CCNP SWITCH 642-813: Syslog Messages

Catalyst switches can be configured to generate an audit trail of messages describing important events that have occurred. These system message logs (syslog) can then be collected and analyzed to determine what has happened, when it happened, and how severe the event was. In this article, expert network architect Dave Hucaby, author of the best-selling CCNP SWITCH 642-813 Official Certification Guide, shows you how to configure a switch to generate syslog messages only for events at or above a certain level of importance.

When system messages are generated, they always appear in a consistent format as shown in Figure 1. Each message contains the following fields:

  • Timestamp—The date and time from the internal switch clock. By default, the amount of time that the switch has been up is used.
  • Facility Code—A system identifier that categorizes the switch function or module that has generated the message; the facility code always begins with a percent sign.
  • Severity—A number from 0 to 7 that indicates how important or severe the event is; a lower severity means the event is more critical.
  • Mnemonic—A short text string that categorizes the event within the facility code.
  • Message Text—A description of the event or condition that triggered the system message.

Figure 1 Catalyst Switch Syslog Message Format

In Figure 1, an event in the “System” or SYS facility has triggered the system message. The event is considered to be severity level 5. From the mnemonic CONFIG_I, you can infer that something happened with the switch configuration. Indeed, the text description says that the switch was configured by someone connected to the switch console port.

Generally, you should configure a switch to generate syslog messages only for events at or above a certain level of importance. Otherwise, you might collect too much information from a switch that logs absolutely everything or too little information from a switch that logs almost nothing.

You can use the severity level to define that threshold. Figure 2 shows each of the logging severity levels, along with a general list of the types of messages that are generated. Think of the severity levels as concentric circles. When you configure the severity level threshold on a switch, the switch will only generate logging messages that occur at that level or at any other level that is contained within it.

Figure 2 Syslog Severity Levels

For example, if the syslog severity level is set to “critical” (severity level 2), the switch will generate messages in the “critical,” “alerts,” and “emergencies” levels—but nothing else. Notice that the severity levels are numbered such that the most urgent events are reported at level 0, and the least urgent at level 7.
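
The message fields and the threshold rule described above, as an added Python example that is not part of the original article: it splits a collected message into its five fields and keeps only the messages at or above a chosen severity. The function names and sample lines are constructed for illustration, and the facility pattern assumes uppercase letters, digits, and underscores.

```python
import re

# Cisco IOS severity keywords indexed by numeric level (0 = most urgent).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Anything before the percent sign is kept as the timestamp field.
MSG_RE = re.compile(
    r"^(?P<timestamp>.*?)\s*"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
    r"\s*(?P<text>.*)$")

# Constructed sample lines using the default uptime timestamp.
SAMPLE = [
    "00:04:12: %SYS-5-CONFIG_I: Configured from console by console",
    "00:05:30: %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down",
    "00:05:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi1/0/1, changed state to down",
    "00:07:02: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/3",
    "not a system message",
]


def parse(line):
    """Split one system message into its five fields, or return None."""
    m = MSG_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["timestamp"] = fields["timestamp"].rstrip(": ")
    fields["severity"] = int(fields["severity"])
    return fields


def level(threshold):
    """Accept a keyword such as 'critical' or a number from 0 to 7."""
    if isinstance(threshold, str) and not threshold.isdigit():
        return SEVERITIES.index(threshold.lower())  # ValueError if unknown
    n = int(threshold)
    if not 0 <= n <= 7:
        raise ValueError("severity must be between 0 and 7")
    return n


def at_or_above(lines, threshold):
    """Keep messages at the threshold level or any more urgent level."""
    limit = level(threshold)
    parsed = (parse(line) for line in lines)
    return [p for p in parsed if p and p["severity"] <= limit]
```

Calling at_or_above(SAMPLE, "critical") returns only the SPANTREE message, while a threshold of 3 also returns the LINK message.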

System messages can be sent to the switch console, collected in an internal memory buffer, and sent over the network to be collected by a syslog server. The configuration commands for each of these destinations are covered in the following sections.

Logging to the Switch Console

By default, system messages are sent to the switch console port at the debugging level. You can change the console severity level with the following command:

Switch(config)# logging console severity

The severity parameter can be either a severity level keyword, such as informational, or the corresponding numeric value (0 to 7).

Remember that syslog information can be seen on the console only when you are connected to the console port. Even then, the console isn’t a very efficient way to collect and view system messages because of its low throughput. If you are connected to a switch through a Telnet or SSH session, you can redirect the console messages to your remote access session by using the terminal monitor command.
