Description: This Knowledge Base article describes the functions of the Syslog in a LANCOM router or access point.
Functions: Syslog is a service that collects status messages from the network at a central location. Syslog transfers the status messages as plain text, which is a far more convenient service than SNMP traps, for example, as SNMP offers only a small number of standardized traps and also because SNMP requires the delivery of a MIB (Management Information Base) in order for the device-related traps to be translated. Syslog classifies messages according to priority and facility, which enables particular messages to be sent or suppressed.
The size of the syslog buffer depends on the system memory (RAM) and the firmware version: - More than ca. 85 MB free RAM and a firmware as of version 10.12 = maximum of 23000 Syslog messages
- Example: 1781VA with 256 MB RAM
- At least 32 MB available RAM = maximum of 2048 Syslog messages
- Example: 1721+ VPN with 32 MB RAM
| Info |
|---|
A router with 128 MB RAM (e.g. the 1781A) usually has less than 85 MB free RAM, thereby only supporting a maximum of 2048 Syslog messages. |
Classifying Syslog messages: Syslog messages are divided into various groups (facilities) and are sorted according to priority within a group. The Syslog server (recipient of Syslog messages) can be instructed to display messages of a certain priority for each group, i.e. all messages of the same or of a higher priority will be displayed. An example of a well known Syslog server is the Kiwi Syslog server.
Priorities: Syslog defines eight priority levels. In LANCOM devices several levels are aggregated, so that there are only five priority levels.
| Priority in LANCOM devices | Description | Mapping to Syslog severity |
|---|
| Alert | This priority conveys all messages, the administrator should check upon immediately (e.g. a login error). | EMERGENCY, ALERT, CRITICAL | | Error | This priority conveys all error messages of the system, which interfere with normal operation (e.g. a connection error). | ERROR | | Warning | This priority conveys error messages, which don't interfere with the normal operation (e.g. a connection doesn't use compression albeit it is configured). | WARNING | | Information | This priority conveys all messages, which only have informative character (e.g. Accounting information). | NOTICE, INFORM | | Debug | This is the lowest priority. Debug messages should never be conveyed. | DEBUG |
Facilities: Syslog messages are divided into different message groups (facilities) and indicate at least the message source. On LANCOM devices not alle Syslog facilities are used, so that there are eight different facilities.
| Quelle Source in LANCOM Gerätendevices | Description | Zuordnung zu Assignment to Syslog - Facility |
|---|
| System | Operating system messages (e.g. a reboot of the device). | KERNEL | | Login | Messages regarding the login and logout of a user during the PPP negotiation as well as errors. | AUTH | | System time | Messages regarding the change of the system time. | CRON | | Console login | Messages regarding logins on the CLI (e.g. via Telnet orr SSH) as well as errors. | AUTHPRIV | | Connections | Messages regarding the establishment and termination of connections as well as errors. The Syslog messages correspond to the display trace (contains the error and status trace). | LOCAL 0 | | Accounting | Messages regarding Acounting information, which is created after a connection is terminated. Among other things it contains information regarding the user, the online time and the transferred data volume). | LOCAL 1 | | Administration | Messages regarding configuration changes. | LOCAL 2 | | Router | Regular statistics regarding the most used services (broken down by ports) as well as messages regarding filtered packets and routing errors. | LOCAL 3 |
Syslog message structure: Syslog messages are transmitted in plain text (ASCII). The classification by priority and facility is a decimal number in angle brackets placed as a prefix before the message. The Syslog server uses this number to decide how to handle the message. When the message is stored the number is removed so only the message remains. To be able to identify where the message came from, the LANCOM device adds the message source and the alarm level to the message as plain text. Thus a Syslog message appears as follows (note: in the PF field, source and level are not reduced): <PF>SOURCE_LEVEL: message
Example:
<81>ADMIN_ALERT: Login from outband failed
<149>ADMIN_INFO: Firmware upload started from 10.0.0.170 {ntserver} via TFTP | 
