Administrators analyze router logs because the logged information gives insight into the nature of an attack. The same information is used for troubleshooting, and logs collected from several devices can be correlated to reconstruct a single event.
Cisco IOS routers can send log output to a variety of destinations, including the console, VTY lines (monitor), the internal buffer and a syslog server. The syslog server is a popular choice for storing log information: it is easy to configure and can hold very large volumes of logs.
There are two aspects to the syslog logging system namely syslog servers and syslog clients. A syslog server receives and stores log messages sent from syslog clients.
Syslog messages can also be viewed from within Cisco SDM. Let us now see how to use the CLI to send syslog messages.
- Make the connection as per the above diagram.
- Use the IP addressing chart below to assign IP address to the routers.
IP Addressing Schema
- Using the CLI, R1 should log to the syslog server 100.100.100.100 and should use a reliable transport. Log all messages up to the notifications level. Use the ID ROUTER2 and the UNIX facility local1.
- Configure the same objective with Cisco SDM.
Syslog Configuration Using the CLI
R1(config)#logging host 100.100.100.100 transport tcp (Configure the syslog server IP and send log messages over TCP, the reliable transport)
R1(config)#logging source-interface Loopback0 (Set the source interface whose address appears as the sender on the logged messages)
R1(config)#logging trap notifications (Limit messages sent to syslog servers by severity; notifications is level 5, normal but significant conditions)
R1(config)#logging facility local1 (Set the syslog facility under which the messages are sent)
Verification of Successful Configuration (output of R1#show logging)
Syslog logging: enabled (12 messages dropped, 0 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 29 messages logged, xml disabled, filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
Buffer logging: disabled, xml disabled, filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level notifications, 32 message lines logged
Logging to 100.100.100.100 (tcp port 601, audit disabled,
authentication disabled, encryption disabled, link down),
0 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
IOS supports both TCP and UDP for transporting syslog messages. UDP (port 514) is the default, but UDP offers no delivery guarantee, whereas TCP does. Reliable transport only helps once the TCP session is actually established: the output above shows the TCP destination with "link down" and "0 message lines logged" (and 12 messages dropped overall), so confirm the server is reachable and listening on TCP port 601 before trusting that logs are being collected. The same line also shows "authentication disabled, encryption disabled": the messages travel in cleartext, so the path to the syslog server should be a trusted or protected network. The UNIX facility local1 lets the syslog server demultiplex incoming messages, for example by writing everything tagged local1 to a file reserved for the routers. Multiple logging destinations can be configured, each with its own transport, but all servers share the same facility and trap level because logging facility and logging trap are global settings.
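The server side of the configuration above, as an added example that is not part of the original lab and not Cisco code: it decodes the syslog PRI byte into facility and severity (local1 is facility 17, so everything R1 sends carries PRI 136..141 under a trap level of notifications), checks that the severity digit in the IOS %FACILITY-SEVERITY-MNEMONIC tag agrees with the PRI, shows which severities a router configured with logging trap notifications will actually emit, and demultiplexes a stream of records by facility the way a server rule matching local1 would. Records are assumed to be newline-delimited, and the sample messages, sequence numbers and timestamps are constructed for this example.

```python
"""Decode and demultiplex Cisco IOS syslog records by facility and severity.

Added example, not part of the original lab. Input is assumed to be a
newline-delimited stream of RFC 3164-style records; sample data is constructed.
"""
import re
from collections import defaultdict

# RFC 3164 facility codes; "logging facility local1" on the router selects 17.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})

# IOS severity keywords indexed by level; "logging trap notifications" is level 5.
SEVERITIES = ["emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"]

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<body>.*)$")
# Optional sequence number (service sequence-numbers), optional timestamp
# (service timestamps log datetime msec), then the IOS message tag.
CISCO_BODY_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>[*.]?[A-Z][a-z]{2}\s+\d+(?: \d{4})? \d\d:\d\d:\d\d(?:\.\d+)?(?: [A-Z]+)?): )?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$"
)


def decode_pri(pri):
    """PRI = facility * 8 + severity, so facility is pri // 8 and severity is pri % 8."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 7


def would_be_sent(severity, trap_level="notifications"):
    """'logging trap <level>' forwards messages at that level or more urgent (numerically lower)."""
    return severity <= SEVERITIES.index(trap_level)


def parse(line):
    """Parse one record; the Cisco-specific fields are filled in when the body is an IOS message."""
    m = PRI_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    rec = {"facility": FACILITIES.get(facility, f"facility{facility}"),
           "severity": severity, "severity_name": SEVERITIES[severity],
           "seq": None, "mnemonic": None, "consistent": None, "text": m["body"]}
    cm = CISCO_BODY_RE.match(m["body"])
    if cm:
        rec["seq"] = int(cm["seq"]) if cm["seq"] else None
        rec["mnemonic"] = f"%{cm['fac']}-{cm['sev']}-{cm['mnem']}"
        rec["text"] = cm["msg"]
        # IOS encodes the same severity in the PRI and in the tag; a mismatch
        # points at a rewritten or forged message and is worth alerting on.
        rec["consistent"] = severity == int(cm["sev"])
    return rec


def demux(stream):
    """Bucket newline-delimited records by facility, as a server rule keyed on local1 would."""
    buckets = defaultdict(list)
    for line in stream.splitlines():
        rec = parse(line)
        if rec is not None:
            buckets[rec["facility"]].append(rec)
    return dict(buckets)


# Constructed sample stream: three IOS records from the router on local1 (severities 5, 4, 3),
# one record whose PRI severity (1) disagrees with its tag (5), and one ordinary host record.
SAMPLE_STREAM = "\n".join([
    "<141>12: *Mar  1 00:03:11.002: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<140>13: *Mar  1 00:03:40.410: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.99] [localport: 22]",
    "<139>14: *Mar  1 00:04:02.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<137>15: *Mar  1 00:04:09.551: %SYS-5-CONFIG_I: Configured from console by console",
    "<86>Mar  1 00:04:05 host1 sshd[1234]: Accepted publickey for ops from 10.0.0.5 port 51022",
])

if __name__ == "__main__":
    for facility, recs in demux(SAMPLE_STREAM).items():
        for r in recs:
            flag = "" if r["consistent"] in (None, True) else "  <-- PRI/tag severity mismatch"
            print(f"{facility:9} sev={r['severity']} ({r['severity_name']:13}) "
                  f"{(r['mnemonic'] or '-'):22} {r['text'][:40]}{flag}")
    print("informational (6) would be sent by R1:", would_be_sent(6))
```

Running it splits the stream into a local1 bucket holding the router's four records and an authpriv bucket holding the host record, flags the fourth router record because its PRI says alerts while its tag says 5, and reports that an informational (level 6) message would not be sent at all under logging trap notifications.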