Visibility Is the First Job of Operations
You can’t fix what you can’t see. Cisco IOS has three telemetry mechanisms that should be configured on every production device: syslog for ongoing event logging, SNMP for monitoring tools to poll metrics and receive traps, and EEM (Embedded Event Manager) for the router itself to react automatically to specific events.
This article covers all three on Cisco IOS, with the configuration patterns that should be in your baseline.
Syslog — Severity Levels
Syslog messages have eight severity levels. Lower number = more severe:
| Level | Name | What it means |
|---|---|---|
| 0 | Emergency | System unusable |
| 1 | Alert | Take action immediately |
| 2 | Critical | Critical conditions (hardware failure) |
| 3 | Error | Interface down, OSPF neighbor down |
| 4 | Warning | Non-fatal warnings |
| 5 | Notice | Normal but worth noting (config change) |
| 6 | Informational | Routine status |
| 7 | Debug | Verbose debug output |
Each syslog destination (console, terminal, buffer, host) can filter by severity. Always specify a severity threshold — defaulting to all levels (7) saturates the syslog server with debug noise.
Configuring Syslog
! Buffered logging (in router memory, viewable with show log)
R1(config)# logging buffered 32768 informational
! Console - notifications (level 5) or higher; debug to console saturates the CPU
R1(config)# logging console notifications
! Remote syslog server
R1(config)# logging host 10.1.1.5
R1(config)# logging trap informational
! Source interface (so messages always come from the same IP)
R1(config)# logging source-interface Loopback0
! Add millisecond timestamps - critical for correlation
R1(config)# service timestamps log datetime msec localtime show-timezone
R1(config)# service timestamps debug datetime msec localtime show-timezone
Always use a loopback as source-interface. Without it, messages are sourced from whichever physical interface routed them — making the same router appear under different IPs in your SIEM. Loopback as source = stable identity.
Viewing logs
R1# show logging
R1# show logging | include OSPF
R1# clear logging
SNMP — Versions and Configuration
SNMP comes in three versions:
- v1 — obsolete. Avoid.
- v2c — community-string-based authentication. Plaintext but widely deployed.
- v3 — user-based authentication and (optionally) encryption. The right choice for production.
SNMPv2c (legacy but ubiquitous)
R1(config)# snmp-server community RO-COMM-STRING ro 99
R1(config)# snmp-server community RW-COMM-STRING rw 99
R1(config)# access-list 99 permit 10.1.1.5
R1(config)# access-list 99 deny any log
R1(config)# snmp-server location DataCenter-Rack-A12
R1(config)# snmp-server contact noc@corp.local
R1(config)# snmp-server enable traps
R1(config)# snmp-server host 10.1.1.5 version 2c RO-COMM-STRING
The numbered ACL restricts which hosts can use the community string — without it, anyone who guesses your community can read SNMP data. Always include it.
SNMPv3 (recommended for production)
! Define the view the group references (an undefined view leaves the group with nothing to read)
R1(config)# snmp-server view DEFAULTVIEW iso included
R1(config)# snmp-server group ROGROUP v3 priv read DEFAULTVIEW
R1(config)# snmp-server user nocuser ROGROUP v3 auth sha SecretAuth priv aes 128 SecretPriv
R1(config)# snmp-server host 10.1.1.5 version 3 priv nocuser
Three security levels in v3: noauth (no authentication), auth (auth only), priv (auth + encryption). Use priv.
EEM — Embedded Event Manager
EEM lets the router run scripts in response to events. Useful for “when interface X goes down, do Y” without needing an external monitoring system.
Simple applet — log when an interface goes down
R1(config)# event manager applet INT-DOWN-ALERT
R1(config-applet)# event syslog pattern "LINEPROTO-5-UPDOWN.*GigabitEthernet0/1.*down"
R1(config-applet)# action 1.0 syslog priority alerts msg "CRITICAL: WAN link down"
R1(config-applet)# action 2.0 cli command "enable"
R1(config-applet)# action 3.0 cli command "show ip route"
R1(config-applet)# action 4.0 syslog msg "$_cli_result"
This watches the syslog stream for a specific pattern (regex on syslog messages), then executes a sequence of actions. Actions can be: log a message, run CLI commands, send email, increment a counter, send an SNMP trap.
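As an added example, not code from the article: a small Python parser for IOS syslog lines in the timestamp format configured above. It keeps messages at or above a severity threshold from the table and checks each line against the INT-DOWN-ALERT regex; the sample lines are constructed, and the tightened pattern is my suggestion, not the article's.

```python
import re
from datetime import datetime

# One IOS syslog line as written with "service timestamps log datetime msec localtime show-timezone"
LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?[*.]?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>\S+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "informational", "debug"]

# The regex exactly as the INT-DOWN-ALERT applet uses it ...
APPLET_PATTERN = re.compile(r"LINEPROTO-5-UPDOWN.*GigabitEthernet0/1.*down")
# ... and a tightened form (my suggestion): the comma after the interface name stops 0/1 matching 0/10 or 0/1/0
TIGHT_PATTERN = re.compile(r"LINEPROTO-5-UPDOWN.*GigabitEthernet0/1,.*down")

def parse_line(line):
    """Split one syslog line into fields; None if it is not a Cisco %FAC-SEV-MNEMONIC message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sev"] = int(d["sev"])
    d["sev_name"] = SEVERITY[d["sev"]]
    d["ts"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S.%f")  # the message carries no year
    return d

def triage(lines, threshold=5):
    """Keep messages with severity <= threshold (lower number = more severe) and note
    whether each would fire the page's applet pattern and the tightened one."""
    kept = []
    for line in lines:
        msg = parse_line(line)
        if msg is None or msg["sev"] > threshold:
            continue
        msg["applet_match"] = bool(APPLET_PATTERN.search(line))
        msg["tight_match"] = bool(TIGHT_PATTERN.search(line))
        kept.append(msg)
    return kept

# Constructed sample lines, not a capture from a real device.
SAMPLE = [
    "000123: *Mar  1 09:15:02.117 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "000124: *Mar  1 09:15:02.340 UTC: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/1 from FULL to DOWN, Neighbor Down: Interface down or detached",
    "000125: *Mar  1 09:15:03.002 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.50)",
    "000126: *Mar  1 09:15:03.501 UTC: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.1.5 port 514 started - CLI initiated",
    "000127: *Mar  1 09:15:04.000 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/10, changed state to down",
]
```

`triage(SAMPLE)` keeps four of the five lines (the level-6 message is dropped); the Gi0/10 line shows the unanchored applet regex firing for the wrong interface while the tightened one does not.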
Time-based applet — auto-save config every hour
R1(config)# event manager applet AUTO-SAVE
R1(config-applet)# event timer cron cron-entry "0 * * * *"
R1(config-applet)# action 1.0 cli command "enable"
! copy prompts "Destination filename [startup-config]?"; pattern makes EEM wait for that prompt instead of the exec prompt, and the empty command accepts the default
R1(config-applet)# action 2.0 cli command "copy running-config startup-config" pattern "Destination filename"
R1(config-applet)# action 3.0 cli command ""
Cron syntax matches Unix. 0 * * * * = top of every hour.
Counter applet — track an event over time
R1(config)# event manager applet COUNT-OSPF-RESETS
R1(config-applet)# event syslog pattern "OSPF-5-ADJCHG.*FULL to DOWN"
R1(config-applet)# action 1.0 increment OSPF_RESETS 1
R1(config-applet)# action 2.0 syslog msg "OSPF reset count: $OSPF_RESETS"
Common Pitfalls
- Logging to console at level debug. Spams the console line and can pin a router’s CPU at 100% if there’s a syslog flood. Cap console at `notifications` (notice) or `informational`.
- No source-interface for syslog. Messages come from whichever interface routes them. Use `logging source-interface Loopback0` for stable identity.
- SNMP community without ACL. Anyone who guesses or sniffs the community string can read or write the device. Always restrict with an ACL.
- SNMPv2c on Internet-facing devices. Community strings are plaintext. Use v3 with `priv` at minimum.
- EEM applets without testing. A bad applet can run runaway loops. Use `show event manager session cli username` to see what an applet has executed.
- Forgetting timestamps. Without `service timestamps log datetime msec`, log messages have no time, which makes correlation across devices impossible.
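As an added example, not from the article: a Python audit that reads a running-config as text and reports each of the pitfalls above that it finds (missing timestamps, no remote host, no source-interface, console left at debugging, community strings without an ACL or still on v1/v2c, v3 groups and trap hosts below priv). The two configs are constructed for the example.

```python
import re

def audit_config(config_text):
    """Audit a running-config against this page's baseline; return a list of
    finding strings (empty list = baseline met). One check per 'Common Pitfalls' item."""
    lines = [l.strip() for l in config_text.splitlines()
             if l.strip() and not l.lstrip().startswith("!")]
    has = lambda pat: any(re.match(pat, l) for l in lines)
    f = []
    if not has(r"service timestamps log datetime msec"):
        f.append("no 'service timestamps log datetime msec'; cross-device correlation impossible")
    if not has(r"logging host \S+"):
        f.append("no remote syslog host; the buffer is lost on reload")
    if not has(r"logging source-interface \S+"):
        f.append("no logging source-interface; the router appears under several IPs")
    # 'logging console' with no level means debugging, the worst case.
    console = next((l.split()[2:3] or ["debugging"] for l in lines if l.startswith("logging console")),
                   ["debugging"])
    if console[0] == "debugging" and not has(r"no logging console"):
        f.append("console logging at debugging; cap at notifications")
    for l in lines:
        m = re.match(r"snmp-server community (\S+)(?: view \S+)?(?: (?:ro|rw))?(?: (\S+))?$", l, re.I)
        if m:
            f.append(f"community '{m.group(1)}' is v1/v2c (plaintext); prefer v3 priv")
            if m.group(2) is None:
                f.append(f"community '{m.group(1)}' has no ACL; any host that guesses it can use it")
        m = re.match(r"snmp-server group \S+ v3 (noauth|auth)\b", l)
        if m:
            f.append(f"v3 group uses '{m.group(1)}'; use priv for encryption")
        m = re.match(r"snmp-server host \S+ version (1|2c|3 noauth|3 auth)\b", l)
        if m:
            f.append(f"trap host uses 'version {m.group(1)}'; use 'version 3 priv'")
    return f

# Constructed configs (not captured from real devices).
WEAK_CONFIG = """
logging console
logging host 10.1.1.5
snmp-server community public ro
snmp-server host 10.1.1.5 version 2c public
"""
BASELINE_CONFIG = """
service timestamps log datetime msec localtime show-timezone
logging console notifications
logging host 10.1.1.5
logging source-interface Loopback0
snmp-server group ROGROUP v3 priv read DEFAULTVIEW
snmp-server host 10.1.1.5 version 3 priv nocuser
"""
```

`audit_config(WEAK_CONFIG)` returns six findings; `audit_config(BASELINE_CONFIG)` returns an empty list.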
The Logging/SNMP Baseline
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
logging buffered 32768 informational
logging console notifications
logging host 10.1.1.5
logging trap informational
logging source-interface Loopback0
snmp-server view DEFAULTVIEW iso included
snmp-server group ROGROUP v3 priv read DEFAULTVIEW
snmp-server user nocuser ROGROUP v3 auth sha SecretAuth priv aes 128 SecretPriv
snmp-server location $location
snmp-server contact noc@corp.local
snmp-server enable traps
snmp-server host 10.1.1.5 version 3 priv nocuser
Add an EEM applet for whatever events your operations team actually cares about. EEM is one of those features that, once you start using, you find dozens of small automations to write — auto-saves, auto-rollbacks, alert-on-syslog-pattern, scheduled config diffs.