Syslog

 

Syslog is a process, or daemon, that runs on UNIX servers. The process collects information and stores it in log files. File management systems on the server are used to maintain the files.

Overview of Syslog

Messages are sent from various services running on the UNIX server, or from other network nodes. The service that sends the message indicates its facility type. The syslog daemon utilizes the indicated facility type when determining how to log the message. Table 9-3 lists the various facility types.

Table 9-3. Syslog Facility Types

  Facility Type   Service
  -------------   ------------------------
  Auth            Authorization system
  Cron            Cron facility
  Daemon          System daemon
  Kern            Kernel
  Local0-7        Locally defined messages
  Lpr             Printer system
  Mail            Mail system
  News            USENET news
  Sys9-14         System use
  Syslog          System log
  User            User process
  Uucp            UNIX-to-UNIX copy system

A syslog daemon is configured by updating a file on the server in the /etc directory called syslog.conf. The syslog daemon reads this file upon startup to determine how to handle incoming messages. The file contains lines such as the following:

  local7.debug     /user/adm/logs/cisco.log

The preceding line indicates that local7 facility messages, with level debugging or higher, will get logged to the file cisco.log, located in the /user/adm/logs directory. The entries in the file are case-sensitive.

Any configuration file change requires the UNIX administrator to force the syslog daemon to reread the file.

Router Configuration for Syslog

Cisco routers use the local7 facility by default when sending messages to a syslog server. If this facility is being used by another process sending messages to the syslog server, you can change the facility type on the Cisco router using the following configuration command:

  logging facility   facility-type  

The router configuration in Example 9-17 enables syslog logging to the specified host. Messages with level notifications and above are logged.

Example 9-17 Enabling Syslog Logging to a Specified Host
  logging 172.16.1.2
  logging trap notifications

Include a line such as the following in the /etc/syslog.conf file on the UNIX server:

  local7.notice     /usr/adm/logs/cisco.log  

NOTE

Refer to the User Manual pages for your particular server, syslog configuration file, and syslog daemon for specific information.


local7 specifies the logging facility, and notifications is the logging level. All information is stored in the file cisco.log in the /usr/adm/logs directory. The file must already exist, and the syslog daemon must have permission to write to it. Verify that the syslog daemon is running and that it has reread the configuration file after any configuration changes.

NOTE

Processes are forced to reread configuration files with the UNIX kill command, along with specific signals. Refer to the UNIX system's User Manual pages for the kill command for details.
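
The selector rule described above (a facility.level entry matches that level or higher) can be checked against the priority value that begins each syslog datagram, where priority = facility * 8 + severity. The following Python code is an added example, not part of the original text; the function names, the sequence numbers and the two messages other than CONFIG_I are constructed, and only the single facility.level form shown in this section is parsed.

```python
import re

# Facility keywords -> numeric codes used in the PRI field (BSD syslog / RFC 3164).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              **{f"local{i}": 16 + i for i in range(8)}}
# syslog.conf level keywords; the list index is the numeric severity (0 = most severe).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def decode_pri(datagram):
    """Return (facility_code, severity) from the leading <PRI> of a syslog datagram."""
    m = re.match(r"<(\d{1,3})>", datagram)
    if not m or int(m.group(1)) > 191:      # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("missing or out-of-range PRI field")
    return divmod(int(m.group(1)), 8)       # PRI = facility * 8 + severity

def parse_conf(text):
    """Parse 'facility.level  /path' lines into (facility_code, max_severity, path)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        selector, path = line.split(None, 1)
        facility, level = selector.split(".", 1)
        # Keywords are case-sensitive, so 'Local7' or 'NOTICE' raises here.
        rules.append((FACILITIES[facility], LEVELS.index(level), path.strip()))
    return rules

def route(rules, datagram):
    """Files that receive the datagram: same facility, severity at or above the level."""
    facility, severity = decode_pri(datagram)
    return [path for fac, max_sev, path in rules
            if fac == facility and severity <= max_sev]

# Constructed sample input: the syslog.conf line from this section plus three datagrams.
CONF = "local7.notice    /usr/adm/logs/cisco.log\n"
CONFIG_CHANGE = "<189>45: %SYS-5-CONFIG_I: Configured from console by console"
DEBUG_MSG = "<191>46: constructed debugging-level message"
OTHER_FACILITY = "<29>constructed daemon-facility message"

if __name__ == "__main__":
    rules = parse_conf(CONF)
    for msg in (CONFIG_CHANGE, DEBUG_MSG, OTHER_FACILITY):
        print(decode_pri(msg), route(rules, msg))
```

Only the configuration-change message is written to cisco.log: the debugging message is below the notice level, and the third message arrives on a different facility.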


Some routers support the capability to send syslog messages via SNMP to the SNMP network manager. Enable this by entering the router command snmp-server enable traps syslog and specifying the level of logs to be sent using the command logging history level.

Example 9-18 shows a syslog message sent in an SNMP packet from the router.

Example 9-18 A Syslog Message Generated as the Result of a Configuration Change Is Sent via SNMP
  Cascade# conf t
  Cascade(config)# snmp-server enable traps syslog
  Cascade(config)# logging history notification
  Cascade(config)# ^Z
  SNMP: V1 Trap, ent ciscoSyslogMIB.2, addr 10.2.1.1
   clogHistoryEntry.2.65 = SYS
   clogHistoryEntry.3.65 = 6
   clogHistoryEntry.4.65 = CONFIG_I
   clogHistoryEntry.5.65 = Configured from console by console
   clogHistoryEntry.6.65 = 30249161

The syslog message is generated as the result of a router configuration modification. The 65 at the end of each clogHistoryEntry line is the index identifying the particular event. The number before the index, which ranges from 1 through 6, identifies the field of the history entry. Entry 2 is the facility that generated the message; the facility in Example 9-18 is SYS. Entry 3 is the severity of the message, and a value of 6 indicates notification. Entry 4 is a textual identification of the message type. Entry 5 is the actual text of the message. Entry 6 is the value of sysUpTime when the message was generated.

NOTE

The syslog MIB is fully defined at www.cisco.com/public/mibs/v1/CISCO-SYSLOG-MIB-V1SMI.my.


Sending the syslog message to the SNMP management station simplifies data management by collecting the data on a single server, under a single system.



Routing TCP[s]IP (Vol. 22001)
Year: 2004
Pages: 182
