Configuring SYSLOG & NTP
Knowing how to properly use logging is a necessary skill for any network administrator. It's vital that you know how to use logging when it comes time to start troubleshooting.
Syslog messages that are generated by the network devices can be collected and archived on a syslog server. The information can be used for monitoring, debugging, and troubleshooting purposes. The administrator can control where the messages are stored and displayed.
Syslog messages usually include basic information about where, when, and why the log was sent: IP address, timestamp, and the actual log message. Messages are sometimes in a descriptive, human-readable format – but not always!
Syslog uses a concept called “facility” to identify the source of a message on any given machine. For example, a facility of “0” would be a Kernel message, and a facility of “11” would be an FTP message. This dates back to Syslog’s UNIX roots. Most Cisco network equipment uses the “Local6” or “Local7” facility codes.
Syslog messages can be time-stamped for analysis of the sequence of network events; therefore, it is important to synchronize the clock across the network devices with a Network Time Protocol (NTP) server.
The Cisco IOS offers a great many options for logging. To help bring you up to speed, let's check how to configure logging. The logging command in Global Configuration Mode and the show logging command in Privileged Mode are two simple but powerful tools to configure and show all Cisco IOS logging options. Let's take a closer look.
Let's check the syslog server. We have many devices to do that on our physical equipment, and it can be confusing.
We will do the first part of our lab with Cisco Packet Tracer, then the second part focusing only on a real Cisco switch, so at the beginning you can see graphically, and more easily, what we are doing in a network.
These are the steps that we are going to take:
1.-Configure Syslog service
2.-Generate logging events
3.-Manually set switch clock
4.-Configure NTP Service
5.-Verify timestamp logs
You can download this lab here: http://tinyurl.com/gsfaxxm
Part 1: Configure Syslog service
1.-We will enable syslog on the syslog server
2.-We will enable the intermediary devices (router and switches) to use the Syslog service
2.1 We will configure R1 and both switches to send log events to the Syslog server
Part 2: Generate logging events
1 Change the status of the interfaces to create event logs
-Configure a Loopback0 interface on R1, then disable it
-Turn the PCs off and on
Part 2: Check the syslog events
We will eventually clear the log
Part 3: Manually set the switch clocks in both switches
#clock set 6:00:00 October 1 2016
Enable the logging timestamp on both switches and send the log to the Syslog server
Part 4: Configure the NTP Service
Open the NTP service, check the service tab, turn it on and check the date
Set the clock on the router
Part 5: Verify the timestamped log
We will re-enable and disable the Loopback0 on the router and turn the laptops off and on
Examine the syslog events
We can see the change in the clock settings, and all the events are recorded properly.
This lab is done in Packet Tracer, which we use because of the graphics, so you can understand it better.
Now let's check some commands on real Cisco devices
Second Part of our lab
When we check the trap option, all messages of the numeric severity you choose and all those with a lower numeric value are sent to the logging server specified with hostname. Therefore, to send all log messages to the server, you only need to specify level 7.
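The facility and severity numbers described above travel together in the <PRI> value at the start of each syslog packet (PRI = facility * 8 + severity). The following Python sketch is an added example, not part of the original lab: it decodes that value for constructed sample lines and shows which of them a given trap level would let through.

```python
import re

# Severity names by numeric level (0 = most severe), as used by "logging trap".
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
# Facility codes named in the text, plus the local0-local7 range (16-23).
FACILITIES = {0: "kern", 11: "ftp", **{16 + i: f"local{i}" for i in range(8)}}

# <PRI> header, then anything up to the Cisco %FACILITY-SEVERITY-MNEMONIC tag.
LINE_RE = re.compile(r"^<(\d{1,3})>.*?%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+): (.*)$")

def parse(line):
    """Split a received syslog line into facility, severity and message."""
    m = LINE_RE.match(line)
    if m is None:
        return None                      # not a Cisco-style message
    pri = int(m.group(1))
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    return {
        "facility": FACILITIES.get(facility, str(facility)),
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "mnemonic": f"{m.group(2)}-{m.group(4)}",
        # The severity digit in the %TAG should agree with the PRI header.
        "consistent": severity == int(m.group(3)),
        "text": m.group(5),
    }

def passes_trap(severity, trap_level):
    """True if a message of this severity is sent at the given trap level."""
    return severity <= trap_level

# Constructed sample lines (not captured from the lab).
SAMPLES = [
    "<187>12: *Oct  1 06:00:05.123: %LINK-3-UPDOWN: Interface Loopback0, changed state to up",
    "<189>13: *Oct  1 06:00:06.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up",
    "<190>14: *Oct  1 06:01:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated",
]

def forwarded(lines, trap_level):
    """Mnemonics of the messages that a given trap level would let through."""
    parsed = [p for p in map(parse, lines) if p]
    return [p["mnemonic"] for p in parsed if passes_trap(p["severity"], trap_level)]

if __name__ == "__main__":
    for level in (3, 5, 7):
        print(level, SEVERITIES[level], forwarded(SAMPLES, level))
```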
You can change the beginning of the syslog message to the timestamp format of your choice with service timestamps log. For example, if I don't want the msec any more, I would choose the datetime format.
If you prefer to see the uptime reflected in Syslog messages, you simply choose that option.
To change this severity value, use logging console.
To send log messages to the local device's internal buffer, run logging buffered followed by the severity level.
To view the logs, run show logging.
If you have a very long log full of "link up-down" messages and you want to keep your log smaller and easier to read, you can use the command no logging event link-status to get rid of those messages.
I hope that this lab was useful for you. If you like it, click share.
Reviewed by ohhhvictor on 5:18:00 PM