An Overview of Syslog and Syslog Server

This article gives a short introduction to Syslog and Syslog servers: how they help in monitoring network devices by storing the logs the devices generate in a database and retrieving them later, how messages are logged in a Syslog server, filtering rules in a Syslog server, options for alarm generation in a Syslog server, and the disadvantages of Syslog servers.
What is Syslog and why is it required?

Syslog is a protocol for sending and receiving notification messages from network devices that are capable of sending Syslog messages. Generally, these messages are sent in a certain format to a Syslog server, which gives the option to store the messages and retrieve selected ones. The message includes information like the host IP address, time stamp, event message, facility, severity etc. While the facility indicates the application sending out the Syslog message, the severity assigns each message a level from 0 to 7 (Emergency/system unusable, Critical, Informational, Debug etc.).

Syslog is required for monitoring network devices and systems: they send notification messages when there is a problem in their functioning, when certain pre-defined events happen, or to allow monitoring for suspicious activity through the change log/event log of devices like firewalls. Almost all devices, such as network switches, routers, wireless controllers, IDS systems etc., send such messages in Syslog format.

Message Logging and Database Integration in Syslog Server:

A Syslog server offers centralized log/event management for the messages received from different network devices. This makes it easier for a large enterprise to monitor/trace the health of all its network devices from a single application and to create common filters/alarms for monitoring and notification purposes.

The log messages stored in Syslog servers are generally very small, and about 5 million messages can be stored per 1 GB of hard disk space. Most modern servers have enough capacity to write a thousand or more entries per second into the Syslog server's database. Faster disks, such as SCSI and RAID solutions, are recommended for better performance, especially under higher load.

Some Syslog servers support ODBC-compatible databases. Some vendors support MySQL and others support MS SQL or Access. The log messages are kept in a database format defined/supported by the vendor.

Filtering rules in a Syslog Server:

Since a Syslog server receives and stores a large number of log messages sent by various network devices, it is important to have a good, quick retrieval mechanism that extracts only the relevant messages based on certain parameters (like device name, event criticality etc.). To enable this, Syslog servers use filtering rules.

A filter enables the administrator to see certain types of entries, or to avoid seeing certain types of entries (called a negative filter). So a rule could be set up, for example, to show only the critical log messages from the firewall. There could be specific filters to show certain types of entries, generic filters that select on the type of application generating the log messages, and filters that combine a few other filters.

Alarms:

Defining alarms provides immediate feedback for important events like application failures, hardware errors, lost contact, mis-configuration etc. Based on a previously set criterion or filtering rule, alarms can be generated and the IT support team notified via email, SMS, pop-up messages, HTTP alarms, SNMP alarms etc. This process is automated, so that when one of the network devices fails suddenly or an important event occurs on any of them, the IT support team is notified automatically and immediately. The Syslog server is what makes this possible.
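As an added example (not code from the original article or from any Syslog server product), the filtering and alarm mechanics of the two sections above reduced to working Python: a parser for the classic BSD wire format (where PRI = facility * 8 + severity), a filter-rule builder that also supports the negative filter, and an alarm pass that hands matches to a notifier. The sample messages, host names and tags are constructed.

```python
import re
from collections import namedtuple
from typing import Callable, List, Optional

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample messages (not from any real device) in the classic BSD
# wire format <PRI>TIMESTAMP HOST TAG: TEXT, where PRI = facility * 8 + severity.
SAMPLE_MESSAGES = [
    "<34>Jan 12 10:15:01 fw-edge kernel: link down on eth1",    # facility 4, crit
    "<190>Jan 12 10:15:02 core-sw1 snmpd: polled by 10.0.0.5",  # facility 23, info
    "<18>Jan 12 10:15:03 fw-edge pfsense: config reloaded",     # facility 2, crit
    "<15>Jan 12 10:15:04 wlc1 apmgr: AP heartbeat received",    # facility 1, debug
]

LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")
SyslogMessage = namedtuple("SyslogMessage", "facility severity timestamp host tag text")

def parse(line: str) -> SyslogMessage:
    """Split one BSD-style line into fields; reject lines with no or out-of-range PRI."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m.group(1))
    if pri > 191:  # largest legal PRI: facility 23, severity 7
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogMessage(pri // 8, pri % 8, *m.groups()[1:])

def make_rule(host: Optional[str] = None, max_severity: int = 7,
              negative: bool = False) -> Callable[[SyslogMessage], bool]:
    """Filter rule: host matches (if given) and severity <= max_severity (0 is worst).
    negative=True turns it into a negative filter that hides what it would show."""
    def rule(msg: SyslogMessage) -> bool:
        hit = (host is None or msg.host == host) and msg.severity <= max_severity
        return not hit if negative else hit
    return rule

def apply_filter(lines: List[str], rule) -> List[SyslogMessage]:
    return [msg for msg in map(parse, lines) if rule(msg)]

def raise_alarms(lines: List[str], rule, notify: Callable[[str], None]) -> List[str]:
    """Feed every message matching the alarm rule to a notifier (an email/SMS/SNMP
    sender in a real server; here any callable) and return the alarm texts."""
    alarms = [f"{SEVERITY[m.severity].upper()} {m.host} {m.tag}: {m.text}"
              for m in apply_filter(lines, rule)]
    for text in alarms:
        notify(text)
    return alarms
```

Calling `raise_alarms(SAMPLE_MESSAGES, make_rule(host="fw-edge", max_severity=2), print)` reproduces the "critical messages from the firewall alone" rule from the filtering section and prints the two matching alarms.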

Limitations of Syslog server:

¤ Message size limit of 1k.
¤ The message format is often not standardized, and only some messages are in human-readable form.
¤ The RFCs proposed for Syslog have not been uniformly adopted.
¤ Since it is UDP based, there may be some reliability issues.
¤ The protocol is not very secure and is prone to replay attacks etc. The sender address can also be faked.
¤ If there is a large burst of network traffic, there may be some packet loss.

excITingIP.com


One thought on “An Overview of Syslog and Syslog Server”

  1. muskan

    hi,

    how can these alarms be generated?? any software??
