What are Syslogs and Syslog server?
In this article, we will learn about what are Syslogs & Syslog server, and when to use them?
Syslog is a logging protocol typically used by all modern networking devices to send network-related logs to a common space typically known as a Syslog Server.
The question might arise why do we need a separate server for Syslogs, is because, in a small network, it is possible to manage Syslog or logs from a few devices, but in a medium to a large network, the Syslog server is essential as it would overhead to the main processing server, and also help in getting crucial information say in case the main server fails.
Generally, Syslog messages are sent over UDP port 514, as we do not need a confirmation of the logs sent to the server, you can read more about UDP protocol here.
Now, we will learn about how does a Syslog look like and understand its structure.
As seen in the above figure, a typical Syslog contains 5 main parts:
1. Timestamp/Sequence number
2. Facility
3. Severity
4. Mnemonic
5. Description
We will learn about them in detail.
1. Timestamp: The timestamp represents the time at which the log was generated in the format (Jan 01 01:02:123,45).
2. Facility: The process (named in UNIX format) that has generated that Syslog. In the Figure below, you can see all the available facilities.
Interesting Fact: The facilities are in UNIX because the concept was first introduced in the 1980’s courtesy of Eric Allman who developed the Sendmail protocol which is the base of Syslog. At that time mostly UNIX systems were in use, hence the facilities are in UNIX based terminology.
3. Severity: Generally, the server should not be sent each type of log message, and for that severity is considered. In the Figure below, severity 0 represents the most critical or the most urgent while severity 7 is tells that it is a mere debug message.
4. Mnemonic: This is a device given message that generally describes the event, such as “UP-DOWN” which would tell us the device’s state has been changed to up. It also helps in uniquely identifying an event.
5. Description: This is the additional information provided in the Syslog such as the interface, protocol, network addresses, or port numbers etc.
Another important point is that Syslog messages cannot exceed 1 KB or 1024 bytes.
How are Syslogs used in the industry today?
Today, generally any medium/large company especially IT/networking companies have multiple networking devices which are very crucial for their daily operations. Over the years, these devices receive multiple software updates, hardware upgrades and configuration changes are applied several times. These changes many times result in errors, or in the worst scenario network shutdowns.
Therefore, the concept of logs are applied, or in the case of networking devices Syslogs. The Syslogs help the network administrator or a network engineer to identify the problems in the network, and with the help of Syslogs, he/she can pinpoint the root cause of the problem by seeing at what time, after which change and at what device the error occurred on.
Syslogs generators are typically inbuilt in the products, just need to be configured and sent to a Syslog server which brings us to the drawbacks of Syslogs.
Drawbacks of Syslogs 👎
- The first and foremost is consistency. There has never been a standard set for them, hence there are multiple ways that developers write these logs.
- Syslogs by default do not have any security measures and are sent in plaintext. If not handled securely, it can have security lapses and the information might make the organization susceptible to cyber attacks.
- The way Syslogs are transferred is using UDP protocol, which is a connection-less protocol, therefore, there is no reliability that all the log messages reach the server.