Syslog

From Hill2dot0

Defined in RFC 3164, Syslog has been used for many years to carry event notification messages across a network. Network administrators use it to centralize the recording of messages from network devices for further inspection and correlation. Typically, Syslog servers are implemented on Unix-/Linux-based devices. Such devices record and store messages, but they can also provide filtering and actions (e.g., sending emails or pages to support staff in critical circumstances). The facility information in a Syslog message tells the Syslog server where the message originated.

Log Severity Descriptions


Syslog includes a measure of severity with every message, an important feature because it allows appropriate action to be taken. Emergency events might cause an alert (e.g., a page, email, SMS, or phone call) to support staff, whereas Notification messages might only warrant casual inspection during regular perusal of the log files. The severities are defined by RFC 3164, the BSD Syslog protocol. In addition, the message will contain further vendor-specific details about the event that has occurred.

An Example Syslog Application: Cisco's Debug Command

Debug is a useful command found within Cisco's IOS. It is a tool for troubleshooting a problem from the perspective of a given router. Debug, however, can generate thousands of messages for inspection, which can be a serious problem. The amount of buffer space on the router is limited, so it is possible that interesting information is lost before it is seen. The Cisco console can also become unresponsive and difficult to use while the debug data scrolls up the screen. If debug is being viewed from a Telnet session, the Telnet window also usually has limited buffer space.

A useful way to use debug is to log the resulting messages to a Syslog server. The network link is faster than a console connection, and the data is stored for later inspection (even if the router is short on buffer space or if it reboots). This is a good example of how Syslog can be used to support network diagnostics.
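The following is an added example, not part of the original page, showing how the facility and severity described above are actually carried in an RFC 3164 message and how a receiving server might act on them. RFC 3164 encodes both in the PRI field at the start of the message as `facility * 8 + severity`, and a message that arrives without a valid PRI is treated as `<13>` (user.notice). The first sample line is the example message from RFC 3164 itself; the Cisco IOS line and the PRI-less line are constructed for this example. The escalation thresholds in `route()` and the short facility labels are assumptions chosen here, not something the page or the RFC prescribes.

```python
"""Decode the RFC 3164 PRI field and route messages by severity.

Added example; not code from the Hill2dot0 page.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Severity codes from RFC 3164 section 4.1.1 (0 = most severe, 7 = least).
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# Facility codes 0..23 from RFC 3164 section 4.1.1; the short labels are our own.
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
                  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# RFC 3164 section 4.3.3: a message without a valid PRI is treated as <13> (user.notice).
DEFAULT_PRI = 13

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# Cisco IOS puts its own header in the body: %FACILITY-SEVERITY-MNEMONIC: text
CISCO_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    body: str
    vendor_tag: Optional[str] = None  # e.g. "SYS-5-CONFIG_I" on Cisco IOS

    @property
    def facility_name(self) -> str:
        return FACILITY_NAMES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_syslog(raw: str) -> SyslogEvent:
    """Split off the PRI field and decode it into facility and severity."""
    m = PRI_RE.match(raw)
    if m and int(m.group(1)) <= 191:  # 23 * 8 + 7 is the largest legal PRI
        pri, body = int(m.group(1)), m.group(2)
    else:
        pri, body = DEFAULT_PRI, raw   # malformed or missing PRI: assume <13>
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    c = CISCO_RE.search(body)
    tag = f"{c.group(1)}-{c.group(2)}-{c.group(3)}" if c else None
    return SyslogEvent(facility, severity, body, tag)


def route(event: SyslogEvent) -> str:
    """Hypothetical escalation policy keyed on severity (thresholds are an assumption)."""
    if event.severity <= 2:   # emergency, alert, critical
        return "page-on-call"
    if event.severity <= 4:   # error, warning
        return "open-ticket"
    return "log-only"         # notice, informational, debug


SAMPLE_MESSAGES = [
    # The example message from RFC 3164 section 5.4: PRI 34 = auth (4) * 8 + critical (2).
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    # Constructed Cisco IOS line; IOS logs to local7 by default, so PRI 189 = 23 * 8 + 5.
    "<189>48: *Mar  1 00:01:02.003: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.5)",
    # Constructed line with no PRI at all: falls back to <13>, i.e. user.notice.
    "Oct 11 22:14:16 mymachine kernel: constructed message without PRI",
]


def summarize(raw_lines):
    """Return (facility, severity, action, vendor tag) for each raw line."""
    return [(e.facility_name, e.severity_name, route(e), e.vendor_tag)
            for e in map(parse_syslog, raw_lines)]


if __name__ == "__main__":
    for row in summarize(SAMPLE_MESSAGES):
        print(row)
```

The Cisco line illustrates the "vendor-specific details" mentioned above: the severity number inside `%SYS-5-CONFIG_I` matches the Syslog severity in the PRI, and the mnemonic `CONFIG_I` is what a collector would key on to decide what the router is reporting.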