Changing the Default Log Facility
Problem
You want to change the default logging facility.
Solution
Use the logging facility configuration command to change the syslog facility that the router sends error messages to:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#logging host 172.25.1.1
Router(config)#logging facility local6
Router(config)#end
Router#
The default syslog facility setting is local7.
Discussion
By default, the router forwards all syslog messages to the server's local7 log facility. You can change this behavior and send all of your router's syslog messages to another facility with the logging facility configuration command. Table 18-3 lists the logging facilities that a router will accept.
Facility | Description |
---|---|
Auth | Authorization system |
Cron | Cron/at facility |
Daemon | System daemons |
Kern | Kernel |
local0 | Local use |
local1 | Local use |
local2 | Local use |
local3 | Local use |
local4 | Local use |
local5 | Local use |
local6 | Local use |
local7 | Local use (Default facility for Cisco routers) |
Lpr | Line printer system |
Mail | Mail system |
News | USENET news |
sys9 | System use |
sys10 | System use |
sys11 | System use |
sys12 | System use |
sys13 | System use |
sys14 | System use |
Syslog | Syslog itself |
User | User process |
Uucp | Unix-to-Unix copy system |
There are a number of reasons why it can be quite useful to choose a facility other than the default. First, another application on the syslog server itself may already be using the logging facility local7. Although most applications provide a means by which to change the default logging facility, some, regrettably, do not.
Second, you might want to separate log messages from routers and switches, or other types of network equipment. This makes parsing through the logfiles much easier. For example, you could configure your switches to forward all log messages to local7, and your routers to local6.
Third, it can often be important for security auditing reasons to be able to separate perimeter router logs from those of internal company routers. Perimeter routers protect the organization from outsiders and require more diligent attention. Sending their log messages to a separate file so that they are not lumped in with the rest of the organization's router messages makes it easier to give them this extra attention. For instance, perimeter router logs may require different archive periods, or might have specialized scripts to parse through them. Assigning a different log facility to them is generally a good idea.
The example below shows a sample portion of a syslog.conf file that writes log messages from all perimeter routers (facility local5), all other routers (facility local6), and all switches (facility local7) to separate files:
local5.info /var/log/seclog
local6.info /var/log/rtrlog
local7.info /var/log/switchlog
The sample router configuration in the solution section forwards router log messages to log facility local6. The next example illustrates how to configure the perimeter routers to forward their log messages to log facility local5:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#logging host 172.25.1.1
Router(config)#logging facility local5
Router(config)#end
Router#
One final useful thing to do with your syslog configuration is to send high-severity log messages to a separate file to make parsing easier. The following example shows a sample syslog.conf configuration that logs all router log messages to a single file called /var/log/rtrlog, and all high-severity log messages to a file called /var/log/rtrpriority:
local7.info /var/log/rtrlog
local7.err /var/log/rtrpriority
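To check which file a given message will land in under the two syslog.conf examples above, the following added sketch (not from the original text) decodes the `<PRI>` field a router puts at the front of each syslog packet and applies the classic syslogd `facility.level` selector rule. The sample packets are constructed, and the function and variable names are this example's own.

```python
import re

# Facility and severity codes from the syslog protocol (RFC 3164 / RFC 5424).
FACILITIES = {"local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# The three-file syslog.conf from the text, as (selector, file) pairs.
RULES = [("local5.info", "/var/log/seclog"),
         ("local6.info", "/var/log/rtrlog"),
         ("local7.info", "/var/log/switchlog")]

# The last syslog.conf from the text: one facility split by severity.
PRIORITY_RULES = [("local7.info", "/var/log/rtrlog"),
                  ("local7.err", "/var/log/rtrpriority")]

PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(packet):
    """Return (facility_code, severity_code) from the leading <PRI> field."""
    m = PRI_RE.match(packet)
    if not m or int(m.group(1)) > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("missing or out-of-range PRI field")
    return divmod(int(m.group(1)), 8)   # PRI = facility * 8 + severity

def destinations(packet, rules):
    """Files a classic syslogd would write this packet to under `rules`."""
    facility, severity = decode_pri(packet)
    files = []
    for selector, path in rules:
        fac_name, level = selector.split(".")
        # "facility.level" selects that level and everything more severe,
        # i.e. a numerically lower or equal severity code.
        if FACILITIES[fac_name] == facility and severity <= SEVERITIES[level]:
            files.append(path)
    return files

# Constructed sample packets (not captured traffic).
SAMPLES = [
    "<171>45: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",  # local5.err
    "<181>46: %SYS-5-CONFIG_I: Configured from console by console",         # local6.notice
    "<191>47: constructed debug-level message",                             # local7.debug
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt[:5], destinations(pkt, RULES))
```

Two results are worth noting: a debug-level message matches no `.info` selector and is written nowhere, and under the last configuration a local7 message at err or above is written to both /var/log/rtrlog and /var/log/rtrpriority.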