5.5. Syslog
💡 First Principle: Without centralized logging, troubleshooting means logging into every device individually to search for clues. Think of it like a hospital's medical records—imagine if each nurse kept patient notes only in their own pocket. When a doctor needs the full history, they'd have to track down every nurse who ever treated the patient. Syslog is the central medical chart: every device sends its events to one place so you can see the complete picture.
What would happen if your logging infrastructure fails during a security incident? You lose the evidence trail entirely. Syslog also matters for security because if an attacker compromises a device, one of the first things they'll do is clear the local logs. But if those logs are already copied to a remote server, you still have the evidence. Centralized logging is a detective control—it won't prevent the attack, but it ensures you can reconstruct what happened.
Syslog Severity Levels (memorize these!):
| Level | Keyword | Meaning | Example |
|---|---|---|---|
| 0 | Emergency | System unusable | Hardware failure, system crash |
| 1 | Alert | Immediate action needed | Temperature critical |
| 2 | Critical | Critical condition | Memory allocation failure |
| 3 | Error | Error condition | Interface down, config error |
| 4 | Warning | Warning condition | Config change, approaching limits |
| 5 | Notice | Normal but significant | Interface up, system restart |
| 6 | Informational | Informational message | Successful login, debug info |
| 7 | Debug | Debug messages | Verbose protocol output |
Memory Aid: "Every Awesome Cisco Engineer Will Need Ice cream Daily" (0-7)
How severity filtering works: When you configure logging trap 4, the device sends severity 0-4 (Emergency through Warning) to the syslog server. Levels 5-7 are filtered out. Lower number = more critical = always sent.
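To make the filtering rule concrete, here is an added Python example (not part of the original text and not Cisco code) that reads the severity out of syslog lines, either from the RFC 3164 `<PRI>` header (PRI = facility * 8 + severity) or from the IOS `%FACILITY-SEVERITY-MNEMONIC` tag, and emulates `logging trap <level>` over constructed sample messages. The hostnames and some of the mnemonic names in the samples are made up for illustration.

```python
import re
from typing import List, Optional

# Severity table from this section: 0 is most critical, 7 least.
SEVERITY = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
            4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}

# RFC 3164 header "<PRI>" where PRI = facility * 8 + severity, so the
# low three bits of PRI are the severity.
_PRI_RE = re.compile(r"^<(\d{1,3})>")
# IOS message tag %FACILITY-SEVERITY-MNEMONIC (e.g. %LINK-3-UPDOWN);
# the middle field carries the same 0-7 severity.
_IOS_RE = re.compile(r"%[A-Z0-9_]+-([0-7])-[A-Z0-9_]+")

def severity_of(msg: str) -> Optional[int]:
    """Severity 0-7 of a syslog line; the PRI header wins over the
    mnemonic when both are present. None if neither is found."""
    m = _PRI_RE.match(msg)
    if m:
        return int(m.group(1)) & 0x07
    m = _IOS_RE.search(msg)
    return int(m.group(1)) if m else None

def passes_trap(msg: str, trap_level: int) -> bool:
    """Emulate 'logging trap <level>': forward a message when its severity
    is numerically <= the trap level (equally or more critical).
    Lines with no recognisable severity are dropped rather than guessed."""
    sev = severity_of(msg)
    return sev is not None and sev <= trap_level

def forward(messages: List[str], trap_level: int) -> List[str]:
    """Return only the lines a device with 'logging trap <level>' would send."""
    return [m for m in messages if passes_trap(m, trap_level)]

# Constructed sample lines (facility local7 = 23, so PRI = 184 + severity);
# not captured from a real device.
SAMPLE = [
    "<187>Mar  1 03:47:25 R1 %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
    "<188>Mar  1 03:47:40 R1 %ENV-4-TEMP_HIGH: Inlet temperature approaching limit",
    "<189>Mar  1 03:48:01 R1 %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<190>Mar  1 03:48:02 R1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.5 -> 10.1.1.100(514)",
    "<191>Mar  1 03:48:03 R1 %OSPF-7-HELLO: Sending hello on Gi0/1",
]

if __name__ == "__main__":
    for level in (4, 6):
        print(f"logging trap {level} ({SEVERITY[level]}) forwards:")
        for line in forward(SAMPLE, level):
            print("  ", SEVERITY[severity_of(line)], "|", line)
```

With trap level 4 only the Error and Warning lines are forwarded; with `logging trap informational` (6) everything but the Debug line goes to the server.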
Configuration:

```
Router(config)# logging host 10.1.1.100            ! Send logs to this server
Router(config)# logging trap informational         ! Send levels 0-6 to server
Router(config)# logging console warnings           ! Show levels 0-4 on console
Router(config)# logging buffered 16384 debugging   ! Store all levels locally (16KB)
Router(config)# service timestamps log datetime    ! Add timestamps (essential!)
```
⚠️ Exam Trap: Without service timestamps, your logs just say "Interface went down." With timestamps, you know it happened at 3:47:23 AM—critical for correlating events across devices.