A system message and error reporting service is an essential component of any operating system. The syslog system message service provides a means for the system and its running processes to report system state information to a network manager.
Cisco devices produce syslog messages as a result of network events. Every syslog message contains a time stamp (if enabled), severity level, and facility.
Example shows samples of syslog messages produced by the Cisco IOS software. The most common messages are those that a device produces upon exiting configuration mode, and the link up and down messages. If ACL logging is configured, the device generates syslog messages when packets match the ACL condition. ACL logging can be useful to detect packets that are denied access based on the security policy that is set by an ACL.
Example: Syslog Messages
The following parameters are used in the syslog messages:
■ A sequence number appears on the syslog message if the service sequence-numbers global configuration command is configured.
■ The time stamp shows the date and time of the message or event if the service timestamps log [datetime | uptime] global configuration command is configured. The time stamp can have one of three formats:
- mm/dd hh:mm:ss
- hh:mm:ss (for short uptimes)
- d h (for long uptimes)
■ Facility: A code consisting of two or more uppercase letters that indicates the facility to which the message refers. Syslog facilities are service identifiers used to identify and categorize system state data for error and event message reporting. A facility can be a hardware device, a protocol, or a module of the system software. The Cisco IOS software has more than 500 different facilities; the following are the most common:
- IP
- OSPF (OSPF protocol)
- SYS (operating system)
- IPsec (IP Security)
- RSP (Route Switch Processor)
- IF (interface)
- LINK (data link messages)
Other facilities include CDP, QoS, RADIUS, multicast (MCAST), MLS, TCP, VLAN trunking protocol (VTP), Telnet, and trivial file transfer protocol (TFTP).
■ Severity: A single-digit code (from 0 to 7) that reflects the severity of the condition; the lower the number, the more serious the situation. Syslog defines the following severity levels:
- Emergency (Level 0, which is the highest level)
- Alert (Level 1)
- Critical (Level 2)
- Error (Level 3)
- Warning (Level 4)
- Notice (Level 5)
- Informational (Level 6)
- Debugging (Level 7)
■ Mnemonic: A code that uniquely identifies the error message.
■ Description: A text string that describes the condition. This portion of the message sometimes contains detailed information about the event, including port numbers, network addresses, or addresses that correspond to locations in the system memory address space.
Syslog Distributed Architecture
Figure illustrates the syslog distributed architecture.
Figure: Syslog Distributed Architecture
Syslog messages are sent to the console session by default. A device must be configured to send syslog messages elsewhere; the configuration includes the address of the NMS or another device. Network devices can be configured to send syslog messages directly to the NMS or to the remote network host on which a syslog analyzer is installed. A syslog analyzer conserves bandwidth on WAN links because the analyzer usually applies different filters and sends only the predefined subset of all syslog messages it receives. The analyzer filters and periodically forwards messages to the central NMS. For example, the analyzer could filter ACL logging data from other router or switch syslog entries to ensure that the ACL logging data does not overwhelm the syslog reporting tool.
The Syslog Analyzer is a CiscoWorks Resource Manager Essentials application that supports a distributed syslog server architecture for localized collection, filtering, aggregation, and forwarding of syslog data to a central syslog server for further processing and analysis. The Syslog Analyzer also supports reporting functions to automatically parse the log data into predefined or custom formats for ease of use and readability.
When it receives a syslog message, the NMS applies filters to remove unwanted messages. Filters can also be applied to perform actions based on the received syslog message, such as paging or e-mailing the network manager.
Syslog data can consume large amounts of network bandwidth and might require a very large storage capacity based on the number of devices sending syslog messages, the syslog facility and severity levels set for each, and any error conditions that may trigger excessive log messages. Therefore, it is important to enable logging only for network facilities of particular interest and to set the appropriate severity level to provide sufficient, but not excessive, detail.
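As an added example (not part of the original text and not Cisco code), the following Python script ties the two halves of this section together: it parses constructed lines in the message layout described above (optional sequence number, optional time stamp, then %FACILITY-SEVERITY-MNEMONIC: description) and then applies the kind of analyzer-side filtering just described, splitting ACL logging messages into their own stream so they do not swamp the NMS and forwarding other messages only when their severity is at or below a chosen threshold. The sample lines are constructed, and treating facility SEC with IPACCESSLOG* mnemonics as "ACL logging" and using severity 5 as the forwarding threshold are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity levels as listed in the text (lower number = more serious).
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notice", 6: "informational", 7: "debugging",
}

# Field layout described in the text: optional sequence number, optional
# time stamp, then %FACILITY-SEVERITY-MNEMONIC: description. The time stamp
# is matched loosely so the uptime forms ("00:05:31", "3d04h") and the
# datetime form ("*Mar  1 00:02:13.647") all land in the same group.
LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"           # e.g. "000019: " (service sequence-numbers)
    r"(?:(?P<ts>[^%]*?):\s+)?"          # everything up to the colon before '%'
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-"  # facility code, e.g. SYS, LINK, OSPF
    r"(?P<severity>[0-7])-"             # single-digit severity
    r"(?P<mnemonic>[A-Z0-9_]+):\s*"     # mnemonic, e.g. CONFIG_I, UPDOWN
    r"(?P<description>.*)$"
)

# Constructed sample lines in Cisco IOS message layout (documentation IPs).
SAMPLE_LINES = [
    "000019: *Mar  1 00:02:13.647: %SYS-5-CONFIG_I: Configured from console by console",
    "000020: *Mar  1 00:02:20.113: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "000021: *Mar  1 00:02:21.115: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "3d04h: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4321) -> 198.51.100.5(23), 1 packet",
    "00:05:31: %OSPF-5-ADJCHG: Process 1, Nbr 198.51.100.2 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached",
    "%SYS-7-USERLOG_DEBUG: Message from tty0: test",
    "this line is not a syslog message",
]


@dataclass
class SyslogMessage:
    sequence: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    description: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_ios_syslog(line: str) -> Optional[SyslogMessage]:
    """Split one IOS-style line into its fields; None if the layout is not recognised."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return SyslogMessage(
        sequence=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"].strip() if m["ts"] else None,
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        description=m["description"].strip(),
    )


def parse_all(lines: List[str]) -> Tuple[List[SyslogMessage], List[str]]:
    """Parse a batch; unrecognised lines are returned separately rather than dropped silently."""
    parsed, rejected = [], []
    for line in lines:
        msg = parse_ios_syslog(line)
        (parsed if msg else rejected).append(msg if msg else line)
    return parsed, rejected


def split_for_forwarding(messages: List[SyslogMessage], max_severity: int = 5,
                         acl_facility: str = "SEC") -> Tuple[List[SyslogMessage], List[SyslogMessage]]:
    """Analyzer-style filtering (assumed policy): ACL logging messages go to their own
    bucket; everything else is forwarded only if severity <= max_severity."""
    forward, acl_log = [], []
    for msg in messages:
        if msg.facility == acl_facility and msg.mnemonic.startswith("IPACCESSLOG"):
            acl_log.append(msg)
        elif msg.severity <= max_severity:
            forward.append(msg)
    return forward, acl_log


if __name__ == "__main__":
    msgs, bad = parse_all(SAMPLE_LINES)
    fwd, acl = split_for_forwarding(msgs)
    for m in fwd:
        print(f"forward  {m.facility}-{m.severity}-{m.mnemonic} ({m.severity_name}): {m.description}")
    for m in acl:
        print(f"acl-log  {m.facility}-{m.severity}-{m.mnemonic}: {m.description}")
    print(f"{len(bad)} line(s) not recognised")
```

The time stamp group is deliberately loose because the three uptime and datetime formats listed earlier share only the trailing colon before the facility; the leading asterisk on the datetime form (IOS marks a clock that is not authoritative that way) is kept in the parsed string so an analyst can see it.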