Network devices, such as routers, firewalls, switches, and many other apps and servers (like ESXi and vCenter servers) all generate system log messages. These messages can be viewed locally per device or centrally on a Syslog server. Viewing them centrally can help paint a bigger and better picture while troubleshooting issues.
There are many great Syslog tools out there but for my lab I set up a simple, and free, Kiwi Syslog server. Grab a copy for yourself as I walk you through the install and setup.
Installing Kiwi Syslog Server
There is one prerequisite for Kiwi Syslog and that is that .NET 3.5 needs to be installed. Depending on your Windows OS version instructions for installing .NET 3.5 will vary. If you’re running Windows 10 or Server 2016 or later you can simply add it under Add/Remove features.
Once you’ve installed .NET 3.5 you can find your download, extract it, then run the installer.
1. Accept the EULA
2. Run Kiwi as a service or as an App. If you run it as a service then the app will continue to run even without anyone logged onto the system. Running as an app means it only runs when a user is logged in. Your scenario may dictate your selection here; for my lab I installed it as a service.
3. Since I selected to run Kiwi as a service I now have to tell the service to run under the Local System account, or to run as a specific privileged user or service account. A dedicated service account is probably best practice in a production environment.
4. Select your shortcut options.
5. Select your install location, or accept the default, and then click install.
6. Monitor the installation, or grab a cup of coffee…
7. Click finish!
And now you’ve got a running Syslog server ready to capture some syslog messages. Note that the free version of Kiwi Syslog only lets you receive messages from up to 5 devices at a time. If you support more than 5 devices then you’ll need to buy a full license.
Configuring your Cisco Device to Send Syslog Messages
Now that the Syslog Server is ready to receive messages we have to do some configuration on our Cisco devices to send messages. It’s super easy to do, and it’s just as easy to configure the level of detail of the messages you want sent. In fact, let’s start with message details…
There are various types of messages that can be sent. You could easily flood your Syslog Server if your message types are too detailed and coming from a lot of devices. Conversely, if they aren’t detailed enough you might not capture the right info while you’re troubleshooting. Message types go in an ascending order, so you basically pick the lowest message type you’re willing to read and then get all messages types from that type and above. For example, the message types are as follows:
- emergencies
- alerts
- critical
- errors
- warnings
- notifications
- informational (the default)
- debugging
If you configure your device to send warnings then it will send warnings plus everything else above, from errors to emergencies. Now, earlier I mentioned you could find yourself in a situation where you aren’t capturing enough information. This could happen if you configure your device to only send messages that are considered emergencies. Those messages are usually tied to a down state: the device is not able to function. This is certainly a message you want to receive; however, you may miss the critical notifications that led up to that state. The issue could have been corrected before it caused a failure.
Ultimately this configuration is up to you as the admin and may require some fine tuning based on your network. I would start with the lowest level you’re willing to accept and then filter out what you don’t want to see on the Syslog server, or fine tune over time.
Alright, let’s configure a switch I have in my lab.
The first thing you need to do is enable logging, and the command is simply:
switch(config)#logging enable
Next, let’s tell the switch where to send syslog messages. We do this with “logging host”, where host is either the IP address or the FQDN of your Syslog server:
switch(config)#logging 172.16.1.10
After this you can test right away that this is working. Exit back to enable mode and you should see a syslog message come in on the server:
Then, configure that minimum level of message you want to receive. You can do this by message type number or name. For reference, again:
- Emergencies – 0
- Alerts – 1
- Critical – 2
- Errors – 3
- Warnings – 4
- Notifications – 5
- Informational – 6
- Debugging – 7
The command for informational and above message types:
switch(config)#logging trap informational
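To make the ascending-severity rule concrete (the list of message types above and the “logging trap” command here), this is an added example, not code from the original post or from Cisco or Kiwi. It parses constructed Cisco IOS-style syslog lines, decodes the RFC 3164 `<PRI>` header (`PRI = facility * 8 + severity`, so `<189>` is local7/notifications), pulls the `%FACILITY-SEVERITY-MNEMONIC` body apart, and applies the same “this level and more severe” filter that `logging trap <level>` applies on the switch. It also flags a line whose body severity digit disagrees with its PRI header, which is worth noticing because a syslog server filters on the PRI, not on the text. The sample messages, hostnames and mnemonics are constructed for illustration.

```python
"""Decode Cisco-style syslog lines and apply the 'logging trap' severity filter.

Added example for this post; not Cisco or Kiwi code. All sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Severity numbers and names exactly as in the 'logging trap' reference table.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
SEVERITY_BY_NAME = {name: num for num, name in SEVERITY_NAMES.items()}

# RFC 3164 header: <PRI> where PRI = facility * 8 + severity (0..191).
PRI_PREFIX = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)
# Cisco IOS message body: %FACILITY-SEVERITY-MNEMONIC: free text
CISCO_BODY = re.compile(
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)"
)


@dataclass
class SyslogMessage:
    facility: int                   # syslog facility from PRI (IOS default local7 = 23)
    severity: int                   # 0 = emergencies ... 7 = debugging, from PRI
    cisco_facility: Optional[str]   # e.g. SYS, LINK (None if no Cisco body found)
    mnemonic: Optional[str]         # e.g. CONFIG_I
    text: str
    consistent: bool                # body severity digit agrees with PRI severity


def parse_syslog(line: str) -> SyslogMessage:
    """Split a raw syslog line into PRI facility/severity and the Cisco body."""
    m = PRI_PREFIX.match(line.strip())
    if m is None:
        raise ValueError(f"missing <PRI> header: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range (max 191)")
    facility, severity = divmod(pri, 8)
    rest = m.group("rest")
    body = CISCO_BODY.search(rest)
    if body is None:
        # Not a Cisco-formatted body; keep the text and trust the PRI severity.
        return SyslogMessage(facility, severity, None, None, rest.strip(), True)
    body_severity = int(body.group("sev"))
    return SyslogMessage(facility, severity, body.group("fac"), body.group("mnem"),
                         body.group("text").strip(), body_severity == severity)


def to_level(level: Union[int, str]) -> int:
    """Accept the level as a number (0-7) or a name, like the IOS command does."""
    if isinstance(level, int):
        if level not in SEVERITY_NAMES:
            raise ValueError(f"severity {level} must be 0..7")
        return level
    return SEVERITY_BY_NAME[level.lower()]


def passes_trap(msg: SyslogMessage, trap_level: Union[int, str]) -> bool:
    """'logging trap <level>' forwards this level and everything more severe (lower number)."""
    return msg.severity <= to_level(trap_level)


def filter_by_trap(lines: List[str], trap_level: Union[int, str]) -> List[SyslogMessage]:
    """Return the parsed messages the switch would actually send for a given trap level."""
    level = to_level(trap_level)
    return [m for m in map(parse_syslog, lines) if m.severity <= level]


# Constructed sample lines in IOS style (sequence number, timestamp, Cisco body).
SAMPLE_LINES = [
    "<189>10: Jan 15 09:12:01.123 EST: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (172.16.1.20)",
    "<187>11: Jan 15 09:12:44.500 EST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down",
    "<190>12: Jan 15 09:12:45.010 EST: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.16.1.10 port 514 started - CLI initiated",
    "<191>13: Jan 15 09:13:02.000 EST: %SYS-7-EXAMPLE_DEBUG: constructed debug-level message",
    "<184>14: Jan 15 09:14:30.700 EST: %SYS-0-EXAMPLE_EMERG: constructed emergency-level message",
    "<190>15: Jan 15 09:15:00.000 EST: %SYS-3-EXAMPLE_MISMATCH: body says errors (3) but the PRI says informational (6)",
]

if __name__ == "__main__":
    for name in ("emergencies", "warnings", "informational", "debugging"):
        kept = filter_by_trap(SAMPLE_LINES, name)
        print(f"logging trap {name:<13} -> {len(kept)} of {len(SAMPLE_LINES)} messages forwarded")
    for m in map(parse_syslog, SAMPLE_LINES):
        flag = "" if m.consistent else "  <-- PRI/body severity mismatch"
        print(f"  sev {m.severity} ({SEVERITY_NAMES[m.severity]:<13}) %{m.cisco_facility}-{m.mnemonic}{flag}")
```

With `logging trap warnings` only the `LINK-3-UPDOWN` and the severity-0 line survive; with `logging trap informational` everything but the debug line is forwarded, which is exactly the “pick the lowest level you’re willing to read and get everything above it” rule. The last sample line is kept at level 6 because the server, like this script, decides on the PRI header; the mismatch flag is there so a collector can notice when the body and header disagree.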
To help with troubleshooting I want to see the time stamp in the message in my local time zone. The command for this is:
switch(config)#service timestamps log datetime localtime show-timezone
Of course, you should have your devices configured to use an NTP source so accurate time is displayed. If all the devices are reporting accurate time in their syslog events then it makes correlation of events much easier.
Okay, all together now for ease of viewing (swap out your variables as appropriate):
switch(config)#logging enable
switch(config)#logging 172.16.1.10
switch(config)#logging trap informational
switch(config)#service timestamps log datetime localtime show-timezone
That’s it! Lather, rinse, and repeat on your other network devices and enjoy an accurate and consolidated view of your Syslog messages!