Syslog is a standardized way of producing log information. It is the native logging mechanism on Linux and UNIX systems, while Windows does a similar thing with the Event Log. Pretty much all routers, switches, firewalls, wireless controllers, and all sorts of other devices out there can produce syslog data. As your network grows you’ll find yourself managing a lot of different kinds of devices, and each device collects a different type of information in its logs. All of these log types are different, but there are some things that are very similar.
The syslog message format was first written down in RFC 3164 (the original BSD syslog, an informational RFC) and later standardized in RFC 5424, and because it is so widely supported, almost every device you plug into a network these days can send syslog. The content of the messages, however, is not standardized. The content that comes from a firewall will look very different from the content that comes from a server; each type of system has its own definition of the logs it sends. You’ll usually configure your syslog consolidation tool to understand and interpret the data properly whether it’s coming from a firewall, a Windows server, a Linux server or anything else.
Traditionally syslog uses UDP port 514 for message transport. UDP means delivery is not guaranteed: a message can be lost in transit and neither the sender nor the receiver is warned about it. It also means the source address is trivial to spoof and the content travels in cleartext, so anyone who can reach the collector can inject fake entries, and anyone on the path can read real ones. The reason UDP is still common is overhead: there is a lot of syslog data being sent and received, and running all of it over TCP adds connection state and retransmissions on every device. Where you need reliable or confidential delivery, RFC 6587 describes syslog over TCP and RFC 5425 describes syslog over TLS on TCP port 6514, and most current syslog daemons support both. So, if you stay with plain UDP, keep in mind that a message could get lost and you would not get a warning about it.
Within syslog there are eight severity levels, so you can flag each entry based on how important it is. Depending on the system you’re using it may show the numbers, the standard names, or its own vendor-specific words, so the labels vary. The levels start at level 0 (zero), the most severe, and they are:
- 0 – Emergency
- 1 – Alert
- 2 – Critical
- 3 – Error
- 4 – Warning
- 5 – Notice
- 6 – Informational
- 7 – Debug
This is the kind of syslog data you can retrieve and collect in a central location, a collecting server. When you start with setup, start simple. Don’t send syslog from every system at every level to one server; if you do, you’re not going to be able to determine what you care about. You’re probably going to want levels 4 to 0, or maybe even 3 to 0. Note that "less severe" means a higher number: Notice, Informational and Debug (5 to 7) are the levels you’ll usually leave out at first, because they produce a huge amount of data to process. The exception is anything you may need for an investigation later. Successful logins, for example, are typically logged at Informational, so filter by facility and source as well as by severity rather than dropping level 6 everywhere. So, pick and choose carefully.
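As an added example, not from the original article, here is how a collector or forwarder actually applies those levels, which goes one step beyond the text: on the wire the severity is not sent as a word. The angle-bracketed number at the start of each message, the PRI field, is facility × 8 + severity, so a parser has to decode it before it can filter. The Python below parses a handful of constructed RFC 3164 lines, decodes facility and severity, rejects PRI values outside the range the RFC allows instead of silently dropping them, and keeps only messages at Warning (4) or more severe. The sample lines, host names and addresses are made up for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Severity values from RFC 3164 / RFC 5424; 0 is the most severe.
SEVERITIES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}

# Facility values from RFC 5424 section 6.2.1.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "audit", 14: "alert", 15: "clock",
    **{16 + i: f"local{i}" for i in range(8)},
}

# BSD-style header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG (the day is space-padded, e.g. "Oct  5").
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    msg: str

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]

    @property
    def facility_name(self) -> str:
        return FACILITIES[self.facility]


def decode_pri(pri: int) -> tuple[int, int]:
    """PRI = facility * 8 + severity. RFC 5424 allows 0..191 (facility 23, severity 7)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0..191")
    return divmod(pri, 8)


def parse(line: str) -> SyslogEvent:
    match = RFC3164.match(line)
    if match is None:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    facility, severity = decode_pri(int(match["pri"]))
    return SyslogEvent(facility, severity, match["timestamp"], match["host"], match["msg"])


def parse_all(lines: list[str]) -> tuple[list[SyslogEvent], list[tuple[str, str]]]:
    """Parse what we can; keep rejected lines together with the reason for later review."""
    events, rejected = [], []
    for line in lines:
        try:
            events.append(parse(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return events, rejected


def keep_at_most(events: list[SyslogEvent], max_severity: int) -> list[SyslogEvent]:
    """Keep messages at least as important as max_severity.
    Lower number = more severe, so "Warning and above" is severity <= 4."""
    return [e for e in events if e.severity <= max_severity]


# Constructed sample lines (hosts, addresses and messages are made up for this example).
SAMPLE_LINES = [
    "<4>Oct  5 13:07:01 fw1 kernel: iptables: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    "<86>Oct  5 13:07:02 srv1 sshd[1201]: Accepted password for alice from 198.51.100.23 port 51022 ssh2",
    "<85>Oct  5 13:07:05 srv1 sshd[1203]: pam_unix(sshd:auth): authentication failure; rhost=203.0.113.7",
    "<13>Oct  5 13:07:09 app1 myapp: user alice opened report 4471",
    "<187>Oct  5 13:07:10 core-sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to down",
    "<15>Oct  5 13:07:12 app1 myapp: cache lookup key=report:4471 miss",
    "<200>Oct  5 13:07:13 bad-host junk: PRI above 191 is invalid",
]

if __name__ == "__main__":
    events, rejected = parse_all(SAMPLE_LINES)
    for e in keep_at_most(events, 4):
        print(f"{e.facility_name}.{e.severity_name.lower():13} {e.host:9} {e.msg}")
    for line, reason in rejected:
        print("rejected:", reason)
```

With the threshold at 4 only the kernel drop (kern.warning) and the switch link-down (local7.error) survive; the successful login at authpriv.informational is filtered out, which is exactly the trade-off the paragraph above warns about when you filter on severity alone.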
The key is to find a way to centralize all of these logs into a single database, or a single consolidated view. One benefit is a centralized data store for all of your logs: if you ever need to gather or access any information, or run any queries on your logs, you know you’ve got it all in one place, and it can be archived and backed up from there. Centralization also protects the evidence. An attacker who gains control of a host can clear its local logs, but the copies already shipped to a collector that the host cannot modify remain intact.
Another capability is that everything can be correlated together, meaning you can view an entry in an authentication log that correlates to a flow of traffic through a firewall, which in turn correlates to somebody logging in and using an application on a server. This only works if the clocks on all of your devices are synchronized (NTP) and timestamps are normalized to a single time zone when they are stored. Another nice capability, now that all of this information is in one place, is reporting: long-term trends and similar views. You can start to see changes throughout your network, things that you would never be able to see unless you had all of that data in one place.
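The correlation described above, as an added example that is not part of the original article. It works on events that the collector’s parsers have already normalised into a common shape (the records below are constructed; the host inventory mapping, addresses and user names are assumptions for the example). It ties each accepted firewall flow to the authentication events on the destination host that came from the same remote address inside a time window, attaches the application-log activity of users who logged in successfully, and separately flags application activity with no matching login anywhere in the collected logs, which is the kind of thing you only see once the sources are in one place.

```python
from __future__ import annotations

from datetime import datetime, timedelta

# Assumed inventory mapping (firewall logs carry IPs, host logs carry names); constructed.
HOST_BY_IP = {"192.0.2.10": "srv1"}

# Constructed sample events from three sources, already normalised by the collector's parsers.
EVENTS = [
    {"ts": "2024-10-05T13:07:00", "source": "fw1", "kind": "flow", "action": "ACCEPT",
     "src": "198.51.100.23", "dst": "192.0.2.10", "dport": 22},
    {"ts": "2024-10-05T13:07:02", "source": "srv1", "kind": "auth", "result": "success",
     "user": "alice", "rhost": "198.51.100.23"},
    {"ts": "2024-10-05T13:07:09", "source": "app1", "kind": "app",
     "user": "alice", "action": "opened report 4471"},
    {"ts": "2024-10-05T13:07:30", "source": "fw1", "kind": "flow", "action": "ACCEPT",
     "src": "203.0.113.7", "dst": "192.0.2.10", "dport": 22},
    {"ts": "2024-10-05T13:07:33", "source": "srv1", "kind": "auth", "result": "failure",
     "user": "root", "rhost": "203.0.113.7"},
    {"ts": "2024-10-05T13:07:35", "source": "srv1", "kind": "auth", "result": "failure",
     "user": "root", "rhost": "203.0.113.7"},
    {"ts": "2024-10-05T13:09:00", "source": "app1", "kind": "app",
     "user": "bob", "action": "exported report 9001"},
]


def ts(event: dict) -> datetime:
    # All sources must already be in one time zone; otherwise the windows below are meaningless.
    return datetime.fromisoformat(event["ts"])


def correlate_flow_to_auth(events: list[dict], window=timedelta(seconds=30)) -> list[dict]:
    """One chain per accepted firewall flow: the auth events on the destination host
    that came from the same remote address within `window` after the flow."""
    chains = []
    for flow in (e for e in events if e["kind"] == "flow" and e["action"] == "ACCEPT"):
        host = HOST_BY_IP.get(flow["dst"])
        start, end = ts(flow), ts(flow) + window
        auths = [a for a in events
                 if a["kind"] == "auth" and a["source"] == host
                 and a["rhost"] == flow["src"] and start <= ts(a) <= end]
        chains.append({"src": flow["src"], "host": host, "flow": flow, "auth": auths, "app": []})
    return chains


def attach_app_activity(chains: list[dict], events: list[dict],
                        window=timedelta(minutes=5)) -> list[dict]:
    """Extend chains that contain a successful login with that user's application-log
    events within `window` after the login."""
    for chain in chains:
        for auth in chain["auth"]:
            if auth["result"] != "success":
                continue
            start, end = ts(auth), ts(auth) + window
            chain["app"].extend(x for x in events
                                if x["kind"] == "app" and x["user"] == auth["user"]
                                and start <= ts(x) <= end)
    return chains


def classify(chain: dict) -> str:
    results = {a["result"] for a in chain["auth"]}
    if "success" in results:
        return "session"          # firewall -> login -> application use
    if "failure" in results:
        return "failed-logins"    # reached the host, never got in
    return "flow-only"            # traffic passed, nothing logged on the host (worth a look)


def unexplained_app_activity(events: list[dict], window=timedelta(minutes=5)) -> list[dict]:
    """Application events whose user has no successful login anywhere in the collected
    logs during the preceding `window`."""
    out = []
    for app in (e for e in events if e["kind"] == "app"):
        logins = [a for a in events
                  if a["kind"] == "auth" and a["result"] == "success"
                  and a["user"] == app["user"] and ts(app) - window <= ts(a) <= ts(app)]
        if not logins:
            out.append(app)
    return out


if __name__ == "__main__":
    for chain in attach_app_activity(correlate_flow_to_auth(EVENTS), EVENTS):
        print(f"{chain['src']:>14} -> {chain['host']}: {classify(chain)}, "
              f"{len(chain['auth'])} auth event(s), {len(chain['app'])} app event(s)")
    for app in unexplained_app_activity(EVENTS):
        print("no matching login:", app["ts"], app["user"], app["action"])
```

On the sample data the first flow becomes a complete session (firewall, login, application use), the second is two failed root logins from an address the firewall also saw dropped earlier, and bob’s export shows up as application activity with no login behind it. The window sizes are tuning knobs; the point is that none of these three findings is visible from any single source on its own.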
This syslog consolidation server is going to need a lot of disk space, since it will be collecting from all of the different devices on the network. The more disk space you have, the further back in time you’ll be able to go and see exactly what was going on a month ago, three months ago, six months ago or perhaps even longer; the retention your incident response plan or compliance obligations require usually sets the floor. Generally this server will also have a lot of memory and CPU power, because you’re usually connecting to it to run reports and query log information, and you want answers as quickly as possible. Queries will go much faster if you have a lot of memory and CPU that you can dedicate to querying and managing the log data.
Syslog consolidation tools are more than just a gathering point. They generally come with software that lets you produce reports, create graphs, query the data easily and generate alerts, for example sending out an email when something goes down or when a pattern such as repeated failed logins shows up.