Skip to main content

CompTIA A+

Syslog

10 min read

Syslog is a standard protocol for collecting and transmitting log messages across a network. Originally developed for Unix systems in the 1980s, syslog has become the universal logging standard supported by virtually all operating systems, network devices, and applications. Routers, switches, firewalls, servers, and workstations can all send log data to a central syslog server for storage, analysis, and alerting.

Centralized logging through syslog gives administrators a single location to monitor events across the entire infrastructure, making troubleshooting faster and security monitoring more effective.

How Syslog Works

Syslog follows a simple client-server model. Devices generate log messages and send them to a syslog server (also called a syslog collector or syslog daemon). The server receives, stores, and organizes these messages for review.

Syslog Ports

Traditional syslog uses UDP port 514, which is unencrypted and provides no delivery confirmation. For reliable delivery with confirmation, TCP port 514 can be used instead. Secure environments should use TCP port 6514, which provides syslog over TLS encryption.

UDP port 514 is the default and most common, though it provides no guarantee of message delivery. Critical environments often use TCP or TLS-encrypted syslog for reliability and security.

Message Format

A syslog message contains three parts. The Priority (PRI) combines facility and severity into a single value. The Header contains the timestamp and hostname or IP address of the sending device. The Message contains the actual log content describing the event.

Example syslog message:

<34>Oct 11 22:14:15 server01 sshd[12345]: Failed password for admin from 192.168.1.100

Facility and Severity

Syslog categorizes messages using two classification systems that help administrators filter and prioritize log data.

Facilities

Facilities identify the source or type of program generating the message. Code 0 represents kernel messages (kern). Code 1 is for user-level messages. Code 2 handles the mail system. Code 3 covers system daemons. Code 4 is for security and authentication messages (auth). Code 5 represents syslog internal messages. Code 6 handles the printing system (lpr). Code 9 covers scheduled tasks (cron). Code 10 is for private authentication messages (authpriv). Codes 16 through 23 are designated as local0 through local7 for custom or local use.

Local facilities (local0 through local7) allow organizations to categorize custom applications or specific device types.

Severity Levels

Severity indicates the importance of a message. Lower numbers represent more critical events.

Level 0 is Emergency, meaning the system is unusable. Level 1 is Alert, indicating immediate action is required. Level 2 is Critical for critical conditions. Level 3 is Error for error conditions. Level 4 is Warning for warning conditions. Level 5 is Notice for normal but significant events. Level 6 is Informational for general information. Level 7 is Debug for detailed debugging data.

Memory aid: "Every Awesome Cisco Engineer Will Need Ice-cream Daily" helps remember the severity order from 0 to 7.

When configuring logging, specifying a severity level typically includes all levels of equal or greater importance. Setting level 4 (Warning) captures warnings, errors, critical events, alerts, and emergencies.

Syslog Servers and Collectors

A syslog server receives and stores messages from across the network. Options range from simple built-in services to enterprise platforms.

Common Syslog Servers

rsyslog is the default syslog daemon on most Linux distributions. It supports UDP, TCP, and TLS with filtering and database output.

syslog-ng is an advanced syslog server with powerful filtering, parsing, and routing capabilities.

Windows Event Collector provides centralized logging for Windows environments.

This lesson is part of ExamWizardz Pro

Unlock every lesson, unlimited practice tests, and the AI tutor.

See Pro pricing

or start with a free account