Syslog Servers 101: Five Log Management Best Practices

A Syslog server lets you collect error and system logs in a single location.  It can also be used to reconstruct and correlate events across multiple systems during forensic investigations.

Syslog clients traditionally use UDP to deliver messages to Syslog servers.  Centralizing those messages is the best way to analyze your data.  Operating systems and applications generate messages, as do printers, hubs, routers, switches, and some workstations.  The volume of data can be overwhelming if you can’t see it in one central Syslog server for storage and review.

The Syslog Messaging Format

The Syslog format is comprised of three parts:

PRI

PRI establishes the priority level of the message from debug to emergency.  It also details the facility levels to distinguish the program or part of the system that produced the logs.

HEADER

The header is made of the TIMESTAMP and the HOSTNAME.  These establish when the message was generated and which machine sent the log.

MSG

This is where the body of the message is saved.  It will contain information about the event, divided into a TAG and CONTENT field.

Your Syslog server can be set up to sort messages based on various triggers, such as priority events.  Here are the typical priority codes:


NUMERICAL VALUE   PRIORITY      KEYWORD
0                 EMERGENCY     emerg
1                 ALERT         alert
2                 CRITICAL      crit
3                 ERROR         err
4                 WARNING       warning
5                 NOTICE        notice
6                 INFORMATION   info
7                 DEBUG         debug
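The three-part layout above (PRI, HEADER, MSG) and the priority table are enough to write a small decoder.  The following Python is an added example, not code from the article or from WhatsUp Gold: it parses BSD-style syslog lines, splits PRI into facility and severity (PRI = facility * 8 + severity, as defined in RFC 3164), separates TAG from CONTENT, and keeps only messages at or above a chosen severity, which is the kind of priority trigger the text describes.  The sample lines and host names are constructed for the demonstration.

```python
import re
from typing import Optional

# Severity keywords in numeric order (0 = emerg ... 7 = debug), as in the table above.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility codes 0-23 as named in RFC 3164 (12-15 are NTP, log audit, log alert, clock).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              ] + [f"local{i}" for i in range(8)]

# <PRI>TIMESTAMP HOSTNAME MSG  (BSD syslog layout; TIMESTAMP is "Mmm dd hh:mm:ss")
_LINE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
# MSG = TAG[pid]: CONTENT; the TAG is at most 32 alphanumeric characters.
_MSG = re.compile(r"^([A-Za-z0-9_-]{1,32})(?:\[(\d+)\])?:?\s*(.*)$")

def decode_pri(pri: int) -> tuple:
    """PRI = facility * 8 + severity, so the low three bits carry the severity."""
    facility, severity = divmod(pri, 8)
    if facility >= len(FACILITIES):
        raise ValueError(f"facility {facility} out of range")
    return FACILITIES[facility], SEVERITIES[severity]

def parse_syslog(line: str) -> Optional[dict]:
    """Split one BSD syslog line into PRI, HEADER and MSG fields; None if malformed."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        return None
    facility, severity = decode_pri(pri)
    tag_match = _MSG.match(m.group(4))
    tag, pid, content = tag_match.groups() if tag_match else (None, None, m.group(4))
    return {"facility": facility, "severity": severity, "timestamp": m.group(2),
            "hostname": m.group(3), "tag": tag, "pid": pid, "content": content}

def at_or_above(lines, threshold: str) -> list:
    """Keep messages whose severity is at least `threshold` (e.g. "err").
    Lower severity numbers are MORE urgent, so the comparison is <=."""
    limit = SEVERITIES.index(threshold)
    parsed = (parse_syslog(ln) for ln in lines)
    return [p for p in parsed if p and SEVERITIES.index(p["severity"]) <= limit]

# Constructed sample lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE = [
    "<34>Oct 11 22:14:15 fw01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51234",
    "<13>Oct 11 22:14:16 app01 myapp: user login ok",
    "<191>Oct 11 22:14:17 db01 postgres[77]: checkpoint complete",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    for rec in at_or_above(SAMPLE, "err"):
        print(rec["severity"], rec["facility"], rec["hostname"], rec["tag"], rec["content"])
```

Note that a filter "at or above err" keeps severities 0 through 3; mixing up the direction of the numeric scale is a common mistake when building priority triggers.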

Syslog Server Components

Syslog servers are made up of three main components:

Syslog Listener

The Syslog listener gathers and processes the data sent over UDP.

Syslog Database

This is where the Syslog server stores messages and data for quick retrieval and sorting.

Syslog Management

The software you use to manage your Syslog server is your best friend.  Let the automation sort and filter Syslog messages to surface those that need your attention.  This software will generate alarms, alerts, and notifications so you can respond quickly when there’s a problem.

Syslog Server Best Practices

When using Syslog to build your logging architecture, it’s important that you have reliable communication protocols.  User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) can be used, but there are differences in the way the two operate.  UDP sends messages but does not provide any guarantee the data will be delivered, and it has no way to retransmit data that is corrupted or lost in transit.  TCP is considered the more reliable protocol: it is connection-oriented, acknowledges delivered data, and retransmits anything that is lost.

Here are some of the other best practices:

  1. Configure your hosts with the Network Time Protocol (NTP) to make sure your servers are synchronized.   This puts consistent timestamps on your messages and is especially important for real-time log debugging.
  2. Make sure your logs are secure.  This means encrypting your Syslog messages to make sure only authenticated users have access to information and that threat actors are less likely to be able to manipulate them.  Since you will have many devices that generate data, you should funnel all of your log data to a dedicated host that is hardened.
  3. Across your network, you can log almost any event.  It’s easy to generate an abundance of messages that are then easy to ignore.  Avoid overlogging, and sort messages so that the most important ones get your attention.
  4. You should back up your log data regularly.  You may need to do this for compliance or audit purposes.  If there is a problem, it helps to review historical data.  If you don’t back them up, someone with malicious intent could prevent access or delete log data.
  5. Use a separate file system for key components for quick identification.  For example, separate OS-related file systems from those used for applications.
  6. Many IT teams rotate their logs when they hit a certain age.  Regardless of your preference, it is important to set up standard log retention policies.

Free Syslog Software

WhatsUp Gold’s free Syslog server lets you easily collect and view Syslog messages from anywhere on the network.  You can filter and sort Syslog messages by hostname, IP address, or message contents.  Messages can be forwarded and received via TCP and/or UDP protocols. You can also write messages directly to the Windows Event Log file and create flexible rules for processing.

You can also upgrade to WhatsUp Log Management Suite.  This allows you to collect Syslog and Windows event logs across your network, store information, protect log files, and generate compliance reports.
