Message Text: A detailed description of what happened.
✅ SYSLOG messages are formatted for clarity and quick parsing, ensuring network admins can quickly respond to critical issues.
Example:
When an interface goes down, a SYSLOG message might look like this:
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
- Facility Code: LINEPROTO (the leading % only marks the start of the header), the subsystem that tracks the interface line protocol.
- Severity Level: 5 (Notification).
- Mnemonic: UPDOWN, an interface status change.
- Message Text: which interface changed and its new state, here down.
📢 Understanding this structure helps network administrators react faster and troubleshoot efficiently.
4. Understanding Severity Levels
🔍 SYSLOG messages come with a severity level (0–7, where 0 is the most severe) that indicates their importance. Knowing these levels helps prioritize issues efficiently.
High-Priority Levels (0–4)
⚠️ 0 – Emergency: The system is unusable. A device in this state usually cannot log anything, so the line below only illustrates the format and is not verbatim IOS output.
%SYS-0-EMERG: System is down due to severe hardware failure.
⚠️ 1 – Alert: Immediate action is needed (format illustration only, not verbatim IOS output).
%LINK-1-ALERT: Power supply failure on R1. Immediate action needed.
⚠️ 2 – Critical: A failure that affects the whole device, for example running out of memory.
%SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x60AB1234, pool Processor, alignment 0
⚠️ 3 – Error: Something failed but the device keeps running. A physical link going down is reported at this level.
%LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
⚠️ 4 – Warning: A condition that should be looked at, such as a duplex mismatch.
%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet0/0 (not half duplex), with R2 GigabitEthernet0/1 (half duplex).
Low-Priority Levels (5–7)
✅ 5 – Notification: Normal but significant events. Line-protocol state changes, configuration changes and logins all land here, so "low priority" does not mean "ignore".
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.50)
✅ 6 – Informational: Normal operational messages, including ACL hits when an ACL entry has the log keyword.
%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(40231) -> 10.0.0.1(23), 1 packet
✅ 7 – Debugging: Output of the debug commands. Most of it does not even carry a %FACILITY-7-MNEMONIC header, so the line below is a format illustration only. It is voluminous; never forward level 7 to a production server.
%DEBUG-7-TRACE: IP packet received on interface GigabitEthernet0/0.
The severity also controls what leaves the device: logging trap followed by a level forwards everything at that level or more severe (logging trap warnings sends 0–4; the default is informational, 0–6), and logging buffered takes the same argument for the local buffer.
💡 Mnemonic to Remember Severity Levels:
Use this phrase: “Every Awesome Cisco Engineer Will Need Ice Cream Daily.”
- 0 – Emergency → Every
- 1 – Alert → Awesome
- 2 – Critical → Cisco
- 3 – Error → Engineer
- 4 – Warning → Will
- 5 – Notification → Need
- 6 – Informational → Ice Cream
- 7 – Debugging → Daily
📢 Understanding severity levels helps you decide which issues need immediate attention and which can be monitored over time.
5. Facility Codes in SYSLOG
Why Are Facility Codes Important?
In a network where hundreds of logs are generated every minute, facility codes say which part of which system produced a message, so administrators can filter logs and focus on the relevant events without being overwhelmed by unnecessary messages.
The word "facility" means two different things in practice, and a collector sees both:
- The standard syslog facility is a number from 0 to 23 that travels in the <PRI> prefix of every message on the wire (PRI = facility × 8 + severity). It is chosen by the sending system's syslog layer. Cisco IOS sends everything as local7 (23) unless logging facility is changed, so a Cisco message of severity 5 arrives as <189>.
- The Cisco facility is the name between the % and the first dash in the message header (LINK, LINEPROTO, SYS, SEC and so on). It identifies the IOS subsystem that raised the event and is the one you filter on for Cisco logs.
By filtering on either one, administrators can quickly isolate logs related to security, interfaces, authentication, system processes or other critical areas.
Overview of Facility Codes
Standard syslog facilities (carried in <PRI>):
Number | Facility | Typical source |
---|---|---|
0 | kern | Kernel |
1 | user | User-level processes |
3 | daemon | Background system services |
4 / 10 | auth / authpriv | Authentication and user access (sshd, su, login) |
5 | syslog | The syslog daemon itself |
9 | cron | Scheduled jobs |
16 – 23 | local0 – local7 | Locally defined; network devices usually use one of these (Cisco IOS: local7) |
Cisco IOS facility names (in the %FACILITY-SEVERITY-MNEMONIC header):
Facility Code | Description | Example Messages |
---|---|---|
SYS | General system messages, including configuration changes and logging setup | %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.50) |
LINK | Physical interface link state | %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down |
LINEPROTO | Line protocol state | %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up |
SEC | ACL logging (entries with the log keyword) | %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.5(40231) -> 10.0.0.1(80), 1 packet |
SEC_LOGIN | Login success and failure | %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.100] [localport: 22] [Reason: Login Authentication Failed] |
OSPF | Routing protocol adjacency events | %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/1 from FULL to DOWN, Neighbor Down: Dead timer expired |
CDP | Neighbour discovery | %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet0/0 (not half duplex), with R2 GigabitEthernet0/1 (half duplex). |
Example: Interface Link Down Message
When an interface goes down, the SYSLOG message might look like this:
%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Breaking it down:
- LINK → The facility code (the % only introduces the header) indicates that the message is related to physical interface link status.
- 3 → The severity level (Error).
- UPDOWN → The message mnemonic, showing that the interface state changed.
- Message text → Specifies the affected interface and the new state.
This allows administrators to quickly understand the issue and take appropriate action.
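Putting sections 3, 4 and 5 together, here is an added Python example (not code from the page) of what a collector does with these lines: it strips the <PRI> prefix and decodes the standard facility and severity, parses the Cisco sequence number, timestamp and %FACILITY-SEVERITY-MNEMONIC header, flags messages whose PRI severity disagrees with their header (a sign of a rewriting relay or a forged message), and then applies a logging trap style severity threshold and a per-facility count. The sample lines are constructed for the example, not captured from a device; they assume the IOS default of local7 and include one Linux sshd line and one deliberately inconsistent line.

```python
import re
from collections import Counter
from typing import Optional

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "informational", "debugging"]

# Standard facility numbers carried in the <PRI> prefix (RFC 3164 / RFC 5424).
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                  5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
                  10: "authpriv", 11: "ftp"}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})  # local0..local7

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")
# Cisco IOS body: optional sequence number, optional timestamp (datetime or uptime),
# then %FACILITY-SEVERITY-MNEMONIC: text. The timestamp group stops at the ': %'.
IOS_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>[^%]+?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)


def parse(line: str) -> Optional[dict]:
    """Split one received line into its standard (PRI) and Cisco (%FAC-SEV-MNEMONIC) parts.
    Returns None when neither a valid PRI prefix nor a Cisco header is present."""
    rec = {"pri_facility": None, "pri_severity": None, "seq": None, "ts": None,
           "facility": None, "severity": None, "mnemonic": None, "text": None,
           "pri_mismatch": False}
    body = line.rstrip("\r\n")
    m = PRI_RE.match(body)
    if m:
        pri = int(m.group("pri"))
        if pri > 191:           # 23 * 8 + 7 is the largest legal value
            return None
        rec["pri_facility"] = FACILITY_NAMES.get(pri >> 3, f"facility{pri >> 3}")
        rec["pri_severity"] = pri & 7
        body = m.group("rest")
    c = IOS_RE.match(body)
    if c:
        rec.update(seq=c.group("seq") and int(c.group("seq")), ts=c.group("ts"),
                   facility=c.group("facility"), severity=int(c.group("severity")),
                   mnemonic=c.group("mnemonic"), text=c.group("text"))
        # The PRI is written by the sender's syslog layer, the header by the IOS
        # subsystem; they should agree. A mismatch means a relay rewrote the
        # message or somebody forged it, so keep the header value and flag it.
        if rec["pri_severity"] is not None and rec["pri_severity"] != rec["severity"]:
            rec["pri_mismatch"] = True
    elif rec["pri_severity"] is not None:
        rec["severity"] = rec["pri_severity"]   # non-Cisco sender: only the PRI tells us
        rec["text"] = body
    else:
        return None
    rec["severity_name"] = SEVERITY_NAMES[rec["severity"]]
    rec["source"] = rec["facility"] or rec["pri_facility"]
    return rec


def logging_trap(records, level: int):
    """Emulate Cisco's `logging trap <level>`: keep messages whose severity number
    is <= level, i.e. at least that important (warnings = 4 keeps 0..4)."""
    return [r for r in records if r["severity"] <= level]


def count_by_source(records) -> Counter:
    """Group by the Cisco facility name when present, else the standard PRI facility."""
    return Counter(r["source"] for r in records)


# Constructed sample input (not captured from a real device): six Cisco IOS lines as
# they arrive over UDP with the default local7 facility, one Linux sshd line
# (authpriv.info, PRI 86) and a final line whose PRI severity (6) contradicts its header (3).
SAMPLE_LINES = """\
<189>45: *Mar  1 00:12:34.567: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
<187>46: *Mar  1 00:12:35.001: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
<189>47: *Mar  1 00:13:02.110: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.50)
<188>48: *Mar  1 00:13:40.432: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.100] [localport: 22] [Reason: Login Authentication Failed]
<190>49: *Mar  1 00:14:01.223: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(40231) -> 10.0.0.1(23), 1 packet
<189>50: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down
<86>Mar  1 00:15:00 fw01 sshd[1234]: Failed password for invalid user root from 192.168.1.100 port 55555 ssh2
<190>51: *Mar  1 00:15:20.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down
""".splitlines()


def triage(lines=SAMPLE_LINES, trap_level: int = 4) -> dict:
    """Parse every line, drop unparseable ones, apply the trap threshold and summarise."""
    records = [r for r in map(parse, lines) if r]
    return {
        "parsed": len(records),
        "urgent": [(r["source"], r["severity"], r["mnemonic"])
                   for r in logging_trap(records, trap_level)],
        "mismatched": [r["seq"] for r in records if r["pri_mismatch"]],
        "by_source": count_by_source(records),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Two design points matter for a real collector. The severity used for triage comes from the Cisco header, not the PRI, because the header is what the IOS subsystem wrote; the PRI is trusted only as a cross-check. And the trap threshold is applied after parsing, which is cheap here but is the same filter the device applies before sending, so a line you never see on the server may simply have been below the device's own logging trap level.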
6. 📢Conclusion
SYSLOG is more than just a logging tool: it is usually the first place a fault or an intrusion becomes visible. By understanding severity levels and facility codes, you can filter logs efficiently, detect issues faster and respond to network events proactively.
✅ Key Takeaways:
- Efficient log filtering based on severity and facility codes.
- Faster issue detection by categorizing messages from different sources.
- Proactive network management, reducing downtime and improving security.
- Logs are only as trustworthy as their transport and their clocks: use a reliable, authenticated transport where the equipment supports it, synchronize device clocks with NTP, and restrict access to the syslog server.
By leveraging SYSLOG's structured logging, network administrators can maintain better visibility, control and response times in their IT environments.