Syslog cheat sheet
Entities
The protocol specifies three main entities:
- Originator: The entity that generates a syslog message (for example a router).
- Collector: The entity that receives information about an event in syslog format.
- Relay: An entity that forwards messages from the originator to the collector.
Syslog is designed without acknowledgements and can use UDP or TCP as transport. On either transport the messages travel in clear text with no authentication of the sender.
Security can be added at the transport layer with DTLS (for UDP) or TLS (for TCP), but you'll need a collector that supports it.
Syslog Facilities
The facility code indicates the system, process or application that generated the syslog message. These are listed in the RFC.
Severity Codes
The severity code represents the severity of the message; these are also listed in the RFC.
Example:
Aug 03 2019 01:56:06: %ASA-5-111008: User 'administrator' executed the 'logging buffered 5' command.
The above syslog is a severity 5 message, which stands for "Notice" or "Notification", a normal but significant condition.
The 111008 number is a specific message identifier.
The rest of the message describes the event.
Message Header
The header of a syslog message contains the following information:
- Priority (PRI): The priority is obtained by combining the numerical code of the facility and the severity. The formula to obtain the PRI is: facility * 8 + severity
- Timestamp
- Hostname
- Application name
- Process ID
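As an added example (not code from the cheat sheet), the PRI arithmetic and the header fields above in working Python: it encodes and decodes PRI, splits an RFC 5424 header into its fields, and pulls severity and message id out of a %ASA-<severity>-<id> tag like the one in the example message. The hostname fw01, the facility local4 and the RFC 5424 rendering of the ASA event are constructed sample values.

```python
"""Added example, not from the cheat sheet: encode/decode the syslog PRI
(facility * 8 + severity) and extract the header fields of an RFC 5424
message. The sample messages below are constructed for illustration."""
import re

# Facility codes 0-23 as numbered in RFC 5424, section 6.2.1.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "cron2",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity codes 0-7 from the same section; 5 is the "Notice" of the ASA example.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, with both inputs range-checked."""
    if not 0 <= facility <= 23:
        raise ValueError(f"facility out of range: {facility}")
    if not 0 <= severity <= 7:
        raise ValueError(f"severity out of range: {severity}")
    return facility * 8 + severity


def decode_pri(pri):
    """Inverse of encode_pri: the low 3 bits are the severity, the rest the facility."""
    if not 0 <= pri <= 191:          # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)            # (facility, severity)


# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID,
# then structured data and the free-text message. "-" is the nil value.
RFC5424_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+)(?: (?P<rest>.*))?$"
)


def parse_rfc5424(line):
    """Split an RFC 5424 line into header fields plus decoded facility/severity."""
    m = RFC5424_HEADER.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 syslog line")
    fields = m.groupdict()
    facility, severity = decode_pri(int(fields["pri"]))
    fields["facility"] = facility
    fields["facility_name"] = FACILITIES[facility]
    fields["severity"] = severity
    fields["severity_name"] = SEVERITIES[severity]
    return fields


# Cisco ASA messages carry the severity and message id in a %ASA-<sev>-<id> tag.
ASA_TAG = re.compile(r"%ASA-(?P<severity>[0-7])-(?P<msgid>\d{6})")


def parse_asa_tag(line):
    """Pull severity and message id out of an ASA-formatted line."""
    m = ASA_TAG.search(line)
    if m is None:
        raise ValueError("no %ASA-<severity>-<id> tag found")
    sev = int(m.group("severity"))
    return {"severity": sev, "severity_name": SEVERITIES[sev], "msgid": m.group("msgid")}


# Constructed samples: the ASA example from the cheat sheet, and the same event
# as an RFC 5424 line using facility local4 (20), so PRI = 20 * 8 + 5 = 165.
ASA_SAMPLE = ("Aug 03 2019 01:56:06: %ASA-5-111008: User 'administrator' "
              "executed the 'logging buffered 5' command.")
RFC_SAMPLE = ("<165>1 2019-08-03T01:56:06Z fw01 asa - 111008 - User 'administrator' "
              "executed the 'logging buffered 5' command.")

if __name__ == "__main__":
    print(parse_asa_tag(ASA_SAMPLE))
    print(parse_rfc5424(RFC_SAMPLE))
```

decode_pri rejects anything above 191 because no facility/severity pair can produce it; a collector that treats PRI values without this check will mis-index its facility table on malformed input.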
Configuration Examples:
Note: Before configuring any logging, make sure you have accurate and synchronized time across your network; it matters when correlating events after an incident (a service outage, for example). Use NTP, as per best practice.
Collector Config:
On a Linux machine, edit the /etc/rsyslog.conf file and uncomment the following lines:
module(load="imudp")
input(type="imudp" port="514")
To send the received logs to a file in the /var/log/ directory, insert these lines right below the module and input lines you uncommented above:
$template remote-incoming-logs,"/var/log/Network-Devices.log"
*.* ?remote-incoming-logs
& stop
The template directive needs the leading $ in this legacy syntax. The & stop line discards each message after it is written so it doesn't also land in the local log files (older configs use & ~, which rsyslog still accepts but reports as deprecated). Note that placed here the *.* filter matches the collector's own local messages too; to keep the file to remote sources, filter on the sender instead, for example :fromhost-ip, !isequal, "127.0.0.1" ?remote-incoming-logs in place of the *.* line.
Then restart the rsyslog service and set it to start on boot with:
systemctl restart rsyslog
systemctl enable rsyslog
Check that the port you've opened on the Collector is listening; it should show up in the output of:
ss -ln | grep 514
Originator Config:
Here's an example on Cisco ASA, IOS-XE and NX-OS platforms:

ASA
logging enable
logging timestamp
logging buffered debugging
logging trap notifications
logging host inside 172.16.20.20

IOS-XE
logging on
logging buffered debugging
logging trap debugging
logging host 172.16.20.20

NX-OS
logging timestamp milliseconds
logging server 172.16.20.20 5
Testing - Troubleshooting
On the Collector make sure that the service is running, and restart it after you make changes for them to take effect.
Do a packet capture on the Collector to verify that messages are being received.
On the Cisco platforms the show logging command will tell you where the logs are being sent and which severity is being used. In Cisco the default transport protocol is UDP.
You can also use show run | inc logging on IOS-XE, and show run | grep logging on the ASA and NX-OS platforms, to see the logging lines in the running config.
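As an added example (not code from the cheat sheet), a minimal originator/collector pair in Python that covers the collector and troubleshooting steps above: it builds an RFC 5424 datagram, sends it over UDP (no acknowledgement, exactly as the protocol works), receives it on a loopback collector socket and decodes the PRI. Used against a real collector it gives you a known test message to look for in the capture or in /var/log/Network-Devices.log before any network device is configured. The hostname fw01, the application name, the facility local4 and the message text are constructed sample values; the collector address 172.16.20.20 in the usage note is the one from the cheat sheet.

```python
"""Added example, not from the cheat sheet: send one syslog datagram over UDP
and receive it on a loopback collector to confirm delivery and decode PRI.
Sample hostname, app name and text are constructed for illustration."""
import socket
import time


def build_message(facility, severity, hostname, appname, text):
    """Originator side: an RFC 5424 line <PRI>1 TIMESTAMP HOST APP - - - text."""
    pri = facility * 8 + severity                      # PRI per the header section
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return f"<{pri}>1 {ts} {hostname} {appname} - - - {text}".encode()


def send_test_message(host, port, payload):
    """Originator side: fire-and-forget, UDP syslog has no acknowledgement."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))


def collect_one(sock, timeout=2.0):
    """Collector side: wait for one datagram and decode facility/severity.

    The peer address is whatever the IP header says; plain UDP syslog gives the
    collector no way to verify it, which is why the listening port should only be
    reachable from the originators you expect (or be moved to TLS/DTLS)."""
    sock.settimeout(timeout)
    data, peer = sock.recvfrom(4096)
    close = data.index(b">")
    facility, severity = divmod(int(data[1:close]), 8)
    return {"peer": peer[0], "facility": facility, "severity": severity,
            "raw": data.decode(errors="replace")}


def loopback_check(facility=20, severity=5, text="syslog loopback test"):
    """Bind a collector on 127.0.0.1 (ephemeral port), send to it, read it back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as collector:
        collector.bind(("127.0.0.1", 0))
        port = collector.getsockname()[1]
        payload = build_message(facility, severity, "fw01", "asa", text)
        send_test_message("127.0.0.1", port, payload)
        return collect_one(collector)


if __name__ == "__main__":
    print(loopback_check())
```

To test a real collector, call send_test_message("172.16.20.20", 514, build_message(20, 5, "fw01", "asa", "syslog test")) from a host that is allowed to reach it, then tail /var/log/Network-Devices.log or check the packet capture on the Collector for the <165> prefix. If the loopback check passes but nothing arrives from the network, the problem is between the originator and the collector (routing, a firewall, or the source interface in the device's logging host line), not the rsyslog configuration.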