Enabling Syslog Messages in Access Points and Controller for Syslog Server

Information About Syslog Messages in Access Points and Controller for Syslog Server

Access points and controllers generate log messages and send them to various destinations, such as the in-memory logging buffer, terminal sessions, files stored in the device's flash memory, or an external syslog server. These messages help administrators monitor and troubleshoot the network. The syslog configurations for APs and controllers remain independent, which allows administrators to configure logging separately for each device to meet specific network needs.

Log messages are transmitted with one of eight severity levels.

Message Logging Level Keywords
Level Keyword | Level | Description | Syslog Definition
Emergencies | 0 | System unstable | LOG_EMERG
Alerts | 1 | Immediate action needed | LOG_ALERT
Critical | 2 | Critical conditions | LOG_CRIT
Errors | 3 | Error conditions | LOG_ERR
Warnings | 4 | Warning conditions | LOG_WARNING
Notifications | 5 | Normal but significant condition | LOG_NOTICE
Informational | 6 | Informational messages only | LOG_INFO
Debugging | 7 | Debugging messages | LOG_DEBUG

Each log message is associated with one of 24 facility codes, which indicate the application or subsystem that issued the message.

Facility Code | Keyword | IOS Keyword | Description
0 | kern | kern | Kernel messages
1 | user | user | User-level messages
2 | mail | mail | Mail system
3 | daemon | daemon | System daemons
4 | auth | auth | Security/authentication messages
5 | syslog | syslog | Messages generated internally by syslogd
6 | lpr | lpr | Line printer subsystem
7 | news | news | Network news subsystem
8 | uucp | uucp | UUCP subsystem
9 | cron | sys9 | Clock daemon
10 | authpriv | sys10 | Security/authentication messages
11 | ftp | sys11 | FTP daemon
12 | ntp | sys12 | NTP subsystem
13 | security | sys13 | Log audit
14 | console | sys14 | Log alert
15 | solaris-cron | cron | Scheduling daemon
16-23 | local0 – local7 | local0 - local7 | Locally-used facilities

Configuring Message Logging in the IOS XE Controller

System Message Logging in Cisco Catalyst 9800 Series Controllers is a platform-independent IOS and IOS XE feature. For more information on message logging, see:

Configuring Syslog Server for the Controller (GUI)

Procedure


Step 1

Choose Troubleshooting > Logs.

Step 2

Click the Manage Syslog Servers button.

Step 3

In Log Level Settings, from the Syslog drop-down list, choose a security level.

Step 4

From the Message Console drop-down list, choose a logging level.

Step 5

In Message Buffer Configuration, from the Level drop-down list, choose a server logging level.

Step 6

In IP Configuration settings, click Add.

Step 7

Choose the Server Type: either IPv4 / IPv6 or FQDN.

Step 8

For Server Type IPv4 / IPv6, enter the IPv4 / IPv6 Server Address. For Server Type FQDN, enter the Host Name, choose the IP type and the appropriate VRF Name from the drop-down lists.

To delete a syslog server, click 'x' next to the appropriate server entry, under the Remove column.

Note: When creating a host name, spaces are not allowed.

Step 9

Click Apply to Device.

Note: When you click Apply to Device, the changes are configured. If you click Cancel, the configurations are discarded.


Configuring Syslog Server for the Embedded Wireless Controller (CLI)

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

logging host { hostname | ipv6}

Example:

Device(config)# logging host 124.3.52.62

Enables Syslog server IP address and parameters.

Step 3

logging facility { auth | cron | daemon | kern | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | sys10 | sys11 | sys12 | sys13 | sys14 | sys9 | syslog | user | uucp}

Example:

Device(config)# logging facility syslog

Enables facility parameter for the Syslog messages.

You can enable the following facility parameter for the Syslog messages:

  • auth —Authorization system.

  • cron —Cron facility.

  • daemon —System daemons.

  • kern —Kernel.

  • local0 to local7 —Local use.

  • lpr —Line printer system.

  • mail —Mail system.

  • news —USENET news.

  • sys10 to sys14 and sys9 —System use.

  • syslog —Syslog itself.

  • user —User process.

  • uucp —Unix-to-Unix copy system.

Step 4

logging trap { severity-level | alerts | critical | debugging | emergencies | errors | informational | notifications | warnings}

Example:

Device(config)# logging trap 2

Enables Syslog server logging level.

severity-level - Refers to the logging severity level. The valid range is from 0 to 7.

The following are the Syslog server logging levels:

  • emergencies —Signifies severity 0. Implies that the system is not usable.

  • alerts —Signifies severity 1. Implies that an immediate action is required.

  • critical —Signifies severity 2. Implies critical conditions.

  • errors —Signifies severity 3. Implies error conditions.

  • warnings —Signifies severity 4. Implies warning conditions.

  • notifications —Signifies severity 5. Implies normal but significant conditions.

  • informational —Signifies severity 6. Implies informational messages.

  • debugging —Signifies severity 7. Implies debugging messages.

Note: The number of Syslog levels that are enabled depends on the Syslog level you select. Once a Syslog level is selected, all the levels below it (those with a lower severity number) are also enabled.

For example, if you enable the critical Syslog level, all levels below it are also enabled, so three levels, namely critical, alerts, and emergencies, are enabled.

Step 5

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Message Logging in the Access Points

AP Logging to the In-Memory Buffer and Flash

Access points always log messages to an in-memory buffer. Once the buffer reaches 40 KB, its contents are automatically written to flash memory, and a new buffer is created. This process ensures that logs are periodically stored for persistent access.

Administrators can manage and view these logs using AP commands.

  • show logging command to display the contents of the in-memory logging buffer

  • show flash syslogs command to list all log files stored in flash, along with other diagnostic files

  • <filename> command to display the contents of an individual log file stored in flash

  • copy syslogs <filename> command to transfer a specific syslog file to an external server. To see available options for this command, use copy syslogs <filename>

AP Logging to Terminal

Access points support real-time logging of messages to an active SSH terminal session. Administrators can enable this feature using the terminal monitor command. To disable real-time logging to the session, use the terminal monitor disable command.

In addition to SSH terminal sessions, APs send a subset of log messages to the serial console, which provides another method for real-time monitoring.

Configuring AP Logging to a Syslog Server

The syslog command under the AP join profile is used to configure the destination IP address for syslog messages and manage which messages are sent based on severity and facility levels.

Configuring the Syslog Host

  • Use the syslog host <IP address> command to specify the destination IP address for syslog messages.

  • By default, the syslog host is set to 255.255.255.255, which is the IPv4 limited broadcast address. To forward these broadcasts to one or more syslog servers, configure IP helper addresses on the AP subnet's router.

  • To reset the syslog host to 255.255.255.255, use either the default syslog host or no syslog host command.

  • To prevent the AP from sending syslog messages entirely, use syslog host 0.0.0.0.

  • If a subnet contains more than 20 access points, avoid logging to the broadcast address to prevent flooding the broadcast domain with log messages. Configure a specific syslog destination IP address. If the AP syslog feature is not in use, set the syslog host to 0.0.0.0 using the syslog host 0.0.0.0 command.

Filtering Messages by Severity

  • Use the syslog level <levelname> command to filter messages based on severity level.

  • By default, the severity level is set to informational (severity=6), meaning all messages except debugging logs are sent to the server.

Filtering Messages by Facility

  • Use the syslog facility <facilityname> command to filter messages based on facility code. Only messages with a facility code value less than or equal to the configured facility name are sent to the server.

  • By default, the facility is set to kern (code=0), so only kernel-related messages are sent.

  • To send messages from all facilities, configure the facility as local7.

  • Additionally, the configured facility name is included in the facility field of transmitted syslog messages.


Note: Most AP log messages use the kern facility, while terminal access logs (e.g., SSH and console) use the auth facility.
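The severity and facility filters described above can be modelled in a few lines. The following Python sketch is an added example, not Cisco code: it uses the level numbers and IOS facility keywords from the tables on this page, the event names in SAMPLE are constructed, and wire_pri assumes the standard syslog PRI encoding (facility * 8 + severity).

```python
# Severity numbers and facility codes as listed in the tables on this page.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "lpr": 6, "news": 7, "uucp": 8, "sys9": 9, "sys10": 10, "sys11": 11,
            "sys12": 12, "sys13": 13, "sys14": 14, "cron": 15,
            **{f"local{i}": 16 + i for i in range(8)}}


def ap_forwards(msg_facility, msg_severity,
                cfg_facility="kern", cfg_level="informational"):
    """True if the AP would send the message: both its facility code and its
    severity number must be <= the configured values (defaults per this page)."""
    return (FACILITY[msg_facility] <= FACILITY[cfg_facility]
            and SEVERITY[msg_severity] <= SEVERITY[cfg_level])


def wire_pri(msg_severity, cfg_facility):
    """PRI the collector receives. The page states that the *configured*
    facility is placed in the facility field, so the message's original
    facility cannot be recovered from PRI (assumes PRI = facility * 8 + severity)."""
    return FACILITY[cfg_facility] * 8 + SEVERITY[msg_severity]


def coverage(messages, cfg_facility="kern", cfg_level="informational"):
    """Split (name, facility, severity) tuples into (sent, dropped) name lists."""
    sent, dropped = [], []
    for name, fac, sev in messages:
        target = sent if ap_forwards(fac, sev, cfg_facility, cfg_level) else dropped
        target.append(name)
    return sent, dropped


# Constructed sample events; the names are illustrative, not real AP mnemonics.
SAMPLE = [
    ("radio-reset", "kern", "warnings"),
    ("ssh-login-failed", "auth", "notifications"),
    ("console-login", "auth", "informational"),
    ("driver-trace", "kern", "debugging"),
]

if __name__ == "__main__":
    for fac, lvl in [("kern", "informational"), ("auth", "informational"),
                     ("local7", "debugging")]:
        sent, dropped = coverage(SAMPLE, fac, lvl)
        print(f"facility={fac:<7} level={lvl:<13} sent={sent} dropped={dropped}")
```

With the default kern facility, the auth-facility terminal access messages are never forwarded, so a profile that should capture SSH and console logins needs a facility of auth or higher.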


Secured Syslog Transmission

  • The syslog secured command enables the use of Transport Layer Security (TLS) as defined in RFC 5425 to transmit syslog messages securely, instead of using UDP.

  • TLS-based syslog transmission is supported starting with software versions 17.9.6 and 17.12.1.

Viewing Syslog Settings

  • To display the AP's current syslog settings, use the show capwap client configuration command.

Configuring Syslog Server for an AP Profile

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

ap profile ap-profile

Example:

Device(config)# ap profile xyz-ap-profile

Configures an AP profile and enters the AP profile configuration mode.

Step 3

syslog facility

Example:

Device(config-ap-profile)# syslog facility

Configures the facility parameter for Syslog messages.

Step 4

syslog host ip-address

Example:

Device(config-ap-profile)# syslog host 9.3.72.1

Configures the Syslog server IP address and parameters.

Step 5

syslog level { alerts | critical | debugging | emergencies | errors | informational | notifications | warnings}

Example:

Device(config-ap-profile)# syslog level 

Configures the Syslog server logging level.

The following are the Syslog server logging levels:

  • emergencies —Signifies severity 0. Implies that the system is not usable.

  • alerts —Signifies severity 1. Implies that an immediate action is required.

  • critical —Signifies severity 2. Implies critical conditions.

  • errors —Signifies severity 3. Implies error conditions.

  • warnings —Signifies severity 4. Implies warning conditions.

  • notifications —Signifies severity 5. Implies normal but significant conditions.

  • informational —Signifies severity 6. Implies informational messages.

  • debugging —Signifies severity 7. Implies debugging messages.

Note: The number of Syslog levels that are enabled depends on the Syslog level you select. Once a Syslog level is selected, all the levels below it (those with a lower severity number) are also enabled.

For example, if you enable the critical Syslog level, all levels below it are also enabled, so three levels, namely critical, alerts, and emergencies, are enabled.

Step 6

end

Example:

Device(config-ap-profile)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring AP Syslog Settings (GUI)

Procedure


Step 1

Choose Configuration > Tags & Profiles > AP Join.

Step 2

Select the APs from the AP list.

The Edit AP Join Profile window is displayed.

Step 3

Click the Management tab.

Step 4

Select the Device tab.

Step 5

In the System Log section:

  1. From the Facility Value drop-down list, select a value.

  2. Enter the IP address in the Host IPv4/IPv6 Address field.

  3. From the Log Trap Value drop-down list, select a value.

  4. Check or uncheck the box to enable or disable Secured.

Step 6

Click Update & Apply to Device.


Verifying Syslog Server Configurations

Verifying Global Syslog Server Settings for all Access Points

To view the global Syslog server settings for all access points that join the controller, use the following command:

Device# show ap config general
Cisco AP Name : APA0F8.4984.5E48
=================================================

Cisco AP Identifier : a0f8.4985.d360
Country Code : IN
Regulatory Domain Allowed by Country : 802.11bg:-A 802.11a:-DN
AP Country Code : IN - India
AP Regulatory Domain
Slot 0 : -A
Slot 1 : -D
MAC Address : a0f8.4984.5e48
IP Address Configuration : DHCP
IP Address : 9.4.172.111
IP Netmask : 255.255.255.0
Gateway IP Address : 9.4.172.1
Fallback IP Address Being Used : 
Domain : 
Name Server : 
CAPWAP Path MTU : 1485
Telnet State : Disabled
SSH State : Disabled
Jumbo MTU Status : Disabled
Cisco AP Location : default location
Site Tag Name : ST1
RF Tag Name : default-rf-tag
Policy Tag Name : PT3
AP join Profile : default-ap-profile
Primary Cisco Controller Name : WLC2
Primary Cisco Controller IP Address : 9.4.172.31
Secondary Cisco Controller Name : Not Configured
Secondary Cisco Controller IP Address : 0.0.0.0
Tertiary Cisco Controller Name : Not Configured
Tertiary Cisco Controller IP Address : 0.0.0.0
Administrative State : Enabled
Operation State : Registered
AP Certificate type : Manufacturer Installed Certificate
AP Mode : Local
AP VLAN tagging state : Disabled
AP VLAN tag : 0
CAPWAP Preferred mode : Not Configured
AP Submode : Not Configured
Office Extend Mode : Disabled
Remote AP Debug : Disabled
Logging Trap Severity Level : notification
Software Version : 16.10.1.24
Boot Version : 1.1.2.4
Mini IOS Version : 0.0.0.0
Stats Reporting Period : 180
LED State : Enabled
PoE Pre-Standard Switch : Disabled
PoE Power Injector MAC Address : Disabled
Power Type/Mode : PoE/Full Power (normal mode)
Number of Slots : 3
AP Model : AIR-AP1852I-D-K9
IOS Version : 16.10.1.24
Reset Button : Disabled
AP Serial Number : KWC212904UB
Management Frame Protection Validation : Disabled
AP User Mode : Automatic
AP User Name : Not Configured
AP 802.1X User Mode : Global
AP 802.1X User Name : Not Configured
Cisco AP System Logging Host : 9.4.172.116
AP Up Time : 11 days 1 hour 15 minutes 52 seconds 
AP CAPWAP Up Time : 6 days 3 hours 11 minutes 6 seconds 
Join Date and Time : 09/05/2018 04:18:52
Join Taken Time : 3 minutes 1 second 
Join Priority : 1
Ethernet Port Duplex : Auto
Ethernet Port Speed : Auto
AP Link Latency : Disable
AP Lag Configuration Status : Disabled
AP Lag Operational Status : Disabled
Lag Support for AP : Yes
Rogue Detection : Enabled
Rogue Containment auto-rate : Disabled
Rogue Containment of standalone FlexConnect APs : Disabled
Rogue Detection Report Interval : 10
Rogue AP minimum RSSI : -90
Rogue AP minimum transient time : 0
AP TCP MSS Adjust : Enabled
AP TCP MSS Size : 1250
AP IPv6 TCP MSS Adjust : Enabled
AP IPv6 TCP MSS Size : 1250
Hyperlocation Admin Status : Disabled
Retransmit count : 5
Retransmit interval : 3
Fabric status : Disabled
FIPS status : Disabled
WLANCC status : Disabled
USB Module Type : USB Module
USB Module State : Enabled
USB Operational State : Disabled
USB Override : Disabled
Lawful-Interception Admin status : Disabled
Lawful-Interception Oper status : Disabled

Verifying Syslog Server Settings for a Specific Access Point

To view the Syslog server settings for a specific access point, use the following command:

Device# show ap name <ap-name> config general
show ap name APA0F8.4984.5E48 config general
Cisco AP Name : APA0F8.4984.5E48
=================================================

Cisco AP Identifier : a0f8.4985.d360
Country Code : IN
Regulatory Domain Allowed by Country : 802.11bg:-A 802.11a:-DN
AP Country Code : IN - India
AP Regulatory Domain
Slot 0 : -A
Slot 1 : -D
MAC Address : a0f8.4984.5e48
IP Address Configuration : DHCP
IP Address : 9.4.172.111
IP Netmask : 255.255.255.0
Gateway IP Address : 9.4.172.1
Fallback IP Address Being Used : 
Domain : 
Name Server : 
CAPWAP Path MTU : 1485
Telnet State : Disabled
SSH State : Disabled
Jumbo MTU Status : Disabled
Cisco AP Location : default location
Site Tag Name : ST1
RF Tag Name : default-rf-tag
Policy Tag Name : PT3
AP join Profile : default-ap-profile
Primary Cisco Controller Name : WLC2
Primary Cisco Controller IP Address : 9.4.172.31
Secondary Cisco Controller Name : Not Configured
Secondary Cisco Controller IP Address : 0.0.0.0
Tertiary Cisco Controller Name : Not Configured
Tertiary Cisco Controller IP Address : 0.0.0.0
Administrative State : Enabled
Operation State : Registered
AP Certificate type : Manufacturer Installed Certificate
AP Mode : Local
AP VLAN tagging state : Disabled
AP VLAN tag : 0
CAPWAP Preferred mode : Not Configured
AP Submode : Not Configured
Office Extend Mode : Disabled
Remote AP Debug : Disabled
Logging Trap Severity Level : notification
Software Version : 16.10.1.24
Boot Version : 1.1.2.4
Mini IOS Version : 0.0.0.0
Stats Reporting Period : 180
LED State : Enabled
PoE Pre-Standard Switch : Disabled
PoE Power Injector MAC Address : Disabled
Power Type/Mode : PoE/Full Power (normal mode)
Number of Slots : 3
AP Model : AIR-AP1852I-D-K9
IOS Version : 16.10.1.24
Reset Button : Disabled
AP Serial Number : KWC212904UB
Management Frame Protection Validation : Disabled
AP User Mode : Automatic
AP User Name : Not Configured
AP 802.1X User Mode : Global
AP 802.1X User Name : Not Configured
Cisco AP System Logging Host : 9.4.172.116
AP Up Time : 11 days 1 hour 15 minutes 52 seconds 
AP CAPWAP Up Time : 6 days 3 hours 11 minutes 6 seconds 
Join Date and Time : 09/05/2018 04:18:52
Join Taken Time : 3 minutes 1 second 
Join Priority : 1
Ethernet Port Duplex : Auto
Ethernet Port Speed : Auto
AP Link Latency : Disable
AP Lag Configuration Status : Disabled
AP Lag Operational Status : Disabled
Lag Support for AP : Yes
Rogue Detection : Enabled
Rogue Containment auto-rate : Disabled
Rogue Containment of standalone FlexConnect APs : Disabled
Rogue Detection Report Interval : 10
Rogue AP minimum RSSI : -90
Rogue AP minimum transient time : 0
AP TCP MSS Adjust : Enabled
AP TCP MSS Size : 1250
AP IPv6 TCP MSS Adjust : Enabled
AP IPv6 TCP MSS Size : 1250
Hyperlocation Admin Status : Disabled
Retransmit count : 5
Retransmit interval : 3
Fabric status : Disabled
FIPS status : Disabled
WLANCC status : Disabled
USB Module Type : USB Module
USB Module State : Enabled
USB Operational State : Disabled
USB Override : Disabled
Lawful-Interception Admin status : Disabled
Lawful-Interception Oper status : Disabled
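
The output of show ap config general and show ap name <ap-name> config general can be checked per AP for the syslog host cases described under Configuring the Syslog Host. The following Python sketch is an added example, not Cisco tooling: SAMPLE is a constructed, shortened capture in which only the first AP's values come from this page, and the status labels are hypothetical names chosen for the example.

```python
import ipaddress

# Constructed sample in the format of the output above; only the first AP's
# values come from the page, the AP-EXAMPLE-* blocks are made up.
SAMPLE = """\
Device# show ap config general
Cisco AP Name : APA0F8.4984.5E48
Logging Trap Severity Level : notification
Cisco AP System Logging Host : 9.4.172.116
Cisco AP Name : AP-EXAMPLE-2
Logging Trap Severity Level : notification
Cisco AP System Logging Host : 255.255.255.255
Cisco AP Name : AP-EXAMPLE-3
Logging Trap Severity Level : notification
Cisco AP System Logging Host : 0.0.0.0
"""
HOST_KEY, LEVEL_KEY = "Cisco AP System Logging Host", "Logging Trap Severity Level"


def parse_ap_blocks(text):
    """Return {ap_name: {field: value}} from 'show ap config general' output."""
    aps, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # prompt lines, separators, blank lines
        key, value = key.strip(), value.strip()
        if key == "Cisco AP Name":
            current = aps.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return aps


def classify_host(host):
    """Map the logging host to the cases the syslog host section describes."""
    try:
        addr = ipaddress.ip_address(host or "")
    except ValueError:
        return "missing-or-unparsed"
    if str(addr) == "255.255.255.255":
        return "broadcast-default"  # default; avoid on subnets with > 20 APs
    if str(addr) == "0.0.0.0":
        return "syslog-disabled"    # AP sends no syslog messages at all
    return "unicast"


def audit(text):
    """Return [(ap_name, host_status, trap_level)] for every AP in the output."""
    return [(name, classify_host(f.get(HOST_KEY)), f.get(LEVEL_KEY, "unknown"))
            for name, f in parse_ap_blocks(text).items()]


if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```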