What is Syslog?

Supported by InfluxData

lines background

Syslog protocol standard defined

Short for system log monitoring, Syslog is a protocol standard that describes exactly how log messages should be both formatted and transmitted to create the most efficient workflows possible. The devices and applications that we use on a daily basis can send us invaluable data about not only their current status, but also about certain events that have occurred and even the results of diagnostics that have been performed, all of which will then be transmitted to a centralized server.

This server, called the Syslog server, is where a listener process gathers that data to be sent out over UDP or TCP depending on the situation.

The major benefit here is that Syslog allows for a certain degree of separation between the software that generates the log messages in question, the system that stores them and the additional software needed to actually report on and analyze that insight. Each message sent via Syslog is labeled with a facility code, which essentially breaks down how the message was generated. It is then assigned a severity level, all so that the people monitoring these devices can make the best and most informed decisions possible moving forward.

Syslog network monitoring overview

One of the major benefits of Syslog is that, because it's been around for decades, it is supported by most major operating systems including:

  • MacOS, Linux, Unix and others
  • Microsoft Windows (although you'll need to use one of a number of third-party tools)

That compatibility also extends in the other direction, as Syslog is also compatible with nearly any major network device you might be working with. This includes but is certainly not limited to servers, firewalls, routers and more. Anything that generates its own logs about events and statuses will probably do so using Syslog, which makes keeping track of and acting on all this information as easy as possible.

Note that Syslog messages also contain additional information like IP addresses, timestamps, the actual log message and more — all alongside those built-in severity levels ranging from "emergency" to "debugging." All of this provides critical insight for network monitoring and alerting, allowing professionals to act on certain types of events as quickly as possible.

When is Syslog used?

Engineers commonly use Syslog for both systems management and security auditing. It can also be an invaluable way to simply collect general information, analyze that data and debug messages in real time. Syslog is used whenever someone needs to consolidate all of the logging data from different types of systems into a centralized repository for easier analysis.

How Syslog works

Overall, Syslog provides a way for all network devices that you may be working with to send messages and log events. To enable this, all Syslog messages have a standard format that all applications and devices can use. Any Syslog message that you receive will have a header, followed by structured data, followed by the message itself:

  • The header part of the message includes relevant information like the version, a timestamp, the name of the host, the priority, the process ID, the message ID and more.
  • The structured data, as the name implies, is made up of data blocks in a very specific format.
  • The log message tells you more about the event that has taken place.

How is Syslog transported?

It's also important to understand that Syslog has three distinct layers that make up the standard definition. Syslog content is all relevant information in the event message itself. The Syslog application is the layer that generates, sends, interprets and ultimately stores the message in question. Finally, there is the Syslog transport — which is exactly what it sounds like, being responsible for transmitting the message to that centralized repository called a Syslog server.

Those servers may be a physical server, a standalone virtual machine or a software-based repository — it really does come down to the user. Regardless of the methods they choose, all Syslog servers have two main components:

  • The listener, which allows the server to receive the important messages being collected by the Syslog data.
  • The database, which is critical for larger networks in particular, as it lets officials store Syslog data for easy reference in the future.

Best practices for configuring Syslog

By far, the most important best-practice for configuring Syslog involves choices that you're making in terms of the Syslog server itself.

Any Syslog server worth your time should allow you to collect AND view messages, all from a single location. If it doesn't, you're giving up a lot of the benefits you're supposed to be getting from a Syslog implementation in the first place. Note that this includes not only all Syslog messages, but you should also have the ability to log in from any device with an active Internet connection through a secure portal as well.

Another critical concept that you'll want to embrace when configuring Syslog monitoring comes down to automation. With the sheer volume of information that the average network generates, making sense of it all and uncovering the insight hidden inside can quickly become an uphill battle. Automation will allow you to configure alerts to automatically notify you of problems via Syslog as soon as possible after they happen, all so that you don't have to go looking for them. You can even use automation to set up responses to certain types of events — like running scripts or forwarding messages — if you prefer.

Finally, you should get comfortable with configuring Syslog to view information as reports based on your unique objectives. You can schedule reports to run at specific times that are then delivered straight to your email inbox.

Syslog network monitoring with Telegraf

InfluxDB supports Syslog network monitoring via the Telegraf Syslog Input Plugin, which allows Telegraf to ingest logs using the Syslog protocol. Telegraf converts the Syslog messages to line protocol to be written to InfluxDB, from which data can be queried in real-time for alerts and visualized using InfluxDB, Grafana, or other visualization tools.

Keep in mind that Telegraf itself is the collection module of the InfluxDB time series platform, and one of the major use cases for adopting it involves network monitoring — making it the perfect match for your Syslog deployment. With the Telegraf Syslog Input Plugin, you finally have a single source that can run on all your hosts, collect data about your systems and applications and report on all that information from a sleek, easy-to-use (and easy-to-understand) dashboard. It can even run totally remotely if you so choose, collecting data via endpoints that are exposed by your applications while they're in use.

Scroll to Top