How to Configure Syslog on a Cisco IOS Switch or Router
In this tutorial, I’ll step through the process of configuring syslog on Cisco IOS based devices. For this example, I will be configuring syslog on a Cisco Catalyst 9200 switch running IOS-XE following best practices from Cisco’s documentation. These steps will be applicable to most Cisco network switches running IOS or IOS-XE or Cisco routers running IOS-XR.
For most Cisco devices, enabling syslog is as simple as entering the ‘logging host’ command, where ‘host’ is the IP address of your syslog server. However, there are many more parameters that we should configure to obtain the most useful and reliable syslog setup.
Before diving in, it’s crucial to ensure your device has the correct date, time, and time zone settings and that they correlate with the settings on any syslog servers or analytical software you plan to use. Once you’ve sorted that, we can proceed.
Prerequisites
Before you begin, make sure you have the following prerequisites in place:
- Access to the Cisco Catalyst Switch via a console, Telnet, or SSH session.
- Credentials with administrative privileges to configure syslog settings.
- Basic understanding of syslog concepts and network terminology.
- A syslog server to receive the log messages forwarded from your switch.
- The syslog protocol sends clear text messages over UDP port 514 by default, so make sure that port is open between the syslog server and the switch.
Step 1. Check current syslog settings in your running-configuration
Connect to your Cisco Catalyst Switch using your preferred method (console, Telnet, or SSH) and log in with administrative credentials. Once logged in, you will be in User EXEC mode. Enter the enable command to access Privileged EXEC mode.
> enable
#
From Privileged EXEC Mode enter the command “show running-config | include logging” to show the current setting:
# show running-config | include logging
If you see no information, you do not have logging/syslog active in your running-configuration and are ready to begin.
If you need to remove existing syslog configuration use ‘no logging host’, ‘no logging on’, ‘no logging trap’, ‘no logging buffered’ and ‘no logging console’ to remove all configuration related to logging and start with a clean slate.
You can also run the command ‘show logging’ to verify no syslog logging settings exist before we begin:
# show logging

The output above shows all logging inactive after being disabled.
Step 2. Enter Global Configuration mode
After entering Privileged EXEC mode, enter Global Configuration mode by typing ‘configure terminal’.
# configure terminal
(config)#

Step 3. Enable logging
To enable logging on your device, type the command ‘logging on’. This setting is often enabled by default, which makes this step unnecessary, but I wanted to include it just in case your device has had it explicitly turned off.
(config)# logging on

Step 4. Specify syslog logging severity level
Now you need to set the severity level that you want to generate syslog messages for. The severity level indicates how urgent or critical the log message is. A number is attached to every syslog message that correlates with the severity level. The severity of syslog messages is defined in accordance with RFC 3164. There are eight severity levels available:
Level | Name | Explanation | Example of effects |
0 | Emergencies | Switch is unusable | Rare but destructive |
1 | Alerts | Immediate action must be taken | Such as loss of connectivity |
2 | Critical | Critical conditions | Systems failure |
3 | Errors | Error conditions | Not urgent but must solve within a timeframe |
4 | Warnings | Warning conditions | A Notice |
5 | Notifications | Normal but important event | Normal but should be considered. |
6 | Informational | Informational message | Normal operation |
7 | Debugging | Debug message | To find potential error |
In this example, we are configuring our Cisco switch with the default logging level, which is “informational.” Whatever level you choose, the switch will send all messages from your chosen severity level and higher. Higher here means a lower numerical value but higher severity. So Informational logging sends everything from Informational (6) to Emergencies (0).
I recommend using a logging level of 6 (Informational). This will capture the most important information while not being too chatty. Only enable Debugging (7) if you’re actively troubleshooting an issue, since it can quickly overwhelm a syslog server depending on your server specs and overall network setup/activity.
(config)# logging trap informational

Step 5. Modify the logging facility
The “facility” specifies the source or type of the log message. The default logging facility on most Cisco devices is ‘local7’. However, there are several reasons you might want to change the default facility, such as organizing messages from different device types (routers, switches, firewalls, etc.) or reducing conflicts with other systems or software that may be using the same facility code.
To set a facility code, use the following command, where X is any number from 0 to 7:
(config)# logging facility localX
For this guide, we’ll leave it at the default logging facility local7.
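How the severity from Step 4 and the facility from Step 5 appear on the wire, as an added example that is not part of the original tutorial. It goes slightly beyond the text by decoding the RFC 3164 PRI value (facility × 8 + severity); the message layout assumed by the regex and the sample lines are constructed for illustration.

```python
import re

SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Assumed layout: <PRI>, optional sequence number/timestamp, then
# the Cisco tag %FACILITY-SEVERITY-MNEMONIC followed by the message text.
LINE_RE = re.compile(r"^<(\d{1,3})>(.*?)%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+): (.*)$")

# Constructed sample lines (not captured from a real device).
# local7 is facility code 23, so PRI = 23 * 8 + severity = 184 + severity.
SAMPLES = [
    "<189>000101: Jan 10 09:15:02.118 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<187>000102: Jan 10 09:15:40.731 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to down",
]

def decode_pri(pri):
    """Split PRI into (facility code, severity code)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)

def facility_name(code):
    # Codes 16..23 are local0..local7; other codes are left numeric here.
    return f"local{code - 16}" if 16 <= code <= 23 else str(code)

def is_forwarded(trap_level, severity):
    """'logging trap <level>' sends that level and every more severe (lower) one."""
    return severity <= SEVERITIES.index(trap_level)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not in the assumed Cisco layout; leave for manual review
    facility, severity = decode_pri(int(m.group(1)))
    return {
        "syslog_facility": facility_name(facility),  # set by 'logging facility'
        "severity": SEVERITIES[severity],
        "header": m.group(2).strip(),  # sequence number and timestamp, if enabled
        # The %SYS / %LINK part names the IOS subsystem, not the syslog facility.
        "cisco_tag": f"{m.group(3)}-{m.group(4)}-{m.group(5)}",
        "text": m.group(6),
        # The digit inside the tag should agree with the severity carried in PRI.
        "consistent": int(m.group(4)) == severity,
    }

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_line(sample))
```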
Step 6. Specify the syslog destination port and IP address
To configure syslog settings, you need to specify the IP address of the syslog server. Here we use our syslog server 192.168.136.3 and UDP port 514 to send log messages to the syslog server. Make sure you’re using the port that your syslog server is listening on. If you have multiple servers you can enter the following command multiple times, once for each server.
(config)# logging host 10.190.42.85 transport udp port 514

Step 7. Specify the source IP address syslog will use
Network devices usually have multiple interfaces, each with its own IP address. This means a device might report a “link down” event using one IP and a “link up” event with another. This can make searching logs tricky. So, it’s helpful to set a specific IP or interface for sending syslog messages. Usually this will be either a loopback or management interface.
Here I set a loopback interface as the source because it’s always up, unlike physical interfaces which might be down sometimes. Using a loopback ensures the device is uniquely identified. Remember, if you go this route, you’ll need to create the loopback interface if you haven’t already.
(config)# logging source-interface loopback0
Step 8. Configure the system NTP (Optional but recommended)
In this step, you have to verify the system NTP server. You should configure all network devices to use NTP. Using NTP ensures a correct and synchronized system clock on all devices within the network. Having accurate time on every device is helpful for event correlation.
(config)# ntp server <ntp server IP>
(config)# clock timezone <required time zone>

Step 9. Configure the system to timestamp messages (Optional but recommended)
In this step you enable timestamps on log messages, in whichever of the following formats you require.
- log uptime – Enable timestamps on log messages, showing the time since the system was rebooted.
- log datetime – Enable timestamps on log messages. Depending on the options selected, the time stamp can include the date, time in milliseconds relative to the local time zone, and the time zone name.
(config)# service timestamps log uptime
(config)# service timestamps log datetime show-timezone msec
(config)# service timestamps debug datetime show-timezone msec

Step 10. Enabling Sequence Numbers (Optional but recommended)
If multiple log messages have the same timestamp, you can show sequence numbers to separate them. By default, these numbers aren’t shown in logs. To enable them, enter the following command:
(config)# service sequence-numbers
Step 11. Increase logging buffer (Optional)
The logging buffer is space in memory that saves logs on the local device. This can be useful for troubleshooting a device that has lost its connection to the syslog server, which can happen for a multitude of reasons. The buffer is usually enabled by default, but usually with a small size of 4096 configured. You can increase the size if you wish to store more logs for troubleshooting. This same command will also enable the logging buffer if it was previously disabled on your device.
(config)# logging buffered 40960

Step 12. Set Console Logging (Optional)
Usually console logging is enabled by default with a severity level of debugging. If it has been disabled on your device you can enable it and set your preferred logging level (independently of the syslog server logging level) with the following command:
(config)# logging console informational

Step 13. Verify Configuration
Verify your Syslog configuration using the ‘show logging’ or ‘show running-config | include logging’ commands.
(config)# end
# show logging
# show running-config | include logging


Step 14. Save Configuration
Finally, save all the configuration you have done using ‘write memory’ or ‘copy running-config startup-config’ and hit enter to write the configuration file into memory.
# copy running-config startup-config

Step 15. Check your Firewall rules (if any) to permit the device IP and syslog server
If you have a firewall in between your syslog server and device, make sure that it allows traffic from the source device IP to the syslog server over the syslog protocol and port you chose earlier (in our case UDP/514).
Step 16. Test Configuration
View your syslog information using the ‘show logging’ command. In this example we can see our syslog messages forwarded to 10.190.42.85 with severity level 6 (informational).

Then you’ll want to hop onto your syslog server and verify logs are being received. For this example I will use Visual Syslog Server to check the syslog messages. Here we can see a user access notification (login) and interface up/down notifications so we know the server is receiving messages from our switch.
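The verification in Step 13 can also be run offline against saved ‘show running-config’ output. The following is an added example, not part of the original tutorial; the check names and the sample configuration are constructed, and it assumes IOS leaves default values (such as ‘logging trap informational’) out of the running configuration.

```python
import re

# Constructed sample of 'show running-config' output (not from a real device).
SAMPLE_CONFIG = """\
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service sequence-numbers
logging buffered 40960
logging console informational
logging trap debugging
logging host 10.190.42.85 transport udp port 514
ntp server 192.0.2.123
"""

# Settings from the guide that must appear as a full config line.
REQUIRED = [
    ("syslog host configured", r"logging host \S+.*"),                 # Step 6
    ("source interface pinned", r"logging source-interface \S+"),      # Step 7
    ("NTP server configured", r"ntp server \S+.*"),                    # Step 8
    ("log timestamps use datetime", r"service timestamps log datetime.*"),  # Step 9
    ("sequence numbers enabled", r"service sequence-numbers"),         # Step 10
]

# Lines that undo or contradict the guide if they are present.
# A missing 'logging trap' line is fine: it is assumed to mean the default level.
FORBIDDEN = [
    ("logging globally disabled", r"no logging on"),                   # Step 3
    ("trap level left at debugging", r"logging trap (debugging|7)"),   # Step 4
]

def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]

    def present(pattern):
        return any(re.fullmatch(pattern, ln) for ln in lines)

    findings = [f"MISSING: {name}" for name, pat in REQUIRED if not present(pat)]
    findings += [f"PRESENT: {name}" for name, pat in FORBIDDEN if present(pat)]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["all checks passed"]:
        print(finding)
```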
