What Is Syslog?
Essentially, a syslog server lets every network device send its log messages to one central place. By default the messages travel over UDP to port 514 on the syslog server: unacknowledged, fire-and-forget and in plaintext, so a message can be lost on a congested link, anyone on the path can read it, and anyone who can reach the collector can inject a forged message with a spoofed source address. Cisco IOS can also send syslog over TCP (logging host <ip> transport tcp) for reliability, and over TLS on TCP port 6514 (RFC 5425) where the device and collector support it, which is the transport you want for anything that feeds an audit trail. From there, network administrators can search, correlate and archive all of the log information and manage their logging policy centrally.
Log information is essential when troubleshooting problems, and by default Cisco devices keep their log messages in a RAM buffer (the logging buffer). This means the logs are erased when the device reboots, and older entries are overwritten once the buffer fills. Other vendors may write log information to a local disk, which tends to have only a small amount of storage available. Either way, the local copy is also the first thing an attacker who gains access to the device will clear, which is one more reason to forward logs off the box as they are generated. You can find a syslog message template in the following figure:
It looks like the messages you see on the console when configuring routers and switches. The Cisco IOS layout is seq no: timestamp: %FACILITY-SEVERITY-MNEMONIC: description. The first part is the sequence number and/or timestamp; on Cisco devices such as the Catalyst 9000 series switches or the ISR 4000 series routers you choose which ones you want with service sequence-numbers and service timestamps log datetime msec (either or both). The next part is the facility, which names the IOS subsystem that produced the message (SYS, LINK, SEC_LOGIN and so on). Next comes the severity, which shows how urgent the message is. Then comes the mnemonic, a fixed code that identifies the message type, and finally the description, the human-readable text of the message. Note that this header is Cisco-specific; what is industry-standard (RFC 3164, later RFC 5424) is the priority value the device puts in front of the message when it sends it on the wire, computed as facility * 8 + severity. That numeric syslog facility is separate from the facility keyword in the header: on IOS it defaults to local7 and is changed with the logging facility command, and it is what lets a collector correlate logs from different vendors. There are two key bits of information that we need to look at further: facility and severity.
The above table shows all of the standard facilities (codes 0 to 23). The facility represents the process that generated the message. Because syslog was adopted early by Unix systems, these facility codes are mostly Unix-based: a message generated by the Unix kernel has facility kern (0), and an authentication message is logged with facility auth (4) or authpriv (10).
At the bottom we have 16 to 23, local0 to local7, which are undefined, locally assigned values; network devices generally use one of these (Cisco IOS defaults to local7), and it is the value you key on when the collector routes device logs into their own file or pipeline.
The most important bit of information in syslog is the severity. Syslog has eight severity levels, numbered 0 to 7.
At the top, severity 0 (emergencies) is the most urgent and at the bottom severity 7 (debugging) is the least urgent; in between are 1 alerts, 2 critical, 3 errors, 4 warnings, 5 notifications and 6 informational. The administrator chooses which messages are sent to the syslog server based on their severity: on Cisco IOS, logging trap <level> forwards messages at that severity and every more urgent (lower-numbered) one, so your server does not get clogged up with messages you would rather not see. Be careful not to set the threshold too aggressively for security purposes, though: configuration changes (%SYS-5-CONFIG_I) are severity 5 and many login and AAA events are 5 or 6, so a device trapping at warnings (4) silently drops them. logging trap informational is the usual setting, with debugging (7) only enabled temporarily while troubleshooting.
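The pieces above, as an added Python example that is not from the original article: it decodes the <PRI> value a device puts in front of each message (facility * 8 + severity, the RFC 3164/5424 scheme), pulls the Cisco %FACILITY-SEVERITY-MNEMONIC header apart, cross-checks the two severities (they should always agree for a message the device itself emitted, so a mismatch is worth a look), and applies a logging trap-style threshold. The sample lines are constructed for the demo; the %SYS-0-EXAMPLE line is deliberately inconsistent and is not a real IOS message, and the names used for facilities 13 to 15 are shortened from the RFC descriptions.

```python
"""Decode syslog PRI and Cisco IOS message headers, then filter by severity
the way 'logging trap <level>' does on the device. Added example; the sample
lines below are constructed, not captured from a real device."""
import re
from dataclasses import dataclass
from typing import Optional

# Facility codes from RFC 3164/5424: 0-15 fixed, 16-23 local use.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "audit", 14: "alert", 15: "clock",   # 13-15 names shortened
    **{16 + i: f"local{i}" for i in range(8)},
}
# Severity 0 (most urgent) to 7 (least urgent), using the IOS keywords.
SEVERITIES = ["emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"]

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<body>.*)$", re.S)
CISCO_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"            # present with 'service sequence-numbers'
    r"(?:(?P<ts>[^%]+?): )?"           # present with 'service timestamps log'
    r"%(?P<fac>[A-Z][A-Z0-9_]*)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): "
    r"(?P<desc>.*)$", re.S)


@dataclass
class Record:
    facility: int                      # numeric syslog facility from PRI
    severity: int                      # severity from PRI
    cisco_facility: Optional[str] = None   # keyword from the %FAC-SEV-MNEM header
    cisco_severity: Optional[int] = None
    mnemonic: Optional[str] = None
    description: str = ""
    sequence: Optional[int] = None
    timestamp: Optional[str] = None

    @property
    def consistent(self) -> bool:
        """False when PRI and the Cisco header disagree on severity."""
        return self.cisco_severity is None or self.cisco_severity == self.severity


def decode_pri(pri: int) -> tuple[int, int]:
    """Split PRI into (facility, severity); a valid PRI is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    return divmod(pri, 8)


def parse_line(line: str) -> Optional[Record]:
    """Parse one datagram payload; returns None if it is not syslog at all."""
    m = PRI_RE.match(line)
    if not m:
        return None
    try:
        facility, severity = decode_pri(int(m["pri"]))
    except ValueError:
        return None
    rec = Record(facility=facility, severity=severity, description=m["body"])
    c = CISCO_RE.match(m["body"])
    if c:                              # Cisco-style header present
        rec.cisco_facility = c["fac"]
        rec.cisco_severity = int(c["sev"])
        rec.mnemonic = c["mnem"]
        rec.description = c["desc"]
        rec.sequence = int(c["seq"]) if c["seq"] else None
        rec.timestamp = c["ts"]
    return rec


def logging_trap(records, level):
    """Keep what 'logging trap <level>' forwards: severity <= level.
    level is an int or an IOS keyword such as 'informational'."""
    if isinstance(level, str):
        level = SEVERITIES.index(level)
    return [r for r in records if r.severity <= level]


# Constructed sample lines, PRI 184 + severity = local7 (the IOS default).
SAMPLE_LINES = [
    "<189>000019: *Mar  1 00:01:11.123: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
    "<187>000020: *Mar  1 00:01:40.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<188>000021: *Mar  1 00:02:02.789: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed]",
    "<191>000022: *Mar  1 00:02:30.000: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test",
    "<190>000023: *Mar  1 00:03:00.000: %SYS-0-EXAMPLE: constructed line, PRI says 6 but header says 0",
    "not a syslog line at all",
]

if __name__ == "__main__":
    recs = [r for r in map(parse_line, SAMPLE_LINES) if r]
    for r in recs:
        flag = "" if r.consistent else "  <-- severity mismatch"
        print(f"{FACILITIES[r.facility]}/{SEVERITIES[r.severity]} "
              f"%{r.cisco_facility}-{r.cisco_severity}-{r.mnemonic}{flag}")
    print("trap warnings keeps:", [r.mnemonic for r in logging_trap(recs, "warnings")])
```

Running it shows the trade-off from the text directly: trapping at warnings keeps UPDOWN and LOGIN_FAILED but drops CONFIG_I, while trapping at informational keeps the configuration change and drops only the debug message.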