WEBVTT

0:00:03.060000 --> 0:00:07.300000
Hello and welcome to this video titled Introduction to Syslog.

0:00:07.300000 --> 0:00:11.280000
In this video I'm going to talk about Syslog.

0:00:11.280000 --> 0:00:13.840000
I'm going to give you an introduction to what it is and why you would

0:00:13.840000 --> 0:00:17.900000
use it. We'll talk about the Syslog messages and the transport mechanism

0:00:17.900000 --> 0:00:22.760000
to get those messages off your router or switch and on to a Syslog server.

0:00:22.760000 --> 0:00:26.680000
We'll look at the Syslog message format and we'll also talk about facility

0:00:26.680000 --> 0:00:28.500000
levels and severity levels.

0:00:28.500000 --> 0:00:33.020000
And then lastly, I'll show you the basic configuration on Cisco IOS devices

0:00:33.020000 --> 0:00:38.380000
to get them to send their Syslog messages to an external Syslog server.

0:00:38.380000 --> 0:00:42.340000
All right, so what is Syslog?

0:00:42.340000 --> 0:00:45.260000
First of all, why do we need logging in general?

0:00:45.260000 --> 0:00:49.820000
So clearly, we want to see what's happening on our router, switch or firewall.

0:00:49.820000 --> 0:00:53.040000
And logging is the most primitive, basic way of doing that.

0:00:53.040000 --> 0:00:56.660000
So with logging, we can see when events happen.

0:00:56.660000 --> 0:00:58.000000
It's as simple as that.

0:00:58.000000 --> 0:01:02.220000
We can see when routing processes start and stop, we can see when somebody

0:01:02.220000 --> 0:01:06.540000
saves the configuration, we can see when an interface went up or down,

0:01:06.540000 --> 0:01:09.960000
we need that stuff, we need visibility to that stuff.

0:01:09.960000 --> 0:01:12.740000
So we can see here there's several benefits.

0:01:12.740000 --> 0:01:15.780000
I'm not going to read these to you, you can read these yourself.

0:01:15.780000 --> 0:01:19.560000
But there's many, many benefits to having logging done on a router or

0:01:19.560000 --> 0:01:22.880000
a switch or any device for that matter.

0:01:22.880000 --> 0:01:26.540000
So Syslog stands for System Logging.

0:01:26.540000 --> 0:01:28.640000
That's what Syslog is.

0:01:28.640000 --> 0:01:30.800000
And it's a tool for system logging.

0:01:30.800000 --> 0:01:34.460000
It is standardized in RFC 5424.

0:01:34.460000 --> 0:01:37.600000
It originally came out in RFC 3164.

0:01:37.600000 --> 0:01:40.020000
So the idea is simply this.

0:01:40.020000 --> 0:01:44.360000
If you have spent any more than about five minutes on a Cisco router or

0:01:44.360000 --> 0:01:47.880000
switch, and I'm sure other vendors have exactly the same thing, you have

0:01:47.880000 --> 0:01:51.980000
probably noticed a log message pop up while you're configuring or changing

0:01:51.980000 --> 0:01:54.100000
things. That is called a Syslog.

0:01:54.100000 --> 0:01:59.400000
A log message saying configuration was changed by console, or interface

0:01:59.400000 --> 0:02:02.440000
changed status to up, or something of that nature.

0:02:02.440000 --> 0:02:03.980000
That is a logging message.

0:02:03.980000 --> 0:02:08.300000
Now by default, that logging message just stays right there in the router

0:02:08.300000 --> 0:02:14.100000
or switch, which is great if you have to be logged in at that time to see

0:02:14.100000 --> 0:02:18.180000
it. But what if a logging message comes up that's pretty important, like

0:02:18.180000 --> 0:02:22.320000
an interface going down or a routing peer going away, and you're not there

0:02:22.320000 --> 0:02:26.900000
to see it? Well then, how do we get access to that log message?

0:02:26.900000 --> 0:02:34.040000
All right. Well, so these log messages are stored in the memory of the

0:02:34.040000 --> 0:02:36.780000
device, but they're not stored for very long.

0:02:36.780000 --> 0:02:40.920000
And these routers and switches only store a minimal quantity of Syslogs

0:02:40.920000 --> 0:02:43.920000
and then they overwrite it with newer Syslogs.

0:02:43.920000 --> 0:02:48.960000
So the whole Syslog standard was, A, let's make these messages sort of

0:02:48.960000 --> 0:02:51.140000
standardized in format.

0:02:51.140000 --> 0:02:55.880000
So if the message that's spitting out on a Cisco device and a message

0:02:55.880000 --> 0:03:00.320000
that's spitting out on a Juniper or an Arista device follows the Syslog

0:03:00.320000 --> 0:03:04.840000
protocol as defined in the RFC, it will have certain elements to that

0:03:04.840000 --> 0:03:07.900000
message. It will follow a certain format.

0:03:07.900000 --> 0:03:12.440000
For example, every Syslog message will have a severity level, and all the

0:03:12.440000 --> 0:03:16.560000
severity levels are well known and they're given distinctive names.

0:03:16.560000 --> 0:03:20.260000
Every Syslog message will have a certain header followed by a body of

0:03:20.260000 --> 0:03:22.000000
what the actual message was.

0:03:22.000000 --> 0:03:26.720000
Syslog also defines a way that you can take those messages and send them

0:03:26.720000 --> 0:03:29.400000
externally to a Syslog server.

0:03:29.400000 --> 0:03:32.060000
And that's the best of all worlds because that way, even if we're not

0:03:32.060000 --> 0:03:36.400000
on the router or switch at the time, we can just peruse those logs from all

0:03:36.400000 --> 0:03:40.460000
of our devices in a central place called a Syslog server.

0:03:40.460000 --> 0:03:45.400000
All right. So Syslog messages, by definition, they need to include a timestamp,

0:03:45.400000 --> 0:03:48.620000
an event message, and a severity.

0:03:48.620000 --> 0:03:51.320000
And then they might also include some other optional things like a host

0:03:51.320000 --> 0:03:54.960000
IP address and some diagnostic information.

0:03:54.960000 --> 0:04:00.280000
Now, when we're sending Syslog messages externally to a Syslog server,

0:04:00.280000 --> 0:04:07.000000
that is carried over the User Datagram Protocol, UDP, on UDP port 514.

0:04:07.000000 --> 0:04:11.800000
Now the Syslog server is also called the event message collector.

0:04:11.800000 --> 0:04:14.960000
So depending on the paper you're reading, it might be called a Syslog

0:04:14.960000 --> 0:04:18.360000
server, or it might be called the event message collector.

0:04:18.360000 --> 0:04:23.260000
All right. Diving a little bit deeper into the actual message format of

0:04:23.260000 --> 0:04:24.540000
a Syslog message.

0:04:24.540000 --> 0:04:30.240000
So RFC 5424 goes into great detail about what the Syslog message is

0:04:30.240000 --> 0:04:35.100000
supposed to look like, but at a high level it is composed of three main elements:

0:04:35.100000 --> 0:04:39.240000
a header, some structured data, and then the message itself.

0:04:39.240000 --> 0:04:43.560000
Now the Syslog header is very, very simple, really just two pieces of

0:04:43.560000 --> 0:04:47.960000
information. And then that's it, a priority value and a version.

0:04:47.960000 --> 0:04:51.740000
Now the priority value, we'll see a sniffer trace here of this in just

0:04:51.740000 --> 0:04:53.900000
a second. Here's the formula for it.

0:04:53.900000 --> 0:04:56.420000
And we'll talk about that when we get closer to it.

0:04:56.420000 --> 0:05:00.120000
And the version, it's not what you would normally think of as a version,

0:05:00.120000 --> 0:05:04.440000
like there's OSPF version two, version three, SNMP version two, version

0:05:04.440000 --> 0:05:09.240000
three. In this case, we're not talking about a version of the Syslog protocol

0:05:09.240000 --> 0:05:13.460000
itself. In this case, version, it's more of a counter.

0:05:13.460000 --> 0:05:19.300000
For example, if I'm a router and you're the Syslog server, every single

0:05:19.300000 --> 0:05:23.260000
time I send you a Syslog message in UDP, the version number is just going

0:05:23.260000 --> 0:05:25.120000
to increase incrementally.

0:05:25.120000 --> 0:05:27.340000
It'll be one, two, three, four, five.

0:05:27.340000 --> 0:05:33.640000
So that's what they call the version of the Syslog message.

0:05:33.640000 --> 0:05:37.540000
Okay, so Syslog messages have two different characteristics.

0:05:37.540000 --> 0:05:41.960000
They have facility levels and they have severity levels.

0:05:41.960000 --> 0:05:45.980000
So the facility level is a value, it's a number.

0:05:45.980000 --> 0:05:50.260000
And like it says here, it represents what was the process in the machine?

0:05:50.260000 --> 0:05:54.380000
Like what was the process in the router or the switch or a server?

0:05:54.380000 --> 0:05:56.200000
Lots of things could generate Syslogs.

0:05:56.200000 --> 0:06:00.300000
What was the CPU process that generated the event?

0:06:00.300000 --> 0:06:01.420000
So what was the CPU process that generated the event?

0:06:01.420000 --> 0:06:04.540000
It's the way of determining which process in the machine created the message.

0:06:04.540000 --> 0:06:08.920000
Now, talking about Cisco IOS routers and switches, most of the time,

0:06:08.920000 --> 0:06:13.160000
they use facility 23, which is local use.

0:06:13.160000 --> 0:06:16.600000
So you'll actually see that in Wireshark sniffer captures; when you capture

0:06:16.600000 --> 0:06:20.820000
a Syslog message, you'll see facility level 23.

0:06:20.820000 --> 0:06:25.380000
But you can see there are other ones in here, for example, for FTP, NTP

0:06:25.380000 --> 0:06:32.260000
and others. And each Syslog message has a priority level.

0:06:32.260000 --> 0:06:34.120000
You've probably seen this.

0:06:34.120000 --> 0:06:37.540000
So when you're on a router or switch in the console, and all of a sudden,

0:06:37.540000 --> 0:06:40.760000
a Syslog message interrupts you and says, oh, your routing peer just

0:06:40.760000 --> 0:06:43.200000
went down or your interface just went up.

0:06:43.200000 --> 0:06:46.960000
Each one of those messages will have a priority value or a severity level

0:06:46.960000 --> 0:06:51.540000
inside of it. And you can see here where the lower the number, the more

0:06:51.540000 --> 0:06:53.460000
critical that message is.

0:06:53.460000 --> 0:06:55.000000
So zero is emergency.

0:06:55.000000 --> 0:06:57.280000
That means I am about to die.

0:06:57.280000 --> 0:06:58.380000
I'm letting you know.

0:06:58.380000 --> 0:07:00.260000
I'm about to shut down and blow up.

0:07:00.260000 --> 0:07:03.600000
So ideally, we don't want to see any level zero messages.

0:07:03.600000 --> 0:07:08.720000
All the way up to level six, which is informational, and level seven.

0:07:08.720000 --> 0:07:12.640000
You'll only see level sevens if you actually turn on some debugging messages.

0:07:12.640000 --> 0:07:16.800000
So certainly, if you're ever studying for any certification exam, hint

0:07:16.800000 --> 0:07:21.400000
hint, you'll want to memorize these levels, the names and the numbers

0:07:21.400000 --> 0:07:24.960000
they correspond with.

0:07:24.960000 --> 0:07:30.980000
Okay, so within a router or switch, certainly, we can use the logging buffer

0:07:30.980000 --> 0:07:35.260000
command to store our Syslog messages.

0:07:35.260000 --> 0:07:38.300000
Now, how do you know, if you log into an existing device like this right

0:07:38.300000 --> 0:07:42.440000
here, how do I know if it's already doing that?

0:07:42.440000 --> 0:07:44.700000
Well, for example, see this right here?

0:07:44.700000 --> 0:07:47.640000
That is a Syslog message, right?

0:07:47.640000 --> 0:07:52.140000
And this right here, that number five, that is our severity level.

0:07:52.140000 --> 0:07:56.960000
So if I go back to what we were just looking at, that is a notice.

0:07:56.960000 --> 0:07:58.480000
That was a notice message.

0:07:58.480000 --> 0:08:01.920000
Events that are unusual, but not error conditions.

0:08:01.920000 --> 0:08:06.460000
So in this device, when it printed out that, hey, someone just configured

0:08:06.460000 --> 0:08:10.500000
it from console, that was a severity level of five.

0:08:10.500000 --> 0:08:15.300000
Now, if we go in here, if we type enable, and we just say show logging.

0:08:15.300000 --> 0:08:21.980000
Okay, so this says here on the console, I'm going to see level seven all

0:08:21.980000 --> 0:08:22.860000
the way on down to zero.

0:08:22.860000 --> 0:08:24.400000
I'm going to see everything.

0:08:24.400000 --> 0:08:27.940000
Buffer logging is disabled.

0:08:27.940000 --> 0:08:30.600000
So right now, nothing is being logged to the buffer.

0:08:30.600000 --> 0:08:34.520000
So if I'm not actually on this device, show log.

0:08:34.520000 --> 0:08:40.720000
See that? So we saw the Syslog message up here, because I was on the device

0:08:40.720000 --> 0:08:43.580000
at the time. But that wasn't stored anywhere.

0:08:43.580000 --> 0:08:45.220000
It wasn't stored in the buffer.

0:08:45.220000 --> 0:08:49.860000
So if I want to store it in that buffer, to where buffer logging says something

0:08:49.860000 --> 0:08:56.440000
other than disabled, I would say logging buffer.

0:08:56.440000 --> 0:09:00.140000
And then I get to choose what level I want.

0:09:00.140000 --> 0:09:03.020000
So whatever number, so you could pick a name or a number.

0:09:03.020000 --> 0:09:06.120000
For example, I could say errors.

0:09:06.120000 --> 0:09:12.040000
I could say that, or I could say three, because that also corresponds to

0:09:12.040000 --> 0:09:17.640000
errors. So if I do that, then all my Syslog levels that are a priority

0:09:17.640000 --> 0:09:22.620000
or severity level of three on down to zero will be logged.

0:09:22.620000 --> 0:09:24.800000
So this isn't just level three.

0:09:24.800000 --> 0:09:30.180000
This says I want level three, two, one, and zero to be stored in my buffer.

0:09:30.180000 --> 0:09:34.220000
So that's how you get your Syslogs saved to your buffer.

0:09:34.220000 --> 0:09:37.880000
But ideally, you don't want them to stay in the buffer.

0:09:37.880000 --> 0:09:42.540000
You want them also sent to an external Syslog message server.

0:09:42.540000 --> 0:09:46.120000
And that's simply the logging host command.

0:09:46.120000 --> 0:09:50.160000
Logging host and then the IP address of wherever the Syslog server is.

0:09:50.160000 --> 0:09:53.720000
And then when you do that, whenever it creates a Syslog, you'll see something

0:09:53.720000 --> 0:09:58.180000
like this. So this is an actual Syslog message that was captured in Wireshark.

0:09:58.180000 --> 0:10:02.320000
You can see it goes across using IP.

0:10:02.320000 --> 0:10:07.780000
There it is. UDP port 514.

0:10:07.780000 --> 0:10:11.740000
So that's the port number for Syslog.

0:10:11.740000 --> 0:10:13.280000
And then here's our Syslog message.

0:10:13.280000 --> 0:10:15.540000
It's not very big.

0:10:15.540000 --> 0:10:21.300000
So you can see right here, this number right here, this 189, that's the

0:10:21.300000 --> 0:10:23.160000
Syslog priority level.

0:10:23.160000 --> 0:10:27.200000
Now, not that you'd ever really care about this, but if you're wondering

0:10:27.200000 --> 0:10:29.760000
where the heck did it come up with 189?

0:10:29.760000 --> 0:10:38.680000
There was that calculation for it, where you take the facility.

0:10:38.680000 --> 0:10:43.460000
Remember, Cisco routers and devices typically use the number 23 as

0:10:43.460000 --> 0:10:45.020000
their facility level.

0:10:45.020000 --> 0:10:55.680000
Times 8, plus the level or priority of the message.

0:10:55.680000 --> 0:11:01.000000
So if we take those numbers, if we take the facility of 23, and that's

0:11:01.000000 --> 0:11:03.980000
right here, right?

0:11:03.980000 --> 0:11:10.960000
So if we add those up, so 1011, actually 1, so it's this whole thing right

0:11:10.960000 --> 0:11:14.700000
here, that number equals 23.

0:11:14.700000 --> 0:11:19.240000
We've got the 16, the 4, the 2, and the 1 bit, so that's the facility.

0:11:19.240000 --> 0:11:22.820000
That's local7, reserved for local use, 23.

0:11:22.820000 --> 0:11:27.320000
So if we take 23 times 8, that gives us 184.

0:11:27.320000 --> 0:11:32.840000
And then this particular message was a severity level 5.

0:11:32.840000 --> 0:11:38.120000
So 184 plus 5 gives us 189.

0:11:38.120000 --> 0:11:40.060000
That's where that number comes from.

0:11:40.060000 --> 0:11:42.820000
So I suppose you could lock onto that in some sort of a filter or something,

0:11:42.820000 --> 0:11:44.220000
if you wanted to.

0:11:44.220000 --> 0:11:48.900000
And then you can actually see the Syslog message itself, right here in

0:11:48.900000 --> 0:11:52.160000
plain text, carried across to that server.

0:11:52.160000 --> 0:11:53.720000
So it's not encrypted or anything.

0:11:53.720000 --> 0:11:57.540000
It's a real basic message that goes over to your Syslog server.

0:11:57.540000 --> 0:12:02.260000
So that is how Syslog works.

0:12:02.260000 --> 0:12:04.460000
That's how we save it to the buffer.

0:12:04.460000 --> 0:12:07.680000
We've talked about facility levels and priority levels, and we've talked

0:12:07.680000 --> 0:12:11.400000
about how to get those Syslog messages to an external Syslog server for

0:12:11.400000 --> 0:12:13.780000
storage and later viewing.

0:12:13.780000 --> 0:12:16.780000
So that concludes this video on Syslog.

0:12:16.780000 --> 0:12:17.660000
Thank you for watching.