Syslog Configuration
Lab Objectives
- Configure local buffered syslog on R1 and set an appropriate severity level.
- Configure R1 to forward syslog messages to a remote syslog server on the management network.
- Verify syslog behavior and understand severity levels and their practical effects in production.
Lab Tasks (Try It Yourself First!)
Complete these tasks WITHOUT looking at the solution below. Use ? and show commands to figure it out.
Task 1: Enable buffer logging on R1
Configure R1 so that system messages are stored in RAM (logging buffer). Choose a buffer size and set the severity level to informational so that normal operational messages appear.
Task 2: Configure remote syslog server
Point R1 at a remote syslog server located in the 10.10.40.0/24 network (management side). Ensure messages of severity informational and higher are sent to that server.
Task 3: Make console output synchronous
Prevent console line messages from interrupting command input by enabling console logging synchronization.
Think About It: Why would a production router send only severity levels of "informational" and higher to a remote server, but keep "debugging" messages local? Consider performance and network bandwidth impact.
Lab Solution
Topology (base lab topology — IPs shown exactly as required):
[Internet]
203.0.113.1
|
R1 (Gateway)
Gi0/0: 10.10.10.1
Gi0/1: 10.10.20.1
Gi0/2: 10.10.30.1
/ | \
R2 R3 R4
Gi0/0: 10.10.10.2 | Gi0/0: 10.10.30.2
Gi0/1: 10.10.40.1 |
/ \ |
S1 S2 S3
/ \ | /
PC1 PC2 PC3 PC4 PC5
IP SCHEME listed in lab introduction applies.
Tip: In production, centralizing logs on a remote server is used for long-term storage, correlation (SIEM), and to keep device RAM free. Local buffered logs are useful for quick troubleshooting when you cannot access remote logging.
Task 1 Solution: Enable buffer logging on R1
What we are doing: Configure R1 to store syslog messages in memory so you can view recent messages locally with show commands. Set severity to informational so routine events (interface up/down, config changes, etc.) are captured without overwhelming the buffer with debug-level noise.
R1# configure terminal
R1(config)# logging buffered 4096 informational
R1(config)# service timestamps log datetime msec
R1(config)# end
- logging buffered 4096 informational: allocates a 4096-byte in-memory buffer and records messages with severity informational (level 6) and more severe (levels 0–6). This matters because it controls what is stored locally and how much memory is used.
- service timestamps log datetime msec: adds readable timestamps with millisecond precision to log entries, which helps correlate events across devices and servers.
Verify:
R1# show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
Console logging: level debugging, 257 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: level informational, 12 messages logged, 4096 bytes buffer
Logging to 10.10.40.10: level informational, 0 message lines
Timestamp logging: disabled
Exception size (bytes): 4096
No active filter modules.
Log Buffer (4096 bytes):
*Mar 1 10:05:16.123: %OSPF-5-ADJCHG: Process 1, Nbr 10.10.10.2 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar 1 10:05:20.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
- The show logging output shows buffer size, severity level, and sample buffered messages. The example shows buffer set to 4096 and level informational.
Warning: Buffer size consumes RAM. In large devices or high-logging loads, choose sizes carefully or offload logs to remote servers.
Task 2 Solution: Configure remote syslog server
What we are doing: Configure R1 to send syslog messages to a remote server on the 10.10.40.0/24 management network. In this lab we will use 10.10.40.10 as the syslog server IP (place the server in that network). We also set the trap level to informational so the remote server receives the same severity threshold.
R1# configure terminal
R1(config)# logging host 10.10.40.10
R1(config)# logging trap informational
R1(config)# end
- logging host 10.10.40.10: designates the remote syslog server (UDP/514 by default). This matters because remote servers keep long-term logs and are used for centralized monitoring.
- logging trap informational: sets the severity level sent to remote servers to informational and above. Lower severity (numerically larger) messages like debugging are excluded to reduce network and server load.
Verify:
R1# show running-config | include logging
logging host 10.10.40.10
logging buffered 4096 informational
logging trap informational
R1# show logging
... (excerpt) ...
Buffer logging: level informational, 12 messages logged, 4096 bytes buffer
Logging to 10.10.40.10: level informational, 5 message lines
...
- show running-config | include logging verifies the configuration lines exist.
- show logging confirms remote logging is configured and how many lines have been sent.
Real-world context: Enterprises centralize logging for compliance and security monitoring. Sending only informational or higher reduces noise; debug-level logging is typically enabled only temporarily during troubleshooting.
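To see what a trap level actually lets through, the following added example (not part of the original lab) applies the severity comparison to IOS-style messages and lists what a destination at a given level never receives. It generalizes Task 2 to any severity keyword; the first two sample lines come from the show logging output above, the rest are constructed, and the function names are hypothetical.

```python
import re

# Severity keywords in numeric order (index = level, 0 is most severe).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# IOS message tag: %FACILITY-SEVERITY-MNEMONIC:
IOS_TAG = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):")

# First two lines are from the show logging output in Task 1; the last three
# are constructed sample lines for this example.
SAMPLE = [
    "*Mar 1 10:05:16.123: %OSPF-5-ADJCHG: Process 1, Nbr 10.10.10.2 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached",
    "*Mar 1 10:05:20.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "*Mar 1 10:06:02.010: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar 1 10:06:40.250: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.10.40.50] [localport: 22] [Reason: Login Authentication Failed]",
    "*Mar 1 10:07:00.000: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: ): test",
]


def parse_tag(line):
    """Return (facility, severity, mnemonic), or None if no IOS tag is present."""
    m = IOS_TAG.search(line)
    return (m[1], int(m[2]), m[3]) if m else None


def forwarded(lines, threshold):
    """Lines a destination set to `threshold` receives.

    A message passes when its numeric severity is <= the threshold's number,
    so informational (6) admits levels 0-6 and drops debugging (7).
    Lines without a parsable tag are dropped rather than guessed at.
    """
    limit = SEVERITIES.index(threshold)
    return [l for l in lines if (t := parse_tag(l)) and t[1] <= limit]


def dropped_by(lines, threshold):
    """Tags a destination at `threshold` never sees (its blind spot)."""
    limit = SEVERITIES.index(threshold)
    tags = [parse_tag(line) for line in lines]
    return [f"{t[0]}-{t[1]}-{t[2]}" for t in tags if t and t[1] > limit]


if __name__ == "__main__":
    for level in ("informational", "warnings"):
        print(level, "forwards", len(forwarded(SAMPLE, level)),
              "and drops", dropped_by(SAMPLE, level))
```

At the warnings level the configuration-change message (SYS-5-CONFIG_I) is among the dropped tags, which is worth knowing before raising a threshold on a server used for security monitoring.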
Task 3 Solution: Make console output synchronous
What we are doing: Configure the console line so asynchronous syslog messages do not interrupt typed commands. The console will display messages but keep your input line intact.
R1# configure terminal
R1(config)# line con 0
R1(config-line)# logging synchronous
R1(config-line)# end
- line con 0: enters console line configuration mode.
- logging synchronous: ensures unsolicited log messages are displayed without breaking your typed commands (they are reprinted after the message). This improves operator experience when connected to the console.
Verify:
R1# show running-config | section line con 0
line con 0
logging synchronous
exec-timeout 0 0
logging synchronous
- show running-config | section line con 0 shows the console line configuration including logging synchronous.
Tip: On production routers, logging synchronous prevents you from losing commands while messages appear, especially during interface flaps or other noisy events.
Troubleshooting Scenario
Scenario: Remote logs are not appearing on the syslog server
Symptom: show logging on R1 shows "Logging to 10.10.40.10: level informational, 0 message lines" even though the buffer shows messages.
Your task: Find and fix the issue.
Hint: Check network reachability to the syslog server IP from R1, and confirm the correct server IP and that the server is expecting syslog on UDP/514.
Solution:
- From R1, verify connectivity to 10.10.40.10 (ping). If ping fails, fix routing or the server IP.
R1# ping 10.10.40.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.40.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
- If ping succeeds but server shows nothing, verify the server is listening on UDP/514 and firewall rules allow syslog traffic. If you used the wrong IP, remove it and add the correct one:
R1# configure terminal
R1(config)# no logging host 10.10.40.10
R1(config)# logging host 10.10.40.20
R1(config)# end
- If severity is too high, lower the trap level to include the messages you need:
R1# configure terminal
R1(config)# logging trap informational
R1(config)# end
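For the server-side half of this check, a minimal UDP listener makes it obvious whether datagrams from R1 arrive at all and at what severity. This is an added example, not part of the original lab: the function names are hypothetical, the sample datagrams in its test are constructed, and it assumes R1 uses the IOS default facility local7 (facility number 23).

```python
import re
import socket

PRI_RE = re.compile(rb"<(\d{1,3})>")  # bytes pattern, so \d is ASCII-only


def decode_pri(datagram):
    """Split b'<PRI>text' into (facility, severity, text).

    PRI = facility * 8 + severity, so 189 is facility 23 (local7, assumed to
    be the router's facility setting) at severity 5.
    """
    m = PRI_RE.match(datagram)
    if m is None or int(m[1]) > 191:
        raise ValueError("datagram does not start with a valid <PRI>")
    pri = int(m[1])
    text = datagram[m.end():].decode("utf-8", errors="replace")
    return pri >> 3, pri & 0x07, text


def open_listener(bind_ip="0.0.0.0", port=514):
    """Bind a UDP socket; port 514 normally needs elevated privileges."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    return sock


def receive_one(sock, timeout=5.0):
    """Wait for one datagram; return (source_ip, facility, severity, text).

    socket.timeout here means nothing arrived: look at routing, ACLs and the
    host firewall before changing the router's logging config again.
    """
    sock.settimeout(timeout)
    data, (src_ip, _src_port) = sock.recvfrom(4096)
    return (src_ip, *decode_pri(data))


if __name__ == "__main__":
    with open_listener() as listener:
        while True:
            try:
                print(receive_one(listener, timeout=30.0))
            except socket.timeout:
                print("no syslog datagrams in the last 30 s")
            except ValueError as exc:
                print("ignored:", exc)
```

Stop any existing syslog daemon on the lab server first, since only one process can bind UDP/514 on the same address.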
Verification Checklist
- Buffer logging configured and buffer size confirmed with show logging.
- Remote syslog host configured and show logging shows messages forwarded.
- Console line has logging synchronous set.
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| No messages on remote server | Remote host unreachable or firewall blocking UDP/514 | Ping the syslog host from R1; fix routing/firewall; ensure server listening on UDP/514 |
| show logging shows 0 buffered messages | Buffer size too small or device just rebooted | Increase buffer size with logging buffered <size> level |
| Console input interrupted by messages | logging synchronous not configured on console | Enter line con 0 and apply logging synchronous |
Challenge Task
Add a second remote syslog server in the 192.168.3.0/24 management VLAN (pick an unused IP) and configure R1 to send warning and higher severity messages to the second server while continuing to send informational and higher to the first server. Do this without step-by-step guidance — decide how to prioritize what is sent to each remote host.
Key takeaway: Syslog severity levels and destinations let you control what gets stored locally vs. sent to centralized systems; use severity tuning and buffer sizing to balance visibility with device performance.