Changing the Default Log Facility

Changing the Default Log Facility

Problem

You want to change the default logging facility.

Solution

Use the logging facility configuration command to change the syslog facility that the router sends error messages to:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#logging host 172.25.1.1
Router(config)#logging facility local6
Router(config)#end
Router#

The default syslog facility setting is local7.

Discussion

By default, the router will forward all syslog messages to the server's local7 log facility. You can modify this behavior and forward all of your router's syslog messages to another facility by utilizing the logging facility configuration command. Table 18-3 illustrates the possible logging facilities that a router will accept.

Table 18-3. Cisco logging facility types
Facility Description
Auth Authorization system
Cron Cron/at facility
Daemon System daemons
Kern Kernel
local0 Local use
local1 Local use
local2 Local use
local3 Local use
local4 Local use
local5 Local use
local6 Local use
local7 Local use (Default facility for Cisco routers)
Lpr Line printer system
Mail Mail system
News USENET news
sys9 System use
sys10 System use
sys11 System use
sys12 System use
sys13 System use
sys14 System use
Syslog Syslog itself
User User process
Uucp Unix-to-Unix copy system


We generally recommend that you choose one of the "local" facilities, as these are intended specifically for this type of use.


There are a number of reasons why it can be quite useful to choose a facility other than the default. First, another application on the syslog server itself may already be using the logging facility local7. Although most applications provide a means by which to change the default logging facility, some, regrettably, do not.

Second, you might want to separate log messages from routers and switches, or other types of network equipment. This makes parsing through the logfiles much easier. For example, you could configure your switches to forward all log messages to local7, and your routers to local6.

Third, it can often be important for security auditing reasons to be able to separate perimeter router logs from those of internal company routers. Perimeter routers protect the organization from outsiders and require more diligent attention. Sending their log messages to a separate file so that they are not lumped in with the rest of the organization's router messages makes it easier to give them this extra attention. For instance, perimeter router logs may require different archive periods, or might have specialized scripts to parse through them. Assigning a different log facility to them is generally a good idea.

The example below shows a sample portion of a syslog.conf file that forwards log messages from all perimeter routers to facility local5, all other router logs to facility local6, and all switch logs to facility local7:

local5.info                    /var/log/seclog
local6.info /var/log/rtrlog
local7.info /var/log/switchlog

The sample router configuration in the solution section forwards router log messages to log facility local6. The next example illustrates how to configure the perimeter routers to forward their log messages to log facility local5:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#logging host 172.25.1.1
Router(config)#logging facility local5
Router(config)#end
Router#

One final useful thing to do with your syslog configuration is to send high severity log messages to a separate file to make parsing easier. The following example shows a sample syslog.conf configuration that logs all router log messages to a single file called /var/log/rtrlog, and all high severity log messages to a file called /var/log/rtrpriority:

local7.info                        /var/log/rtrlog
local7.err /var/log/rtrpriority

See Also