show logging – Viewing & Analyzing Syslog Messages

What is Syslog?

Definition: Syslog is a widely adopted protocol used by network devices (routers, switches, firewalls, servers, etc.) to send, store, and relay log messages about events, operational status, and errors. It is a cornerstone for monitoring, auditing, and troubleshooting IT infrastructures.

  • Supports both local (device buffer) and remote (central syslog server) logging.
  • Enables event tracking, alerting, and compliance reporting.

Understanding show logging Command

  • Usage: show logging
  • Displays syslog messages stored in the device's internal logging buffer.
  • Shows the configuration of logging destinations, buffer size, and recent log events.

Sample Output and Key Fields

*Jul 10 14:03:12.123: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up

Field              Explanation
Timestamp          Date and time the event occurred
Facility/Source    Subsystem generating the log (e.g., %LINK)
Severity Level     Numeric/word: 0 (emergency) to 7 (debug)
Message Content    Describes the event or condition

Syslog Message Components

  • Timestamp: When the event happened (with or without milliseconds).
  • Severity Level: Indicates urgency/importance (0 is most severe).
  • Facility/Source: Which subsystem (e.g., LINK, LINEPROTO, CONFIG).
  • Message Content: The actual description of the event.

Syslog Severity Levels

Level  Keyword        Meaning
0      Emergency      System unusable
1      Alert          Immediate action required
2      Critical       Critical conditions
3      Error          Error conditions
4      Warning        Warning conditions
5      Notice         Normal but significant events
6      Informational  Informational messages
7      Debug          Debugging messages

Tip: Lower numbers are more severe. When troubleshooting outages, filter for the most severe levels first (the low numbers, 0–3).

Syslog Configuration Basics

  • Logging Destinations:
    • Buffer – Stores logs in device RAM (viewed with show logging).
    • Console – Shown to users on the console terminal.
    • Monitor – Shown to users on vty/SSH sessions.
    • Syslog Server – Sent externally for central archiving and analysis.
  • Setting Levels and Filters: specify which severity levels go to each destination, for example:
    logging buffered 5
    logging host 192.168.1.10
    logging trap warnings

Interpreting Syslog Messages

Sample Message                                                    What It Means
%LINK-3-UPDOWN: Interface changed state (Error)                   Interface went up or down; watch for outages or hardware issues.
%LINEPROTO-5-UPDOWN: Line protocol state change (Informational)   Usually accompanies an interface status change; layer 2 or 3 issue.
%SYS-5-CONFIG_I: Configuration change made (Notice)               Someone changed the running configuration; track who and what was changed.

Syslog Buffer Management

  • Buffer Size: Determines how many log messages are stored.
    logging buffered 64000
  • Clearing Buffer: Removes old logs to free space.
    clear logging

Syslog Server Integration

  • Forward syslog messages to a central server for archival, security, and compliance:
    logging host 192.168.1.100
    logging trap informational
    logging on
  • Optionally set the source interface:
    logging source-interface Vlan1
Benefits:
  • Centralized logs for longer retention and easier event correlation across devices.
  • Supports compliance reporting and security monitoring.

Security Considerations

  • Protect log integrity: Use secure syslog (TLS) and limit log access.
  • Be aware that logs may include sensitive data (e.g., passwords, configs).
  • Use encrypted channels for log forwarding and restrict access to syslog files.

Advanced Features & Best Practices

  • Ensure accurate timestamps using NTP:
    ntp server 192.168.1.1
    service timestamps log datetime msec
  • Use logging synchronous to control log display during configuration sessions.
  • Increase buffer size for more historical logs, but export to syslog server for long-term storage.

Example Use Case: Troubleshooting with show logging

Scenario: John is investigating a network outage. He runs show logging and finds:
*Jul 19 09:05:01.123: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down

He quickly identifies the cause (interface down) and can begin remediation.

Sample Syslog Troubleshooting Question

Scenario: John receives complaints of intermittent internet loss. On the core switch, he runs:
show logging
*Jul 20 10:12:05.789: %LINK-3-UPDOWN: Interface Gi1/0/24, changed state to down
*Jul 20 10:12:08.799: %LINEPROTO-5-UPDOWN: Line protocol on Gi1/0/24, changed state to down
*Jul 20 10:12:18.111: %LINK-3-UPDOWN: Interface Gi1/0/24, changed state to up
*Jul 20 10:12:21.345: %LINEPROTO-5-UPDOWN: Line protocol on Gi1/0/24, changed state to up
  • Diagnosis: The port is "flapping" (rapidly going up and down)—likely cable, port, or connected device issue.
  • Troubleshooting:
    1. Physically check and reseat/replace the cable.
    2. Inspect the connected device for power/hardware faults.
    3. Run show interfaces Gi1/0/24 for errors or CRC count.
    4. If needed, move to a different port.
  • Key Learning: Syslog pinpoints root cause rapidly—crucial for quick incident response.
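As an added example (not part of the original page), the following Python script splits show logging lines into the components described above (timestamp, facility, severity, mnemonic, message) and applies two of this page's checks to a buffer: read the severity 0–3 messages first, and spot the down-then-up pattern from the flapping scenario. The sample buffer is the four scenario lines plus one constructed line for a second port; the 60-second flap window is an assumed threshold.

```python
import re
from datetime import datetime

SEVERITY = ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"]
# One show logging line as on this page; a leading "*" means the clock was not NTP-synchronized.
LINE_RE = re.compile(r"^(?P<star>\*?)(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?): "
                     r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$")

def parse_line(line):
    """Split one buffer line into timestamp, facility, severity, mnemonic and message (None if no match)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["severity"] = int(e["severity"])
    e["severity_name"] = SEVERITY[e["severity"]]
    e["clock_unsynced"] = e.pop("star") == "*"
    fmt = "%b %d %H:%M:%S.%f" if "." in e["ts"] else "%b %d %H:%M:%S"  # with or without msec
    e["time"] = datetime.strptime(e["ts"], fmt)  # IOS timestamps carry no year; only deltas are used
    return e

def parse_buffer(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def high_severity(entries, max_level=3):
    """Levels 0-3: the messages to read first in an outage (lower number = more severe)."""
    return [e for e in entries if e["severity"] <= max_level]

def flapping_interfaces(entries, window_seconds=60):
    """Interfaces whose %LINK-3-UPDOWN went down and came back up within window_seconds (assumed threshold)."""
    last_down, flapping = {}, set()
    for e in entries:
        m = re.search(r"Interface (\S+), changed state to (up|down)$", e["msg"])
        if (e["facility"], e["mnemonic"]) != ("LINK", "UPDOWN") or not m:
            continue
        iface, state = m.groups()
        if state == "down":
            last_down[iface] = e["time"]
        elif iface in last_down and (e["time"] - last_down[iface]).total_seconds() <= window_seconds:
            flapping.add(iface)
    return sorted(flapping)

# Constructed sample: the four scenario lines plus a second port that went down and stayed down.
SAMPLE_LOG = """\
*Jul 20 10:12:05.789: %LINK-3-UPDOWN: Interface Gi1/0/24, changed state to down
*Jul 20 10:12:08.799: %LINEPROTO-5-UPDOWN: Line protocol on Gi1/0/24, changed state to down
*Jul 20 10:12:18.111: %LINK-3-UPDOWN: Interface Gi1/0/24, changed state to up
*Jul 20 10:12:21.345: %LINEPROTO-5-UPDOWN: Line protocol on Gi1/0/24, changed state to up
Jul 20 11:30:42.512: %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down
"""
```

Running `flapping_interfaces(parse_buffer(SAMPLE_LOG))` returns only Gi1/0/24; Gi1/0/1 never came back up, so it is a hard-down port rather than a flap.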

Quick Guide: Configuring Syslog Server Integration (Cisco IOS)

  1. Identify your syslog server IP, e.g., 192.168.1.100.
  2. Configure logging host and severity:
    configure terminal
    logging host 192.168.1.100
    logging trap informational
    logging on
    end
  3. Optionally set the source interface:
    configure terminal
    logging source-interface Vlan1
    end
  4. Sync time using NTP:
    configure terminal
    ntp server 192.168.1.1
    service timestamps log datetime msec
    end
  5. Verify with show logging.

Tip: Use centralized syslog for compliance and security monitoring!

Exam Tips and Key Points

  • Memorize syslog severity levels (0–7) and meaning.
  • Interpret show logging fields (timestamp, facility, severity, content).
  • Know how to configure logging destinations and filters for effective monitoring.
  • Understand buffer sizing, NTP/time sync, and log security best practices.
  • Always start troubleshooting with show logging—focus first on high-severity (0–3) messages.
  • Use syslog server integration for centralization, compliance, and deep analysis.

Syslog and show logging Quiz

1. What is the primary purpose of the syslog protocol?

Correct answer is B. Syslog is used to send and store log messages from network devices for monitoring and troubleshooting.

2. What command shows the syslog messages stored in a Cisco device’s internal buffer?

Correct answer is C. The 'show logging' command displays the device’s current syslog messages in the logging buffer.

3. What does the severity level number 3 indicate in syslog messages?

Correct answer is A. Severity level 3 corresponds to error conditions that require attention.

4. Which syslog severity level represents a 'System Unusable' condition?

Correct answer is D. Severity level 0 is Emergency, meaning the system is unusable.

5. What is the purpose of configuring 'logging host' on a Cisco device?

Correct answer is B. 'logging host' configures the device to send syslog messages to a remote server.

6. Which command clears the syslog buffer on a Cisco device?

Correct answer is C. The 'clear logging' command empties the device’s internal logging buffer.

7. What is the advantage of configuring 'service timestamps log datetime msec' on a Cisco device?

Correct answer is D. This command adds precise timestamping to syslog messages for accurate event correlation.

8. Which severity levels should you focus on first when troubleshooting outages?

Correct answer is A. Severity levels 0 to 3 indicate critical conditions requiring immediate attention.

9. What might repeated log entries showing interface state changes (up/down) indicate?

Correct answer is B. Frequent up/down states in logs usually indicate interface flapping or faulty hardware.

10. Why is synchronizing device time with NTP important for syslog?

Correct answer is C. NTP sync ensures all logs have accurate and consistent timestamps for troubleshooting.
