In today's digital age, it's more important than ever to have a reliable system in place for logging events and errors that occur across your IT infrastructure. This is where syslog comes in. In this blog post, we'll explore what syslog is, how it works, and why it's essential for modern IT operations.

Note: you can also read about Syslog Basics on our Documentation website.

What is Syslog?

Syslog is a protocol used to send event messages from network devices, such as routers, switches, and servers, to a central server for storage and analysis. The term "syslog" is derived from the words "system logging," and it was first introduced in 1980 as part of the UNIX operating system.

How Does Syslog Work?

Syslog works by creating log messages that are sent over the network to a centralized syslog server. The messages contain information about events that have occurred on a device, such as system errors, network activity, and security incidents.

When a device generates a syslog message, it includes information about the severity of the event, the date and time it occurred, the device that generated the message, and a description of the event. The message is then transmitted to the syslog server using either the User Datagram Protocol (UDP) or the Transmission Control Protocol (TCP).

Once the syslog server receives the message, it parses it and stores the data in a database for analysis. Administrators can then use specialized software to search, sort, and analyze the data to troubleshoot problems, identify trends, and improve system performance.

Why is Syslog Essential?

Syslog is essential for modern IT operations for several reasons:

  1. Centralized Logging: Syslog provides a centralized location for logging events across all devices in an IT infrastructure. This makes it easier for administrators to monitor and manage system events and troubleshoot problems quickly.
  2. Improved Security: Syslog helps to improve system security by providing a centralized location for storing security-related events. By analyzing syslog data, administrators can detect security incidents and take action to prevent future breaches.
  3. Compliance: Many regulatory requirements, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA), require organizations to log and monitor events. Syslog provides a centralized location for storing and analyzing logs, helping organizations meet these compliance requirements.
  4. Performance Monitoring: Syslog can be used to monitor system performance and identify issues before they become critical. By analyzing syslog data, administrators can identify trends, track resource usage, and optimize system performance.

Why Syslog and not just SNMP?

Valid question, as there are a lot of network management tools that use Simple Network Management Protocol (SNMP). SNMP has a polling component that queries devices to read Object Identifier (OID) values and feed them back into a centralized tool, usually for performance-based metrics. SNMP can also send TRAPs, which are alerts raised when defined thresholds on OID values are crossed. All good stuff, but did you know that Cisco's IOS has only 90 defined SNMP TRAPs but more than 35,000 possible syslog messages?

When there is a problem, the first place most good engineers and admins go to is the logs. This is because there is more, and better, information there, and usually something that will tell you what has happened, who did what, or why you're having a problem. Some examples of data that you can get from syslog on networking devices include things like:

  • Port Duplex Mismatch
  • BGP, OSPF, MPLS or any other routing protocol status
  • Authentication
  • Connectivity and link data
  • and thousands more

One of the primary reasons some organizations don't use logging as their "front of the line" management tool (but should!) is the sheer number of messages being processed. Until recently, there was just too much log data to use effectively, and the processing capacity needed to search across terabytes of log data was not readily available.

The Syslog Protocol

Syslog was originally developed in the 80's by Eric Allman as part of the Sendmail project and is now standardized within the syslog working group of the IETF. Syslog messages (RFC 3164) can be sent via UDP (port 514) and/or TCP. The data is typically sent in clear text (but there are ways to encrypt it). Syslog has a sender and a receiver. The syslog sender sends a small (less than 1KB) text message to the syslog receiver. The receiver is commonly called "syslogd", "syslog daemon" or "syslog server". The format of the syslog message should contain five distinct fields with the following information:

  • Facility
  • Severity
  • Hostname
  • Timestamp
  • Message
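To make the sender/receiver exchange concrete, here is an added example (not code from the original post or from LogZilla) that assembles the five fields into one RFC 3164 datagram and pushes it across loopback UDP to a throwaway receiver. The facility, severity, hostname, timestamp and message text are constructed values; the receiver binds an OS-chosen port because the real 514 needs root.

```python
import socket
from datetime import datetime

# Constructed example values for this post: local7 (23) is the facility Cisco
# devices default to, severity 3 is "error"; the hostname and text are made up.
EXAMPLE_WHEN = datetime(2023, 3, 8, 9, 5, 7)
EXAMPLE_HOST = "router1"
EXAMPLE_TEXT = "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity, so it ranges 0..191 (RFC 3164 section 4.1.1)."""
    if not 0 <= facility <= 23:
        raise ValueError(f"facility {facility} outside 0-23")
    if not 0 <= severity <= 7:
        raise ValueError(f"severity {severity} outside 0-7")
    return facility * 8 + severity


def format_timestamp(when: datetime) -> str:
    """RFC 3164 TIMESTAMP: 'Mmm dd hh:mm:ss' with the day space-padded ('Mar  8')."""
    return f"{when:%b} {when.day:2d} {when:%H:%M:%S}"


def build_rfc3164_message(facility: int, severity: int, hostname: str,
                          text: str, when: datetime) -> bytes:
    """Assemble the five fields into one datagram: <PRI>TIMESTAMP HOSTNAME MESSAGE."""
    pri = encode_pri(facility, severity)
    packet = f"<{pri}>{format_timestamp(when)} {hostname} {text}".encode("ascii")
    if len(packet) > 1024:            # RFC 3164 caps a packet at 1024 bytes
        raise ValueError("syslog packet exceeds 1024 bytes")
    return packet


def loopback_round_trip(packet: bytes, timeout: float = 2.0) -> tuple:
    """Play both sides: a throwaway receiver bound to 127.0.0.1 on an OS-chosen
    port and a sender that fires one UDP datagram at it, the way a device would
    at a collector.  Returns the bytes received and the source address seen."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as receiver, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
        receiver.bind(("127.0.0.1", 0))
        receiver.settimeout(timeout)
        port = receiver.getsockname()[1]
        sender.sendto(packet, ("127.0.0.1", port))
        data, (sender_addr, _) = receiver.recvfrom(1024)
    return data, sender_addr


def example() -> dict:
    """Build the constructed message above and push it across loopback."""
    sent = build_rfc3164_message(23, 3, EXAMPLE_HOST, EXAMPLE_TEXT, EXAMPLE_WHEN)
    received, sender_addr = loopback_round_trip(sent)
    return {"sent": sent, "received": received, "sender_addr": sender_addr}


if __name__ == "__main__":
    result = example()
    print(result["sent"].decode())
    print("received intact:", result["received"] == result["sent"])
```

Two things the round trip makes visible: the receiver gets the message exactly as typed, in clear text, and the only thing it learns about the sender is the datagram's source address, which UDP does nothing to authenticate. A collector should therefore treat the hostname and text as untrusted input, and the encryption the post alludes to is what closes the clear-text exposure on the wire.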

Syslog Message Facility

Syslog messages are broadly categorized on the basis of the source that generated them, such as the OS, a process or an application. The facility is represented as an integer ranging from 0-23; Cisco devices use the local facility range 16-23 (local0 – local7).

Syslog Message Severity

The log source (such as a router) which generates the syslog message also specifies the severity of the message using a single-digit integer 0–7. Most networking devices will use log levels 0-6, with level 7 used for console troubleshooting. The codes are generally defined as:

[Table: Syslog Message Severities]

Syslog Message Hostname

The hostname field consists of the host name (as configured on the host itself) or the IP address. In devices such as routers or firewalls, which use multiple interfaces, syslog uses the IP address of the interface from which the message is transmitted (unless otherwise configured using the logging source command). Some people get confused by host name and hostname. Hostname is typically associated with a DNS lookup. If the syslog message contains a host name, it may be (and often is) different from the actual DNS hostname of the device.

Syslog Message Timestamp

The local time of the device when the message was generated, in MMM DD HH:MM:SS format.

Note: * and . characters preceding a Cisco syslog message are indicators of a problem with NTP. The * means that the time is not authoritative: the software clock is not in sync or has never been set. The . means that the time is authoritative but NTP is not synchronized: the software clock was in sync but has since lost contact with all configured NTP servers.

Syslog Message Text

This is the text of the syslog message, along with some additional information about the process that generated it. Some vendors also include convenient mnemonics in the message to make parsing easier. Messages generated by Cisco IOS devices begin with a percent sign (%) and use the following format: FACILITY-SEVERITY-MNEMONIC: Message-text. The Cisco mnemonic is a device-specific code that uniquely identifies the message, such as up, down, changed, config, etc. The Facility in Cisco mnemonics is not the same as the IETF definition of facility (such as local7). Cisco facility mnemonics are a free-form method of identifying the source message type, such as SYS, IP, LDP, L2, MEM, FILESYS, DOT11, LINEPROTO, etc. (the list is very large).
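The facility, severity, hostname, timestamp and message-text sections above all describe pieces of one datagram, so one parser serves them all. The following is an added example, not code from the original post or from LogZilla: it splits an RFC 3164 message into those fields, decodes PRI into the IETF facility and severity names, reads the Cisco NTP indicator in front of the timestamp, and pulls the %FACILITY-SEVERITY-MNEMONIC out of the text when present. The sample datagrams are constructed (hostnames, addresses and times are made up), the short facility names are the common ones rather than anything the post defines, and the Cisco pattern assumes the facility and mnemonic tokens are upper-case letters, digits and underscores.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Common short names for the IETF facilities 0-23 and severities 0-7
# (RFC 3164 section 4.1.1); 16-23 are local0-local7.
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
                  ] + [f"local{i}" for i in range(8)]
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# Meaning of the clock indicator Cisco IOS puts in front of the timestamp.
NTP_INDICATOR = {"": "authoritative", "*": "not-authoritative", ".": "ntp-lost"}

# <PRI>, optional Cisco NTP indicator, 'Mmm dd hh:mm:ss', hostname, rest of line.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ntp>[*.]?)"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$", re.DOTALL)

# Cisco IOS message text: %FACILITY-SEVERITY-MNEMONIC: text (assumed token shape).
CISCO_RE = re.compile(
    r"^%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s?(?P<text>.*)$", re.DOTALL)


@dataclass
class SyslogMessage:
    facility: int
    facility_name: str
    severity: int
    severity_name: str
    timestamp: str
    time_trust: str
    hostname: str
    message: str
    cisco: Optional[dict] = None     # filled in when the text carries a Cisco mnemonic


def parse_rfc3164(raw: bytes) -> SyslogMessage:
    """Split one datagram into the fields described in the post."""
    line = raw.decode("ascii", errors="replace").rstrip("\r\n")
    if not line.startswith("<"):
        line = "<13>" + line         # no PRI: RFC 3164 4.3.3 says treat it as user.notice
    m = RFC3164_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError(f"PRI {pri} outside 0-191")
    facility, severity = divmod(pri, 8)

    cisco = None
    cm = CISCO_RE.match(m["msg"])
    if cm:
        cisco = {
            "facility": cm["fac"],          # Cisco's own facility tag, not the IETF one
            "severity": int(cm["sev"]),
            "mnemonic": cm["mnem"],
            "text": cm["text"],
            # The severity embedded in the mnemonic should agree with the PRI;
            # a mismatch is worth flagging rather than silently trusting either.
            "matches_pri": int(cm["sev"]) == severity,
        }
    return SyslogMessage(facility, FACILITY_NAMES[facility], severity,
                         SEVERITY_NAMES[severity], m["ts"], NTP_INDICATOR[m["ntp"]],
                         m["host"], m["msg"], cisco)


# Constructed sample datagrams (hostnames, addresses and times are made up).
SAMPLES = [
    b"<189>Mar  8 09:05:07 router1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    b"<187>*Mar  1 00:01:12 switch2 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    b"<38>Mar  8 09:06:00 host9 sshd[1234]: Failed password for invalid user test from 198.51.100.7 port 4242 ssh2",
    b"Mar  8 09:07:30 host9 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
    b"<190>.Mar  8 09:08:45 router1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
]


def parse_samples() -> list:
    return [parse_rfc3164(s) for s in SAMPLES]


if __name__ == "__main__":
    for msg in parse_samples():
        print(f"{msg.facility_name}.{msg.severity_name:<13} {msg.time_trust:<17} "
              f"{msg.hostname:<8} {msg.cisco['mnemonic'] if msg.cisco else '-'}")
```

The second sample shows why the NTP indicator matters to an investigator: a message stamped with * carries a time that was never set, so it cannot be correlated with other sources until the device's clock is fixed. The last sample deliberately carries a PRI severity (6) that disagrees with the severity in its mnemonic (5); the parser keeps both and flags the mismatch instead of picking one.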

Conclusion

Syslog is a critical component of modern IT operations. It provides a centralized location for storing and analyzing event logs from network devices, making it easier for administrators to monitor and manage system events, improve security, meet compliance requirements, and optimize system performance. By implementing syslog in your IT infrastructure, you can improve visibility into your network, enhance security, and improve system performance.

Posted March 8, 2023 in LogZilla University category
