A Introduction to Syslog

Written by Ed Bailey

September 12, 2022

Syslog is an event logging standard that lets almost any device or application send data about status, events, diagnostics, and more. It’s commonly used by network and storage devices to ship observability data to analytics platforms and SIEMs in order to support and secure the enterprise.

Syslog is an excellent lightweight protocol to get telemetry from small scale devices. But like most enterprise softwares, it does have its shortcomings — managing syslog can be inefficient and tough to scale. But before you can solve those issues, you’ll need to know more about syslog and how it works.

What is Syslog, Anyway?

Syslog, which stands for system logging protocol, has been in use since 1980 and has become the standard for logging on many Unix-like systems. It can use User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) for event delivery over the network.

So, What are UDP and TCP?

UDP is a stateless and session-less communication protocol widely used on the Internet, particularly for time-sensitive transfers. It’s lightweight and allows the transmission of large amounts of data, giving syslog its open-ended nature — one of its most recognized and helpful features. This open-ended nature allows syslog to convey a large amount of time-sensitive information or details without being constrained. That said, the downside is that UDP data can easily be lost or dropped in the event of network outages or issues.

This is why many rely on TCP/IP, since it’s built for reliability even in the face of network outages. Another potential benefit is that all the data is received in exactly the order that it’s sent. What’s the downside? Speed. TCP is comparatively slow, partially due to its error-checking mechanisms.

To consider how and why syslog would be useful, think of a logistics business. Let’s say a trucking company has sensors installed in every vehicle and all the drivers have an iOS app for tracking purposes. If every pallet on all of the trucks making their way around the country is equipped with a sensor, the amount of time sensitive data to track starts to add up very quickly. With this staggering amount of data, you need lightweight protocols to track it all, and that’s exactly what syslog does for you.

With Cribl Stream, you can employ syslog in conjunction with a logging server called a syslog server. A syslog server supports UDP/TCP for delivery, which logs information from syslog clients to a centralized location where it can be searched, managed, and archived.

Why Does Syslog Matter?

Syslog’s positive reputation in the tech industry is due to its versatility across various devices and use cases. Here are some of the most popular ones:

Firewall Monitoring to Support Operations and Security

Firewalls generate the most events of any use case on this list — some companies log millions of events per second that pass through their firewalls. The value you get from this data depends on how well you can separate the signal from the noise, understand the state, understand who is coming through the perimeter or what data is going out through the perimeter, and consume this data without dropping it.

Monitoring Network Devices

All of your network and Internet of Things (IOT) network and IOT devices generate vast amounts of data to support a number of use cases. IOT use cases can include everything from fancy, sophisticated building control systems to mundane home appliances like televisions and audiovisual equipment — everything generates some form of data.

Let’s consider web based video cameras , for example. They’re incredibly open to attacks and have little security, so you have to be able to monitor them by consuming their telemetry data through syslog into your SIEM. When these devices get compromised, you’ll definitely want to know what the hacker is up to, how they accessed the devices, the firmware version, and whether or not they are even operational.
Open Systems Logging to Support Operations and Security
If you work in the open systems world, every one of your servers has a built-in syslog client that sends data to your SIEM. Whatever path you choose, syslog is the most common method for getting operations and and security data off that system and into your security framework.

Monitoring Storage Devices

Storage devices are a massive data source, especially with the growing number of security requirements being put in place. For example, having to log storage authentication events to your SIEM can generate massive data volumes. If you haven’t worked with them before, you wouldn’t believe how much data an Isilon device generates. Almost every company uses it for file services, and Isilon is constantly emitting who is accessing storage, which blocks they are accessing, etc. Storage monitoring with syslog provides a major security use case due to the amount of helpful information it admits.

Sending Alerts

Another useful application of syslog is alerting. When configuring syslog alerts, you may select from a number of choices and severity levels, such as emergency, critical, warning, error, and so on. Additionally, alerts include detailed points such as host specifics, time period, and log/message data. Syslog alerting can be beneficial in a situation where you need to be notified about events like server startup, clean server shutdowns, sudden server shutdowns, configuration reloads and failures, runtime configuration impact, resource impact, and other events. All of these alerts can aid in determining whether or not the servers are operational. Syslog also aids in the detection of broken connections. Server notifications are always important, especially when you’re responsible for hundreds of servers.

Are You Getting Value From The Data You Collect?

As an industry, we spend so much time collecting data that we forget about how to make the data meaningful. Saving time on data collection allows you to devote more time to making the data useful, but you have to ensure, at the outset, that the data is in a usable state to convert it into a commercial asset. This is where an observability pipeline makes an enormous difference. How? By turning data into usable telemetry to make your analytics platform and SIEM more effective.

And now that you know all about syslog, it’s time to learn how to scale syslog with Cribl Stream. In part 2 of this series, we’ll look at the challenges of scaling syslog.

The fastest way to get started with Cribl Stream and Cribl Edge is to try the Free Cloud Sandboxes.

Additional Reading

Questions about our technology? We’d love to chat with you.