The syslog protocol was first defined as part of the UNIX operating system to log messages within the OS. Syslog allows a computer or device to deliver messages to another computer. Syslog messages have a particular format that associates a facility and a severity (or priority) with each message.
The facility code allows syslog to group messages from different sources and take action based on this facility or group. The facilities are described in Table 8-7 and the priorities supported are described in Table 8-8.

Table 8-7: Facilities

Facility | Description |
---|---|
Auth | Authorization system |
Cron | Cron facility |
Daemon | System daemon |
Kern | Kernel |
local0-7 | Reserved for locally defined messages |
Lpr | Line printer system |
Mail | Mail system |
News | USENET news |
sys9 | System use |
sys10 | System use |
sys11 | System use |
sys12 | System use |
sys13 | System use |
sys14 | System use |
Syslog | System log |
User | User process |
Uucp | UNIX-to-UNIX copy system |

Table 8-8: Priorities

Level Name | Level | Description | Syslog Definition |
---|---|---|---|
Emergencies | 0 | System unusable | LOG_EMERG |
Alerts | 1 | Immediate action needed | LOG_ALERT |
Critical | 2 | Critical conditions | LOG_CRIT |
Errors | 3 | Error conditions | LOG_ERR |
Warnings | 4 | Warning conditions | LOG_WARNING |
Notifications | 5 | Normal but significant condition | LOG_NOTICE |
Informational | 6 | Informational messages only | LOG_INFO |
Debugging | 7 | Debugging messages | LOG_DEBUG |

Syslog is usually used to deliver log messages from devices to a central repository. A syslog daemon runs in this central repository, which is most often a UNIX system. What is done with syslog messages is controlled by the configuration of the syslog daemon. On UNIX systems, this configuration is normally kept in the /etc/syslog.conf file. A typical line in a syslog.conf file to direct syslog messages coming in on the local7 facility to a log file would be formatted as follows:

local7.info /var/log/messages

Cisco devices can use the syslog protocol to deliver log messages, including messages you would see if you were on the console of the device or typed show log on the device. These messages complement (and sometimes duplicate) SNMP notifications.
Cisco devices normally use the local7 facility, but that can be changed using the logging facility facility-type global IOS command, or the set logging level or set logging server facility Catalyst commands. The severity or priority of the syslog message is hardcoded into the message itself, but you can control which severities of messages are delivered via syslog by using the logging history level global IOS command, or the set logging level or set logging server severity Catalyst commands. Note that all messages of equal or higher severity are delivered. See Table 8-8 for the order of severities.
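
The following Python example is added here and is not part of the original text. It shows how a collector decides whether the local7.info selector shown earlier accepts a packet, including the "equal or higher severity" rule. It assumes the RFC 3164 wire format, in which each packet begins with <PRI> and PRI = facility code x 8 + severity; the numeric facility codes and the sample packets are not from this page, and the packets are constructed.

```python
import re

# Severity keywords used in syslog.conf selectors; the list index is the
# numeric level from Table 8-8 (0 = Emergencies ... 7 = Debugging).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Numeric facility codes per RFC 3164 (assumption: not listed on this page).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp"}
FACILITIES.update({16 + n: f"local{n}" for n in range(8)})

PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(packet):
    """Return (facility_name, severity_number), or None if the header is malformed."""
    m = PRI_RE.match(packet)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid value: facility 23 (local7), severity 7
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), severity

def selector_matches(selector, packet):
    """True if a 'facility.level' selector such as 'local7.info' accepts the packet."""
    decoded = decode_pri(packet)
    if decoded is None:
        return False
    want_facility, want_level = selector.split(".")
    facility, severity = decoded
    # Equal or higher severity means an equal or LOWER level number.
    return facility == want_facility and severity <= SEVERITIES.index(want_level)

# Constructed sample packets (not captured from a real device).
SAMPLES = [
    "<189>45: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up",
    "<191>46: constructed debugging message",
    "<187>47: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "<38>sshd[411]: constructed auth message",
    "no priority header",
]

def logged(selector="local7.info"):
    """Return the sample packets the selector would write to its log file."""
    return [p for p in SAMPLES if selector_matches(selector, p)]

if __name__ == "__main__":
    for line in logged():
        print(line)
```

With the local7.info selector, the level 7 debugging packet and the auth packet are dropped, which is worth remembering when expected device messages are missing from the central log.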