syslog Configuration and Cisco Devices

syslog Configuration and Cisco Devices

Introduction

Syslog reserves facilities local0 through local7 for log messages received from remote servers and network devices. Routers, switches, firewalls and load balancers each logging with a different facility can each have their own log files for easy troubleshooting. The following examples will show how to have a different log file for each class of device.

If you have a large data center, then you may also want to switch off all logging to /var/log/messages as suggested above for the home/SOHO environment. In all the network device configuration examples below we are logging to the remote Linux logging server 192.168.1.100 which we set up in the previous section.

Cisco Routers

By default Cisco routers send syslog messages to their logging server with a default facility of local7. Don't set the facility in this case, but do tell the router to timestamp the messages and make the messages have the source IP address of the loopback interface.

service timestamps log datetime localtime

no logging console

no logging monitor

logging 192.168.1.100

Catalyst CAT Switches running CATOS

By default Cisco switches also send syslog messages to their logging server with a default facility of local7. Don't change this facility either, therefore making routers and switches log to the same file.

set logging server enable

set logging server 192.168.1.100

set logging level all 5

set logging server severity 6

Cisco Local Director

Local Directors use the syslog output command to set their logging facility and severity. The value provided must be in the format FF.SS (facility.severity) using the numbering scheme in Table IV-1:

Table IV-1 Syslog Facility and Severity Numbering Scheme for Local Directors

This example uses facility local4 and the logging debugging messages from Table IV-1.

syslog output 20.7

no syslog console

syslog host 192.168.1.100

Cisco PIX Filewalls

PIX firewalls use the numbering scheme in Table IV.2 to determine their logging facilities.

Table IV-2 Syslog Facility and Severity Numbering Scheme for PIX Firewalls

This configuration example assumes that the logging server is connected on the side of the 'inside' protected interface. It sends log messages to facility local3 with a severity level of 5 (Notification) set by the logging trap command.

logging on

logging standby

logging timestamp

logging trap notifications

logging facility 19

logging host inside 192.168.1.100

Cisco CSS11000 (Arrowpoints)

The configuration for the Cisco CSS11000 load balancer series is more straightforward. You specify the facility with an intuitive number using the logging host command and set the severity with the logging subsystem command. This example shows the CSS11000 logging facility local6 and severity level 6 (Informational):

logging host 192.168.1.100 facility 6

set logging subsystem all info-6

logging commands enable

The Sample Cisco syslog.conf File

# All LOCAL3 messages (debug and above) go to the firewall file ciscofw

local3.debug /var/log/cisco/ciscofw

# All LOCAL4 messages (debug and above) go to the Local Director file ciscold

local4.debug /var/log/cisco/ciscold

# All LOCAL6 messages (debug and above) go to the CSS file ciscocss

local6.debug /var/log/cisco/ciscocss

# All LOCAL7 messages (debug and above) go to the ciscoacl

# This includes ACL logs which are logged at severity debug

local7.debug /var/log/cisco/ciscoacl

# LOCAL7 messages (notice and above) go to the ciscoinfo

# This excludes ACL logs which are logged at severity debug

local7.notice /var/log/cisco/ciscoinfo