What is Syslog in Networking?


Syslog (short for System Logging Protocol) is a standard protocol used for message logging in network devices and systems. It allows network devices such as routers, switches, firewalls, and servers to send log messages to a centralized logging server (called a Syslog server).

Why is Syslog Used?

  • Monitor and analyze events across a network.
  • Track security-related incidents (e.g., login attempts, firewall rule changes).
  • Troubleshoot network issues and failures.
  • Generate reports for auditing and compliance.

How Syslog Works:

  1. A network device detects an event (e.g., interface down).
  2. It generates a Syslog message with:
     • Severity level (e.g., warning, critical)
     • Timestamp
     • Source IP/device
     • Description of the event
  3. The message is sent to the Syslog server (over UDP port 514 by default).
  4. The Syslog server stores, analyzes, or forwards the logs.

Common Syslog Use Cases:

  • Security Information and Event Management (SIEM)
  • Network performance monitoring
  • Intrusion detection systems
  • Compliance with standards like ISO 27001, PCI-DSS

Syslog Severity Levels (0-7):

  • 0 Emergency – System is unusable
  • 1 Alert – Immediate action needed
  • 2 Critical – Critical condition
  • 3 Error – Error condition
  • 4 Warning – Warning condition
  • 5 Notice – Normal but significant
  • 6 Informational – Informational messages
  • 7 Debug – Debug-level messages
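To show how a receiver actually uses these numbers, here is an added example (not part of the original post) in Python: a small parser for BSD-style syslog lines that splits the PRI field into facility and severity (PRI = facility * 8 + severity) and applies a severity threshold the way an rsyslog "*.crit" selector does. The three sample lines are constructed; the first one is what a `logger -p local0.crit` message looks like on the wire (PRI 130 = 16 * 8 + 2).

```python
import re
from dataclasses import dataclass

# Severity names exactly as in the 0-7 table above (lower number = more severe).
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]
# Facility codes 0-23 from RFC 5424; 16-23 are local0-local7.
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
                  "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]

# BSD-style (RFC 3164) layout: <PRI>TIMESTAMP HOST TAG: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+):\s?(?P<msg>.*)$", re.S)

@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str
    host: str
    tag: str
    msg: str

    def label(self) -> str:
        """rsyslog-style facility.severity label, e.g. 'local0.critical'."""
        return f"{FACILITY_NAMES[self.facility]}.{SEVERITY_NAMES[self.severity].lower()}"

def parse_syslog(line: str) -> SyslogMessage:
    """Split one RFC 3164 line; the PRI number is facility * 8 + severity."""
    m = RFC3164.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # largest legal PRI is 23 * 8 + 7
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogMessage(pri // 8, pri % 8, m["ts"], m["host"], m["tag"], m["msg"])

def filter_by_severity(lines, threshold=2):
    """Keep messages at `threshold` or more severe, like an rsyslog '*.crit' selector."""
    return [msg for msg in map(parse_syslog, lines) if msg.severity <= threshold]

# Constructed sample lines: local0.crit (16*8+2), auth.info (4*8+6), kern.alert (0*8+1).
SAMPLE_LINES = [
    "<130>Mar 10 14:22:01 host1 logger: This is a critical test message",
    "<38>Mar 10 14:22:05 host1 sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 52211 ssh2",
    "<1>Mar 10 14:22:09 host1 kernel: eth0: link is down",
]
```

Calling filter_by_severity(SAMPLE_LINES) keeps only the local0.critical and kern.alert lines; the auth.informational SSH login is dropped, exactly as a "*.crit" rule would do.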

You Should Know:

  1. Setting Up a Syslog Server on Linux (rsyslog)

     Install rsyslog:
     sudo apt update && sudo apt install rsyslog -y

     Enable and start rsyslog:
     sudo systemctl enable rsyslog
     sudo systemctl start rsyslog

     Configure rsyslog to listen on UDP 514 (the backslashes keep the literal "$" in the file):
     echo -e "\$ModLoad imudp\n\$UDPServerRun 514" | sudo tee -a /etc/rsyslog.conf

     Restart rsyslog:
     sudo systemctl restart rsyslog

  2. Forwarding Logs to a Remote Syslog Server

     On a Linux client:

     Edit rsyslog.conf:
     sudo nano /etc/rsyslog.conf

     Add the following line (replace the address with your Syslog server IP; "*.*" selects every facility and severity, and a single "@" sends over UDP, "@@" over TCP):
     *.* @192.168.1.100:514

     Restart rsyslog:
     sudo systemctl restart rsyslog

3. Filtering Syslog Messages by Severity

To log only critical (2) and higher messages, use a priority selector: "*.crit" matches severity 2 and everything more severe from any facility, and "& stop" keeps those messages from also being written by the rules that follow:

 Add to /etc/rsyslog.conf
*.crit /var/log/critical.log
& stop

4. Windows Event Forwarding to Syslog

Use NXLog or EventLog-to-Syslog tools. Example NXLog config (the xm_syslog extension formats each event as a BSD syslog line, and the Route block connects the input to the output, which NXLog requires):

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input eventlog>
    Module im_msvistalog
</Input>

<Output syslog>
    Module om_udp
    Host 192.168.1.100
    Port 514
    Exec to_syslog_bsd();
</Output>

<Route eventlog_to_syslog>
    Path eventlog => syslog
</Route>

5. Testing Syslog with logger Command

logger -p local0.crit "This is a critical test message" 

6. Log Rotation for Syslog (logrotate)

 Edit logrotate config
sudo nano /etc/logrotate.d/rsyslog

Add rotation rules (keep 7 daily, compressed copies and tell rsyslog to reopen its files after each rotation):
/var/log/syslog {
    rotate 7
    daily
    compress
    missingok
    notifempty
    delaycompress
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}

What Undercode Say

Syslog is essential for real-time monitoring, security auditing, and troubleshooting in IT infrastructure. By centralizing logs, organizations can detect anomalies faster, comply with regulations, and optimize network performance.

Additional Useful Commands:

  • View Syslog in Real-Time:
    tail -f /var/log/syslog 
    
  • Filter Logs by Process:
    grep "sshd" /var/log/syslog 
    
  • Add a TCP listener on a non-default port (TCP for reliability, here 10514):
    echo -e "\$ModLoad imtcp\n\$InputTCPServerRun 10514" | sudo tee -a /etc/rsyslog.conf

  • Encrypt Syslog with TLS (secure logging): this installs the GnuTLS network stream driver; the CA and host certificates and the $DefaultNetstreamDriver / $ActionSendStreamDriverMode settings still have to be configured afterwards:
    sudo apt install rsyslog-gnutls


Expected Output:

A fully configured centralized logging system with severity-based filtering, secure transport, and automated log rotation for compliance and efficient debugging.

References:

Reported By: Ahmed Bawkar – Hackers Feeds