Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
379
Views
0
Helpful
4
Replies

Understanding Syslog Facilities

Go to solution
xzevallos
Level 1
Level 1

‎04-17-2025 08:32 AM

I'm trying to understand what is "facility" in Syslog messages.  Please refer to the following link for this discussion:

https://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/SysMsgLogging.html#wp1054470

In the "System Log Message Format" section, it states that the messages are displayed in this format:

seq no:timestamp: %facility-severity-MNEMONIC:description

Two examples are as follows:

00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
0:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down

Therefore, the facility in these example messages are "LINK" and "LINEPROTO".

In Table 4, it shows a list of facilities that can be sent to a Syslog server.  Why aren't "LINK" and "LINEPROTO" included in the list?  Are the facilities listed in this table in any way related to the facilities displayed in the message logs appended to the % sign?  If not, this means that there are two types of facilities involved with Syslog messages.  In this case, what's the difference? Is the NMS able to recognize the two different facility types and be able to filter based on each facility type?  

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎04-17-2025 09:08 AM

Possibly what is causing your confusion, I believe there's both a source facility and a destination facility.

Table 4 is describing destination facilities known by 4.3 BSD UNIX syslog server.

As to what a NMS can or cannot do, depends on the NMS.  But your reference is discussing syslogging, which isn't a NMS, although a NMS may provide its own syslogging capability.

View solution in original post

0 Helpful

Go to solution
xzevallos
Level 1
Level 1

‎04-17-2025 10:37 AM

I just did a Wireshark capture.  After shutting down an interface, I saw that the "%LINK-3-UPDOWN" part of the message as seen in the console or monitor is not part of the Syslog protocol, but just part of the text string in the message payload.  Only the destination facility code is part of the protocol.  

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎04-17-2025 09:08 AM

Possibly what is causing your confusion, I believe there's both a source facility and a destination facility.

Table 4 is describing destination facilities known by 4.3 BSD UNIX syslog server.

As to what a NMS can or cannot do, depends on the NMS.  But your reference is discussing syslogging, which isn't a NMS, although a NMS may provide its own syslogging capability.

0 Helpful

Go to solution
xzevallos
Level 1
Level 1

‎04-17-2025 09:28 AM

I read that Cisco by default sends facility-type "local7" in all the syslog packets.  If this is the case, this means that the command "logging facility facility-type" is useless to the NMS because all the syslog packets received are not differentiated by the destination facility.  But is the source facility included in the syslog packet, such as %LINE for example?  Or is this just part of the text string in the message payload?    

0 Helpful

Go to solution
xzevallos
Level 1
Level 1

‎04-17-2025 10:37 AM

I just did a Wireshark capture.  After shutting down an interface, I saw that the "%LINK-3-UPDOWN" part of the message as seen in the console or monitor is not part of the Syslog protocol, but just part of the text string in the message payload.  Only the destination facility code is part of the protocol.  

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to xzevallos

‎04-17-2025 10:46 AM

Correct, but the Cisco source should allow one of 8 destination facility codes.

0 Helpful
Customers Also Viewed These Support Documents
Top