General understanding of Syslog

What is Syslog and logging: Syslog is a client-server protocol that uses port 514. It can be configured to use TCP, but by default it uses UDP and transfers logs in clear text. We can define logging as documenting and storing the triggered events in any technological environment. Stored logs can be used for security investigations, troubleshooting, or analysis of the technological environment.

At present, the logging architecture in our technological environment is made up of two elementary devices:

Syslog server: A host that accepts and processes log messages from one or more syslog clients.

Syslog client: A host that generates log messages and forwards them to a syslog server.

Logging for Network devices

  • We can configure logging for every triggered activity on routers, switches, firewalls, servers, etc.
  • Routers should be configured to send log messages to one or more of these:
  1. Console
  2. Terminal lines
  3. Memory buffer
  4. SNMP traps
  5. Syslog
  • Syslog logging is a key security policy component.

Network Architecture overview

[Figure: network topology]

In the above architecture we have a syslog server which is installed in the network and has full connectivity with every device in the network. Some devices are configured as syslog clients. Clients are configured to forward log messages to the server, and the server is configured to store those log messages.

Cisco Log Severity levels

Cisco has divided logs into 8 severity levels to enhance readability and to focus attention on the comparatively more important log messages. Below is the list of log levels and their corresponding severity:

[Figure: syslog severity levels]

This division helps network administrators focus on the more critical network issues. Basically, network administrators should act promptly when they see a log message with severity below 4 (3, LOG_ERROR).

Log Message Format:

Log messages are divided into 3 parts:

  • Time stamp: The time at which the log was generated.
  • Log name and severity: The identity of the message and its severity number.
  • Message Text: More information about the specific error.

[Figure: message format]

Configuring Logging on Routers:

Basic configuration of logging on a router involves just two steps:

  • Turn on the logging service on the router
  • Specify the IP of the syslog server

[Figure: basic logging configuration]

But Cisco routers give some more facilities to configure. For example, if we don't want all the logs to be forwarded to our syslog server, we can restrict it to a specific level from the CLI:

[Figure: trap level configuration]

In this configuration mode we can define the trap level, which means we can restrict the syslog client to forwarding only logs up to a specific level to the syslog server. This feature saves memory on the server and also the time of the system administrator who examines the logs. But all these decisions should be taken only on the basis of business needs.

There is one more attribute we can configure on Cisco routers: the log FACILITY. This is used to redirect or save the logs into specific folders if we are using UNIX servers as the syslog server:

[Figure: facility configuration]
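The message format and the trap-level filtering described above, as an added Python example that is not part of the original post: it parses constructed Cisco-style syslog lines into their three parts, decodes the PRI value into facility and severity, applies a `logging trap`-style cutoff, and flags what the post says needs prompt action (severity 3 or lower). The sample lines, the `triage` helper and the trap level of 4 are assumptions for illustration.

```python
import re
# Syslog/Cisco severity levels, 0 (most severe) to 7 (least severe).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
# <PRI> followed by the Cisco IOS message: optional sequence number,
# optional timestamp, then %FACILITY-SEVERITY-MNEMONIC: free text.
MSG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:\d+: )?"                                                   # sequence number
    r"(?:\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)(?: [A-Za-z]+)?: )?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$"
)

def parse(line):
    """Split one received line into the three parts described in the post."""
    m = MSG_RE.match(line)
    if m is None:
        return None  # not a Cisco-style message; caller decides what to do with it
    syslog_facility, _pri_severity = divmod(int(m["pri"]), 8)  # PRI = facility*8 + severity
    return {
        "timestamp": m["ts"],
        "name": f"{m['fac']}-{m['sev']}-{m['mnem']}",
        "severity": int(m["sev"]),
        "severity_name": SEVERITY_NAMES[int(m["sev"])],
        "syslog_facility": syslog_facility,  # 23 = local7, the Cisco default
        "text": m["text"],
    }

def forwarded(messages, trap_level):
    """Mimic 'logging trap <level>': only severities <= trap_level are sent on."""
    return [msg for msg in messages if msg["severity"] <= trap_level]

def needs_prompt_action(msg):
    """Severity 3 (errors) or more severe, per the guidance in the post."""
    return msg["severity"] <= 3

# Constructed sample lines: PRI = 184 + severity (facility local7 = 23).
SAMPLE_LINES = [
    "<189>45: *Mar  1 00:12:33.123: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
    "<187>46: *Mar  1 00:12:40.001: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<188>47: *Mar  1 00:13:02.500: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9]",
    "this line is not a syslog message",
]

def triage(lines, trap_level=4):
    """Parse, apply the trap cutoff, and return the names of messages needing prompt action."""
    parsed = [msg for msg in (parse(line) for line in lines) if msg is not None]
    return [msg["name"] for msg in forwarded(parsed, trap_level) if needs_prompt_action(msg)]
```

Lowering the trap level to 2 in `triage` silently drops the LINK-3-UPDOWN message, which is exactly the trade-off the post asks you to decide on business grounds.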

Few syslog servers

  • Windows based syslog
  • Kiwi Syslog
  • Debian Linux syslog server

And many more.

Kiwi Syslog and other syslog servers also have a feature for showing logs in a specific format, where you can configure a specific color for logs of a specific priority, so that readability is enhanced and the chance of missing critical messages is reduced. As an example, the figure below shows the interface where we can assign a color to a particular log level:

[Figure: Kiwi Syslog color assignment interface]

Thank You and happy learning!!
