Administrators analyze router logs because the logged information gives insight into the nature of an attack. The same information is used for troubleshooting, and logs collected from multiple devices support event correlation.

Cisco IOS routers can send log output to a variety of destinations, including the console, VTY lines, and the logging buffer. A syslog server is a popular choice for storing log information: it is easy to configure and can store very large volumes of logs.

There are two sides to the syslog logging system: syslog servers and syslog clients. A syslog server receives and stores the log messages sent by syslog clients.

Syslog messages can also be viewed from within Cisco SDM. Let us now see how to use the CLI to send syslog messages.

Lab Topology

Fig 1: Use CLI and SDM to configure Cisco routers to send Syslog messages to a Syslog server

Lab Setup

  • Make the connection as per the above diagram.
  • Use the IP addressing chart below to assign IP address to the routers.

IP Addressing Schema

Router   Interface   IP Address
R1       S0/0        100.1.12.1/24
R2       S0/0        100.1.12.2/24

Lab Objectives

  1. Using the CLI, configure R1 to log to the Syslog server 100.100.100.100 over a reliable transport. Log all messages up to the notifications level. Use the ID ROUTER2 and the UNIX facility local1.
  2. Configure the same objective using Cisco SDM.

Syslog Configuration Using the CLI

R1(config)#logging host 100.100.100.100 transport tcp (Configures the Syslog server IP and sends log messages over TCP, the reliable transport)

R1(config)#logging source-interface Loopback0 (Sets the source interface whose address the router uses when sending log messages)

R1(config)#logging trap notifications (Limits the messages sent to the syslog servers by severity; notifications are normal but significant conditions)

R1(config)#logging facility local1 (Sets the syslog facility under which the messages are sent)

Verification of Successful Configuration

R1#show logging

Syslog logging: enabled (12 messages dropped, 0 messages rate-limited,

0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

Console logging: level debugging, 29 messages logged, xml disabled,  filtering disabled

Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled

Buffer logging:  disabled, xml disabled, filtering disabled

Logging Exception size (4096 bytes)

Count and timestamp logging messages: disabled

Persistent logging: disabled

No active filter modules.

ESM: 0 messages dropped

Trap logging: level notifications, 32 message lines logged

Logging to 100.100.100.100  (tcp port 601,  audit disabled,

authentication disabled, encryption disabled, link down),

0 message lines logged,

0 message lines rate-limited,

0 message lines dropped-by-MD,

xml disabled, sequence number disabled

filtering disabled


Note:

IOS supports both TCP and UDP for transporting syslog messages. UDP is the default, but UDP does not provide reliable delivery the way TCP does. Sending with the UNIX facility local1 allows the syslog server to multiplex incoming messages, since it can separate this router's messages from other sources by facility. Multiple logging destinations can be configured, each with its own transport, but all servers share the same facility and trap level. In the show logging output above, the per-host line reports the transport state; "link down" means the TCP session to 100.100.100.100 is not currently established, so no message lines have reached that server yet.
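The CLI section above sets a trap level and a facility, and the note explains how the server uses the facility to multiplex messages. Both are encoded in the numeric PRI value at the start of every syslog message (PRI = facility * 8 + severity). The following Python script is an added example, not code from the original lab, showing how a syslog server-side check could parse lines in the format Cisco IOS uses (`<PRI>seq: timestamp: %FACILITY-SEVERITY-MNEMONIC: text`) and verify that each one matches the configured facility local1 and trap level notifications. The sample lines are constructed for this example; the function and variable names are the example's own, and the line format it assumes includes the optional sequence number and timestamp prefixes.

```python
"""Check received syslog lines against the lab's logging facility and trap
level.  Sample lines below are constructed for this example, not captured
from the lab routers."""

import re

# RFC 3164 facility numbers for the local-use facilities: local0 = 16 ... local7 = 23
LOCAL_FACILITIES = {16 + n: f"local{n}" for n in range(8)}

# IOS severity names in numeric order, 0 (emergencies) through 7 (debugging)
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# <PRI>, optional "seq:" counter, optional "timestamp:" prefix, then the IOS
# %FACILITY-SEVERITY-MNEMONIC: text body (format assumed for this example)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+):\s*)?"
    r"(?:(?P<stamp>[^%]*?):\s*)?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


def decode_pri(pri):
    """Split a PRI value into (facility, severity): PRI = facility * 8 + severity."""
    return pri // 8, pri % 8


def parse_cisco_syslog(line):
    """Return a dict describing the message, or None if the line does not parse."""
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    return {
        "facility": LOCAL_FACILITIES.get(facility, str(facility)),
        "severity": SEVERITIES[severity],
        "severity_num": severity,
        "seq": int(m.group("seq")) if m.group("seq") else None,
        "timestamp": m.group("stamp"),
        "ios_facility": m.group("fac"),
        "mnemonic": m.group("mnem"),
        "text": m.group("text"),
    }


def check_against_policy(line, expected_facility="local1", trap_level="notifications"):
    """Return (ok, reason): does the line match the router's configured
    'logging facility' and 'logging trap' settings?  A message above the
    trap level or under another facility did not come from the expected
    configuration and is worth investigating."""
    msg = parse_cisco_syslog(line)
    if msg is None:
        return False, "unparseable line"
    if msg["facility"] != expected_facility:
        return False, f"facility {msg['facility']} != {expected_facility}"
    if msg["severity_num"] > SEVERITIES.index(trap_level):
        return False, f"severity {msg['severity']} above trap level {trap_level}"
    return True, f"{msg['ios_facility']}-{msg['severity_num']}-{msg['mnemonic']}"


# Constructed sample lines.  PRI 141 = local1 (17) * 8 + notifications (5),
# PRI 142 = local1 + informational, PRI 37 = facility 4 + notifications.
SAMPLE_LINES = [
    "<141>25: *Mar  1 00:12:34.567: %LINEPROTO-5-UPDOWN: Line protocol on "
    "Interface Serial0/0, changed state to up",
    "<142>26: *Mar  1 00:12:35.001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to "
    "host 100.100.100.100 started - CLI initiated",
    "<37>27: *Mar  1 00:13:00.000: %SYS-5-CONFIG_I: Configured from console by console",
    "not a syslog line at all",
]


def summarize(lines):
    """Count lines that match the policy versus lines that need attention."""
    accepted = sum(1 for line in lines if check_against_policy(line)[0])
    return {"accepted": accepted, "flagged": len(lines) - accepted}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ok, reason = check_against_policy(line)
        print("OK  " if ok else "FLAG", reason)
    print(summarize(SAMPLE_LINES))
```

Run it as a script to see each constructed line accepted or flagged; a real deployment would feed it the lines received on the server's TCP listener instead of `SAMPLE_LINES`.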