Setting up Syslog for Network Monitoring

Nerd Cafe

Syslog is a crucial protocol for logging network events, enabling administrators to monitor and troubleshoot network devices like routers and switches. In this guide, we will:

Explain Syslog fundamentals
Set up a Syslog server
Configure Cisco devices to send logs to the Syslog server
Verify and monitor Syslog messages

Step 1: Understanding Syslog

Syslog is a logging protocol used by network devices to send event messages to a centralized Syslog server.

Syslog Components:

Syslog Server – Collects and stores logs (e.g., a Linux/Windows server running Syslog software)
Syslog Clients – Cisco routers/switches sending logs to the Syslog server
Severity Levels:
- 0: Emergency (System is unusable)
- 1: Alert (Immediate action needed)
- 2: Critical (Serious issues)
- 3: Error (General errors)
- 4: Warning (Potential issues)
- 5: Notification (Normal but significant events)
- 6: Informational (Routine messages)
- 7: Debugging (Detailed logs for troubleshooting)

Step 2: Scenario & Topology

Scenario:

You are a network administrator and want to monitor logs from routers and switches using a Syslog server. You will set up a Syslog server on a PC and configure network devices to send logs to this server.

Topology:

Tools Needed:

Cisco Packet Tracer (or GNS3/real devices)
A Syslog server software (Kiwi Syslog, Rsyslog, or Syslog-ng)

Step 3: Setting Up the Syslog Server

On a PC (Windows/Linux):

Download Syslog Server:
- Windows: Install Kiwi Syslog Server
- Linux: Use rsyslog (sudo apt install rsyslog)
Configure the Syslog Server:
- Open the Syslog software and ensure it's listening on UDP port 514
- Set log storage options (e.g., save logs to a file)
- Start the Syslog service

Step 4: Configure Syslog on Cisco Devices

1. Basic Router (R1) Configuration

R1#configure terminal
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.202.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#^Z
R1#ping 192.168.202.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.202.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/9/12 ms
R1#ping 192.168.202.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.202.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/9/20 ms
R1#

2. Enable Logging:

R1(config)#logging on

3. Set the Syslog Server IP

R1(config)#logging 192.168.202.10

4. Specify the Logging Severity Level

R1(config)#logging trap ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
  <cr>

R1(config)#logging trap informational

5. Enable Timestamps (for better analysis)

/R1(config)#service timestamps log ?
  datetime  Timestamp with date and time
  uptime    Timestamp with system uptime
  <cr>

R1(config)#service timestamps log datetime ?
  localtime      Use local time zone for timestamps
  msec           Include milliseconds in timestamp
  show-timezone  Add time zone information to timestamp
  year           Include year in timestamp
  <cr>

R1(config)#service timestamps log datetime msec

6. On the Switch (SW1):

Enable Logging

Sw1(config)#logging on

Set the Syslog Server IP

Sw1(config)#logging 192.168.202.10

Specify Severity Level (E.g., Warnings and above)

Sw1(config)#logging trap ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
  <cr>

Sw1(config)#logging trap warnings

Enable Console Logging

Sw1(config)#logging console

Step 5: Verify Syslog Configuration

On the Router/Switch:

Check Syslog Configuration:

R1# show logging

Output should show the configured Syslog server (192.168.1.100).

Generate a Log Message Manually (For Testing):

R1(config)#interface fastEthernet 1/0
R1(config-if)#shutdown
R1(config-if)#no shutdown

Step 6: Monitor Logs on the Syslog Server

Open your Syslog server software
Check if logs from R1 and SW1 are being received
If logs do not appear:
- Ensure firewall allows UDP 514
- Check connectivity (ping 192.168.1.100 from router)
- Verify show logging output

Step 7: Automating Log Analysis

For better network monitoring, use SIEM tools (e.g., Splunk, Graylog) to analyze logs and detect security threats.

Keywords

Syslog, network monitoring, Cisco CCNA, logging, router logs, switch logs, Syslog server, Kiwi Syslog, rsyslog, network security, log analysis, troubleshooting, UDP 514, event logging, logging levels, Cisco configuration, Packet Tracer, network management, log messages, SIEM tools, سیسکو

PreviousConfiguring Router-on-a-stick (ROAS) for VLANs NextSerial Point-to-Point Overview

Last updated 8 months ago