Network & Security Engineering
  • My Training Course
  • Network Engineering
    • CompTIA Network+
      • OSI Model: Layers 1-7 (Functions & Devices)
      • TCP/IP Model: Layers & Protocols
      • Encapsulation & De-encapsulation Process in Networking
      • Star, Mesh, Bus, Ring, Hybrid
      • LAN, WAN, WLAN, MAN, CAN, PAN
      • IPv4 Addressing & Classes
      • CIDR Notation & Subnet Masks
      • Private vs. Public IPs
      • Common TCP & UDP Ports
      • Twisted Pair (CAT5e, CAT6, CAT7, etc.)
      • Fiber Optic Cables
      • Ethernet Frame Structure
      • Switches
      • Router
      • Traceroute Test
      • Setting Up a Wireless Network in Cisco Packet Tracer
    • CCNA
      • Cisco Systems History
      • Cisco Certification Roadmap
      • Cisco Router Port Naming
      • Configuring Hostname, Passwords, and Banners in GNS3
      • Setting Router Clocks in Cisco Devices
      • Assigning IP Addresses to Interfaces
      • How to Back Up and Restore Router Configurations with TFTP
      • SSH Configuration on a Cisco Router
      • Configuring Static Routes on Routers
      • Configuring RIP v2 and Verifying Routes
      • Configuring EIGRP
      • Implementing Single-Area OSPF
      • Implementing Multiple OSPF Areas
      • Troubleshooting with show ip route
      • Configuring Standard ACLs in Cisco Routers
      • Getting Internet in GNS3 using a Cisco Router
      • Securing Remote Management and Disabling Unnecessary Services
      • Setting up a DHCP Server on a Cisco Router
      • Creating VLANs and Assigning Ports
      • Blackhole VLAN
      • Configuring 802.1Q Trunking
      • Configuring SSH on a Cisco Switch
      • Configuring Router-on-a-stick (ROAS) for VLANs
      • Setting up Syslog for Network Monitoring
      • Serial Point-to-Point Overview
      • Point-to-Multipoint OSPF in Metro Ethernet WAN Network
      • Frame Relay Configuration
    • CCNP
      • OSPF Single Area Configuration
      • OSPF Multi-Area Configuration
    • GNS3
      • About GNS3
      • GNS3 Architecture
      • Windows Installation
      • Linux Installation
      • Cisco IOS images for Dynamips
      • Add Router IOS Image in GNS3
      • Add a Virtual Machine in GNS3
      • Upgrade The GNS3 VM
      • L2 Switching Simulation
      • L3 switching Simulation
      • Lab 01 : Connect 2 PCs
      • Lab 02 : Configuring Ethernet and Serial Interfaces
      • Lab 03 : Basic switch setup
      • Lab 04 : Basic router setup
      • Lab 05 : Connect Router to Cloud in GNS3
      • Lab 06 : Router Remote Access via Telnet
      • Lab 07 : Configure Static Route in GNS3
      • Lab 08 : Syslog Server for Cisco Router in GNS3
      • Lab 09 : DHCP configuration in GNS3
      • Lab 10 : PPP Configuration
      • Lab 11 : Configuring Switch Security Features
    • MTCNA
      • Module 1 : Introduction
        • History
        • Cisco vs. MikroTik
        • Training Programs
        • MikroTik RouterOS
        • MikroTik RouterBOARD
        • Product Categories
        • Product Naming
        • First Time Access
        • Winbox
        • Default Configuration
        • Neighbor Discovery
        • Command Line Interface
        • Router Identity
        • Upgrading RouterOS
        • Package Management
        • Users and Services
        • Reset Configuration
        • RouterOS Licensing
      • Module 2 : DHCP
        • Overview of DHCP
        • DHCP Client
        • DHCP Server
        • RouterOS ARP table
      • Module 3 : Bridging
        • OSI Model
        • Overview of Bridging
      • Module 4 : Routing
        • IP Addressing
        • Routing Concepts
        • Static routing
      • Module 5 : Wireless
        • Basics of Radio Waves
        • Wireless Agencies
        • 802.11a/b/g/n/ac Concepts
        • Setup a simple wireless link
        • Link Budget Calculation
        • Wireless Network Topologies
        • 2.4 GHz Band
        • 5 GHz Band
      • Module 6 : Firewall
        • Firewall Principles
        • Firewall (Input Chain)
      • Module 7 : QoS
        • Quality of Service
  • Network Administrator
    • Linux Commands
      • The ls command
      • The cd command
      • The cat command
      • The head command
      • The tail command
      • The pwd command
      • The touch Command
      • The cal Command
      • The uname command
      • The mkdir command
      • The gzip command
      • The who command
      • The man command
      • The passwd command
      • The w command
      • The whoami command
      • The cp command
    • Windows Server 2012
      • Windows Server 2012 - Home
      • Installation
      • Server Roles
      • PowerShell
      • Windows Firewall
      • Remote Desktop Management
      • Resource Monitor
      • Active Directory
      • Group Policy Overview
      • DC Accounts
      • DHCP Role
      • DNS Role
      • Primary Zones
      • Manage Records
      • IIS Overview
      • IIS Security
      • Sharing of Files
      • Print Server
    • VMware Workstation
      • Install VMware Workstation on Windows
      • Customize Network Settings in VMware Workstation
      • Install VMware Tools on Windows and Windows Server VMs
      • Configure Autologin for a Windows VM on VMware Workstation
      • Lab 01 - Install Windows 7 on a VMware Workstation
      • Lab 02 - Install CentOS 8 on a VMware Workstation
      • Lab 03 - Install Kali Linux on VMware Workstation
      • Lab 04 - Install The Mikrotik CHR On VMware Workstation​
      • Lab 05 - Install Ubuntu in VMware Workstation
      • Lab 06 - Installing GNS3 VM on VMware Workstation
      • Lab 07 - Install Windows Server 2012 R2 on VMWare Workstation
      • Lab 08 - Install Windows 10 in VMware Workstation
    • LPIC-1
      • 101.1 Determine and configure hardware settings
  • Security Engineering
    • Practical Packet Analysis
      • Network Traffic Analysis with Wireshark in GNS3
      • Echo Requests and Responses
      • Dynamic Host Configuration Protocol
      • Cisco Discovery Protocol
      • Routing Information Protocol
    • PRTG Network Monitoring
      • Overview of PRTG Network Monitor
      • Internet Uptime/Availability Monitoring
      • Configuring SNMP v2 on Cisco Devices
    • Classical Ciphers
      • Caesar Cipher
      • Atbash Cipher
      • Vigenère Cipher
      • Affine Cipher
      • Hill Cipher
      • Rail Fence Cipher
      • Scytale Cipher
      • Bacon's Cipher
      • Beaufort Cipher
      • ROT13
      • Gronsfeld Cipher
  • Web Development
    • HTML
      • What is HTML?
      • Basic HTML Structure
      • Headings and Paragraphs
      • Text Formatting Tags
      • Working with Links
      • Adding Images to a Webpage
      • Embedding Videos and Audio
      • Creating Lists
      • Building Tables
      • HTML Forms
Powered by GitBook
On this page
  • Step 1: Understanding Syslog
  • Step 2: Scenario & Topology
  • Step 3: Setting Up the Syslog Server
  • Step 4: Configure Syslog on Cisco Devices
  • Step 5: Verify Syslog Configuration
  • Step 6: Monitor Logs on the Syslog Server
  • Step 7: Automating Log Analysis
  • Keywords
  1. Network Engineering
  2. CCNA

Setting up Syslog for Network Monitoring

Nerd Cafe

Syslog is a crucial protocol for logging network events, enabling administrators to monitor and troubleshoot network devices like routers and switches. In this guide, we will:

  • Explain Syslog fundamentals

  • Set up a Syslog server

  • Configure Cisco devices to send logs to the Syslog server

  • Verify and monitor Syslog messages

Step 1: Understanding Syslog

Syslog is a logging protocol used by network devices to send event messages to a centralized Syslog server.

Syslog Components:

  1. Syslog Server – Collects and stores logs (e.g., a Linux/Windows server running Syslog software)

  2. Syslog Clients – Cisco routers/switches sending logs to the Syslog server

  3. Severity Levels:

    • 0: Emergency (System is unusable)

    • 1: Alert (Immediate action needed)

    • 2: Critical (Serious issues)

    • 3: Error (General errors)

    • 4: Warning (Potential issues)

    • 5: Notification (Normal but significant events)

    • 6: Informational (Routine messages)

    • 7: Debugging (Detailed logs for troubleshooting)

Step 2: Scenario & Topology

Scenario:

You are a network administrator and want to monitor logs from routers and switches using a Syslog server. You will set up a Syslog server on a PC and configure network devices to send logs to this server.

Topology:

Tools Needed:

  • Cisco Packet Tracer (or GNS3/real devices)

  • A Syslog server software (Kiwi Syslog, Rsyslog, or Syslog-ng)

Step 3: Setting Up the Syslog Server

On a PC (Windows/Linux):

  1. Download Syslog Server:

    • Windows: Install Kiwi Syslog Server

    • Linux: Use rsyslog (sudo apt install rsyslog)

  2. Configure the Syslog Server:

    • Open the Syslog software and ensure it's listening on UDP port 514

    • Set log storage options (e.g., save logs to a file)

    • Start the Syslog service

Step 4: Configure Syslog on Cisco Devices

1. Basic Router (R1) Configuration

R1#configure terminal
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.202.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#^Z
R1#ping 192.168.202.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.202.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/9/12 ms
R1#ping 192.168.202.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.202.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/9/20 ms
R1#

2. Enable Logging:

R1(config)#logging on

3. Set the Syslog Server IP

R1(config)#logging 192.168.202.10

4. Specify the Logging Severity Level

R1(config)#logging trap ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
  <cr>

R1(config)#logging trap informational

5. Enable Timestamps (for better analysis)

/R1(config)#service timestamps log ?
  datetime  Timestamp with date and time
  uptime    Timestamp with system uptime
  <cr>

R1(config)#service timestamps log datetime ?
  localtime      Use local time zone for timestamps
  msec           Include milliseconds in timestamp
  show-timezone  Add time zone information to timestamp
  year           Include year in timestamp
  <cr>

R1(config)#service timestamps log datetime msec

6. On the Switch (SW1):

  • Enable Logging

Sw1(config)#logging on

  • Set the Syslog Server IP

Sw1(config)#logging 192.168.202.10

  • Specify Severity Level (E.g., Warnings and above)

Sw1(config)#logging trap ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
  <cr>

Sw1(config)#logging trap warnings

  • Enable Console Logging

Sw1(config)#logging console

Step 5: Verify Syslog Configuration

On the Router/Switch:

  • Check Syslog Configuration:

R1# show logging

Output should show the configured Syslog server (192.168.1.100).

  • Generate a Log Message Manually (For Testing):

R1(config)#interface fastEthernet 1/0
R1(config-if)#shutdown
R1(config-if)#no shutdown

Step 6: Monitor Logs on the Syslog Server

  • Open your Syslog server software

  • Check if logs from R1 and SW1 are being received

  • If logs do not appear:

    • Ensure firewall allows UDP 514

    • Check connectivity (ping 192.168.1.100 from router)

    • Verify show logging output

Step 7: Automating Log Analysis

For better network monitoring, use SIEM tools (e.g., Splunk, Graylog) to analyze logs and detect security threats.

Keywords

Syslog, network monitoring, Cisco CCNA, logging, router logs, switch logs, Syslog server, Kiwi Syslog, rsyslog, network security, log analysis, troubleshooting, UDP 514, event logging, logging levels, Cisco configuration, Packet Tracer, network management, log messages, SIEM tools, سیسکو

PreviousConfiguring Router-on-a-stick (ROAS) for VLANsNextSerial Point-to-Point Overview

Last updated 1 month ago

Topology