Syslog is a standardized way (or protocol) of producing and sending log and event information from Unix/Linux and Windows systems (which produce Event Logs) and devices (routers, firewalls, switches, servers, etc.) over UDP port 514 to a centralized log/event message collector, known as a Syslog Server.
One of the main reasons Syslog was so widely accepted throughout the industry is its simplicity: there is little to no uniformity or standardization in the content of the log information that a device, server or operating system writes and sends.
It simply sends and transports messages over the Syslog protocol with no acknowledgement of receipt (hence the use of UDP).
Furthermore, there are no complex requirements between the sending device and the receiving/collecting server, as Syslog messages are simply sent regardless of whether a receiver is configured on the other end or not.
Definition and Overview
Syslog stands for “System Logging Protocol,” and is used on Devices such as routers, switches, firewalls, wifi access points, Unix/Linux Servers (Windows servers use Event Logs, which can be used in conjunction with a Syslog server) and other network devices.
It is used to store events or log messages locally within the device and to send the event/log information to a collector (otherwise known as a Syslog Server), which collects, organizes and filters all the logs and data.
Simply put, a server or other network device on your network can be configured to generate Syslog/event messages and forward them to a Syslog Server (or daemon), which then allows network administrators to track and monitor those networked devices for any issues or problems that need to be attended to immediately.
A message/event is sent from the Device to a collector (or Server) using UDP, which is a connection-less protocol.
Messages are plain text and usually no larger than 1024 bytes.
Since they are sent using UDP, no receipt of transmission or arrival is sent to the originator, which means that if a packet gets lost during transmission, it's gone!
A server/daemon allows you to collect, filter, organize and set up alerts for certain events from one location within your network.
Having all the log information in one place also gives you the ability to create elaborate reports, diagrams and charts to visualize certain aspects of your systems and infrastructure.
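The fire-and-forget transport described above can be seen directly from code. The following is an added example (not part of the original article) that assembles a Syslog datagram, sends it over UDP with no acknowledgement, and shows that a send to a port where nothing listens still "succeeds". The hostname, tag and message text are constructed sample values, and the demo collector binds an ephemeral loopback port instead of the real port 514 so it runs without privileges.

```python
import socket
from datetime import datetime

MAX_SYSLOG_BYTES = 1024  # packet limit quoted in the article

# Constructed sample timestamp so the output is reproducible
SAMPLE_TIME = datetime(2024, 1, 5, 3, 4, 5)


def build_message(facility, severity, hostname, tag, content, timestamp=None):
    """Assemble a traditional Syslog datagram: <PRI>TIMESTAMP HOSTNAME TAG: CONTENT."""
    if not 0 <= facility <= 23:
        raise ValueError("facility must be 0..23")
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0..7")
    pri = facility * 8 + severity  # Facility * 8 + Severity, per the article
    ts = timestamp or datetime.now()
    # Traditional timestamp form "Mmm dd hh:mm:ss" with a space-padded day
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    msg = f"<{pri}>{stamp} {hostname} {tag}: {content}"
    data = msg.encode("ascii", errors="replace")
    # Truncate rather than fail: an oversized datagram would be cut or dropped anyway
    return data[:MAX_SYSLOG_BYTES]


def send_syslog(data, host="127.0.0.1", port=514):
    """Fire-and-forget: sendto() returns the byte count; no receipt ever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(data, (host, port))


def sample_message():
    """Mail facility (2), Alert severity (1): PRI 17, as in the article's example."""
    return build_message(2, 1, "mailhost", "postfix[1234]", "queue full", SAMPLE_TIME)


def loopback_demo():
    """Run a throwaway collector on an ephemeral loopback port and receive one message."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as collector:
        collector.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
        collector.settimeout(2.0)
        port = collector.getsockname()[1]
        send_syslog(sample_message(), "127.0.0.1", port)
        received, _ = collector.recvfrom(MAX_SYSLOG_BYTES)
        return received.decode("ascii")


def send_without_listener():
    """Sending to a port nobody listens on still returns success: UDP has no receipt."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as probe:
        probe.bind(("127.0.0.1", 0))
        unused_port = probe.getsockname()[1]
    # probe is closed here, so no process is bound to unused_port any more
    data = sample_message()
    return send_syslog(data, "127.0.0.1", unused_port) == len(data)


if __name__ == "__main__":
    print("collector received:", loopback_demo())
    print("send with no listener reported success:", send_without_listener())
```

The sender never learns whether the collector was up, whether the datagram was dropped, or whether it was truncated; that is exactly why the article recommends keeping every system's clock in sync and sizing the collector generously, since nothing else will tell you a message went missing.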
Port and OSI Layer
Syslog is part of the Transport layer in the OSI Model, using the User Datagram Protocol (UDP) to transfer information across the network.
Syslog Port Number: UDP 514
Syslog Server/Daemon or Collector
The server/daemon listens for Syslog messages being sent to it, but unlike other monitoring protocols, such as SNMP, the server cannot request information from a device, as the protocol does not support that type of behavior.
Simply put, it's like watching live television: what they show you on live TV is what you get, and you cannot ask them to show you anything else; it's a one-way broadcast.
It's recommended that Syslog Servers be heavily equipped with large amounts of disk space, CPU and memory for running larger reports and keeping a lengthy history of logs from multiple devices, as well as retaining older events/logs for historical purposes.
Collecting, compiling and analyzing large amounts of data, along with configuring alerts and monitors, is a very important part of making sure you know the status of your network and the components that make it up.
What Makes a Syslog Message/Packet
A Syslog packet is made up of 3 parts and cannot exceed 1,024 bytes (1 KB):
- PRI – Priority Value
- HEADER – Header
- MSG – Message
PRI – Priority Value
The Priority Value is the first part of the Syslog message, spanning exactly 3, 4 or 5 characters and bound by angle brackets ("<" and ">"), and represents the Facility and the Severity of the message.
Priority Values are calculated as follows: Facility Value * 8 + Severity Value = Priority Value
For example: if you get a "Mail System" Facility, the value is 2, and a Severity Value of 1 (Alert: action must be taken immediately), then the Priority Value = <17> (priority values are enclosed in angle brackets, i.e. between less-than and greater-than signs).
Facility and Severity values are coded numerically with decimal values and have the following values assigned to them.
A Facility Code identifies the component of an application or operating system that generated a log/event message, from the table below:
| Code | Facility |
| --- | --- |
| 5 | messages generated internally by syslogd |
| 6 | line printer subsystem |
| 7 | network news subsystem |
| 16 | local use 0 |
| 17 | local use 1 |
| 18 | local use 2 |
| 19 | local use 3 |
| 20 | local use 4 |
| 21 | local use 5 |
| 22 | local use 6 |
| 23 | local use 7 |
A Severity Code is a numerical code that translates into a Severity Level or message. The numerical codes and their corresponding messages are listed in the table below:
| Code | Severity |
| --- | --- |
| 0 | Emergency: System is unusable |
| 1 | Alert: Action must be taken immediately |
| 2 | Critical: Critical conditions |
| 3 | Error: Error conditions |
| 4 | Warning: Warning conditions |
| 5 | Notice: Normal but significant condition |
| 6 | Informational: Informational messages |
| 7 | Debug: Debug-level messages |
HEADER – Header
The header portion of a Syslog packet contains the following information:
- Timestamp – the combination of the DATE and TIME at which the message was initially generated (based on each individual system's clock). Be sure that each system's time is in sync in order to maintain proper timestamps.
- Hostname or IP Address of the network device
MSG – (Message portion of the Packet)
The last part of the Syslog packet is the MSG, which uses the remainder of the available space in the packet. The MSG contains information generated by the device regarding the log or event, and is itself made up of 2 fields:
- TAG – indicates the process or program that triggered or generated the message.
- CONTENT – contains the details of the message.
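Putting the three parts together, here is an added example (not code from the original article) of a small collector-side parser that splits a received datagram into PRI, HEADER and MSG, decodes the Facility and Severity with the `Facility * 8 + Severity` rule from the PRI section above, and enforces the 1,024-byte limit. The sample datagrams are constructed; the facility name table covers only the codes the article lists (plus "mail system" from its worked example) and reports any other facility numerically.

```python
import re

MAX_SYSLOG_BYTES = 1024  # packet limit the article describes

SEVERITIES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}

# Names only for the facility codes the article mentions; others stay numeric
FACILITIES = {
    2: "mail system",
    5: "messages generated internally by syslogd",
    6: "line printer subsystem",
    7: "network news subsystem",
    **{16 + n: f"local use {n}" for n in range(8)},
}

# PRI: "<" + decimal without leading zeros + ">", 3 to 5 characters in total
_PRI_RE = re.compile(r"^<(0|[1-9]\d{0,2})>")
# HEADER: "Mmm dd hh:mm:ss HOSTNAME " with a space-padded day, then the MSG
_HEADER_RE = re.compile(
    r"^([A-Z][a-z]{2}) ( \d|\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)\Z", re.DOTALL)
# TAG: program name, optional "[pid]", then ":" and an optional space before CONTENT
_TAG_RE = re.compile(r"^([A-Za-z0-9_.-]{1,32})(?:\[(\d+)\])?:\s?")


def parse_syslog(datagram: bytes) -> dict:
    """Split one received datagram into its PRI, HEADER and MSG fields."""
    if len(datagram) > MAX_SYSLOG_BYTES:
        raise ValueError(f"datagram exceeds {MAX_SYSLOG_BYTES} bytes")
    text = datagram.decode("ascii", errors="replace").rstrip("\r\n")

    m = _PRI_RE.match(text)
    if not m:
        raise ValueError("missing or malformed PRI")
    pri = int(m.group(1))
    if pri > 23 * 8 + 7:  # highest legal value: local use 7, Debug
        raise ValueError(f"PRI {pri} out of range (max 191)")
    facility, severity = divmod(pri, 8)  # inverse of Facility * 8 + Severity

    h = _HEADER_RE.match(text[m.end():])
    if not h:
        raise ValueError("malformed HEADER (expected 'Mmm dd hh:mm:ss HOSTNAME')")
    month, day, clock, hostname, msg = h.groups()

    t = _TAG_RE.match(msg)
    if t:
        tag, pid, content = t.group(1), t.group(2), msg[t.end():]
    else:
        tag, pid, content = None, None, msg  # no recognizable TAG: treat all as CONTENT

    return {
        "pri": pri,
        "facility": facility,
        "facility_name": FACILITIES.get(facility, f"facility {facility}"),
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "timestamp": f"{month} {day} {clock}",  # no year on the wire; collector must supply it
        "hostname": hostname,  # sender-supplied, not verified against the source address
        "tag": tag,
        "pid": pid,
        "content": content,
        # Flag control characters so a viewer does not render them into a terminal as-is
        "control_chars": any(not ch.isprintable() for ch in content),
    }


def is_well_formed(datagram: bytes) -> bool:
    """True when the datagram parses; useful for counting rejected input at the collector."""
    try:
        parse_syslog(datagram)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: the article's mail/Alert example and a local4/Notice message
    for sample in (b"<17>Jan  5 03:04:05 mailhost postfix[1234]: queue full",
                   b"<165>Aug 24 05:34:00 router1 sshd: Failed password"):
        print(parse_syslog(sample))
```

Two fields deserve a second look on the collector side: the timestamp carries no year and comes from the sender's clock (hence the article's advice to keep clocks in sync), and the hostname is whatever the sender put on the wire, so a collector that wants to trust it should compare it with the datagram's source address.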