Lab 20: Centralised Logging with Syslog + NTP
Logs are useless without accurate clocks. Sync the router to NTP, ship its events to a syslog server, and generate test events to watch them arrive correctly timestamped. Difficulty: Beginner+ · Time: ~25 min.
Lab objectives
- Sync device time from an NTP server
- Enable service timestamps
- Send logging to a syslog server
- Generate and observe events
Topology & addressing
Router + server (PT "Server" with NTP and Syslog services on) at 192.168.1.5, both on 192.168.1.0/24.
Step-by-step configuration
ntp server 192.168.1.5 | Set the time source |
service timestamps log datetime msec | Real timestamps on log messages |
logging host 192.168.1.5 | Ship events to the syslog server |
Generate events: shutdown/no shutdown an interface | Interface up/down messages to observe |
Verification
show ntp status → "Clock is synchronized". Bounce an interface, then open the server's Syslog service — LINK-UPDOWN entries listed with real date-times. This tiny lab is the seed of a SOC: centralised, time-aligned evidence (exactly what SIEMs consume at scale — see the CyberOps course).
Next lab: labs hub · test yourself: CCNA practice test.
Frequently asked questions
Why does NTP matter for logging?
Correlating events across devices requires one time truth — investigations die when clocks disagree.
What severity levels does syslog send?
0 (emergencies) through 7 (debugging); logging trap sets the threshold shipped to the server.
Where do logs go without a syslog server?
Console/buffer only (show logging) — lost on reload and invisible centrally, which is why real networks always ship logs off-box.
Related articles
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.