webby.tools

Cisco Log File Generator

Generate realistic mock log files from Cisco network devices for testing, demos, and training. Everything runs in your browser — nothing is uploaded anywhere. If you need non-Cisco server logs (Apache, Nginx, syslog, MySQL), see the Log File Generator.

Supported Cisco Log Formats

Cisco IOS (Routers & Switches)

The classic IOS syslog format used on Catalyst switches, ISR and ASR routers, and many other Cisco platforms. Each message follows the pattern *timestamp: %FACILITY-SEVERITY-MNEMONIC: description. The generator covers common facilities including SYS, LINK, LINEPROTO, OSPF, BGP, HSRP, CDP, DHCPD, SEC, and EIGRP. Severity levels range from 0 (Emergency) to 7 (Debugging) and are controlled by the error rate slider — a higher value produces more severity 0–4 messages.

Cisco ASA (Adaptive Security Appliance)

Cisco ASA firewalls use the format %ASA-severity-msgid: description. Generated messages include connection build/teardown events (302013, 302014, 302015, 302016), access-list denies (106023), NAT translations, VPN tunnel events (713228), failover messages, threat detection alerts, and login successes and failures. The tool simulates a realistic mix of inside, outside, and DMZ interface names with associated security levels.
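As an added example (not code from this tool), the following Python sketch splits `%ASA-severity-msgid` lines and summarises access-list denies (106023) per source address, which is the kind of correlation search a SIEM rule would run over generated ASA data. The sample lines are constructed, and the 106023 body layout matched by `DENY_RE` is an assumption about what the generator emits.

```python
import re
from collections import defaultdict

ASA_RE = re.compile(r"%ASA-(?P<severity>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$")
# Assumed body layout of message 106023; ports are absent for ICMP denies.
DENY_RE = re.compile(
    r"Deny (?P<proto>\S+)"
    r" src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))?"
    r" dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)

def parse_asa(line):
    """Split a line into severity, message ID and body; None if not an ASA message."""
    m = ASA_RE.search(line.rstrip("\r\n"))
    if m is None:
        return None
    return {"severity": int(m["severity"]), "msgid": m["msgid"], "text": m["text"]}

def deny_summary(lines, min_ports=3):
    """Sources whose 106023 denies touch at least min_ports distinct destination ports."""
    denies = defaultdict(int)
    ports = defaultdict(set)
    for line in lines:
        msg = parse_asa(line)
        if msg is None or msg["msgid"] != "106023":
            continue
        d = DENY_RE.match(msg["text"])
        if d is None:
            continue  # unexpected body: skip rather than guess at fields
        denies[d["src_ip"]] += 1
        if d["dst_port"]:
            ports[d["src_ip"]].add(int(d["dst_port"]))
    return {ip: {"denies": denies[ip], "ports": sorted(ports[ip])}
            for ip in denies if len(ports[ip]) >= min_ports}

# Constructed sample lines using documentation address ranges.
SAMPLE = """\
Mar 01 2024 10:00:01 asa1 : %ASA-4-106023: Deny tcp src outside:203.0.113.7/40112 dst inside:10.1.1.5/22 by access-group "outside_in" [0x0, 0x0]
Mar 01 2024 10:00:02 asa1 : %ASA-4-106023: Deny tcp src outside:203.0.113.7/40113 dst inside:10.1.1.5/23 by access-group "outside_in" [0x0, 0x0]
Mar 01 2024 10:00:02 asa1 : %ASA-6-302013: Built inbound TCP connection 7001 for outside:198.51.100.20/51000 (198.51.100.20/51000) to dmz:10.2.0.8/80 (10.2.0.8/80)
Mar 01 2024 10:00:03 asa1 : %ASA-4-106023: Deny tcp src outside:203.0.113.7/40114 dst inside:10.1.1.5/3389 by access-group "outside_in" [0x0, 0x0]
Mar 01 2024 10:00:04 asa1 : %ASA-4-106023: Deny tcp src outside:198.51.100.20/51001 dst dmz:10.2.0.8/443 by access-group "outside_in" [0x0, 0x0]
Mar 01 2024 10:00:05 asa1 : %ASA-4-106023: Deny icmp src outside:198.51.100.20 dst dmz:10.2.0.8 (type 8, code 0) by access-group "outside_in" [0x0, 0x0]
Mar 01 2024 10:00:06 asa1 : %ASA-4-106023: Deny tcp src outside:203.0.113.7/40115 dst inside:10.1.1.6/22 by access-group "outside_in" [0x0, 0x0]
"""

if __name__ == "__main__":
    print(deny_summary(SAMPLE.splitlines()))
```

Lines whose body does not match the assumed layout are skipped, so a low match count against generated data is itself a sign that the parsing rule needs adjusting.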

Cisco NX-OS (Nexus Data-Centre Switches)

NX-OS logs are similar to IOS but include the year in the timestamp and use facilities like ETHPORT, VPC, STP, PORT-CHANNEL, VSHD, ACLMGR, and LICMGR. Interface names use the Ethernet slot/port naming convention (e.g. Ethernet1/12) commonly seen on Nexus 9000, 7000, and 5000 series switches.

Cisco WLC (Wireless LAN Controller)

Wireless LAN Controller logs record AP association and disassociation events, client roaming, RADIUS authentication, rogue AP detection, RF channel changes, and DHCP operations. Messages are prefixed with the originating process or task name (e.g. *spamApTask7, *emWeb) and use the %APF, %DOT1X, %LWAPP, and %DHCP facilities.

Cisco Meraki (Cloud-Managed Devices)

Meraki devices emit syslog in a distinct format that begins with an epoch timestamp followed by the device model (MX, MR, MS). Log categories include flows (firewall flow tracking with src/dst/port/protocol), urls (content filtering), events (client association, DHCP, VPN), and ids-alerts (intrusion detection). Because Meraki is cloud-managed, its logs often supplement the Meraki Dashboard data when forwarded to a local SIEM.

Cisco ISE (Identity Services Engine)

ISE authentication and authorization logs record RADIUS transactions, 802.1X authentication results, MAB (MAC Authentication Bypass) events, posture assessment outcomes, guest portal logins, and profiling data. Generated entries include the ISE message code, session ID, endpoint MAC, NAS IP, and authorization profile — mirroring the CSV-style structured format found in ISE prrt-server.log files.

Common Use Cases

  • SIEM testing: Feed Cisco-formatted logs into Splunk, Elastic, or Graylog to validate parsing rules, CIM field mappings, and correlation searches before connecting to production devices.
  • Network monitoring lab work: Populate syslog receivers with realistic data for CCNA, CCNP, or CCIE lab practice without needing physical hardware.
  • Incident response training: Create log sets containing firewall deny events, failed VPN logins, or spanning-tree topology changes for tabletop exercises and threat-hunting drills.
  • Parser development: Build and test regex or Grok patterns against known-good Cisco log samples. Pair this tool with the Log File Generator when your pipeline also ingests Linux, Apache, or database logs.
  • Documentation and runbooks: Include realistic Cisco log snippets in internal documentation, wiki pages, and incident-response playbooks without exposing real infrastructure details.
  • Compliance audits: Demonstrate that your log collection and retention pipeline handles Cisco device logs correctly during SOC 2 or PCI-DSS readiness reviews.

Cisco Syslog Severity Levels

All Cisco syslog messages include a single-digit severity level. The generator uses the error rate slider to control the proportion of high-severity (0–4) versus informational (5–7) messages.

| Level | Name          | Description              | IOS Keyword   |
|-------|---------------|--------------------------|---------------|
| 0     | Emergency     | System unusable          | emergencies   |
| 1     | Alert         | Immediate action needed  | alerts        |
| 2     | Critical      | Critical condition       | critical      |
| 3     | Error         | Error condition          | errors        |
| 4     | Warning       | Warning condition        | warnings      |
| 5     | Notification  | Normal but significant   | notifications |
| 6     | Informational | Informational messages   | informational |
| 7     | Debugging     | Debug-level messages     | debugging     |

Frequently Asked Questions

Are these real Cisco logs?

No. The tool generates mock logs that follow the same format as real Cisco device output. Hostnames, IPs, MAC addresses, and serial numbers are randomly generated and do not correspond to real hardware or networks.

What is the %FACILITY-SEVERITY-MNEMONIC format?

Cisco IOS and NX-OS syslog messages use this three-part tag. The facility identifies the subsystem (e.g. LINK, OSPF, SEC). The severity is a single digit 0–7. The mnemonic is a short code describing the event (e.g. UPDOWN, ADJCHG). Together they let SIEM tools parse and categorize messages reliably.

How do I send these to a syslog server?

Download the .log file and replay it with a tool like logpai/logparser or logger on Linux. For Splunk, import the file directly as a one-shot input with source type cisco:ios, cisco:asa, or the appropriate TA source type.

What Cisco Splunk Technology Add-ons work with these logs?

The Splunk Add-on for Cisco ASA (Splunk_TA_cisco-asa), Splunk Add-on for Cisco IOS (Splunk_TA_cisco-ios), and Cisco Networks App for Splunk Enterprise all parse the formats this tool generates. Elastic users can use the cisco Filebeat module.

Can I combine Cisco and non-Cisco logs?

Yes. Generate Cisco logs here and Linux/web server logs with the Log File Generator, then concatenate and sort them by timestamp to simulate a mixed-environment SIEM feed.

Do these logs include sequence numbers?

IOS logs generated by this tool include optional sequence numbers (the six-digit counter before the timestamp) to match what you see when service sequence-numbers is enabled on a real device. ASA logs include their numeric message IDs (e.g. 302013, 106023) as they appear in production.
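The three-part tag and the optional sequence number described in this FAQ can be parsed together. The following Python sketch is an added example, not code from this tool: it extracts the fields, maps the severity digit to its name, and reports gaps in the sequence counter, which on a receiver indicate messages that never arrived. The sample lines and the `PORT_DOWN` mnemonic are constructed for illustration.

```python
import re

# Severity names from the table on this page, indexed by level.
SEVERITY = ("Emergency", "Alert", "Critical", "Error",
            "Warning", "Notification", "Informational", "Debugging")
SEQ_RE = re.compile(r"^(\d+): ")  # only with `service sequence-numbers`
# A facility may contain hyphens (PORT-CHANNEL). Each facility segment starts
# with a letter, so the single severity digit still splits the tag cleanly.
TAG_RE = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*(?:-[A-Z][A-Z0-9_]*)*)"
    r"-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): ?(?P<text>.*)$")

def parse_line(line):
    """Return the fields of a %FACILITY-SEVERITY-MNEMONIC line, or None."""
    line = line.rstrip("\r\n")
    tag = TAG_RE.search(line)
    if tag is None:
        return None
    seq = SEQ_RE.match(line)
    level = int(tag["severity"])
    return {"seq": int(seq.group(1)) if seq else None,
            "facility": tag["facility"], "severity": level,
            "severity_name": SEVERITY[level],
            "mnemonic": tag["mnemonic"], "text": tag["text"]}

def sequence_gaps(records):
    """Consecutive sequence-number pairs with messages missing in between."""
    seqs = [r["seq"] for r in records if r["seq"] is not None]
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]

# Constructed sample lines (not generator or device output).
SAMPLE = """\
000101: *Mar  1 00:01:23.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
000102: *Mar  1 00:01:24.460: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
000105: *Mar  1 00:02:10.001: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/2 from FULL to DOWN
2024 Mar  1 00:03:00 nx1 %PORT-CHANNEL-5-PORT_DOWN: port-channel10: Ethernet1/12 is down
this line has no Cisco tag
"""
RECORDS = [r for r in map(parse_line, SAMPLE.splitlines()) if r]

if __name__ == "__main__":
    for r in RECORDS:
        print(r["seq"], r["facility"], r["severity_name"], r["mnemonic"])
    print("sequence gaps:", sequence_gaps(RECORDS))
```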
