A fundamental part of any network engineer's toolbox is syslog. It is not only the tool to collect the logs but also knowing what the network is saying in real time, respectively. Syslog is a standardised protocol used to send system messages between the devices in the network. Think about it like a black box for your router/switch. It captures all relevant information and events happening on the network, providing valuable insights and troubleshooting capabilities.

Cisco IOS notifies users (network engineers) about the event on the device's command-line interface (CLI). This is a default setting of each router and switch. Users can customise these notifications to fit their specific needs and preferences, and I will write about it in the next paragraphs.

Given that there is not any action needed to activate logs on a Cisco router/switch when you first switch it on. The logs will automatically begin activating. Please note that this process may vary depending on the specific model and software version. But in most cases you do not need anything.

Nonetheless, if you need to ensure that logging system messages is activated, use the command below:

(config)# logging buffered

(config)# logging host 192.168.20.201

Imagine this scenario. You have about 100 routers and switches, and every single debug message is spamming your log server 24/7. This is total chaos. This is where the severity comes into place.

To make it make more sense, let's break down the eight severity levels one by one in the table below. The two top levels create the severe category. Messages from these levels (0, 1) are very serious and must be reacted to immediately.

Levels 2, 3, and 4 make up the next level, which is impactful. These logs inform about critical system conditions. Continuing down, levels 5 and 6 are messages from important notes to normal. Last, level 7 is about debugging.

The configuration is simple; we need to specify the level name or level number to select the service from the general configuration mode.

This allows for easy customisation of logging settings based on the specific needs of each service. By specifying the severity level, engineers can ensure that logs are appropriately filtered and stored for efficient troubleshooting.

To conclude, the command "show logging" is employed to inspect the current logging configuration and confirm that the modifications have been effectively implemented. Additionally, it is important to bear in mind that debug commands can be executed from the execution level (exec) of the terminal. This approach is particularly useful for resolving specific issues in real time. Debugging commands, however, should be used carefully because they can produce a lot of log data and possibly affect system performance.

Let's see how syslog messages work in practice. I set up a modest lab with two routers and two switches that exchange messages between devices.

Router 1 has been configured with varying levels of services, including the logging console, remote logon, buffering files, and logging server. I established a specific level of severity for each of these services. For instance, when a user logs in directly via a console connection, his screen will display the lower level of message severity (level 7), which is debugging. The same level was established for the user who is remotely connected to the router (second line on the script). The RAM memory system is the place where messages for levels 4 and above will be stored. It is defined by a simple command by the third line of this script. The IP address of the host server was set up at 192.168.20.105, and all records are transmitted directly to this location on the private network.

Figure 3 – Network topology.

R2(config)#logging console 7

R2(config)#logging monitor debugging

R2(config)#logging buffered 4

R2(config)#logging host 192.168.20.105

R2(config)#logging trap warning

Syslog is a crucial tool for network engineers, providing real-time information and troubleshooting capabilities. It is a standardised protocol used to send system messages between devices in the network, serving as a black box for routers and switches. Cisco IOS notifies users about events on the device's command-line interface (CLI), which can be customised to fit specific needs.

Logging system messages are activated automatically when a router/switch is switched on, but activation may vary depending on the specific model and software version. To enable remote users to see log messages, each user must enter the command "terminal monitor" in their local configuration mode. ISO has two options for saving logs: using the device's RAM to store messages or sending logs to the local server (syslog server).

Severity levels are used to categorise log messages into eight levels: emergency (0), alert (1), critical (2), error (3), warning (4), notification (5), informational (6), and debug (7). Configuring logging message levels for each service level allows for easy customisation of logging settings based on the specific needs of each service.