Syslog Server Configuration - Complete Guide

1. What is a Syslog Server?

Definition: A Syslog server is a centralized logging solution that receives, stores, and manages log messages sent by network devices and systems using the Syslog protocol.

Why Use It?

  • ✅ Centralized logging – Aggregate all logs in one location.
  • ✅ Real-time monitoring – Detect problems as they occur.
  • ✅ Compliance – Store logs for auditing and legal requirements.
  • ✅ Filtering & Alerts – Focus only on important events.

2. Syslog Protocol Basics

  • Transport: UDP 514 (default; no delivery guarantee), TCP 514 (reliable delivery), TLS over TCP 6514 (encrypted, RFC 5425)
  • Message Format (RFC 3164 "BSD syslog"): <PRI>Timestamp Hostname Tag: Message
    PRI = Facility * 8 + Severity. Facility and severity are carried in that number, not spelled out in the text.
<134>Dec 15 10:30:45 Router1 %SYS-3-CRITICAL: Temperature threshold exceeded
    Here <134> = 16 * 8 + 6, i.e. facility local0, severity 6 (informational). The Cisco tag %SYS-3-CRITICAL carries its own severity digit (3), but a server-side severity filter only looks at the PRI.

3. Installing a Syslog Server

Linux (rsyslog)

sudo apt install rsyslog
sudo systemctl enable rsyslog

Windows

  • Kiwi Syslog Server (Free or Paid)
  • SolarWinds Syslog Server (Enterprise-grade)

macOS

brew install rsyslog

4. Configuring Syslog Server

A. Enable UDP/TCP Listening (Linux)

Create /etc/rsyslog.d/10-remote.conf (or edit /etc/rsyslog.conf):
# Enable UDP
module(load="imudp")
input(type="imudp" port="514")

# Enable TCP (optional; use it when message loss is unacceptable)
module(load="imtcp")
input(type="imtcp" port="514")
Check the configuration, then restart rsyslog:
sudo rsyslogd -N1 && sudo systemctl restart rsyslog

B. Define Log Storage & Retention

# Store remote logs per host in /var/log/remote/ and keep them out of the local files.
# The hostname comes from the message itself, so an untrusted sender controls it;
# secpath-replace strips path characters, or use %FROMHOST-IP% to key on the peer address instead.
template(name="RemoteLogs" type="string" string="/var/log/remote/%HOSTNAME:::secpath-replace%.log")
if $fromhost-ip != "127.0.0.1" then {
    action(type="omfile" dynaFile="RemoteLogs")
    stop
}
Place this in /etc/rsyslog.d/ so it is included before the default rules. Set up log rotation: the stock /etc/logrotate.d/rsyslog stanza covers only the standard files, so add a stanza for /var/log/remote/*.log:
sudo nano /etc/logrotate.d/rsyslog

C. Filter Logs by Severity

# Only store critical logs (severity 0–2: emerg, alert, crit), as decoded from the PRI field
if $syslogseverity <= 2 then /var/log/critical.log
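Decoding the PRI described in section 2 and applying the same severity test as the rule above, in Python. This is an added example, not code from the original page or from rsyslog; the sample lines are constructed, and the page's own <134> line is included to show that its PRI decodes to local0.info even though the Cisco tag says severity 3. A line with no PRI is treated as <13> (user.notice), which is what RFC 3164 tells receivers to assume.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Facility and severity names in RFC 5424 section 6.2.1 order (index = numeric code).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 ("BSD syslog") line: optional <PRI>, then "Mmm dd hh:mm:ss", hostname, and the rest.
BSD_LINE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$")

# Cisco IOS tag: %FACILITY-SEVERITY-MNEMONIC, with its own 0-7 severity digit.
CISCO_TAG = re.compile(r"^%[A-Z0-9_]+-(?P<sev>[0-7])-[A-Z0-9_]+$")


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    tag: str
    message: str

    @property
    def facility_name(self) -> str:
        return FACILITIES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def parse_bsd_syslog(line: str) -> SyslogMessage:
    """Decode one RFC 3164 line. PRI = facility * 8 + severity; a missing PRI is
    treated as <13> (user.notice) as RFC 3164 section 4.3.3 tells receivers to do."""
    m = BSD_LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pri = int(m.group("pri")) if m.group("pri") is not None else 13
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    tag, sep, message = m.group("rest").partition(": ")
    if not sep:  # no "TAG: " prefix, so the whole remainder is the message
        tag, message = "", m.group("rest")
    return SyslogMessage(facility, severity, m.group("ts"), m.group("host"), tag, message.strip())


def cisco_severity(tag: str) -> Optional[int]:
    """Severity digit embedded in a Cisco mnemonic, or None for a non-Cisco tag."""
    m = CISCO_TAG.match(tag)
    return int(m.group("sev")) if m else None


def critical_only(lines: List[str], max_severity: int = 2) -> List[SyslogMessage]:
    """Same test as the rsyslog rule `if $syslogseverity <= 2`: keep emerg/alert/crit,
    judged by the PRI field only. Unparseable lines are skipped rather than failing the batch."""
    kept = []
    for line in lines:
        try:
            msg = parse_bsd_syslog(line)
        except ValueError:
            continue
        if msg.severity <= max_severity:
            kept.append(msg)
    return kept


# Constructed sample lines (not real captures). The first is the page's own example.
SAMPLE_LINES = [
    "<134>Dec 15 10:30:45 Router1 %SYS-3-CRITICAL: Temperature threshold exceeded",  # local0.info
    "<10>Dec 15 10:31:02 fw01 kernel: Out of memory: killed process 4242",           # user.crit
    "<0>Dec 15 10:31:10 db02 kernel: panic - not syncing",                           # kern.emerg
    "<13>Dec 15 10:31:15 web01 sshd[1234]: Accepted publickey for alice",            # user.notice
    "Dec 15 10:31:20 legacy01 cron[99]: job ran",                                    # no PRI -> <13>
    "<200>Dec 15 10:31:30 bogus host: PRI out of range, skipped by critical_only",
]

if __name__ == "__main__":
    for msg in critical_only(SAMPLE_LINES):
        print(f"{msg.hostname}: {msg.facility_name}.{msg.severity_name} {msg.tag}: {msg.message}")
    page_example = parse_bsd_syslog(SAMPLE_LINES[0])
    print("page example PRI decodes to", f"{page_example.facility_name}.{page_example.severity_name},",
          "but the Cisco tag says severity", cisco_severity(page_example.tag))
```

Running it keeps only fw01 and db02, and reports the page's example as local0.info with Cisco severity 3. If you want rsyslog to act on the Cisco digit rather than the PRI, you have to match on the message text (for example with a regex on $msg), because $syslogseverity never sees it.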

5. Configuring Network Devices

Cisco Router/Switch:

Router(config)# logging host 192.168.1.100
Router(config)# logging trap warnings
Router(config)# logging source-interface Gig0/0

Linux Client:

Create /etc/rsyslog.d/50-forward.conf (a single @ forwards over UDP; use @@ for TCP):
*.* @192.168.1.100:514
sudo systemctl restart rsyslog

Windows:

Windows does not ship a syslog sender. Event Viewer → Subscriptions configures Windows Event Forwarding (WEF), which delivers events over WinRM to a Windows collector, not to a syslog server. To get Windows events into syslog, install a forwarding agent on the host (or on the WEF collector), such as NXLog or the rsyslog Windows Agent, and point it at 192.168.1.100.

6. Verifying Syslog Communication

On Syslog Server:

tail -f /var/log/remote/Router1.log

On Cisco Device:

show logging | include Trap|Logging to
The "Trap logging" line shows the configured level and the "Logging to 192.168.1.100" line shows the destination together with a count of messages sent to it.

Test from Linux Client:

logger -p local3.err "Test message from Linux"
This writes to the local syslog, so it only reaches the server if forwarding is configured. To bypass the local rsyslog and send straight to the server (util-linux logger):
logger -n 192.168.1.100 -P 514 -d -p local3.err "Test message from Linux"
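What the logger command above actually puts on the wire, and how to confirm it arrives, in Python. This is an added example, not code from the original page or from util-linux: it builds the RFC 3164 line that `-p local3.err` implies (PRI 19 * 8 + 3 = 155), sends it as one UDP datagram, and uses a throwaway socket on 127.0.0.1 as the "server" so the round trip can be checked without root or a real rsyslog. The hostname client01 and tag are constructed values.

```python
import socket
import time
from typing import Optional, Tuple

# Numeric codes from RFC 5424 section 6.2.1; logger(1) accepts these same names in -p facility.level.
FACILITY_CODES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
                  "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
                  "local0": 16, "local1": 17, "local2": 18, "local3": 19,
                  "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITY_CODES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                  "warning": 4, "notice": 5, "info": 6, "debug": 7}


def priority(facility: str, severity: str) -> int:
    """PRI value that goes in the angle brackets: facility * 8 + severity (local3.err -> 155)."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]


def build_bsd_message(facility: str, severity: str, hostname: str, tag: str, text: str,
                      when: Optional[time.struct_time] = None) -> str:
    """Assemble an RFC 3164 line. The BSD timestamp has no year and the day is space-padded."""
    when = when or time.localtime()
    ts = f"{time.strftime('%b', when)} {when.tm_mday:2d} {time.strftime('%H:%M:%S', when)}"
    return f"<{priority(facility, severity)}>{ts} {hostname} {tag}: {text}"


def send_udp_syslog(message: str, server: str, port: int = 514) -> int:
    """One datagram, no acknowledgement: this is all the UDP transport gives you."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (server, port))


def loopback_roundtrip(facility: str = "local3", severity: str = "err",
                       text: str = "Test message from Linux", timeout: float = 2.0) -> Tuple[str, str]:
    """Stand-in for a real server: bind an unprivileged UDP port on 127.0.0.1, send one
    message to it the way `logger -n 127.0.0.1 -P <port> -d -p local3.err` would,
    and return (received_line, sender_ip)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as server:
        server.bind(("127.0.0.1", 0))     # port 0: the kernel picks a free port, so no root is needed
        server.settimeout(timeout)        # a real server never replies; a timeout here means "lost"
        port = server.getsockname()[1]
        sent = build_bsd_message(facility, severity, "client01", "logger", text)
        send_udp_syslog(sent, "127.0.0.1", port)
        data, (peer_ip, _) = server.recvfrom(65535)
        return data.decode("utf-8"), peer_ip


if __name__ == "__main__":
    line, peer = loopback_roundtrip()
    print(f"received from {peer}: {line}")
```

Point send_udp_syslog at the real server and port 514 to exercise the actual path; then the only confirmation you get is the line appearing in /var/log/remote/, which is exactly why a tcpdump on the server (section 11) is the next step when nothing shows up.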

7. Securing Syslog

Firewall Rules:

sudo ufw allow from 192.168.1.0/24 to any port 514 proto udp
sudo ufw allow from 192.168.1.0/24 to any port 6514 proto tcp   # only if TLS (below) is enabled
Restrict the source to the subnets that actually send logs: an unrestricted 514/udp accepts (and files) messages from any sender, and UDP source addresses are trivially spoofed.

Enable TLS (TCP Only):

The gtls driver is loaded through the global netstream settings, not with module(load="gtls"), and it needs the rsyslog-gnutls package on Debian/Ubuntu. The certificate paths below are placeholders for your own PKI.
# In /etc/rsyslog.d/20-tls.conf (replace the plain module(load="imtcp") line from section 4A; imtcp can only be loaded once)
global(DefaultNetstreamDriver="gtls" DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/ca.pem"
       DefaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/server-cert.pem" DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/server-key.pem")
module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.AuthMode="x509/name" PermittedPeer=["*.example.com"])
input(type="imtcp" port="6514")
StreamDriver.Mode="1" forces TLS; AuthMode x509/name makes the server verify the client certificate and match its name against PermittedPeer, so a host without a certificate issued by your CA cannot inject logs. The client's omfwd action needs the matching StreamDriver settings and the same CA.

8. Centralized Log Management Tools

Tool        Purpose
----------  ---------------------------------------------
Graylog     Open-source log analysis and dashboards
Splunk      Paid enterprise SIEM & analytics
ELK Stack   Elasticsearch + Logstash + Kibana

Graylog Example Flow: Syslog input → Apply rules → Trigger alerts

9. Time Sync (NTP)

Correct timestamps are essential in log correlation.

Linux:

sudo apt install chrony
sudo systemctl enable chrony

Cisco:

Router(config)# ntp server pool.ntp.org
A hostname only works if the device has ip name-server and ip domain lookup configured; most networks point devices at an internal NTP server by IP address instead.

10. Monitoring & Alerts

Linux Email Alert:

grep -i "CRITICAL" /var/log/remote/Router1.log | mail -s "ALERT" admin@example.com
This is a one-shot check that re-sends every past match each time it runs; for continuous alerting run it from cron against only the newly rotated file, or use rsyslog's ommail module, which mails on a matching rule as messages arrive.

Enterprise Tools:

  • SolarWinds: Alerts on messages like %LINK-3-UPDOWN
  • PRTG: Monitors syslog for threshold triggers (e.g., high CPU)
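A threshold alert of the kind the tools above offer, run over sample log lines. This is an added example, not code from the original page or from SolarWinds/PRTG: it watches for Cisco %LINK-3-UPDOWN messages and raises an alert when one interface changes state three times within a minute, which is the classic "port flapping" trigger. The sample lines are constructed, and the year is supplied by the caller because BSD timestamps do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import List, Optional, Tuple

# Header of an RFC 3164 line; the PRI is optional because files under
# /var/log/remote/ normally do not keep it.
HEADER = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# Cisco IOS link-state message, e.g. "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"
UPDOWN = re.compile(r"%LINK-3-UPDOWN: Interface (?P<iface>[^,]+), changed state to (?P<state>up|down)")

Alert = Tuple[Tuple[str, str], datetime]   # ((hostname, interface), time the threshold was crossed)


def parse_bsd_timestamp(ts: str, year: int) -> datetime:
    """BSD timestamps carry no year, so the caller supplies one (an assumption of this example)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_flapping_interfaces(lines: List[str], window_seconds: int = 60,
                             threshold: int = 3, year: Optional[int] = None) -> List[Alert]:
    """Raise one alert per (host, interface) each time it logs `threshold` state changes
    inside a sliding window of `window_seconds`. The history is cleared on alert, so a
    port that keeps flapping produces one alert per `threshold` events, not one per line."""
    year = year or datetime.now().year
    history = defaultdict(deque)
    alerts: List[Alert] = []
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue
        ev = UPDOWN.search(m.group("rest"))
        if not ev:
            continue                      # some other message from the same host
        now = parse_bsd_timestamp(m.group("ts"), year)
        key = (m.group("host"), ev.group("iface"))
        recent = history[key]
        recent.append(now)
        while recent and (now - recent[0]).total_seconds() > window_seconds:
            recent.popleft()              # drop events that fell out of the window
        if len(recent) >= threshold:
            alerts.append((key, now))
            recent.clear()
    return alerts


def alert_subject(alert: Alert) -> str:
    """Subject line in the spirit of the page's `mail -s "ALERT"` one-liner."""
    (host, iface), when = alert
    return f"ALERT {host} {iface} flapping ({when:%H:%M:%S})"


# Constructed sample, not a real capture. Cisco sends facility local7 by default, so
# severity-3 link messages arrive with PRI 23*8+3 = 187.
SAMPLE_LINES = [
    "<187>Dec 15 10:30:00 Router1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<187>Dec 15 10:30:05 Router1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "<187>Dec 15 10:30:12 Router1 %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down",
    "<187>Dec 15 10:30:20 Router1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<187>Dec 15 10:30:25 Router1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "<189>Dec 15 10:31:00 Router1 %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<187>Dec 15 10:32:00 Switch1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<187>Dec 15 10:34:00 Switch1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "<187>Dec 15 10:36:00 Switch1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
]

if __name__ == "__main__":
    for alert in find_flapping_interfaces(SAMPLE_LINES, year=2024):
        print(alert_subject(alert))
```

Only Router1 GigabitEthernet0/1 fires (three changes in 20 seconds); Switch1's port changes three times too, but two minutes apart, so it never has three events inside one window. Clearing the history on alert is the dedup that the grep-and-mail one-liner lacks.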

11. Troubleshooting

Issue               Solution
------------------  -----------------------------------------------------------
No logs received    Confirm rsyslog is listening (ss -ulnp | grep 514), then check the firewall and the device's logging host and trap level
Wrong timestamps    Sync time with NTP on both the device and the server
Logs truncated      Raise rsyslog's 8k default with global(maxMessageSize="64k") placed before the module() lines; many UDP senders also cap a datagram at 1024 bytes, so use TCP for long messages

Packet Capture:

sudo tcpdump -n -A -i eth0 udp port 514

12. Summary

  • Install rsyslog/Kiwi/Graylog depending on OS
  • Configure listening ports and log storage
  • Forward logs from routers/switches/servers
  • Apply severity-based filters
  • Secure the setup with firewalls and encryption
  • Use alerts and dashboards for critical events

Syslog Server Configuration Quiz

1. What is the primary purpose of a Syslog server?

Correct answer is D. A Syslog server collects, stores, and analyzes logs from network devices and applications for monitoring and troubleshooting.

2. Which transport protocol and port is the default for Syslog messages?

Correct answer is A. Syslog commonly uses UDP port 514 for fast, though unreliable, message delivery.

3. Which command on Cisco devices configures the Syslog server IP?

Correct answer is B. The "logging host" command specifies the IP address of the remote Syslog server.

4. What is a common method to secure Syslog traffic when using TCP?

Correct answer is D. TLS encryption can secure Syslog traffic over TCP, protecting log confidentiality and integrity.

5. Where are logs typically stored on a Linux Syslog server configured for remote logging?

Correct answer is C. Remote logs are often stored in a directory named /var/log/remote with individual files per device hostname.

6. What is an effective way to ensure accurate timestamps in Syslog messages?

Correct answer is A. NTP ensures synchronized time between devices and servers for correct log timestamps.

7. Which of the following is a popular open-source centralized log management tool?

Correct answer is B. Graylog is an open-source tool for log collection and analysis.

8. How can you verify that a Cisco device is forwarding logs to a Syslog server?

Correct answer is C. This command filters the log output to confirm logs are being sent to the Syslog server.

9. What firewall rule should be allowed to enable Syslog UDP traffic from LAN devices?

Correct answer is D. Syslog commonly uses UDP port 514 for forwarding logs.

10. Which Linux command can be used to manually send a test Syslog message?

Correct answer is A. The "logger" command sends messages to the syslog system from the command line.
