Syslog
This chapter covers the system syslog feature, which lets the user manage the underlying Syslog protocol.
The syslog protocol makes it possible to generate log messages on the various subsystems and either store them in a local file or forward them to a central syslog server, which collects and stores the messages. This supports network management and helps identify potential issues and security threats.
Concepts
To ease the collection of log messages from multiple devices across the network (routers, switches, etc.), a syslog server is set up to store the log messages so that they can be filtered afterwards.
These log messages have a header with information about the date of generation, the facility that produced the message, the severity level and the subsystem that generated the message.
Let's suppose we have the following log message, extracted from inside the router:
2023-05-10 09:40:39.181655 authpriv-info , sshd[2390]: Server listening on 0.0.0.0 port 22.
2023-05-10 09:40:39.181655 is the timestamp at which the message was logged. authpriv-info indicates that the authpriv facility (security and authentication messages) generated the message with a severity of info. sshd[2390] identifies the subsystem that generated the message: sshd is the name of the subsystem and the number in brackets (in standard syslog practice, the process ID) distinguishes between instances with the same name. The rest of the line is the content of the message.
Filters
Each part of the system syslog feature can filter among all the generated log messages. The regex filter only returns log messages whose content matches a POSIX Extended Regular Expression. The app filter accepts only the syslog messages generated by a particular subsystem (e.g., sshd for the ssh service); the subsystem name appears right before the message content.
The level option only returns log messages whose severity is at least as severe as the selected level (for example, selecting Warning returns Warning, Error, Critical, Alert and Emergency messages and discards Notice, Info and Debug).
These are the severity levels, from most to least severe (numbered 0 to 7 in the protocol):
Emergency: system is unusable
Alert: action must be taken immediately
Critical: critical conditions
Error: error conditions
Warning: warning conditions
Notice: normal but significant condition
Info: informational messages
Debug: debug-level messages
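To make the message layout from the Concepts section and the three filters above concrete, here is an added example (not code from the original page or from the router's software) that parses lines in the router's local log format and applies the regex, app and level filters to them. It assumes the short severity names emerg, alert, crit, err, warning, notice, info and debug (only info is confirmed by the example line in the text) and uses Python's re module as a stand-in for the router's POSIX ERE engine. The sample log is constructed: its first line is the one quoted in the text, the rest are made up.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Syslog severity codes (RFC 5424; 0 is the most severe). The router prints
# severities by name. Only "info" is confirmed by the example line in the
# text; the other spellings (and their aliases) are assumed here.
SEVERITY_CODES = {
    "emerg": 0, "emergency": 0, "panic": 0,
    "alert": 1,
    "crit": 2, "critical": 2,
    "err": 3, "error": 3,
    "warning": 4, "warn": 4,
    "notice": 5,
    "info": 6,
    "debug": 7,
}

# Shape of one locally stored line, following the example in the text:
#   <timestamp> <facility>-<severity> , <app>[<pid>]: <message>
# The "[<pid>]" part is optional so that lines without a process ID
# (e.g. kernel messages) still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"(?P<facility>[a-z0-9]+)-(?P<severity>[a-z]+) , "
    r"(?P<app>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


@dataclass
class LogEntry:
    ts: str
    facility: str
    severity: str
    app: str
    pid: Optional[int]
    msg: str

    @property
    def severity_code(self) -> int:
        return SEVERITY_CODES[self.severity]


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line)
    if m is None or m["severity"] not in SEVERITY_CODES:
        return None
    return LogEntry(
        ts=m["ts"], facility=m["facility"], severity=m["severity"],
        app=m["app"], pid=int(m["pid"]) if m["pid"] else None, msg=m["msg"],
    )


def parse_log(text: str) -> List[LogEntry]:
    """Parse every well-formed line of a log file; skip anything else."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def filter_regex(entries: Iterable[LogEntry], pattern: str) -> List[LogEntry]:
    """Keep entries whose message content matches the regular expression."""
    rx = re.compile(pattern)
    return [e for e in entries if rx.search(e.msg)]


def filter_app(entries: Iterable[LogEntry], app: str) -> List[LogEntry]:
    """Keep entries generated by the named subsystem (e.g. "sshd")."""
    return [e for e in entries if e.app == app]


def filter_level(entries: Iterable[LogEntry], level: str) -> List[LogEntry]:
    """Keep entries at least as severe as `level`. Lower codes are more
    severe, so "at least Warning" means a code <= 4: Warning, Error,
    Critical, Alert and Emergency."""
    threshold = SEVERITY_CODES[level.lower()]
    return [e for e in entries if e.severity_code <= threshold]


# Constructed sample log. The first line is the one quoted in the text; the
# rest are made up to exercise the filters (the address is from TEST-NET-3).
SAMPLE_LOG = """\
2023-05-10 09:40:39.181655 authpriv-info , sshd[2390]: Server listening on 0.0.0.0 port 22.
2023-05-10 09:41:02.004110 authpriv-warning , sshd[2401]: Invalid user admin from 203.0.113.7 port 51422
2023-05-10 09:41:05.330021 authpriv-err , sshd[2401]: Failed password for invalid user admin from 203.0.113.7 port 51422 ssh2
2023-05-10 09:42:10.000000 daemon-notice , ntpd[1034]: time reset +0.002 s
2023-05-10 09:43:00.123456 kern-crit , kernel: Out of memory: kill process 2390 (sshd)
this line is not a syslog entry and is skipped
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(f"parsed {len(entries)} entries")
    for e in filter_level(filter_app(entries, "sshd"), "warning"):
        print(f"{e.ts} {e.severity:<8} {e.app}[{e.pid}] {e.msg}")
    for e in filter_regex(entries, r"(Invalid|Failed).*203\.0\.113\.7"):
        print("auth failure:", e.msg)
```

Note that the level filter compares numeric codes, so the threshold is "code less than or equal to", not "greater than or equal to": a Warning threshold keeps Error and Critical but drops Notice. Chaining filter_app and filter_level reproduces the common case of watching one daemon for anything worse than informational noise.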
Options
When the logs are redirected to an internal file, there are options to compress the stored log files and to set their number and maximum size.
When the log messages are forwarded to an external server, there are further options: whether the transport is UDP or TCP, whether to encrypt the traffic with TLS, and which interface or VRF to use to reach the Syslog server.
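The forwarding options above carry messages in the standard syslog wire format. The following added example (not part of the original page and not the router's own code) builds and parses RFC 5424 messages with the facility/severity PRI encoding, applies the RFC 6587 octet-counting framing that TCP transport needs because a byte stream has no datagram boundaries, and sends one message to a local UDP listener. The hostname, timestamp and message content are constructed.

```python
import re
import socket
from typing import Dict, List, Tuple

# Facility and severity codes from RFC 5424. PRI = facility * 8 + severity.
FACILITY_CODES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "audit": 13, "alert": 14, "clock": 15,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITY_CODES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                  "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITY_CODES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITY_CODES.items()}


def pri(facility: str, severity: str) -> int:
    """Compute the <PRI> value that opens every syslog message."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]


def split_pri(value: int) -> Tuple[int, int]:
    """Invert pri(): returns (facility code, severity code)."""
    if not 0 <= value <= 191:
        raise ValueError(f"PRI out of range: {value}")
    return divmod(value, 8)


def encode_rfc5424(facility: str, severity: str, timestamp: str, hostname: str,
                   app: str, procid: str, msg: str) -> bytes:
    """Build an RFC 5424 message with no MSGID and no structured data."""
    header = f"<{pri(facility, severity)}>1 {timestamp} {hostname} {app} {procid} - -"
    return f"{header} {msg}".encode("utf-8")


# HEADER fields are space separated; SD is "-" or one or more [...] elements;
# the MSG part is optional and, if present, is preceded by a single space.
RFC5424_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    rb"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)


def decode_rfc5424(data: bytes) -> Dict[str, str]:
    """Parse one RFC 5424 message received from the wire."""
    m = RFC5424_RE.match(data)
    if m is None:
        raise ValueError("not an RFC 5424 message")
    fac, sev = split_pri(int(m["pri"]))
    return {
        "facility": FACILITY_NAMES[fac], "severity": SEVERITY_NAMES[sev],
        "timestamp": m["ts"].decode(), "hostname": m["host"].decode(),
        "app": m["app"].decode(), "procid": m["procid"].decode(),
        "msg": (m["msg"] or b"").decode("utf-8"),
    }


def frame_octet_count(msg: bytes) -> bytes:
    """RFC 6587 octet-counting framing for TCP: "<length> <message>"."""
    return b"%d %s" % (len(msg), msg)


def unframe_octet_count(stream: bytes) -> List[bytes]:
    """Split a TCP byte stream back into the individual messages."""
    msgs = []
    pos = 0
    while pos < len(stream):
        sp = stream.index(b" ", pos)
        length = int(stream[pos:sp])
        start = sp + 1
        if start + length > len(stream):
            raise ValueError("truncated frame")
        msgs.append(stream[start:start + length])
        pos = start + length
    return msgs


def udp_loopback_roundtrip(msg: bytes) -> Dict[str, str]:
    """Send one datagram to a local listener and decode what it received."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        client.sendto(msg, server.getsockname())
        data, _ = server.recvfrom(65535)
    finally:
        client.close()
        server.close()
    return decode_rfc5424(data)


if __name__ == "__main__":
    # Constructed values: hostname, timestamp and the message text.
    packet = encode_rfc5424("authpriv", "info", "2023-05-10T09:40:39.181655+02:00",
                            "router1", "sshd", "2390",
                            "Server listening on 0.0.0.0 port 22.")
    print(packet.decode())
    print(udp_loopback_roundtrip(packet))
    stream = frame_octet_count(packet) + frame_octet_count(packet)
    print([decode_rfc5424(m)["msg"] for m in unframe_octet_count(stream)])
```

Two practical points follow from this. Over UDP a message is one datagram and can be silently lost, so a collector may never see the event that mattered; over TCP the messages arrive as a stream and the receiver must rely on framing such as the octet count shown here to find message boundaries. In both cases the content, including the hostname and PRI, travels in cleartext and is trivially spoofable by anyone on the path, which is the reason to prefer the TLS option when the collector is not on a trusted segment.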