Skip to main content
Skip table of contents

Cisco Devices (syslog)

For additional information, see Configuring Cisco Devices to Use a Syslog Server.

LogRhythm uses the standard newline character - '\n' - to parse TCP syslog messages. If you need to support the '\r\n', '\r', or '\0' delimiters, you must enable SyslogUseEnhancedTCPDelimiters in the Advanced Agent Properties.

Syslog Configuration

Syslog reserves facilities local0 through local7 for log messages received from remote servers and network devices. Routers, switches, firewalls, and load balancers each logging with a different facility can each have its own log files for easy troubleshooting. The following examples will show how to have a different log file for each class of device.

If you have a large data center, then you may also want to switch off all logging to /var/log/messages. In all the network device configuration examples below, we are logging to the remote Linux logging server 192.168.1.100.

Cisco Routers

By default Cisco routers send syslog messages to their logging server with a default facility of local7. We do not set the facility in this case, but we can tell the router to timestamp the messages and make the messages have the source IP address of the loopback interface.

service timestamps log datetime localtime
no logging console
no logging monitor
logging 192.168.1.100

General Steps for Configuration of Syslog Servers on Cisco Devices

The following steps contain generic commands that can be run to configure a syslog server across Cisco devices.

These are generalized steps that may not be perfect on all Cisco devices. See your Cisco device documentation for more specific guidelines.

  1. Enter global configuration mode:

CODE
configure terminal
  1. Specify the syslog server:

CODE
logging host <IP address of syslog server>
  1. Set the severity level:

CODE
logging trap <severity level>
  1. Enable logging:

CODE
logging on
  1. (Optional.) Configure additional parameters (for example, timestamps or source interface):

CODE
service timestamps log datatime msec
logging soure-interface <interface>

Catalyst CAT Switches running CATOS

set logging server enable
set logging server 192.168.1.100
set logging level all 5
set logging server severity 6

Cisco Local Director

By default Cisco switches also send syslog messages to their logging server with a default facility of local7. We will not change this facility either, therefore making routers and switches log to the same file.

Local Directors use the "syslog output" command to set their logging facility and severity. The value provided must be in the format FF.SS (facility.severity) using the numbering scheme below:

Facility

FF Value

Severity

SS Value

local 0

16

System unusable

0

local 1

17

Immediate action required

1

local 2

18

Critical condition

2

local 3

19

Error conditions

3

local 4

20

Warning conditions

4

local 5

21

Normal but significant conditions

5

local 6

22

Informational messages

6

local 7

23

Debugging messages

7

Here we using facility LOCAL4 and logging debugging messages and above.
syslog output 20.7
no syslog console
syslog host 192.168.1.100

Cisco PIX Firewalls

PIX firewalls use the following numbering scheme to determine their logging facilities.

Facility

Logging Facility Command Value

local 0

16

local 1

17

local 2

18

local 3

19

local 4

20

local 5

21

local 6

22

local 7

23

This configuration example assumes that the logging server is connected on the side of the "inside" protected interface. We're sending log messages to facility LOCAL3 with a severity level of 5 (Notification) set by the "logging trap" command.

logging on
logging standby
logging timestamp
logging trap notifications
logging facility 19
logging host inside 192.168.1.100

Cisco CSS11000 (Arrowpoints)

The configuration for this is more straight forward. You specify the facility with an intuitive number using the "logging host" command and set the severity with the "logging subsystem" command. This example shows the CSS11000 logging facility LOCAL 6 and severity level 6 (Informational)

logging host 192.168.1.100 facility 6
set logging subsystem all info-6
logging commands enable

Sample Cisco syslog.conf File

CODE
#
# All LOCAL3 messages (debug and above) go to the firewall file ciscofw
#local3.debug /
var/log/cisco/ciscofw
## All LOCAL4 messages (debug and above) go to the Local Director file ciscold
#
local4.debug /var/log/cisco/ciscold## All LOCAL6 messages (debug and above) go to the CSS file ciscocss
#
local6.debug /var/log/cisco/ciscocss
#
# All LOCAL7 messages (debug and above) go to the ciscoacl
# This includes ACL logs which are logged at severity debug#
local7.debug /var/log/cisco/ciscoacl#
# LOCAL7 messages (notice and above) go to the ciscoinfo
# This excludes ACL logs which are logged at severity debug
#
local7.notice /var/log/cisco/ciscoinfo


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.