How to Configure Syslog Server on Cisco Router for Logging

In this article I covered configuration steps you need to take on your Cisco Router or Switch to send messages to remote syslog server. Most of the Cisco devices use the syslog protocol to manage system logs and alerts. Syslog server is used to maintain log messages at centralized location, It improves the manageability of any size network and can decrease response times to resolve problems. Sending router log messages to a remote server also allows longer archiving of messages because Syslog server will have more storage than Cisco Router or Switch. Messages stored by syslog Server have permanence but Router doesn’t. When a router is reloaded or power cycled, the messages in its log are erased. In Syslog server there is a change view log messages even if Router power off.

Note: Before configuring a Cisco device to send syslog messages, make sure that it is configured with the right date, time, and time zone. Syslog data would be useless for troubleshooting if it shows the wrong date and time. You should configure all network devices to use NTP. Using NTP ensures a correct and synchronized system clock on all devices within the network. Setting the devices with the accurate time is helpful for event correlation.

Step by Step Syslog Server Configuration on Cisco Router

If you are configuring a Cisco Router for syslog logging then please follow the steps below:

1. Configure the Router to timestamp syslog messages and it helpful for troubleshooting. The options for the type keyword are debug and log.

Router(config)#logging ?
Hostname or A.B.C.D  IP address of the logging host
alarm                Configure syslog for alarms
buffered             Set buffered logging parameters
buginf               Enable buginf logging for debugging
cns-events           Set CNS Event logging level
console              Set console logging parameters
count                Count every log message and timestamp last occurance
discriminator        Create or modify a message discriminator
esm                  Set ESM filter restrictions
event                Global interface events
exception            Limit size of exception flush output
facility             Facility parameter for syslog messages
filter               Specify logging filter
history              Configure syslog history table
host                 Set syslog server IP address and parameters
ip                   IP configuration
listen               MWAM/SAMI remote console and logging listen enabler
message-counter      Configure log message to include certain counter value
monitor              Set terminal line (monitor) logging parameters
on                   Enable logging to all enabled destinations
origin-id            Add origin ID to syslog messages
persistent           Set persistent logging parameters
prefix               Configure logging prefix version
rate-limit           Set messages per second limit
reload               Set reload logging level
source-interface     Specify interface for source address in logging transactions
system               enable/disable System Event Log
trap                 Set syslog server logging level
userinfo             Enable logging of user info on privileged mode enabling
Router(config)# service timestamps type datetime [msec] [localtime] [show-timezone]

2.  Enable logging on Router by issuing the logging on command from global configuration mode.

Router(config)# logging on

3. In order to specify the Essentials server that is to receive the router syslog messages, issue the logging ip_address command. ip_address is the address of the server that collects the syslog messages.

Router(config)# logging 203.123.158.66

4. Now you can limit the types of messages that can be logged to the Syslog server, set the appropriate logging trap level with the logging trap command. The informational portion of the command signifies severity level 6. This means all messages from level 0-5 (from emergencies to notifications) are logged to the Essentials server.

Router(config)# logging trap informational

Valid logging facilities are local0 through local7. Valid levels are:

Emergency: 0
Alert: 1
Critical: 2
Error: 3
Warning: 4
Notice: 5
Informational: 6
Debug: 7

5. Specifies the facility level used by the syslog messages; the default is local7. Possible values are local0, local1, local2, local3, local4, local5, local6, and local7.

Router(config)# logging facility facility-type

6. In order to verify if the device sends syslog messages, run the sh logging command.

Example: Syslog Server Configuration on Router

Router#Router#config terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#logging on

Router(config)#logging 203.123.158.66

Router(config)#service timestamps debug datetime localtime show-timezone  msec

Router(config)#service timestamps log datetime localtime show-timezone msec

Router(config)#logging facility local3

Router(config)#logging trap informational

Router(config)#end

Find Syslog Logging Statistics with Show Logging Command

Router#show logging

Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)

Console logging: level debugging, 79 messages logged

Monitor logging: level debugging, 0 messages logged

Buffer logging: disabled

Trap logging: level informational, 80 message lines logged

Logging to 203.123.158.66, 57 message lines logged