Syslog
Local logging is covered in Part I, but a device can only hold a certain amount of data. Centralized logging for easier access, correlation and historical tracking is something a good network needs.
Configuring remote syslog is a fairly easy process:
Switch(config)#logging host <ip-address>
That’s it. Of course, many extra options are possible:
- ‘vrf vrf’ behind the command to define the management/logging VRF to use.
- ‘transport udp port port’ behind the command to change the default port of 514. You can also use TCP here, but I don’t see the advantage, as this will not save the logs in case of network issues.
- ‘logging source-interface interface’ can be used to define the source interface. A loopback can be useful if it’s a router with multiple interfaces, so the device always shows up with the same IP address on the logging server.
- ‘logging trap 0-7’ to define the severity level of messages to send to the syslog server.
As a syslog server, many free and commercial ones are available. For a simple lab or home setup, I’m using tftpd32 (and tftpd64 for 64-bit systems). A very useful tool, and the TFTP function can also be used to upload IOS files to Cisco devices.
Log optimization
Great, now logging works, but what further tweaks can be added? Quite a few, but I’m just going to describe the three things I find most useful.
First, it’s possible to log commands configured in the switch using the following configuration:
Switch(config)#archive
Switch(config-archive)#log config
Switch(config-archive-log-cfg)#logging enable
Switch(config-archive-log-cfg)#hidekeys
Switch(config-archive-log-cfg)#notify syslog contenttype plaintext
Switch(config-archive-log-cfg)#end
From now on, logging shows which user typed which command. Useful for an audit trail and seeing what went wrong during configuration.
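What the collector on the other end actually receives is worth seeing once: the lines above arrive with a numeric <PRI> (facility*8 + severity), a timestamp and the familiar %FACILITY-SEVERITY-MNEMONIC header, and the config-archive audit lines come in as %PARSER-5-CFGLOG_LOGGEDCMD messages. The Python below is an added example, not part of this post or of any syslog server mentioned here: it parses such lines, mimics the ‘logging trap’ severity cut-off, and pulls a who-typed-what audit trail out of the CFGLOG messages. The sample lines are constructed (facility local7 = 23, so severity 3 gives <187> and severity 5 gives <189>), and the user name, interface and addresses in them are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity names in IOS "logging trap" order; the list index is the numeric level.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# A Cisco IOS line as delivered to a UDP/514 collector: <PRI>, an optional
# sequence number, a timestamp, then %FACILITY-SEVERITY-MNEMONIC: text.
_LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:\d+: )?"                                  # optional "service sequence-numbers" prefix
    r"(?P<ts>.*?): "                               # timestamp (itself contains colons)
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
# Body of a %PARSER-5-CFGLOG_LOGGEDCMD message produced by "archive / log config".
_CFGLOG_RE = re.compile(r"^User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")


@dataclass
class SyslogMsg:
    pri_facility: int   # from <PRI>: pri // 8
    pri_severity: int   # from <PRI>: pri % 8
    timestamp: str
    facility: str       # Cisco facility word, e.g. LINK, PARSER, SYS
    severity: int       # digit from the mnemonic, e.g. 3 in %LINK-3-UPDOWN
    mnemonic: str
    text: str

    @property
    def consistent(self) -> bool:
        """PRI severity and mnemonic severity should agree on a genuine IOS line."""
        return self.pri_severity == self.severity


def parse_line(line: str) -> Optional[SyslogMsg]:
    """Return a SyslogMsg for a well-formed IOS line, None for anything else."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:   # 24 facilities * 8 severities - 1 is the largest valid PRI
        return None
    return SyslogMsg(pri // 8, pri % 8, m.group("ts"), m.group("fac"),
                     int(m.group("sev")), m.group("mnem"), m.group("text"))


def passes_trap(msg: SyslogMsg, trap_level: int) -> bool:
    """Mirror 'logging trap N': keep severity N and anything more severe (lower number)."""
    return msg.severity <= trap_level


def config_change(msg: SyslogMsg) -> Optional[Tuple[str, str]]:
    """(user, command) for a config-archive audit line, None for any other message."""
    if msg.facility != "PARSER" or msg.mnemonic != "CFGLOG_LOGGEDCMD":
        return None
    m = _CFGLOG_RE.match(msg.text)
    return (m.group("user"), m.group("cmd").strip()) if m else None


def audit_trail(lines: List[str]) -> List[Tuple[str, str]]:
    """Who typed what, in order, from a batch of raw syslog lines."""
    trail = []
    for line in lines:
        msg = parse_line(line)
        if msg is not None:
            change = config_change(msg)
            if change is not None:
                trail.append(change)
    return trail


def filter_by_trap(lines: List[str], trap_level: int) -> List[SyslogMsg]:
    """Parsed messages a device configured with 'logging trap <trap_level>' would send."""
    parsed = (parse_line(line) for line in lines)
    return [m for m in parsed if m is not None and passes_trap(m, trap_level)]


# Constructed sample lines (not captured from a real device).
SAMPLE_LINES = [
    "<187>*Mar  1 00:14:52.123: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down",
    "<189>*Mar  1 00:14:53.001: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet1/0/12",
    "<189>*Mar  1 00:15:10.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<189>*Mar  1 00:15:11.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging event link-status",
    "this line is not an IOS syslog message",
]

if __name__ == "__main__":
    for user, cmd in audit_trail(SAMPLE_LINES):
        print(f"{user} typed: {cmd}")
    for msg in filter_by_trap(SAMPLE_LINES, 3):
        print(f"trap 3 would forward: %{msg.facility}-{msg.severity}-{msg.mnemonic} ({SEVERITY_NAMES[msg.severity]})")
```

The `consistent` check is the one bit worth keeping in a real collector: a line whose <PRI> severity disagrees with the severity digit in its mnemonic did not come out of IOS as-is, which is a cheap sanity test before trusting the audit trail.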
Second, a link up/down event generates a severity 3 log message, but not every interface is equally important, and in an office environment a lot of these events may be generated during the day. This can be changed on a per-interface basis:
Switch(config-if)#logging event link-status
It’s also possible to toggle STP, PoE and DTP events. By default, they are all active; putting ‘no’ in front of the command (e.g. ‘no logging event link-status’) disables it. This way, logging and alerting of just the important ports becomes possible.
And last: when logged in through the console at a default speed of 9600 bps, it’s possible to become overwhelmed by the many logging messages. It can be rate-limited, with exceptions for certain severity levels, e.g.:
Switch(config)#logging rate-limit console 3 except 1
This logs a maximum of three messages per second towards the console, with the exception of severity 1 (alert) messages and more severe ones, which will always be shown.
Don’t forget the useful ‘logging synchronous’ on the console. It helps when you need to access the console while it’s dumping local syslog… You can still see what you are typing. Although this isn’t really syslog related, it’s still worth mentioning, as many people don’t know about it 😉