header banner

Our funding comes from our readers, and we may earn a commission if you make a purchase through the links on our website.

What is Syslog, including Linux and Windows Servers, Ports and more.

What is Syslog and port number

Jeff Parker UPDATED: August 19, 2021

Syslog, is a standardized way (or Protocol) of producing and sending Log and Event information from Unix/Linux and Windows systems (which produces Event Logs) and Devices (Routers, Firewalls, Switches, Servers, etc) over UDP Port 514 to a centralized Log/Event Message collector which is known as a Syslog Server.

One of the main reasons Syslog was so widely accepted throughout the industry was because of its simplicity – There is little to no uniformity or standardization when it comes to the content that a Device, Server or Operating system is written and sends log information.

It simply sends and transports messages over Syslog protocol with no acknowledgement of receipt (hence the use of UDP).

Furthermore, there is no complex requirements between the Sending device and Receiving/Collecting Server, as Syslog messages are simply just sent regardless if there is a Receiver configured on the other end or not.

Kiwi Syslog Free

The Basics

Definition and Overview

Syslog stands for “System Logging Protocol,” and is used on Devices such as routers, switches, firewalls, wifi access points, Unix/Linux Servers (Windows servers use Event Logs, which can be used in conjunction with a Syslog server) and other network devices.

It is used to store events or log messages locally within the device and send the Event/Log Information to a Collector (otherwise known as a Syslog Server) to collect, organize and filter all the logs and data.

Simply, a Server or other Network device on your network can be Configured to generate Syslog/Event Messages and forward them to a Syslog Server (or Daemon), which then allows network administrators to track and monitor those networked devices of any issues or problems that need to be attended to immediately.

A message/event is sent from the Device to a collector (or Server) using UDP, which is a connection-less protocol.

Messages are usually text and usually no larger than 1024 bytes.

Since they are sent using UDP, no receipt of transmission or arrival is sent to the originator, which means that if a packet gets lost during transmission, its gone!

A Server/Daemon allows you to collect, filter, organize, setup alerts for certain events from one location within your network.

Having all the log information data in one place also gives you the ability to create elaborate reports, diagrams and charts to visualize certain aspects of your systems and infrastructure.

Port and OSI Layer

Syslog is part of the Transport layer in the OSI Model, using User Datagram Protocol (UDP) to transport/transfer information across the network.

Syslog Port Number: UDP 514

Syslog Server/Daemon or Collector

The Server/Daemon listens for Syslog messages being sent to it, but unlike other monitoring protocols, such as SNMP, the server cannot Request information to be sent from a Device, as the protocol does not support that type of behavior.

Simply, its like watching Live Television, what they show you on Live TV is what you get, you cannot request for them to show you anything else, its a one-way broadcast.

Its recommended that Syslog Servers be heavily equipped with large amounts of Disk space, CPU and Memory for running larger reports and having a lengthy history of logs from multiple devices, as well as keeping older events/logs for historical purposes.

Collecting, compiling and calculating large amounts of data, along with configuring alerts and monitors is a very important part of making sure you know the status of your network and the components that make it up.

What Makes a Syslog Message/Packet

A Syslog Packet is made up of 3 parts and cannot exceed 1,204 bytes (or 1 Kb):

  1. PRI – Priority Value
  2. HEADER – Header
  3. MSG – Message

PRI – Priority Value

The Priority Value is the first part of the Syslog Message, spanning exactly either 3, 4 or 5 characters and bound by Angle Brackets (“<” and “>”), and represents the Facility and theSeverity of the message.

Priority Values are calculated as follows: Facility Value * 8 + Severity Value = Priority Value

For example: if you get a “Mail System” Facility, the value is 2, and a Severity Value of 1 (Alert: action must be taken immediately), then the Priority Value = <17> (priority values are enclosed in Angle brackets, or in between less-than and greater-than brackets).

Facility and Severity values are coded Numerically with Decimal Values and have the following values assigned to them.

Facility Codes

Facility Codes is a component of either an application or operating system that generates a Log/Event Message from the table below:

Numerical Code Facility
0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security/authorization messages
5 messages generated internally by syslogd
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon
10 security/authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon
16 local use 0
17 local use 1
18 local use 2
19 local use 3
20 local use 4
21 local use 5
22 local use 6
23 local use 7

Reference: http://www.ietf.org/rfc/rfc3164.txt

Severity Codes

Severity Codes is a numerical code or number that tranlates into a Severity Level or message. A list of Numerical Codes and its corresponding message are highlighted in the table below:

Numerical Code Severity
0 Emergency: System is Unusable
1 Alert: Action must be taken immediately
2 Critical: Critical Conditions
3 Error: Error Conditions
4 Warning: Warning Conditions
5 Notice: Normal but Significant Condition
6 Informational: Informational messages
7 Debug: Debug-Level messages

Reference: http://www.ietf.org/rfc/rfc3164.txt

Header

The header portion of a Syslog packet contains the following informatin:

  1. Timestamp – the Combination of the DATE and TIME that the message was initially generated (based on each individuals systems' time). Be sure that each system's time is in sync in order to maintain proper timestamps.
  2. Hostname or IP Addresss of the Network Device

MSG – (Message portion of the Packet)

The last part of the Syslog packet is the MSG, which will use the remainder of the available space of a packet. The MSG will contain information generated by the device with information regarding the log or event. The MSG contains 2 fields as well:

  1. TAG – indicates the Process or Program that has triggered or generated the message.
  2. CONTENT – contains details of the message.

 

Kiwi Syslog Download

Checkout our related articles here:

Event Log Forwarding (Windows)

Kiwi Syslog Server Review

PRTG Syslog Server Review

SNMP Syslog Watcher Review

6 Free Syslog Servers for Windows/Linux

footer banner