Capturing Logs with Syslog
Centralize network logging with Syslog for comprehensive visibility and rapid troubleshooting
In any well-managed network, visibility is key, and Syslog is one of the most powerful tools for gaining it. Whether it's a failed interface, unauthorized access attempt, or routine configuration change, your devices know what's happening. Syslog provides the mechanism to capture and centralize those events.
Syslog is a universal logging protocol that enables network devices to send messages to a central syslog server, typically over UDP port 514. These messages contain a severity level and a facility code identifying which subsystem generated the message.
Syslog Severity Levels
| Level | Severity | Description | Example Use Case |
|---|---|---|---|
| 0 | Emergency | System is unusable | Total system failure |
| 1 | Alert | Immediate action required | Hardware failure detected |
| 2 | Critical | Critical conditions | Interface down |
| 3 | Error | Error conditions | Authentication failure |
| 4 | Warning | Warning conditions | High CPU usage |
| 5 | Notice | Normal but significant | Configuration change |
| 6 | Informational | Informational messages | User login |
| 7 | Debug | Debug-level messages | Protocol debugging |
Timestamping — Critical for Log Correlation
Accurate timestamps transform raw logs into a forensic timeline. Without precise, synchronized timestamps across all devices, correlating events during an incident becomes nearly impossible.
```
! Enable millisecond timestamps on all logs
Router(config)# service timestamps log datetime localtime show-timezone msec
Router(config)# service timestamps debug datetime localtime show-timezone msec
```
With synchronized clocks, one interface failure appears as an ordered sequence across several devices:
```
10:15:32.123 Router-A: %LINEPROTO-5-UPDOWN: GigabitEthernet0/1 changed state to down
10:15:32.125 Switch-B: %LINK-3-UPDOWN: GigabitEthernet1/0/24 changed state to down
10:15:32.127 Router-C: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.1 from Full to Down
10:15:32.890 Router-A: %DUAL-5-NBRCHANGE: EIGRP 100, Nbr 10.0.0.2 is down
```
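The correlation step described above, as an added example that is not part of the original article: it parses lines in the sample's `HH:MM:SS.mmm host: %FACILITY-SEVERITY-MNEMONIC: text` shape, sorts them by millisecond timestamp, groups events that fall within a configurable window, and reports the worst severity per group; `decode_pri` additionally splits a raw RFC 3164 `<PRI>` value into the facility and severity numbers used in the table. The window size, the sample lines and their ordering are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Matches the page's sample format: "HH:MM:SS.mmm host: %FACILITY-SEVERITY-MNEMONIC: text"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<host>\S+): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$"
)
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

def decode_pri(pri):
    """Split an RFC 3164 <PRI> value into (facility, severity).
    PRI = facility * 8 + severity, so local0 (16) at Informational (6) is 134."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0..191")
    return divmod(pri, 8)

def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"), "host": m["host"],
            "facility": m["fac"], "severity": int(m["sev"]),
            "mnemonic": m["mnem"], "text": m["text"]}

def correlate(lines, window_ms=10):
    """Order events by millisecond timestamp and put each event in the same
    group as the previous one when they are no more than window_ms apart."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    groups = []
    for e in events:
        if groups and e["ts"] - groups[-1][-1]["ts"] <= timedelta(milliseconds=window_ms):
            groups[-1].append(e)
        else:
            groups.append([e])
    return groups

def summarize(group):
    """Start time, devices involved, and the worst severity seen in a group."""
    worst = min(e["severity"] for e in group)
    return (group[0]["ts"].strftime("%H:%M:%S.%f")[:-3],
            [e["host"] for e in group], SEVERITY_NAMES[worst])

# Constructed sample: the page's outage, deliberately out of order, plus one bad line
SAMPLE = [
    "10:15:32.125 Switch-B: %LINK-3-UPDOWN: GigabitEthernet1/0/24 changed state to down",
    "10:15:32.890 Router-A: %DUAL-5-NBRCHANGE: EIGRP 100, Nbr 10.0.0.2 is down",
    "10:15:32.123 Router-A: %LINEPROTO-5-UPDOWN: GigabitEthernet0/1 changed state to down",
    "10:15:32.127 Router-C: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.1 from Full to Down",
    "not a syslog line",
]

if __name__ == "__main__":
    for g in correlate(SAMPLE):
        print(summarize(g))
```

The three interface and adjacency messages land in one group because they are 2 ms apart, while the EIGRP neighbour loss 763 ms later starts a second group; a malformed line is dropped rather than breaking the timeline.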
Platform Support
- Cisco IOS, IOS-XE, IOS-XR, NX-OS
- Juniper Junos
- Fortinet FortiOS
- HP/Aruba ArubaOS, ProCurve
- Arista EOS
- Ubiquiti UniFi OS
- Linux: rsyslog, syslog-ng
- BSD: native syslog daemon
- Windows: NXLog, Splunk UF agents
- AWS CloudWatch Logs
- Azure Monitor Logs
- Google Cloud Logging
Configuration Examples
Cisco IOS device (IOS ignores lines beginning with `!`, so comments use that character, not `#`):
```
! Enable timestamps
service timestamps log datetime localtime show-timezone msec
service timestamps debug datetime localtime show-timezone msec
! Configure syslog server
logging host 192.168.10.100
! Send levels 0-6 to the server
logging trap informational
! Use the local0 facility
logging facility local0
logging source-interface Loopback0
! Local buffer for immediate console review
logging buffered 32768 informational
```
rsyslog server:
```
# Enable UDP reception on port 514
module(load="imudp")
input(type="imudp" port="514")
# Separate logs by device facility
local0.* /var/log/network/cisco.log
local1.* /var/log/network/juniper.log
local2.* /var/log/network/fortinet.log
# Forward to remote SIEM over TCP (@@) for reliable delivery
*.* @@192.168.10.200:514
```
logrotate policy for the per-vendor files:
```
/var/log/network/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    copytruncate
}
```
Log Analysis Tools
| Tool | Best For | Key Features |
|---|---|---|
| Graylog | Mid-size networks | Real-time alerting, scalable, user-friendly |
| ELK Stack | Large enterprises | Powerful search, custom dashboards, real-time analytics |
| Splunk | Complex environments | Advanced analytics, machine learning, extensive integrations |
| SolarWinds SEM | Enterprise networks | SNMP/NetFlow correlation, vendor support |
| Wazuh | Security-focused | Open-source SIEM with compliance reporting |
Best Practices
- Enable millisecond timestamps on all devices: `service timestamps log datetime localtime msec`
- Synchronize all devices with NTP before deploying Syslog; timestamps are useless without it
- Use TCP (port 1468) or TLS Syslog instead of UDP 514 for reliable log delivery
- Use `logging source-interface Loopback0` for consistent log source identification
- Send logs to at least two destinations for redundancy
- Set log level to Informational (6) in production, not Debug (7)
- Configure a local buffer (`logging buffered 32768`) for local troubleshooting
- Implement a log retention policy: minimum 90 days for compliance, 1 year for forensics
