Network Log Collection: Getting to Know the Syslog Protocol

When you have dozens or hundreds of servers running, monitoring each one separately becomes impossible. The solution is centralized log collection using the Syslog protocol. In this article, we'll take a detailed look at how it works and how to configure it.

What is Syslog?

Syslog is a standard protocol for transmitting system-level log messages over a network. It allows collecting logs from various devices and systems on a single central server. This is especially important for:

  • Corporate networks
  • Distributed systems
  • Cloud infrastructures
  • Security monitoring

History of Syslog

The Syslog protocol was developed in the 1980s by Eric Allman for BSD Unix. Since then, it has become the de facto standard for transmitting log messages in IP networks. In 2009, RFC 5424 was adopted, which defines the modern version of the protocol.

Syslog Architecture

A Syslog system consists of three main components:

  1. Syslog client (originator) — device or application that generates messages
  2. Syslog server (collector) — message recipient
  3. Network — transmission channel (usually UDP or TCP)

Syslog Message Format

Each Syslog message consists of three parts:

PRI (Priority)

Contains the message priority, enclosed in angle brackets: <PRI>. PRI is calculated using the formula facility * 8 + severity, where:

  • facility — message source (0-23)
  • severity — message importance (0-7)

HEADER

Contains:

  • TIMESTAMP — event time
  • HOSTNAME — sender hostname
  • APP-NAME — application name
  • PROCID — process ID
  • MSGID — message ID

MSG

Contains:

  • STRUCTURED-DATA — structured parameters
  • MESSAGE — message text

Example of a complete message:

```
<34>1 2026-03-03T15:00:00.123Z myserver app 12345 ID47 [exampleSD@32473 iut="3" event="start"] Starting up...
```

Here PRI 34 decodes as facility 4 (security/authorization) * 8 + severity 2 (Critical).

Severity Levels

Syslog defines 8 severity levels:

  • 0 — Emergency (emergency situation)
  • 1 — Alert (requires immediate intervention)
  • 2 — Critical (critical error)
  • 3 — Error (error)
  • 4 — Warning (warning)
  • 5 — Notice (normal but significant event)
  • 6 — Informational (informational message)
  • 7 — Debug (debug message)

Facility Codes

Facility defines the source of the message:

  • 0 — kernel messages
  • 1 — user-level messages
  • 2 — mail system
  • 3 — system daemons
  • 4 — security/authorization messages
  • 5 — messages generated internally by syslogd
  • 6 — line printer subsystem
  • 7 — network news subsystem
  • 8 — UUCP subsystem
  • 9 — clock daemon
  • 10 — security/authorization messages
  • 11 — FTP daemon
  • 12 — NTP subsystem
  • 13 — log audit
  • 14 — log alert
  • 15 — clock daemon
  • 16-23 — local use facilities
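As an added example (not code from the original article), the following parser puts the message format, the PRI formula and the severity and facility tables above into working code: it decodes PRI into facility and severity, splits the HEADER fields and separates STRUCTURED-DATA from the free-text MESSAGE. The short facility names are the conventional ones and the sample input is constructed.

```python
import re
# Severity 0-7 and facility 0-23 as in the tables above (short names are
# the conventional ones; 16-23 are local0-7)
SEVERITY = ["Emergency", "Alert", "Critical", "Error",
            "Warning", "Notice", "Informational", "Debug"]
FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
            5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
            10: "authpriv", 11: "ftp", 12: "ntp", 13: "audit",
            14: "alert", 15: "clock"}
FACILITY.update({16 + n: "local%d" % n for n in range(8)})

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD + MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) "
    r"(?P<hostname>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<rest>.*)$", re.DOTALL)

def parse_sd(rest):
    """Split '[id k="v" ...] text' into ({id: {k: v}}, text).
    A lone '-' (NILVALUE) means no structured data; escaped ']' in
    values is not handled by this minimal version."""
    if rest.startswith("-"):
        return {}, rest[1:].lstrip(" ")
    sd, pos = {}, 0
    while pos < len(rest) and rest[pos] == "[":
        end = rest.index("]", pos)            # ValueError if unterminated
        sd_id, *params = rest[pos + 1:end].split(" ")
        sd[sd_id] = dict(re.findall(r'(\S+?)="([^"]*)"', " ".join(params)))
        pos = end + 1
    return sd, rest[pos:].lstrip(" ")

def parse_syslog(line):
    """Decode one RFC 5424 message into its fields; raise if malformed."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not an RFC 5424 message: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:                             # 23 * 8 + 7 is the largest PRI
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)       # inverse of facility*8+severity
    sd, msg = parse_sd(m.group("rest"))
    return {"facility": facility, "facility_name": FACILITY[facility],
            "severity": severity, "severity_name": SEVERITY[severity],
            "version": int(m.group("version")), "timestamp": m.group("timestamp"),
            "hostname": m.group("hostname"), "app": m.group("app"),
            "procid": m.group("procid"), "msgid": m.group("msgid"),
            "sd": sd, "msg": msg}

# Constructed sample input: the message shown in the article
SAMPLE = ('<34>1 2026-03-03T15:00:00.123Z myserver app 12345 ID47 '
          '[exampleSD@32473 iut="3" event="start"] Starting up...')
```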

Configuring Syslog Server

In Linux

rsyslog

Rsyslog is an enhanced version of the classic syslog. Install it:

```bash
# Ubuntu/Debian
sudo apt-get install rsyslog

# CentOS/RHEL
sudo yum install rsyslog
```

Enable network message reception by editing /etc/rsyslog.conf:

```
# Enable UDP module
module(load="imudp")
input(type="imudp" port="514")

# Enable TCP module
module(load="imtcp")
input(type="imtcp" port="514")
```

Create a separate file for network messages:

```
# All network messages to separate file
# (a single @ forwards over UDP, @@ over TCP)
*.* @remote-server-ip:514
```

Restart the service:

```bash
sudo systemctl restart rsyslog
```

syslog-ng

Alternative option:

```bash
sudo apt-get install syslog-ng
```

Configuration file /etc/syslog-ng/syslog-ng.conf:

```
# Listen for network messages on UDP and TCP port 514
source s_network {
    udp(port(514));
    tcp(port(514));
};

# One file per sending host
destination d_remote_logs {
    file("/var/log/remote/${FULLHOST}/messages.log");
};

log {
    source(s_network);
    destination(d_remote_logs);
};
```

In Windows

Windows doesn't support Syslog out of the box, but there are several solutions:

NXLog Community Edition

  1. Download and install NXLog
  2. Edit the configuration file /conf/nxlog.conf:

```
# Syslog parsing is provided by the xm_syslog extension
<Extension syslog>
    Module      xm_syslog
</Extension>

<Input in_syslog>
    Module      im_udp
    Host        0.0.0.0
    Port        514
    Exec        parse_syslog();
</Input>

<Output out_file>
    Module      om_file
    File        "/var/log/syslog.log"
</Output>

# Route name is arbitrary
<Route r1>
    Path        in_syslog => out_file
</Route>
```

Kiwi Syslog Server

A popular commercial solution with a GUI.

Configuring Clients

Linux Clients

To send messages to a remote server, add a line to /etc/rsyslog.conf:

```
# Send all messages to remote server (@@ = TCP, @ = UDP)
*.* @@remote-server-ip:514
```

For specific message types:

```
# Errors only
*.err @@remote-server-ip:514

# Kernel messages only
kern.* @@remote-server-ip:514
```

Configuring Applications

Many applications can send logs via Syslog. Example for Apache:

```
# In Apache configuration file: pipe the error log into logger,
# which sends it to the local syslog daemon as local6.error
LogLevel warn
ErrorLog "|/usr/bin/logger -t httpd -p local6.error"
```

Windows Clients

To send logs from Windows machines, you can use:

  1. NXLog — sending events from Event Log
  2. SolarWinds Free Syslog Sender
  3. Custom PowerShell scripts

Syslog Security

Traditional Syslog uses UDP without encryption, which creates risks:

  • Message interception
  • Source spoofing
  • Data integrity violation

To address these issues:

  • Use TCP instead of UDP
  • Implement TLS encryption (RFC 5425)
  • Apply source authentication
  • Use VPN for log transmission
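The following is an added example (not from the original article) of the transport-side hardening listed above: RFC 5425 carries syslog over TLS on TCP port 6514, verifies the collector's certificate, optionally authenticates the source with a client certificate, and frames every message by octet count so that a message containing newlines cannot be split or merged with its neighbour. The collector hostname, CA file and certificate paths are placeholders; only the framing functions and context settings are exercised offline.

```python
import socket
import ssl

SYSLOG_TLS_PORT = 6514  # IANA-registered port for syslog over TLS (RFC 5425)

def frame(message):
    """Octet-counting frame: the byte length (not character length) of the
    UTF-8 message, one space, then the message itself."""
    body = message.encode("utf-8")
    return b"%d %s" % (len(body), body)

def unframe(buf):
    """Split a receive buffer into complete messages. Returns
    (messages, leftover) so a collector can keep partial data across
    reads. A non-numeric prefix stops parsing: the peer is misbehaving."""
    out = []
    while True:
        sp = buf.find(b" ")
        if sp < 1 or not buf[:sp].isdigit():
            break                           # no complete length prefix yet
        end = sp + 1 + int(buf[:sp])
        if len(buf) < end:
            break                           # body not fully received yet
        out.append(buf[sp + 1:end].decode("utf-8"))
        buf = buf[end:]
    return out, buf

def tls_context(ca_file, client_cert=None, client_key=None):
    """Verify the collector's certificate against our CA (no blind trust)
    and, when a client certificate is given, let the collector
    authenticate this source as well (mutual TLS). Paths are placeholders."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx

def send_over_tls(messages, collector_host, ctx):
    """Open one authenticated TLS session and write framed messages.
    collector_host is a placeholder and must match the server certificate."""
    with socket.create_connection((collector_host, SYSLOG_TLS_PORT)) as raw:
        with ctx.wrap_socket(raw, server_hostname=collector_host) as tls:
            tls.sendall(b"".join(frame(m) for m in messages))
```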

Practical Recommendations

Choosing the Right Solution

  1. For small networks: rsyslog or syslog-ng
  2. For enterprise environments: Splunk, ELK Stack, Graylog
  3. For cloud: cloud log management solutions

Performance Monitoring

  • Monitor volume of transmitted data
  • Monitor network interface load
  • Check log server performance

High Availability Architecture

  • Configure multiple log servers
  • Use load balancing
  • Implement log backup

Conclusion

Syslog is a powerful tool for centralized log collection. By properly configuring this system, you can effectively monitor and analyze events in your infrastructure. Don't forget about security and scalability when planning your log system architecture.