Cisco Catalyst SD-WAN Control Components and Device Management Guide, Releases 26.x and Later


Configure system logging


Describes configuration of system logging using configuration groups, templates, and CLI commands. Covers local and remote log storage, and provides procedures for certificate installation to enable secure log transmission and authentication.


Use one of these methods to configure system logging:

Note

Some configurations and protocols are identified as insecure and are a security risk for Cisco devices. Existing deployments continue to function, but new installations require intentional enablement. For more information on remediation, refer to Resilient Infrastructure: Cisco Catalyst SD-WAN and Routing


Configure system logging using a configuration group

System logging is the process of keeping a text log of system events.

Before you begin

On the Configuration > Configuration Groups page, choose SD-WAN as the solution type.

Follow these steps to configure system logging for a device, using a configuration group:

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Configuration Groups.

2.

Create and configure a Logging feature in a System profile.

  1. Enter the disk information.

    Table 1. Disk

    Field

    Description

    Enable Disk

    Enable this option to allow syslog messages to be saved in a file on the local hard disk, or disable this option to disallow it. By default, logging to a local disk file is enabled on all Cisco IOS XE Catalyst SD-WAN devices.

    Max File Size(In Megabytes)

    Enter the maximum size of syslog files. The syslog files are rotated on an hourly basis based on the file size. When the file size exceeds the configured value, the file is rotated and the syslog process is notified.

    Range: 1 to 20 MB

    Default: 10 MB

    Rotations

    Enter the number of syslog files to create before discarding the oldest files.

    Range: 1 to 10

    Default: 10

  2. Enter the TLS Profile information.

    Table 2. TLS Profile

    Field

    Description

    Add TLS Profile

    TLS Profile Name*

    Enter the name of the TLS profile.

    TLS Version

    Choose a TLS version:

    • TLSv1.1

    • TLSv1.2

    Authentication Type*

    Choose Server.

    Cipher Suite List

    Choose groups of cipher suites (encryption algorithms) based on the TLS version.

    Cipher suites:

    • aes-128-cbc-sha: Encryption type tls_rsa_with_aes_cbc_128_sha

    • aes-256-cbc-sha: Encryption type tls_rsa_with_aes_cbc_256_sha

    • dhe-aes-cbc-sha2: Encryption type tls_dhe_rsa_with_aes_cbc_sha2 (TLS1.2 and above)

    • dhe-aes-gcm-sha2: Encryption type tls_dhe_rsa_with_aes_gcm_sha2 (TLS1.2 and above)

    • ecdhe-ecdsa-aes-gcm-sha2: Encryption type tls_ecdhe_ecdsa_aes_gcm_sha2 (TLS1.2 and above) SuiteB

    • ecdhe-rsa-aes-cbc-sha2: Encryption type tls_ecdhe_rsa_aes_cbc_sha2 (TLS1.2 and above)

    • ecdhe-rsa-aes-gcm-sha2: Encryption type tls_ecdhe_rsa_aes_gcm_sha2 (TLS1.2 and above)

    • rsa-aes-cbc-sha2: Encryption type tls_rsa_with_aes_cbc_sha2 (TLS1.2 and above)

    • rsa-aes-gcm-sha2: Encryption type tls_rsa_with_aes_gcm_sha2 (TLS1.2 and above)

  3. Enter the server information.

    Table 3. Server

    Field

    Description

    Add Server

    Hostname/IPv4 Address*

    Enter the DNS name, hostname, or IP address of the system on which to store syslog messages.

    To add another syslog server, click the plus sign (+). To delete a syslog server, click the trash icon to the right of the entry.

    VPN*

    Enter the identifier of the VPN in which the syslog server is located or through which the syslog server can be reached.

    Range: 1 to 65525, excluding 512. For details see the VRF range behavior change described here.

    Source Interface

    Enter the specific interface to use for outgoing system log messages. The interface must be located in the same VPN as the syslog server. Otherwise, the configuration is ignored. If you configure multiple syslog servers, the source interface must be the same for all of them.

    Priority

    Select the severity of the syslog message to save. The severity indicates the seriousness of the event that generated the message. Priority can be one of these:

    • informational: Routine condition (the default) (corresponds to syslog severity 6)

    • debugging: Prints additional logs to help debug the issue.

    • notice: A normal, but significant condition (corresponds to syslog severity 5)

    • warn: A minor error condition (corresponds to syslog severity 4)

    • error: An error condition that does not fully impair system usability (corresponds to syslog severity 3)

    • critical: A serious condition (corresponds to syslog severity 2)

    • alert: Action must be taken immediately (corresponds to syslog severity 1)

    • emergency: System is unusable (corresponds to syslog severity 0)

    TLS Enable*

    Enable this option to allow syslog over TLS. When you enable this option, these fields appear:

    TLS Properties Custom Profile: Enable this option to choose a TLS profile. When you enable this option, the following field appears:

    TLS Properties Profile: Choose a TLS profile that you have created for server or mutual authentication in the IPv4 server configuration.

    Add IPv6 Server

    Hostname/IPv6 Address*

    Enter the DNS name, hostname, or IP address of the system on which to store syslog messages.

    To add another syslog server, click the plus sign (+). To delete a syslog server, click the trash icon to the right of the entry.

    VPN*

    Enter the identifier of the VPN in which the syslog server is located or through which the syslog server can be reached.

    Range: 1 to 65525, excluding 512. For details see the VRF range behavior change described here.

    Source Interface

    Enter the specific interface to use for outgoing system log messages. The interface must be located in the same VPN as the syslog server. Otherwise, the configuration is ignored. If you configure multiple syslog servers, the source interface must be the same for all of them.

    Priority

    Select the severity of the syslog message to save. The severity indicates the seriousness of the event that generated the message. Priority can be one of these:

    • informational: Routine condition (the default) (corresponds to syslog severity 6)

    • debugging: Prints additional logs to help debug the issue.

    • notice: A normal, but significant condition (corresponds to syslog severity 5)

    • warn: A minor error condition (corresponds to syslog severity 4)

    • error: An error condition that does not fully impair system usability (corresponds to syslog severity 3)

    • critical: A serious condition (corresponds to syslog severity 2)

    • alert: Action must be taken immediately (corresponds to syslog severity 1)

    • emergency: System is unusable (corresponds to syslog severity 0)

    TLS Enable*

    Enable this option to allow syslog over TLS.

    TLS Properties Custom Profile*

    Enable this option to choose a TLS profile.

    TLS Properties Profile

    Choose a TLS profile that you have created for server or mutual authentication in the IPv6 server configuration.

What to do next

Refer to Deploy a Configuration Group in the Cisco Catalyst SD-WAN Configuration Groups Reference Guide.


Configure system logging using a template

System log (syslog) messages are a text log of system events.

On Cisco IOS XE Catalyst SD-WAN devices, you can save system log messages locally or to a remote server.

Before you begin

Follow these steps to configure system logging for a device, using a feature template.

Procedure

1.

Create a System Logging feature template.

2.

Choose whether to save system log messages locally or to a syslog server. If saving messages to a server, choose whether to use the Transport Layer Security (TLS) protocol.

  1. If you choose to save syslog messages locally, do this:

  2. If you choose to save syslog messages to a syslog server, without using TLS, do this:

  3. If you choose to save syslog messages to a syslog server, using TLS, with authentication by the server, do this:

  4. If you choose to save syslog messages to a syslog server, using TLS, with mutual authentication by the edge device and the server, do this:


Create a System Logging feature template

System log (syslog) messages are a text log of system events.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Templates.

2.

Click Feature Templates, and select Add Template.

In Cisco vManage Release 20.7.x and earlier releases, Feature Templates is titled Feature.

3.

From Select Devices, select the device for which you wish to create a template.

4.

To create a template for logging, select Cisco Logging.

The Cisco logging template form displays fields for naming the template and defining the logging parameters. Click a tab or the plus sign (+) to view additional fields.

When you first open a feature template, SD-WAN Manager sets the scope to default, for parameters that have a default value. The default setting or value appears next to each parameter. To change the default or enter a value, select a different option from the scope drop-down list to the left of the parameter field.

5.

In Template Name, enter a name for the template.

The name may contain up to 128 alphanumeric characters.

6.

In Template Description, enter a description of the template.

The description may contain up to 2048 alphanumeric characters.


Configure a device to save system log messages locally

System log (syslog) messages are a text log of system events.

You can save system log messages locally or to an external server. This procedure configures a device to save system messages locally.

Before you begin

Follow these steps to configure a device to save system log messages to a local drive.

Procedure

1.

In a System Logging template, in the Disk section, configure these parameters:

Field

Description

Enable Disk

Click On to save syslog messages in a file on the local hard disk, or click Off to disallow saving.

Default: Logging to a local disk file is enabled.

Maximum File Size

Enter the maximum size of syslog files. The system log files are rotated on an hourly basis based on the file size. When the file size exceeds the configured value, the file is rotated and the syslogd process is notified.

Range: 1-20 MB

Default: 10 MB

Rotations

Enter the number of syslog files to create before discarding the earliest created files.

Range: 1-10

Default: 10

2.

To save the feature template, click Save.


Configure a device to save system log messages to a server, using TLS

System log (syslog) messages are a text log of system events.

You can send system log messages to an external server over a Transport Layer Security (TLS) connection.

For the TLS connection, there are two methods of authentication, configured by the Authentication Type parameter.

  • Server authentication: Authentication by the server.

  • Mutual authentication: Authentication by both the device and the server.

See Sending system log messages to a server, using TLS.

Before you begin

For the server authentication option, edge devices must have a root certificate authority (CA) preinstalled, which you configure using cryptographic module CLIs. See Install root CA on Cisco IOS XE Catalyst SD-WAN device.

Follow these steps to configure the TLS parameters for saving syslog messages to an external server over a TLS connection.

Procedure

1.

In a System Logging template, in the TLS section, click New Profile.

2.

Configure these parameters:

Field

Description

Profile Name

Enter the TLS profile name.

TLS Version

Choose TLS versions v1.1 or v1.2.

Authentication Type

Choose the authentication type:

  • Server

    With server authentication, edge devices verify the identity of the syslog server. If the syslog server and the certificate are legitimate entities, the device establishes a TLS connection with the server.

    As part of server authentication, the syslog server shares its public certificate with the devices.

    See the prerequisite in the "Before you begin" section of this procedure.

    With this option, all information about TLS profiles, except the trustpoint information, is saved.

  • Mutual

    With mutual authentication, edge devices and the syslog server authenticate each other at the same time.

    Devices require root or identity certificates for mutual authentication of the TLS session.

    With this option, a trustpoint, such as a SYSLOG-SIGNING-CA certificate, is saved on the device. This enables SD-WAN Manager to install the certificate from the edge device.

Ciphersuites

Choose cipher suites (encryption algorithms) based on the TLS version.

3.

To save the feature template, click Save.


Configure a device to save system log messages to a server

System log (syslog) messages are a text log of system events.

Before you begin

Follow these steps to configure a device to save system log messages to a server.

Procedure

1.

Click Server.

2.

Click Add New Server, and configure these parameters:

Field

Description

Hostname/IP Address

Enter the DNS name, hostname, or IPv4, IPv6 address of the system on which to store syslog messages.

To add another syslog server, click +.

To delete a syslog server, click the trash icon to the right of the entry.

VPN ID

Enter the identifier of the VPN in which the syslog server is located or through which the syslog server can be reached.

VPN ID Range: 0 to 65530

Source Interface

Enter the specific interface to use for outgoing system log messages. The interface must be located in the same VPN as the syslog server. Otherwise, the configuration of syslog servers is ignored. If you configure multiple syslog servers, the source interface must be the same for all of them.

Priority

Choose a severity of the syslog message to be saved. The severity indicates the seriousness of the event that generated the syslog message. See System log message levels.

TLS

For Cisco IOS XE Catalyst SD-WAN devices, click On to enable syslog over TLS.

Custom Profile

For Cisco IOS XE Catalyst SD-WAN devices, click On to enable choosing a TLS profile, or click Off to disable choosing a TLS profile.

TLS Profile

For Cisco IOS XE Catalyst SD-WAN devices, choose a TLS profile that you have created for server or mutual authentication in IPv4 or IPv6 server configuration.

3.

To save the feature template, click Save.


Configure system logging using CLI commands


Configure system logging, saved locally, using CLI commands

System logging is the process of keeping a text log of system events.

By default, a priority level of "informational" is enabled when you log syslog messages to a file on a local device.

For more information about logging disk commands, see the logging disk command.

Before you begin

Follow these steps to configure system logging for a device, saving syslog messages locally, using CLI commands:

Procedure

1.

Log syslog messages to a drive.

logging disk

2.

Enable logging to a drive.

enable

3.

Specify the size of syslog files in megabytes (MB).

By default, the syslog files are 10 MB. You can configure the size of syslog files to be 1 to 20 MB.

file size size

4.

Rotate syslog files on an hourly basis based on the size of the file.

By default, 10 syslog files are created. You can configure the rotate command to be a number from 1 through 10.

file rotate number

Example

Device(config-system)# logging disk
Device(config-logging-disk)# enable
Device(config-logging-disk)# file size 3
Device(config-logging-disk)# file rotate 3

Configure system logging, saved remotely, using CLI commands

System logging is the process of keeping a text log of system events.

If the syslog server is unreachable, the system suspends sending syslog messages for 180 seconds. When the server becomes reachable, logging resumes. For more information about logging server commands, see the logging server command.

Before you begin

Follow these steps to configure system logging for a device, saving syslog messages to a remote server, using CLI commands:

Procedure

1.

Log syslog messages to a remote host or syslog server.

You can configure the name of the server by DNS name, hostname, or IP address. You can configure up to four syslog servers.

logging server

2.

If using a VPN, specify the VPN ID of the syslog server.

vpn vpn-id

3.

(Optional) Specify the source interface to reach the syslog server.

The interface name can be a physical interface or a sub-interface (a VLAN-tagged interface). Ensure that the interface is located in the same VPN as the syslog server. Otherwise, the configuration is ignored. If you configure multiple syslog servers, the source interface must be the same for all of them.

source interface interface

4.

Specify the severity of the syslog message to be saved.

The default priority value is "informational" and by default, all syslog messages are recorded. See the logging server command reference documentation for priority values.

priority alert

Example

Device(config-system)# logging server 192.168.0.1
Device(config-server-192.168.0.1)# source interface eth0
Device(config-server-192.168.0.1)# priority notice
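Before pushing the commands from the two CLI examples, it helps to check them against the limits this guide states: file size 1 to 20 MB, 1 to 10 rotations, up to four servers, and one source interface shared by all servers (a mismatched interface is silently ignored by the device). The following is an added example, not Cisco code; it assumes those limits as documented above, uses the VPN range given in the configuration-group table (1 to 65525, excluding 512), and renders the same CLI blocks as the examples.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Severity names as listed in this guide, most to least severe.
PRIORITIES = ("emergency", "alert", "critical", "error", "warn",
              "notice", "informational", "debugging")


@dataclass
class SyslogServer:
    host: str                              # DNS name, hostname or IP address
    vpn: Optional[int] = None              # VPN ID, omitted when not using a VPN
    source_interface: Optional[str] = None
    priority: str = "informational"        # the documented default


@dataclass
class LoggingConfig:
    file_size_mb: int = 10                 # documented default
    rotations: int = 10                    # documented default
    servers: List[SyslogServer] = field(default_factory=list)


def validate(cfg: LoggingConfig) -> List[str]:
    """Return every violation of the guide's stated limits; empty means OK."""
    errors = []
    if not 1 <= cfg.file_size_mb <= 20:
        errors.append(f"file size {cfg.file_size_mb} MB is outside 1-20 MB")
    if not 1 <= cfg.rotations <= 10:
        errors.append(f"rotations {cfg.rotations} is outside 1-10")
    if len(cfg.servers) > 4:
        errors.append(f"{len(cfg.servers)} servers configured, maximum is 4")
    # A mismatched source interface is silently ignored by the device, so
    # treat it as a hard error here rather than discovering it as a log gap.
    ifaces = {s.source_interface for s in cfg.servers if s.source_interface}
    if len(ifaces) > 1:
        errors.append("source interface must be the same for all servers: "
                      + ", ".join(sorted(ifaces)))
    for s in cfg.servers:
        if s.vpn is not None and (not 1 <= s.vpn <= 65525 or s.vpn == 512):
            errors.append(f"server {s.host}: VPN {s.vpn} is outside 1-65525 "
                          "or is the reserved value 512")
        if s.priority not in PRIORITIES:
            errors.append(f"server {s.host}: unknown priority {s.priority!r}")
    return errors


def render(cfg: LoggingConfig) -> str:
    """Emit the CLI in the same order as the guide's examples, or raise."""
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["logging disk", " enable",
             f" file size {cfg.file_size_mb}", f" file rotate {cfg.rotations}"]
    for s in cfg.servers:
        lines.append(f"logging server {s.host}")
        if s.vpn is not None:
            lines.append(f" vpn {s.vpn}")
        if s.source_interface:
            lines.append(f" source interface {s.source_interface}")
        lines.append(f" priority {s.priority}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    demo = LoggingConfig(file_size_mb=3, rotations=3, servers=[
        SyslogServer("192.168.0.1", vpn=10, source_interface="eth0",
                     priority="notice")])
    print(render(demo))
```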

Install a root certificate on a device for mutual authentication

To configure Cisco IOS XE Catalyst SD-WAN devices with the Transport Layer Security (TLS) syslog protocol, the devices must have root or identity certificates for mutual authentication of the TLS session. You can either use a third-party Certificate Authority (CA) to get public key infrastructure (PKI) services, or Microsoft Active Directory Certificate Services (AD CS). AD CS allows you to build a PKI and provide public key cryptography, digital certificates, and digital signature capabilities for your requirements.

Before you begin

Follow these steps to install a root certificate on a device for mutual authentication.

Procedure

1.

Generate the enterprise root certificate using a third party CA or Microsoft Active Directory Certificate Services.

2.

Download the root CA in Base64 format, then select and copy the content of the root CA.

3.

From the Cisco SD-WAN Manager menu, choose Administration > Settings.

4.

Click Enterprise Feature Certificate Authorization.

5.

Paste the root CA content in the Enterprise Root Certificate box.

6.

If you want to generate a certificate signing request (CSR), check the Set CSR Properties check box.

7.

Click Close.

The root CA is uploaded to SD-WAN Manager, and SD-WAN Manager saves the root certificate to the device.


Install a root certificate authority on a syslog server for server authentication

This procedure sets up the syslog-ng server tool on a server using Linux. The tool supports TLS.

The details of setting up a server, and installing the syslog-ng tool are beyond the scope of this documentation. The basic information provided here is for reference, and is subject to change.

Before you begin

Follow these steps to install a root certificate authority on a syslog server for server authentication.

Procedure

1.

On the Linux server, install the syslog-ng package.

apt-get install syslog-ng openssl

2.

In the directory of the syslog-ng tool, create directories to store root certificates.

# cd /etc/syslog-ng
# mkdir cert.d
# mkdir key.d
# mkdir ca.d
# cd cert.d
# openssl req -new -x509 -out cacert.pem -days 1095 -nodes
# mv privkey.pem ../key.d
After running the openssl command, an encoded root certificate is available in the cacert.pem file. The file is located in the /etc/syslog-ng/cert.d directory.
3.

Copy the contents of the cacert.pem file when installing root certificate on a device.


Install a root certificate authority on a device for server authentication, using CLI commands

Before you begin

Generate an encoded CA certificate on the syslog server. This is required in one of the steps. For instructions, see Install a root certificate authority on a syslog server for server authentication.

Follow these steps to install a root certificate authority on a device, for server authentication.

Procedure

1.

To configure a public key infrastructure (PKI) trustpoint for a certificate authority, use these commands on a device, for authorization and revocation of certificates in PKI.

  1. Enable privileged EXEC mode.

    enable 
  2. Enter configuration mode.

    config-transaction 
  3. Declare the trustpoint with a given name and enter CA-trustpoint configuration mode. Specify the enrollment parameters and fingerprint for the CA. Obtain the fingerprint from the fingerprint.txt file.

    crypto pki trustpoint name 

    Example:

    Device(config)# crypto pki trustpoint PROXY-SIGNING-CA
    Device(ca-trustpoint)# enrollment url bootflash:
    Device(ca-trustpoint)# revocation-check none
    Device(ca-trustpoint)# rsakeypair PROXY-SIGNING-CA 2048
    Device(ca-trustpoint)# subject-name cn=proxy-signing-cert
    Device(ca-trustpoint)# fqdn none
    Device(ca-trustpoint)# fingerprint 54F371C8EE2BFB06E2C2D0944245C288FBB07163

  4. If the authentication in the previous step fails, contact the PKI team for assistance.

    For information about syslog configuration, see Cisco SD-WAN IOS XE TLS Syslog Configuration on syslog-ng Server.

  5. Configure the level to which a certificate chain is processed on all certificates.

    chain-validation [{stop | continue}[parent-trustpoint]] 

    Example:

    Device(ca-trustpoint)# chain-validation stop
  6. Optionally, check the revocation status of a certificate.

    revocation-check method 

    Example:

    Device(ca-trustpoint)# revocation-check none
  7. Return to global configuration mode.

    exit 

    Example:

    Device(ca-trustpoint)# exit
2.

Authenticate the root CA.

This is necessary before installing the server's root certificate.

crypto pki authenticate 

Example:

Device(config)# crypto pki authenticate root
3.

Copy the block of text containing the Base64-encoded CA certificate from the syslog server, and paste it at the prompt.

The prerequisites section refers to the instructions for generating the encoded CA certificate on the syslog server.

Example:

An example of an encoded CA certificate (abbreviated):

-----BEGIN CERTIFICATE-----
MIID9jCCAt6gAwIBAgIJAM5b3nyjDAKIMA0GCSqGSIb3DQEBCwUAMIGPMQswCQYD
VQQGEwJJTjESMBAGA1UECAwJS2FybmF0YWthMRIwEAYDVQQHDAlCYW5nYWxvcmUx
...
+3RcM0VqjScIOZhp97dqfBlHEdqUE/QfKlBt12KU+0sj8yJJC+cuKlHQj5JGmGLI
Y6r7bMcn99Y6Rw==
-----END CERTIFICATE-----
4.

Enter yes to confirm the acceptance of the certificate.

The root CA certificate from the syslog server is installed on a device, enabling server authentication.

crypto pki trustpoint PROXY-SIGNING-CA
    enrollment url bootflash:
    revocation-check none
    rsakeypair PROXY-SIGNING-CA 2048
    subject-name cn=proxy-signing-cert
    fqdn none 
    fingerprint 54F3...7163  >> The fingerprint configured was obtained from the fingerprint.txt file.
commit
crypto pki authenticate PROXY-SIGNING-CA
Reading file from bootflash:PROXY-SIGNING-CA.ca
Certificate has the following attributes:
Fingerprint MD5: 7A97B30B ... 66488DCF
Fingerprint SHA1: 21E0F09B ... D39A268A
Trustpoint Fingerprint: 21E0F09B ... D39A268A
Certificate validated - fingerprints matched.
Trustpoint CA certificate accepted.
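The device accepts the CA only when the fingerprint pinned in the trustpoint matches the certificate, as the last lines of the output above show. The following added example (not Cisco or syslog-ng code) computes that fingerprint from a PEM file such as cacert.pem and compares it with the value you intend to pin, so a mismatch is caught before the crypto pki authenticate step; it assumes the pinned value is the SHA-1 hash of the certificate's DER encoding (the "Fingerprint SHA1" line in the output), and it uses a constructed stand-in rather than a real CA certificate.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Extract the first BEGIN/END CERTIFICATE block and decode it to DER."""
    m = PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if not der or der[0] != 0x30:        # an X.509 certificate is a DER SEQUENCE
        raise ValueError("decoded body is not a DER SEQUENCE")
    return der


def sha1_fingerprint(pem: str) -> str:
    """SHA-1 over the DER bytes, as 40 upper-case hex characters, which is the
    form the trustpoint 'fingerprint' command takes (no colons or spaces)."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest().upper()


def normalize(fp: str) -> str:
    """Accept '54:F3:..', '54F3 71C8 ..' or '54f371c8..' and return the
    canonical 40-character form so that different tools' output compares."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    if len(cleaned) != 40:
        raise ValueError(f"expected 40 hex characters, got {len(cleaned)}")
    return cleaned


def fingerprint_matches(pem: str, pinned: str) -> bool:
    """True only when the certificate's SHA-1 equals the pinned value."""
    return sha1_fingerprint(pem) == normalize(pinned)


# Constructed stand-in (assumption): a minimal DER SEQUENCE { INTEGER 1 },
# bytes 30 03 02 01 01, wrapped in PEM. It is not a real certificate; it only
# exercises the decode/hash/compare path offline.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQE=\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    fp = sha1_fingerprint(SAMPLE_PEM)
    print("SHA1 fingerprint:", fp)
    print("matches pinned value:", fingerprint_matches(SAMPLE_PEM, fp))
```

On a real server, read cacert.pem from /etc/syslog-ng/cert.d into the function instead of SAMPLE_PEM and pass the value from fingerprint.txt as the pinned string.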