Log Collectors and Syslog
- an event on a device is logged to the console or a file
- accessing each device individually is impractical on a large network
- a log collector receives event messages forwarded from devices and stores them in a single location
- can run status and alerting dashboards over the collected events
- the log server should be hardened as a bastion host (single purpose, minimal services, restricted access), since it holds the evidence an attacker would want to alter or destroy
Syslog
Syslog is an application protocol and event logging format enabling different appliances and software applications to transmit logs or event records to a central server.
- facilitates log collection
- de facto standard for logging events from distributed systems
- supported by most network appliances (e.g. Cisco IOS) and by UNIX/Linux systems
- listens on UDP port 514 by default; UDP is unreliable and unauthenticated, so TCP 514 or syslog over TLS on TCP 6514 (RFC 5425) is preferred for a central collector
- is a protocol and an open format for event data
- a syslog message comprises:
  - PRI code
    - calculated from the facility and the severity: PRI = facility * 8 + severity, so it ranges from 0 to 191
    - Facility
      - a value from 0 to 23 (24 possible facilities) describing where the message came from, e.g. 0 = kernel, 4 = auth, 16-23 = local0-local7
    - Severity
      - an importance value from 0 to 7 (0 = most severe)
  - header
    - contains a timestamp and host name (both are supplied by the sender, so the collector should also record its own receive time and the source address)
  - message
    - contains a tag showing the source process plus the content
    - format of the content is application dependent
    - can be space or comma delimited, name/value pairs, or JSON
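The PRI arithmetic and the PRI/header/message split above, worked through in code. This is an added example for these notes, not code from any syslog implementation; it parses the BSD (RFC 3164) line format, decodes facility and severity, and flags records a collector dashboard would alert on. The sample log lines and the `needs_alert` threshold are constructed for the example.

```python
"""Decode syslog PRI values and split RFC 3164 (BSD-style) syslog lines.

Added example for these notes; the sample lines below are constructed.
"""
import re

# Facility numbers 0-23 as assigned in RFC 3164 / RFC 5424.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "security", 14: "console", 15: "solaris-cron",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Severity 0 (Emergency) .. 7 (Debug), indexed by code.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity (the value written between < and >)."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri):
    """Invert encode_pri: returns (facility, severity). Valid PRI is 0-191."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0-191")
    return divmod(pri, 8)


# <PRI>Mmm dd hh:mm:ss host tag[pid]: content   (day may be space-padded)
_BSD = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<content>.*)$"
)


def parse_bsd(line):
    """Split one RFC 3164 line into PRI, header (timestamp, host) and message."""
    m = _BSD.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % line)
    pri = int(m["pri"])
    facility, severity = decode_pri(pri)
    return {
        "pri": pri,
        "facility": facility,
        "facility_name": FACILITIES[facility],
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "timestamp": m["timestamp"],   # sender-supplied, not authenticated
        "host": m["host"],             # sender-supplied, not authenticated
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "content": m["content"],
    }


def parse_kv(content):
    """Split space-delimited name=value content (one of the formats noted above)."""
    return dict(tok.split("=", 1) for tok in content.split() if "=" in tok)


def needs_alert(record, threshold=3):
    """Dashboard rule (assumed threshold): alert on Error (3) or more severe."""
    return record["severity"] <= threshold


# Constructed sample lines, as a collector would receive them on UDP/514.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 fw01 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 52211 ssh2",
    "<13>Oct  1 08:05:02 app02 myapp: user=alice action=login result=ok",
    "<165>Oct 11 22:14:16 core-sw1 %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down",
]


def summarize(lines):
    """Parse each line and return the records a collector would index."""
    return [parse_bsd(line) for line in lines]


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LINES):
        flag = "ALERT" if needs_alert(rec) else "     "
        print(flag, rec["host"], rec["facility_name"], rec["severity_name"], rec["tag"], rec["content"])
```

Two points the code makes explicit: `<34>` decodes to facility 4 (auth) and severity 2 (Critical) because 34 = 4 * 8 + 2, and the timestamp and host name come from the sender, so a collector that trusts them for correlation without also recording its own receive time and the packet's source address can be misled by a spoofed UDP datagram.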
Syslog Severity Levels
| Code | Level | Interpretation |
|---|---|---|
| 0 | Emergency | The system is unusable (kernel panic). |
| 1 | Alert | A fault requiring immediate remediation has occurred. |
| 2 | Critical | A fault that will require immediate remediation is likely to develop. |
| 3 | Error | A nonurgent fault has developed. |
| 4 | Warning | A nonurgent fault is likely to develop. |
| 5 | Notice | A state that could potentially lead to an error condition has developed. |
| 6 | Informational | A normal but reportable event has occurred. |
| 7 | Debug | Verbose status conditions used during development and testing. |