Syslog is a crucial protocol for logging network events, enabling administrators to monitor and troubleshoot network devices like routers and switches. In this guide, we will:
Explain Syslog fundamentals
Set up a Syslog server
Configure Cisco devices to send logs to the Syslog server
Verify and monitor Syslog messages
Step 1: Understanding Syslog
Syslog is a logging protocol used by network devices to send event messages to a centralized Syslog server.
Syslog Components:
Syslog Server – Collects and stores logs (e.g., a Linux/Windows server running Syslog software)
Syslog Clients – Cisco routers/switches sending logs to the Syslog server
Severity Levels:
0: Emergency (System is unusable)
1: Alert (Immediate action needed)
2: Critical (Serious issues)
3: Error (General errors)
4: Warning (Potential issues)
5: Notification (Normal but significant events)
6: Informational (Routine messages)
7: Debugging (Detailed logs for troubleshooting)
Step 2: Scenario & Topology
Scenario:
You are a network administrator and want to monitor logs from routers and switches using a Syslog server. You will set up a Syslog server on a PC and configure network devices to send logs to this server.
Topology: (diagram not reproduced here)
Tools Needed:
Cisco Packet Tracer (or GNS3/real devices)
A Syslog server software (Kiwi Syslog, Rsyslog, or Syslog-ng)
Step 3: Setting Up the Syslog Server
On a PC (Windows/Linux):
Download Syslog Server:
Windows: Install Kiwi Syslog Server
Linux: Use rsyslog (sudo apt install rsyslog)
Configure the Syslog Server:
Open the Syslog software and ensure it's listening on UDP port 514
Set log storage options (e.g., save logs to a file)
Start the Syslog service
Step 4: Configure Syslog on Cisco Devices
1. Basic Router (R1) Configuration
2. Enable Logging
3. Set the Syslog Server IP
4. Specify the Logging Severity Level
5. Enable Timestamps (for better analysis)
6. On the Switch (SW1):
Enable Logging
Set the Syslog Server IP
Specify Severity Level (e.g., warnings and above)
Enable Console Logging
Step 5: Verify Syslog Configuration
On the Router/Switch:
Check Syslog Configuration:
Output should show the configured Syslog server (192.168.1.100).
Generate a Log Message Manually (For Testing):
Step 6: Monitor Logs on the Syslog Server
Open your Syslog server software
Check if logs from R1 and SW1 are being received
If logs do not appear:
Ensure the firewall on the server allows inbound UDP 514
Check connectivity (ping 192.168.1.100 from the router)
Verify the show logging output on the device
Step 7: Automating Log Analysis
For better network monitoring, use SIEM tools (e.g., Splunk, Graylog) to analyze logs and detect security threats.
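As an added example (not part of this guide or any of the tools it names), a small receiver-side parser in Python for the messages R1 and SW1 send: it decodes the <PRI> prefix into facility and severity using the table from Step 1, keeps the timestamp that "service timestamps log datetime msec" adds, flags a message whose %FAC-SEV-MNEMONIC severity disagrees with its PRI, and filters to warnings and above as configured on SW1. The sample lines and the 192.168.1.50 and 192.168.1.77 addresses are constructed for the example.

```python
import re

# Severity names from the table in Step 1 (list index = severity code 0..7).
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notification", "informational", "debugging"]

# One RFC 3164-style line as IOS sends it to UDP/514 with "service timestamps
# log datetime msec": <PRI> is facility*8 + severity, the "NN: " sequence number
# and the "*"/"." clock marker are optional, %FAC-SEV-MNEMONIC repeats severity.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:\d+: )?[*.]?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d{3})?): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)


def parse(line: str) -> dict:
    """Decode one Cisco syslog line; raise ValueError if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Cisco syslog line: {line!r}")
    pri = int(m["pri"])
    sev = pri % 8                       # the receiver trusts PRI, not the text
    return {
        "facility": pri // 8,           # 23 = local7, the IOS default
        "severity": sev,
        "severity_name": SEVERITY[sev],
        "timestamp": m["ts"],
        "mnemonic": f"%{m['fac']}-{m['sev']}-{m['mnemonic']}",
        "message": m["msg"],
        "severity_mismatch": sev != int(m["sev"]),  # token disagrees with PRI
    }


def at_or_above(lines, level: int = 4) -> list:
    """Keep records at `level` or more urgent; 4 = "warnings and above" (Step 4)."""
    return [r for r in map(parse, lines) if r["severity"] <= level]


# Constructed sample messages, not captured from a real device.
SAMPLE = [
    "<189>12: *Mar  1 00:01:10.233: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.50)",
    "<187>13: *Mar  1 00:02:45.901: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<188>14: *Mar  1 00:03:02.117: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.77]",
    "<190>15: *Mar  1 00:03:30.004: %SYS-6-LOGOUT: User admin has exited tty session 1(192.168.1.50)",
]
```

Running at_or_above(SAMPLE) on the constructed input returns only the LINK-3 and SEC_LOGIN-4 records, which is what a "logging trap warnings" setting on the device would forward in the first place.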
Timestamp options for Step 4, item 5 (R1 CLI help output):
R1(config)#service timestamps log ?
  datetime  Timestamp with date and time
  uptime    Timestamp with system uptime
  <cr>
R1(config)#service timestamps log datetime ?
  localtime      Use local time zone for timestamps
  msec           Include milliseconds in timestamp
  show-timezone  Add time zone information to timestamp
  year           Include year in timestamp
  <cr>
R1(config)#service timestamps log datetime msec