What is Syslog? An introduction to the system log protocol

According to Technopedia, the system log (syslog) is a record of operating system (OS) events: how system processes and drivers were loaded, plus informational events such as errors and warnings related to the operating system.

What is syslog and why is it relevant?

Operating systems keep event logs to help monitor, manage and troubleshoot a system. They record important events and processes that the user should be notified about: system errors, warnings, startup messages, system changes, abnormal failures or shutdowns, and so on, covering software, hardware and system components. Such logs exist in most versions of the three common operating systems (Windows, Linux and macOS). Entries are classified by type: error, information, warning, success audit and failure audit on Windows; emergency, alert, critical, error, warning, notice, informational and debug on macOS and Linux.

Syslog entries have a header and the event description, including details about it.

The syslog also records whether processes loaded successfully or not, information that can be used to diagnose the source of computer problems. Warnings and notices can be used to anticipate potential problems and take proactive action.

What is a Syslog server?

A Syslog server allows you to send log data from all devices within your business network (computers, printers, routers, servers, etc.) to a centralized place, from which it is possible to search, manage and archive all log information.

The syslog standard defines three layers:

  • Content layer: Actual data contained in the event message, with some informational elements such as facility codes and severity levels.
  • Application layer: Where the message is generated, interpreted, routed and stored.
  • Syslog transport layer: Where the message is transmitted over a network.

A syslog message contains the following fields (this list follows the layout used by Cisco IOS devices; the RFC 5424 header names its fields differently but carries the same facility and severity information):

  • Seq: a sequence number indicating the order of the message.
  • Timestamp: the time at which the message was generated.
  • Facility: indicates which process or subsystem on the device generated the message.
  • Severity: indicates how serious the recorded event is, on a scale of 8 levels:
    • Level 0, emergency: the system is unusable.
    • Level 1, alert: action must be taken immediately. These are also very urgent events.
    • Level 2, critical: critical conditions.
    • Level 3, error: error conditions.
    • Level 4, warning: warning conditions.
    • Level 5, notice: a normal but significant condition.
    • Level 6, informational: informational messages.
    • Level 7, debug: debug-level messages, the least serious.
  • MNEMONIC: a short code for the message, indicating what happened.
  • Description: detailed information about the event being reported.

Next, we explain its basic operation, its usefulness and the most common forwarding methods.

Basic operation

To understand how syslog works, start from the fact that a device in the company (a computer, network equipment or a server) can be configured to generate syslog messages, and that these messages are sent to a syslog server (also called a daemon or collector) that collects, sorts and classifies them and configures alerting and the location of the event within the network, so that events or problems arising in systems can be tracked and evaluated. The facility codes are:

Code Keyword Description
0 kern Kernel messages
1 user User-level messages
2 mail Mail system
3 daemon System daemons
4 auth Security/authorization messages
5 syslog Messages generated internally by syslogd
6 lpr Line printer subsystem
7 news Network news subsystem
8 uucp UUCP subsystem
9 cron Clock daemon
10 authpriv Security/authorization messages (private)
11 ftp FTP daemon
12 ntp NTP subsystem
13 security Log audit
14 console Log alert
15 solaris-cron Clock daemon (Solaris)
16-23 local0-local7 Local use 0-7
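To make the severity levels and facility codes concrete, here is an added Python example (it is not part of the original article) that decodes the PRI field at the start of a syslog message into its facility and severity. PRI is the number in angle brackets, computed as facility * 8 + severity, so the two codes are recovered with a shift and a mask. The first two sample messages are the ones given in RFC 5424; the third is constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Standard keyword names for facility codes 0-23 and severity levels 0-7
# (the names used by syslog.h, rsyslog and syslog-ng).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")   # the <PRI> header, e.g. <34>
VERSION_RE = re.compile(r"^(\d) ")      # RFC 5424 puts "VERSION " right after PRI


@dataclass
class SyslogHeader:
    pri: int
    facility: int
    severity: int
    facility_name: str
    severity_name: str
    version: Optional[int]   # 1 for RFC 5424, None for the older BSD/RFC 3164 layout
    rest: str                # everything after the PRI (and VERSION, if present)


def decode_pri(pri: int) -> tuple[int, int]:
    """PRI = facility * 8 + severity: facility is the high bits, severity the
    low three bits. Valid PRI values are 0..191 (23 * 8 + 7)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0..191")
    return pri >> 3, pri & 0x07


def encode_pri(facility_name: str, severity_name: str) -> int:
    """Inverse of decode_pri: ('authpriv', 'warning') -> 10 * 8 + 4 = 84."""
    return FACILITIES.index(facility_name) * 8 + SEVERITIES.index(severity_name)


def parse_header(line: str) -> SyslogHeader:
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("message does not start with a <PRI> header")
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    rest = line[m.end():]
    version = None
    # In RFC 5424 the PRI is followed by a one-digit VERSION and a space;
    # an RFC 3164 message continues with a month name instead, so no match.
    vm = VERSION_RE.match(rest)
    if vm:
        version = int(vm.group(1))
        rest = rest[vm.end():]
    return SyslogHeader(pri, facility, severity,
                        FACILITIES[facility], SEVERITIES[severity], version, rest)


# Sample messages: the first two are the examples from RFC 5424 section 6.5,
# the third is constructed for this illustration.
SAMPLE_BSD = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
SAMPLE_5424 = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
               '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] '
               'An application event log entry...')
SAMPLE_DEBUG = "<191>1 2024-01-01T00:00:00Z host app - - - local7 debug noise"

if __name__ == "__main__":
    for line in (SAMPLE_BSD, SAMPLE_5424, SAMPLE_DEBUG):
        h = parse_header(line)
        print(f"PRI {h.pri:3d} -> {h.facility_name}.{h.severity_name} (version {h.version})")
```

Running it prints `auth.crit`, `local4.notice` and `local7.debug` for the three samples. A PRI above 191 is rejected rather than silently mapped to a facility that does not exist, which is the check a collector should make before trusting the header.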

Of course, it is important to configure it properly to avoid saturating the server and generating excessive network traffic.

Syslog messages are sent from the originating device to the receiver (the syslog server), traditionally over a connectionless protocol (UDP), as short text messages that in the original BSD format (RFC 3164) do not exceed 1024 bytes, which keeps them quick to transmit and easy to interpret. To carry syslog messages to the log server (physical or virtual), the common transports are plain UDP, plain TCP, and TLS-encrypted transport over TCP, which we summarize below.

Forwarding Protocols: UDP and TCP

Over UDP, each message is sent to the network as a single datagram, by default on port 514. There is no acknowledgement and no retransmission mechanism: if there is a problem in the network there is no way to ensure that the datagram is delivered, let alone delivered in time, and the sender cannot even tell that the collector is down. The risk is that messages, including essential ones, may be lost or corrupted in transit without the system administrator ever being informed.

Another problem is that plain UDP syslog is neither encrypted nor authenticated, so messages can be intercepted or forged, with serious consequences for business security. A possible mitigation is to carry UDP syslog inside an encrypted VPN tunnel.

TCP transport is session-based and provides reliable, in-order delivery: the sender learns when the connection fails, and every accepted byte is acknowledged. TCP by itself does not encrypt anything; for confidentiality and authentication, syslog is run over TLS (Transport Layer Security, RFC 5425), conventionally on TCP port 6514, using X.509 certificates in the same way as HTTPS. With mutual TLS each device presents its own certificate, so the server can reject messages from unknown or spoofed senders, and a compromised device can be cut off by revoking its certificate. Delivery of each message is confirmed at the transport level. Of course, this requires devices to keep a connection to the collector open; while the collector is unreachable, messages queue locally and can still be lost if that buffer overflows.

Whatever the transport, a device that is disconnected or hung cannot send anything. So syslog on its own is a weak way to tell whether a device is up or down: silence may mean "nothing to report" or "host dead".
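The difference described above is easy to observe with a few sockets. The following added Python example (not code from the original article) runs a tiny sender and collector on the loopback interface: over UDP a message to a dead collector is "sent" without any error, while over TCP the handshake is refused immediately and the sender knows. The TCP path also shows RFC 6587 octet-counting framing, which is needed because TCP is a byte stream with no message boundaries. Ports are ephemeral stand-ins for 514 and 6514; the sample message is constructed.

```python
import socket

# Constructed sample message (BSD/RFC 3164 layout, PRI 34 = auth.crit).
SAMPLE = b"<34>Oct 11 22:14:15 host su: 'su root' failed for lonvick on /dev/pts/8"
LOOPBACK = "127.0.0.1"


def _free_port(kind: int) -> int:
    """Bind an ephemeral port, release it, and return the number so the
    caller can talk to a port where nothing is listening."""
    s = socket.socket(socket.AF_INET, kind)
    s.bind((LOOPBACK, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def udp_roundtrip(message: bytes) -> bytes:
    """One datagram per message, no handshake, no acknowledgement."""
    collector = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    collector.bind((LOOPBACK, 0))          # ephemeral port stands in for 514/udp
    collector.settimeout(2)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(message, collector.getsockname())
        data, _ = collector.recvfrom(2048)
        return data
    finally:
        sender.close()
        collector.close()


def udp_send_to_dead_collector(message: bytes) -> bool:
    """Send to a port with no listener. Returns True if sendto() reported
    success: the datagram is dropped, but the sender is never told."""
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(message, (LOOPBACK, _free_port(socket.SOCK_DGRAM)))
        return True
    except OSError:
        return False
    finally:
        sender.close()


def tcp_roundtrip(message: bytes) -> bytes:
    """TCP is a byte stream, so messages need framing. RFC 6587 octet counting
    prefixes each message with its length: b'72 <34>Oct 11 ...'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((LOOPBACK, 0))           # ephemeral port stands in for 514/tcp
    listener.listen(1)
    listener.settimeout(2)
    sender = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sender.connect(listener.getsockname())
        sender.sendall(b"%d %s" % (len(message), message))
        sender.close()                     # FIN tells the collector we are done
        conn, _ = listener.accept()
        conn.settimeout(2)
        buf = b""
        while chunk := conn.recv(4096):
            buf += chunk
        conn.close()
        length, _, body = buf.partition(b" ")
        if int(length) != len(body):       # truncated or garbled frame
            raise ValueError("frame length mismatch")
        return body
    finally:
        sender.close()
        listener.close()


def tcp_connect_to_dead_collector() -> bool:
    """Same experiment over TCP: the handshake is refused, so the sender
    knows immediately that the collector is down. Returns False on refusal."""
    sender = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sender.settimeout(2)
    try:
        sender.connect((LOOPBACK, _free_port(socket.SOCK_STREAM)))
        return True
    except OSError:
        return False
    finally:
        sender.close()


if __name__ == "__main__":
    print("UDP delivered:", udp_roundtrip(SAMPLE) == SAMPLE)
    print("UDP send to dead collector reported success:", udp_send_to_dead_collector(SAMPLE))
    print("TCP delivered:", tcp_roundtrip(SAMPLE) == SAMPLE)
    print("TCP connect to dead collector succeeded:", tcp_connect_to_dead_collector())
```

Syslog over TLS (RFC 5425) wraps exactly this TCP stream in an `ssl.SSLContext` with certificate verification on both ends; it is left out here only because it needs a certificate pair to run.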

Benefits of tools like Syslog for Business

The simplicity of syslog messages has made them easy to implement on most devices, and the data they provide make it easier to generate reports, diagrams and graphs about the IT infrastructure. This information and visibility allow the organization to pursue cybersecurity strategies, and make daily work easier for technical staff and business network administrators.

Syslog also allows log information to be stored centrally, streamlining its administration and providing a single authoritative copy of the data.

For device and network management, syslog allows equipment to be tracked and monitored. A related protocol is the Simple Network Management Protocol (SNMP), used to exchange data between an SNMP-enabled device and a network management solution. It allows the network to be monitored, network performance and growth to be managed efficiently, and network problems to be identified.

When to Use Syslog

Both syslog and SNMP are used to send alerts and messages to central servers to track the status of devices and the enterprise network. The main difference lies in SNMP traps: unsolicited, asynchronous notifications that alert the SNMP manager to a condition or event on the network. Traps have predefined formats described in a MIB file, so management software knows in advance what information a trap will carry.

Syslog, by contrast, is recommended for general or high-volume events, which are harder to predict, and for coping with the large volume of records coming from different vendors. To help with this, every syslog message carries two fields, Facility and Severity, whose numeric codes make analysis easier:

  • Severity: a simple value between 0 and 7 that identifies the importance of a message, as shown in the following table:
    Numeric Code Severity Meaning
    0 Emergency System is unusable
    1 Alert Action must be taken immediately
    2 Critical Critical conditions
    3 Error Error conditions
    4 Warning Warning conditions
    5 Notice Normal but significant condition
    6 Informational Informational messages
    7 Debug Debug-level messages
  • Facility: a code identifying the subsystem that produced the message. Collectors and forwarders use it as a lookup key and as a filter: for example, a forwarding rule sends to the remote syslog server only those events whose facility matches the one configured in the rule.
    Number Description
    0 Kernel messages
    1 User-level messages
    2 Mail system
    3 System daemons
    4 Security/authorization messages
    5 Messages generated internally by syslogd
    6 Line printer subsystem
    7 Network news subsystem
    8 Unix-to-Unix copy subsystem (UUCP)
    9 Clock daemon
    10 Security/authorization messages (private)
    11 FTP daemon
    12 NTP subsystem
    13 Log audit
    14 Log alert
    15 Clock daemon (Solaris)
    16 Local use 0 (local0)
    17 Local use 1 (local1)
    18 Local use 2 (local2)
    19 Local use 3 (local3)
    20 Local use 4 (local4)
    21 Local use 5 (local5)
    22 Local use 6 (local6)
    23 Local use 7 (local7)
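The filtering role of the Facility field described above is what syslog.conf-style selectors implement, and in practice the same rule also carries a severity threshold. The following added Python example (not from the original article) compiles a selector list such as `*.crit;authpriv.*;mail.none` into a per-facility routing table and applies it to constructed sample messages; it generalizes the facility-only filter in the text to the facility-plus-severity form real syslog daemons use. Selector syntax here is a deliberate subset: `facility.severity` means that level and anything more severe, `*` matches everything, `none` excludes a facility, and later rules refine earlier ones.

```python
from typing import Optional

# Standard keyword names for facility codes 0-23 and severity levels 0-7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(line: str) -> tuple[int, int]:
    """Split the leading <PRI> of a message into (facility, severity)."""
    pri = int(line[1:line.index(">")])
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0..191")
    return pri >> 3, pri & 0x07


def compile_selectors(spec: str) -> dict[int, Optional[int]]:
    """Turn 'kern.err;*.crit;authpriv.*;mail.none' into a table mapping each
    facility code to the least-severe level still forwarded (None = excluded).
    Rules apply left to right, so a later rule overrides an earlier one for
    the facilities it names; '=sev' exact-match selectors are not supported."""
    table: dict[int, Optional[int]] = {f: None for f in range(24)}
    for rule in spec.split(";"):
        fac_part, _, sev_part = rule.strip().partition(".")
        if fac_part == "*":
            facs = list(range(24))
        else:
            facs = [FACILITIES.index(name.strip()) for name in fac_part.split(",")]
        if sev_part == "none":
            limit: Optional[int] = None
        elif sev_part == "*":
            limit = 7                       # debug and everything above it
        else:
            limit = SEVERITIES.index(sev_part)
        for f in facs:
            table[f] = limit
    return table


def should_forward(line: str, table: dict[int, Optional[int]]) -> bool:
    """Lower severity numbers are more severe, hence severity <= limit."""
    facility, severity = decode_pri(line)
    limit = table[facility]
    return limit is not None and severity <= limit


def forward(lines: list[str], spec: str) -> list[str]:
    """Return only the messages the selector list would send to the collector."""
    table = compile_selectors(spec)
    return [line for line in lines if should_forward(line, table)]


# Constructed sample traffic (BSD layout); the comment gives facility.severity.
SAMPLE_LINES = [
    "<86>Jan 10 10:00:01 web01 sshd[1204]: Accepted publickey for deploy from 10.0.0.5",  # authpriv.info
    "<13>Jan 10 10:00:02 web01 app: user clicked button",                                  # user.notice
    "<18>Jan 10 10:00:03 mail01 postfix/smtpd: queue full",                                # mail.crit
    "<2>Jan 10 10:00:04 db01 kernel: Out of memory: Kill process 4242 (postgres)",         # kern.crit
    "<3>Jan 10 10:00:05 db01 kernel: EXT4-fs error on sda1",                               # kern.err
]

# Forward everything critical or worse, all authentication events, never mail.
POLICY = "*.crit;authpriv.*;mail.none"

if __name__ == "__main__":
    for line in forward(SAMPLE_LINES, POLICY):
        print("FORWARD", line)
```

With this policy the sshd login and the kernel OOM kill are forwarded; the user-level notice, the mail message (even though it is critical) and the kernel error (below the crit threshold) stay local. Order matters: writing `authpriv.*` before `*.crit` would let the wildcard rule clamp authpriv back down to crit.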

Comparison with SNMP Traps

By means of SNMP, network administrators can monitor and control device performance and even remotely configure and diagnose problems. Its use is recommended for defined events, unlike syslog, which is recommended for general events.

Now let’s discuss the SNMP advantages and disadvantages compared to syslog:

Advantages:

  1. Easy implementation and configuration, since it does not require a complex infrastructure or a large amount of resources to operate.
  2. Support for multiple devices and manufacturers: it is independent of the computer or device vendor, so it can be used across different brands and models.
  3. Proactive, real-time monitoring of the state and performance of network devices, making it easier to take measures before the network suffers a performance hit or a service interruption.
  4. Efficient bandwidth use, since data are only sent and received when a significant change takes place on the device, avoiding network flooding and improving overall performance.
  5. Wide availability of management tools that support SNMP, which streamlines device supervision and management. Today's tools offer more intuitive interfaces and advanced features that make the network administrator's job easier.

Drawbacks:

  1. Lack of advanced security features such as intrusion detection or protection of sensitive data, which can become a critical issue for the organization.
  2. Performance and scalability limitations, particularly as digital ecosystems grow in size and complexity, making it harder for a single SNMP solution to handle high data volumes and large numbers of devices.
  3. Dependence on stable, reliable network connectivity: outages or connection failures impair SNMP's ability to monitor and manage devices.
  4. Limited application monitoring, since SNMP has no built-in way to retrieve data about internal application performance.
  5. Need for additional configuration on each device, which costs the network administration team extra time and effort.

Which leads us to say that SNMP does contribute to network device monitoring and management, but there are security, performance and scalability limitations.

FAQ about Syslog

What is syslog?

Syslog is a protocol for sending data about devices and their status to a central location for storage, analysis and management. Messages follow a standard format and use facility codes and severity levels to identify the source and urgency of each message. Syslog facilitates the exchange of log information and compatibility between different operating systems. Its limitations include the possibility of losing messages when devices are disconnected from the network, and security weaknesses when messages travel over plain, unencrypted transport.

How do Syslog ports work on servers?

A syslog server listens on UDP port 514 (the traditional transport), on TCP port 514 or 601 for plain TCP, and on TCP port 6514 for syslog over TLS, and accepts the syslog events that devices send to it. Messages follow a protocol such as RFC 5424, which defines event notification messages in a layered architecture. The protocol is designed to be independent of the message transport and can be used over UDP, TCP or any other transport protocol.

How to see syslog messages?

To see syslog messages, install a syslog server on a server or workstation on the same network as the device. There are free syslog servers such as Kiwi Syslog Server, compatible with Windows Server 2008 and 2012, Windows 8.1 and Windows 10, and Pandora FMS Log Server, also free. These tools not only collect logs for central storage but also let you set real-time alerts.

How to enable or disable multi-device syslog?

Since most manufacturers already include syslog support in their equipment and devices, to enable syslog across a range of devices you can use automation script templates (Configlets): select the device vendor and choose whether to activate or deactivate syslog. The same script templates can be used to start forwarding syslog messages immediately.

Can one tool have global visibility?