Syslog is a logging standard designed to let logs be created on an endpoint server, system, or device and then be stored locally or sent to a central server or storage system. Because syslog is a standardized format, logs sent in syslog format can be more readily analyzed by log analysis packages. However, there is no required standard for the content of the actual log message itself, so analysis tools need plug-ins, modules, or rules designed to handle syslog data from each vendor or device that they analyze.
Syslog contains specific codes to provide information about the program that logs a given message (the facility); the severity level of the message, from level 7 debugging messages to level 0 emergency messages; and of course, the actual message that is being sent.
You can view system logs on a Windows machine (in this case a Windows 2012 Server) by typing event in the Search bar and clicking Event Viewer.
You'll see different types of logs under Event Viewer, such as the Windows Logs for Application, Security, Setup, System, etc.
Double-click a specific log to view more details. In this case I went to Windows Logs > Security.
To view system logs on a Linux machine (in this case Ubuntu), click Search (topmost icon) > type log > click System Log.
It opens syslog by default. You can click on the other log types: auth.log (authentication log), dpkg.log (package manager log) and Xorg.0.log (X server log).
You can view system logs on a network device by issuing the show logging or show log command. The syslog messages are stored in buffer memory and are lost if the device reboots. Below is the show logging output from a Cisco router, a switch and an ASA firewall in my lab.
R1#show logging
Syslog logging: enabled (0 messages dropped, 3 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 23 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 23 messages logged, xml disabled,
filtering disabled
Exception Logging: size (8192 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
Trap logging: level informational, 26 message lines logged
Logging Source-Interface: VRF Name:
Log Buffer (8192 bytes):
*Feb 21 11:14:47.803: %IFMGR-7-NO_IFINDEX_FILE: Unable to open nvram:/ifIndex-table No such file or directory
*Feb 21 11:15:04.839: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
*Feb 21 11:15:04.847: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Feb 21 11:15:04.855: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Feb 21 11:15:04.863: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up
*Feb 21 11:15:05.791: %SYS-5-CONFIG_I: Configured from memory by console
*Feb 21 11:15:06.159: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
*Feb 21 11:15:06.163: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
*Feb 21 11:15:06.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to down
*Feb 21 11:15:06.319: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)M11, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 16-Oct-16 07:53 by prod_rel_team
*Feb 21 11:15:06.347: %SNMP-5-COLDSTART: SNMP agent on host R1 is undergoing a cold start
*Feb 21 11:15:06.463: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Feb 21 11:15:06.467: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*Feb 21 11:15:07.799: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Feb 21 11:15:07.811: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Feb 21 11:15:07.839: %LINK-5-CHANGED: Interface FastEthernet1/1, changed state to administratively down
*Feb 21 11:15:25.487: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
*Feb 21 11:15:39.299: %SYS-5-CONFIG_I: Configured from console by console
*Feb 21 11:17:06.147: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Feb 21 11:17:07.147: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Feb 21 11:17:07.687: %SYS-5-CONFIG_I: Configured from console by console
*Feb 21 11:17:08.975: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up
*Feb 21 11:17:09.975: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
SW1#show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
Active Message Discriminator:
EXCESS severity group drops 6
msg-body drops EXCESSCOLL
No Inactive Message Discriminator.
Console logging: level debugging, 62 messages logged, xml disabled,
filtering disabled, discriminator(EXCESS),
0 messages rate-limited, 1366 messages dropped-by-MD
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 1428 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
Trap logging: level informational, 1428 message lines logged
Logging Source-Interface: VRF Name:
Log Buffer (50000 bytes):
*Feb 18 02:36:10.265: %LINK-5-CHANGED: Interface Ethernet2/3, changed state to administratively down
*Feb 18 02:36:11.270: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet2/3, changed state to down
*Feb 18 02:36:25.809: %LINK-3-UPDOWN: Interface Ethernet2/3, changed state to up
*Feb 18 02:36:27.820: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet2/3, changed state to up
*Feb 18 02:36:29.510: %SYS-5-CONFIG_I: Configured from console by console
*Feb 18 02:47:00.774: %LINK-5-CHANGED: Interface Ethernet1/1, changed state to administratively down
*Feb 18 02:47:01.778: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/1, changed state to down
*Feb 18 02:47:02.886: %SYS-5-CONFIG_I: Configured from console by console
*Feb 18 02:47:03.810: %LINK-3-UPDOWN: Interface Ethernet1/1, changed state to up
*Feb 18 02:47:05.819: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/1, changed state to up
*Feb 18 10:34:34.974: %LINK-5-CHANGED: Interface Ethernet1/3, changed state to administratively down
*Feb 18 10:34:35.979: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/3, changed state to down
*Feb 18 10:34:38.116: %SYS-5-CONFIG_I: Configured from console by console
*Feb 18 10:34:39.212: %LINK-3-UPDOWN: Interface Ethernet1/3, changed state to up
*Feb 18 10:34:40.216: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/3, changed state to up
*Feb 19 12:19:39.277: %SYS-5-CONFIG_I: Configured from console by console
*Feb 19 12:20:49.850: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/1, changed state to up
*Feb 19 13:12:48.851: %AMDP2_FE-6-EXCESSCOLL: Ethernet3/3 TDR=0, TRC
ciscoasa# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level informational, 22 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
%ASA-5-111008: User 'enable_15' executed the 'logging buffered 6' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'logging buffered 6'
%ASA-5-111005: console end configuration: OK
%ASA-5-111007: Begin configuration: console reading from terminal
%ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'configure terminal'
%ASA-5-111008: User 'enable_15' executed the 'interface GigabitEthernet 2' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'interface GigabitEthernet 2'
%ASA-5-111008: User 'enable_15' executed the 'shutdown' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'shutdown'
%ASA-4-411002: Line protocol on Interface GigabitEthernet2, changed state to down
%ASA-4-411003: Interface GigabitEthernet2, changed state to administratively up
%ASA-5-111008: User 'enable_15' executed the 'no shutdown' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'no shutdown'
%ASA-4-411001: Line protocol on Interface GigabitEthernet2, changed state to up
%ASA-4-411004: Interface GigabitEthernet2, changed state to administratively down
%ASA-5-111008: User 'enable_15' executed the 'shutdown' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'shutdown'
%ASA-4-411002: Line protocol on Interface GigabitEthernet2, changed state to down
%ASA-5-111005: console end configuration: OK
The Cisco ASA firewall has a graphical user interface (GUI) called Adaptive Security Device Manager (ASDM). To view real-time firewall syslogs, go to Monitoring > Logging > Real-Time Log Viewer > View.
You can click Pause to temporarily stop the real-time log view from updating. Click on a specific log to view more information under Syslog Details.
It's a best practice to send syslogs to a remote syslog server. In my lab I used Kiwi Syslog Server, which is free for 14 days. You need to configure the device to send its syslogs to the syslog server's IP address by issuing the command logging host <SYSLOG IP ADDRESS>.
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#logging ?
Hostname or A.B.C.D IP address of the logging host
alarm Configure syslog for alarms
buffered Set buffered logging parameters
buginf Enable buginf logging for debugging
cns-events Set CNS Event logging level
console Set console logging parameters
count Count every log message and timestamp last occurance
delimiter Append delimiter to syslog messages
discriminator Create or modify a message discriminator
dmvpn DMVPN Configuration
esm Set ESM filter restrictions
exception Limit size of exception flush output
facility Facility parameter for syslog messages
filter Specify logging filter
history Configure syslog history table
host Set syslog server IP address and parameters
message-counter Configure log message to include certain counter value
monitor Set terminal line (monitor) logging parameters
on Enable logging to all enabled destinations
origin-id Add origin ID to syslog messages
persistent Set persistent logging parameters
policy-firewall Firewall configuration
queue-limit Set logger message queue size
rate-limit Set messages per second limit
reload Set reload logging level
server-arp Enable sending ARP requests for syslog servers when
first configured
source-interface Specify interface for source address in logging
transactions
trap Set syslog server logging level
userinfo Enable logging of user info on privileged mode enabling
R2(config)#logging host ?
Hostname or A.B.C.D IP address of the syslog server
ipv6 Configure IPv6 syslog server
R2(config)#logging host 192.168.1.50
R2(config)#log
*Feb 25 20:19:53.650: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.50 port 514 started - CLI initiated
R2(config)#end
R2#
*Feb 25 20:20:25.414: %SYS-5-CONFIG_I: Configured from console by console
Just follow the Kiwi Syslog Server installation wizard.
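As an added example (not code from the original post), here is a small Python parser for the Cisco message format seen in the outputs above (%FACILITY-SEVERITY-MNEMONIC, with the ASA using a numeric message ID in place of the mnemonic). It also applies the trap level rule from the remote-logging section: with Trap logging at level informational (6), a level-7 debugging message such as the IFMGR line stays in the local buffer but is never forwarded to the syslog server. The PRI arithmetic and the facility-20 = local4 mapping come from RFC 3164, not from the post; the sample lines are copied from the outputs above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 3164 / Cisco IOS severity names, level 0 (emergencies) to 7 (debugging).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# IOS buffer line: optional "*Feb 21 11:15:04.847: " timestamp, then
# %FACILITY-SEVERITY-MNEMONIC: message.  ASA lines look like
# "%ASA-5-111008: message" (numeric message ID, no timestamp when
# "Timestamp logging: disabled", as in the ASA output above).
CISCO_RE = re.compile(
    r"^(?:\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<message>.*)$"
)


@dataclass
class CiscoSyslog:
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    message: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_cisco_line(line: str) -> Optional[CiscoSyslog]:
    """Parse one IOS/ASA log line; continuation lines (e.g. the IOS banner
    printed after %SYS-5-RESTART) do not match and return None."""
    m = CISCO_RE.match(line.strip())
    if not m:
        return None
    return CiscoSyslog(m["ts"], m["facility"], int(m["severity"]),
                       m["mnemonic"], m["message"])


def forwarded_to_syslog_server(entry: CiscoSyslog, trap_level: int) -> bool:
    """'logging trap <level>' forwards only messages at that severity or more
    severe, i.e. with a level number less than or equal to the trap level."""
    return entry.severity <= trap_level


def syslog_priority(facility_code: int, severity: int) -> int:
    """RFC 3164 PRI = facility * 8 + severity.  The ASA above reports
    'Facility: 20' (local4), so its level-5 messages carry PRI 165."""
    return facility_code * 8 + severity


# Sample lines taken from the show logging outputs above.
SAMPLE_LINES = [
    "*Feb 21 11:14:47.803: %IFMGR-7-NO_IFINDEX_FILE: Unable to open nvram:/ifIndex-table No such file or directory",
    "*Feb 21 11:15:04.847: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
    "*Feb 21 11:15:06.319: %SYS-5-RESTART: System restarted --",
    "Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)M11, RELEASE SOFTWARE (fc2)",
    "%ASA-5-111008: User 'enable_15' executed the 'shutdown' command.",
]


def summarize(lines: List[str], trap_level: int = 6) -> Tuple[List[CiscoSyslog], List[CiscoSyslog]]:
    """Return (all parsed entries, the subset the trap level would forward)."""
    entries = [e for e in (parse_cisco_line(l) for l in lines) if e]
    forwarded = [e for e in entries if forwarded_to_syslog_server(e, trap_level)]
    return entries, forwarded


if __name__ == "__main__":
    entries, forwarded = summarize(SAMPLE_LINES)
    for e in entries:
        print(f"{e.facility:<6} level {e.severity} ({e.severity_name}) {e.mnemonic}")
    print(f"{len(forwarded)} of {len(entries)} messages reach the server at trap level informational")
```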