The syslog protocol is a standard for sending event notification messages across IP networks to event message collectors, also known as "syslogd", "syslog daemon" or "syslog servers". The term "syslog" is often used for both the actual syslog protocol and the application or library sending syslog messages. Syslog is a simple protocol typically used for computer system management and security auditing. While it has a number of shortcomings, syslog is supported by a wide variety of devices and receivers across multiple platforms and operating systems. Because of this, syslog can be used to integrate log data from many different types of systems into a central repository.
Since each process, application and operating system was written somewhat independently, there is little uniformity to the content of syslog messages. For this reason, no assumption is made about the formatting or contents of the messages. The protocol is simply designed to transport these event messages. In all cases, there is one device that originates the message. The syslog process on that machine may send the message to a collector. No acknowledgement of receipt is made. Syslog uses the User Datagram Protocol (UDP) as its underlying transport layer mechanism. The UDP port assigned to syslog is 514. Often the data is sent in cleartext; however, an SSL wrapper such as Stunnel, sslio or sslwrap can be used to add a layer of encryption through SSL/TLS.
One of the fundamental tenets of the syslog protocol and process is its simplicity. No stringent coordination is required between the transmitters and the receivers. Indeed, the transmission of syslog messages may be started on a device without a receiver being configured, or even actually physically present. Conversely, many devices will most likely be able to receive messages without explicit configuration or definitions. This simplicity has greatly aided the acceptance and deployment of syslog.
Protocol Structure
[Figure: Sample syslog architecture]
No assumption is made upon the formatting or contents of the syslog messages. The syslog packet size is limited to 1024 bytes and carries the following information:
• Facility - integers indicating the category of source that generated the syslog message. The source can be the operating system, a process, or an application.
• Severity - single-digit integers indicating the severity of the message.
• Hostname - the host name (as configured on the host itself) or the IP address. On devices such as routers or firewalls, which have multiple interfaces, syslog uses the IP address of the interface from which the message is transmitted.
• Timestamp - the local time of the device when the message was generated, in MMM DD HH:MM:SS format.
• Message - the text of the syslog message, along with some additional information about the process that generated it.
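The transport described above (one UDP datagram per message on port 514, no acknowledgement, 1024-byte limit) and the field layout just listed, as an added worked example in Python that is not code from the original page or from any syslog project. The PRI prefix encoding used here, `<n>` with n = facility × 8 + severity, and the fallback to user.notice (PRI 13) for a missing or invalid PRI, are taken from RFC 3164; the sample lines, host names, PIDs and the 192.0.2.10 address are constructed for the demo; `run_collector` is a hypothetical minimal UDP receiver that the demo does not start.

```python
import re
import socket

# Facility and severity names as numbered in RFC 3164 section 4.1.1.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

MAX_PACKET_BYTES = 1024   # packet size limit stated above
DEFAULT_PRI = 13          # user.notice: what RFC 3164 tells a relay to assume when PRI is absent/invalid

PRI_RE = re.compile(r"^<(\d{1,3})>")
HEADER_RE = re.compile(
    r"^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ([ \d]\d) (\d\d:\d\d:\d\d) (\S+) (.*)$",
    re.DOTALL,
)
# TAG: program name, optional "[pid]", then ":". RFC 3164 says alphanumeric only;
# '-', '_' and '.' are accepted here because real daemon names use them.
TAG_RE = re.compile(r"^([\w.-]{1,32})(?:\[(\d+)\])?:\s?(.*)$", re.DOTALL)


def parse_syslog(packet):
    """Split one BSD syslog datagram (bytes or str) into PRI, HEADER and MSG fields.

    Never raises on malformed input: a collector has to accept whatever arrives,
    so missing or invalid parts are reported through the returned flags instead.
    """
    raw = packet if isinstance(packet, bytes) else packet.encode("utf-8")
    text = raw.decode("utf-8", errors="replace")
    result = {
        "oversized": len(raw) > MAX_PACKET_BYTES,
        "pri_valid": False, "header_valid": False,
        "timestamp": None, "hostname": None, "tag": None, "pid": None,
    }

    # PRI: "<n>" where n = facility * 8 + severity, so a valid n is 0..191.
    m = PRI_RE.match(text)
    if m and int(m.group(1)) <= 191:
        pri, rest = int(m.group(1)), text[m.end():]
        result["pri_valid"] = True
    else:
        pri, rest = DEFAULT_PRI, text   # an unparsable PRI stays part of the content
    result["facility"], result["severity"] = divmod(pri, 8)
    result["facility_name"] = FACILITIES[result["facility"]]
    result["severity_name"] = SEVERITIES[result["severity"]]

    # HEADER: "Mmm dd hh:mm:ss HOSTNAME " (day space-padded; no year, no time zone).
    h = HEADER_RE.match(rest)
    if h:
        mon, day, clock, host, msg = h.groups()
        result.update(header_valid=True, timestamp=f"{mon} {int(day):2d} {clock}", hostname=host)
    else:
        msg = rest   # no header: the whole remainder is content

    # MSG: optional "TAG[pid]: " followed by free-form CONTENT.
    t = TAG_RE.match(msg)
    if t:
        result["tag"], pid, msg = t.group(1), t.group(2), t.group(3)
        result["pid"] = int(pid) if pid else None
    result["message"] = msg.rstrip("\n")
    return result


def at_least(fields, level):
    """True if the message is as severe as `level` or worse (lower number = more severe)."""
    return fields["severity"] <= SEVERITIES.index(level)


def run_collector(bind="0.0.0.0", port=514):
    """Hypothetical minimal collector: one datagram is one message, nothing is acknowledged."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        # Read one byte more than the limit so an oversized datagram is flagged, not silently cut.
        data, (src, _) = sock.recvfrom(MAX_PACKET_BYTES + 1)
        f = parse_syslog(data)
        print(src, f["facility_name"], f["severity_name"], f["hostname"], f["message"])


# Constructed sample datagrams covering the normal case and the failure modes.
SAMPLES = [
    b"<86>Mar  3 09:05:01 fw-edge sshd[4121]: Accepted publickey for ops from 192.0.2.10 port 51422",
    b"<34>Mar  3 09:05:07 fw-edge su: 'su root' failed for ops on /dev/pts/2",
    b"Mar  3 09:05:09 fw-edge kernel: eth1: link down",        # PRI missing
    b"<999>Mar  3 09:05:10 fw-edge cron[77]: bogus priority",  # PRI out of range
    b"<13>" + b"A" * 1100,                                     # exceeds 1024 bytes
]

if __name__ == "__main__":
    for s in SAMPLES:
        f = parse_syslog(s)
        print(f"{f['facility_name']}.{f['severity_name']:<7} pri_ok={f['pri_valid']!s:<5} "
              f"hdr_ok={f['header_valid']!s:<5} big={f['oversized']!s:<5} {f['hostname']} {f['tag']} {f['message'][:40]}")
```

The flags matter for monitoring: a flood of `pri_valid=False` or `oversized=True` records usually means a misconfigured sender or a relay that is truncating, and since UDP gives no acknowledgement, the receiver's own counters are the only evidence that messages are being lost or mangled. `at_least` exists because severity numbering is inverted (0 is the most urgent), which is an easy mistake in alert thresholds.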
Syslog protocol is defined by IETF (www.ietf.org) in RFC 3164.
http://www.javvin.com/protocol/rfc3164.pdf: The BSD Syslog Protocol