Syslog

  • Centralized logging system that collects, stores, and manages log messages from network devices, servers, and applications across an enterprise
  • Uses UDP port 514 by default (unreliable delivery - fire and forget mechanism)
  • Based on RFC 3164 (original) and RFC 5424 (enhanced format with structured data)
  • Client-server model where network devices (clients) send log messages to syslog servers for centralized management

Syslog Message Format

  • Facility: Source of the message (what generated it)
  • Severity: Importance level of the message (0-7 scale)
  • Timestamp: When the event occurred
  • Hostname/IP: Device that generated the message
  • Message: Actual log content describing the event

Facility Codes

Code Facility Description
0 Kernel Operating system kernel messages
16 Local0 Custom application use
23 Local7 Custom application use
24 Mail Mail system messages

Severity Levels

Level Keyword Description Example Use Case
0 Emergency System unusable Complete network failure
1 Alert Immediate action needed Hardware failure detected
2 Critical Critical conditions Temperature threshold exceeded
3 Error Error conditions Interface down, routing protocol failure
4 Warning Warning conditions High CPU utilization, authentication failure
5 Notice Normal but significant Interface up, user login
6 Informational Informational messages Configuration changes, normal operations
7 Debug Debug messages Detailed troubleshooting information

Syslog Configuration

Cisco IOS Commands

  • logging <server-ip> - Configure syslog server destination
  • logging trap <level> - Set minimum severity level to send (sends specified level and higher severity)
  • logging facility <facility> - Set facility code for outgoing messages
  • logging source-interface <interface> - Specify source interface for syslog packets
  • logging on - Enable syslog globally (enabled by default)
  • no logging console - Disable console logging (useful to prevent console spam)

Example Configuration 

1
2
3
4

Router(config)# logging 192.168.1.100
Router(config)# logging trap warnings
Router(config)# logging facility local0
Router(config)# logging source-interface loopback0

Syslog vs SNMP Comparison

Aspect Syslog SNMP
Purpose Event logging and notification Network monitoring and management
Transport UDP 514 (unreliable) UDP 161/162 (SNMP v1/v2), TCP/UDP 161 (SNMP v3)
Data Flow Push model (devices send logs) Pull model (manager polls agents)
Message Type Text-based log messages Structured MIB data
Real-time Yes (immediate event notification) Polling-based (scheduled intervals)
Bandwidth Low (only when events occur) Higher (continuous polling)

Vocabulary

Facility: Categorizes the source or type of program generating the syslog message (allows filtering and routing of messages based on origin)

Severity Level: Numeric scale (0-7) indicating the importance or urgency of a syslog message (lower numbers = higher severity)

Trap Level: Minimum severity threshold - messages at this level and higher severity are sent to syslog server

Log Buffer: Local memory storage on network devices for temporary log message storage before transmission

Sequence Numbers: Optional feature that adds incremental numbers to syslog messages for tracking and identifying missing messages

Rate Limiting: Feature that prevents syslog message flooding by limiting the number of messages sent per time interval

Notes

  • Syslog uses UDP by default - messages can be lost in transit without notification (trade-off for reduced network overhead)
  • When configuring logging trap warnings, the device sends warnings (level 4) and all higher severity levels (0-4)
  • Use logging buffered to store logs locally on device memory (survives until reboot or buffer fills)
  • Syslog servers should be on reliable network segments - unreachable servers mean lost log data with no retry mechanism
  • Consider NTP synchronization across all devices for accurate timestamp correlation in centralized logs
  • Large networks often use multiple syslog servers for redundancy and load distribution
  • Syslog messages are sent in plain text by default - use secure variants (syslog over TLS) for sensitive environments
  • Debug level messages (7) can overwhelm networks - use sparingly and only during active troubleshooting
  • Modern implementations support structured data fields and enhanced formatting (RFC 5424) for better parsing and analysis