Installing and configuring a syslog server. Convenient monitoring of syslog messages from network devices in Zabbix. Installing Kiwi Syslog Server

Last Updated: June 6, 2019

Syslog, and by extension syslog servers, are simply a protocol and the programs that aggregate and transfer diagnostic and monitoring data. Their power comes from the wide range of data that can be collected and from the ways in which that data can be analyzed and leveraged for network maintenance, system monitoring, and dozens of other diagnostic and troubleshooting purposes.

The syslog protocol is supported by a very wide range of devices, so it is easy for devices and applications to send log messages to a syslog server, which stores them for further analysis.

Most notably, syslog servers are often capable of triggering alerts or sending notifications, which lets an admin in the field receive time-critical information or get a heads-up about something that may need attention soon. Thanks to the severity level carried in every message, it is easier to tell what can wait and what cannot.

SNMP ties in closely with syslog server functionality and the two are used in tandem: admins are used to polling a wide variety of information via SNMP, and syslog server software can take that data further. Graphical interfaces that aggregate SNMP data, for example, can massively speed up the assessment of critical systems and failure points.

Using these same metrics, many syslog servers can also run automated scripts or actions that trigger on events, which can streamline recovery from, or prevention of, downtime and outages.

Some syslog servers require a client application for management, but many also offer a web interface, which eases management remotely or from different systems on the network. Most servers are also reasonably good at data management and handle some level of archiving for older logs that are not actively needed.

Syslog does have a few drawbacks. The original BSD format (RFC 3164) is loosely specified and implementations vary, so sloppy senders can cause trouble for syslog servers (the newer RFC 5424 format is stricter but not universally used). More importantly, the classic UDP transport has no authentication or integrity protection: any host that can reach the collector can inject messages or spoof the source address.

In a trusted network environment this is usually accepted, but malware or untrusted networks can exploit it. Restrict the collector to known source addresses, use TCP with TLS (RFC 5425) where the devices support it, or carry syslog over a separate management network.

Here's the best FREE syslog server software & tools of 2019:

Below is a list of software that performs these functions and more, along with the compatible operating systems and, importantly, whether it supports some form of alert (alarms, pop-ups, etc.) and/or notification (email, SMS, etc.).

1. Kiwi Syslog Server – FREE VERSION

Kiwi's Syslog Server boasts ease of installation and setup on top of its other range of desirable features. Reports can be generated in easy-to-read HTML or in plain text if they need to be parsed by other software.

Log archival and storage are automatic and rigorous, with attention to compliance in cases where regulatory requirements, even ones as stringent as HIPAA, must be met. Kiwi provides a web-based console for easy and quick access that requires no client installation or configuration.

Kiwi's software handles both syslog and SNMP traps, including from Linux and UNIX hosts, and performs real-time alerting and notification on that data using a wide, customizable range of conditions.

OS compatibility and alert/notification ability: Windows XP 32/64, Windows 2003 32/64, Windows Vista 32/64, Windows 7 32/64, Windows 2008 R2 32/64, Windows 8, Windows Server 2012 & 2012 R2; has both alert and notification ability.

2. PRTG (Free Version)

PRTG gains syslog capability when a Syslog Receiver sensor is added to the PRTG monitoring suite.

It focuses primarily on SNMP and syslog protocol data and has a good amount of analysis ability thanks to the capabilities PRTG already has for general monitoring and management.

OS compatibility and alert/notification ability: any 64-bit Windows environment, with Windows Server 2012 R2 specifically recommended; good notifications and alerts, but the details vary a bit as the sensor must be added and configured by hand.

3. SNMPSoft Syslog Watcher

Installed as a dedicated syslog server for all manner of network devices, with native support for a good range of notification options, SNMPSoft's program also boasts a particular ability to parse and handle non-standard syslog, something that makes some other software falter.

Of particular note, there is also a Syslog Watcher VendorPack available, a large reference of syslog messages for proprietary equipment that speeds up troubleshooting by decoding non-standard syslog messages automatically.

OS compatibility and alert/notification ability: Windows XP through Windows 10; robust notifications and solid alerts as well.

4. Splunk Light

Not an ideal solution, as even the Splunk forums suggest using several Splunk instances for a proper setup, but still doable. Using Splunk to index and manage log files written by a dedicated syslog server is more strongly recommended, because when Splunk listens on the syslog port directly, messages sent while Splunk restarts are lost (UDP has no retransmission).

Nonetheless, it does offer syslog functionality and, with a little work getting several Splunk instances working together, can be a solid solution.

OS compatibility and alert/notification ability: Splunk runs on 64-bit Windows as well as Linux and Mac OS X; syslog functionality varies; no real alerting or notification functionality for syslog.

5. The Dude

The Dude, despite its odd name, is an interesting free option for general network management: it comes with a built-in syslog server which is easy to enable, and it also supports remote logging via RouterOS.

Log events can be filtered, sorted to different logs, or discarded based on customizable thresholds.

OS compatibility and alert/notification ability: most versions of Windows (Windows 2000 or newer recommended); also runs on Linux or macOS using Wine/Darwine; email-based notification with some on-screen and log-based alert options, too.

6. TFTPD32

7. Syslog Server (Abandoned)

A fairly simple, barebones syslog server that also doubles as an analyzer. It can be set to log and monitor only events above certain threshold values, can trigger email-based notifications, and lets you change how events are displayed.

OS compatibility and alert/notification ability: runs as a service on Windows Server versions prior to 2008 and as an application on most Windows versions; can trigger e-mail notifications based on thresholds.

8. Icinga Open-Source Monitoring

9. Visual Syslog Server

Visual Syslog Server is a very straightforward and lightweight syslog option that focuses on real-time viewing.

It can rotate logs automatically to avoid bloat, and can also trigger scripts or programs when configurable thresholds are crossed.

OS compatibility and alert/notification ability: Windows XP, Vista, as well as Windows Server 2003, 2008, 2012; it can send notifications via email and also supports some alerting and automated triggering of actions.

10. 3cDaemon

Based on the BSD Unix style of syslogd, this particular offering will appeal only to a select crowd. Nonetheless, it can log based on priority, filter or restrict messages by IP address, show the log in real time, and dump log information to plain ASCII.

OS compatibility and alert/notification ability: application-level server that runs on most older Windows versions; newer OS versions are iffy at best as the software is quite old; no real alerting or notification functionality.


11. Datagram

This software focuses on enterprise-level functionality and is geared towards larger environments: it can gather a wide range of syslog information, store it in a central database, and offers a wide range of filters and alarms.

OS compatibility and alert/notification ability: Windows 2000 and later; has alarm functionality but not much for notifications.

Conclusion

Syslog collection via a capable syslog server can save any network administrator an enormous amount of time and effort.

Every bit of data, whether SNMP or syslog, that can be requested, aggregated, and analyzed is another potential piece of the puzzle that can trigger alerts or notifications and bring human attention to a problem as soon as possible, or even fire off predefined scripts or programs to alleviate, or at least slow down, oncoming issues.

The flexibility of these programs is a superb way for admins to leverage monitoring to their advantage, with the goal of maximum uptime and stability.

Much of this information can be seen on any one system or device, but even a small network with a few dozen devices would be totally unreasonable to monitor one by one; having it centralized, automated, and closely monitored is invaluable.

James Cox is the Editor at ITT Systems and has a long history in the IT and network engineering field. He holds a long list of credentials, ranging from CompTIA certifications up to Cisco and VMware.

A device can keep its logs in RAM or in flash, and obviously neither holds much; RAM is also wiped on reboot.
This matters most in failure cases, when there is no chance or no time to look at the device and it panics and reboots, losing every log line.

A good alternative is logging to an external host, a syslog server.
Syslog server software exists from many vendors; here we look at the best-known one, Kiwi Syslog Server 9.4.1.

Installing Kiwi Syslog Server

There is nothing complicated about the installation: run Kiwi_Syslog_Server_9.4.1.Eval.setup.exe, accept the defaults and agree to everything.
The one thing to note down is the administrator account for Web Access.
The installer will ask for a reboot. Apply the licence right after installation.

Checking and configuration

The service status can be checked under:
Administrative tools > Services > Kiwi Syslog Server
It should be in the Started state.

The server status can be checked by starting Kiwi Syslog Server Console.
From there you can check the following:

  • File > Send test message
  • Manage > Show syslogd service state

Configuring a Cisco device

! Timestamp log messages with the local date and time (add "msec" and
! "show-timezone" if you need unambiguous timestamps when correlating logs)
service timestamps log datetime localtime
!
! Enable logging
logging on
!
! Limit console output to critical (severity 2) and more severe messages;
! debug output on the console can make a busy box unusable
logging console critical
! Allow everything up to debugging on vty sessions (shown only after "terminal monitor")
logging monitor debugging
!
! Keep messages in the local buffer: informational (6) and above, 16386-byte buffer
logging buffered informational
logging buffered 16386
! Rate-limit to 100 messages per second, except severity 4 (warnings) and more severe
logging rate-limit 100 except 4
!
! Send messages to the syslog server (UDP port 514 by default)
logging 192.168.1.10
! Trap level: the highest severity number sent to the server. Severities run from
! 0 (emergencies) to 7 (debugging); "debugging" sends everything, which can flood
! the server and the link, so "informational" (6) is the usual production choice
logging trap debugging

To see what has landed in the buffer:
router#show logging

To enable monitor logging on the current terminal session:
terminal monitor

As a result, messages should start arriving at the syslog server:

Web access

Web Access not only gives remote access to the logs; it is in practice the main working tool for syslog, offering extensive message filtering, separation of user rights, and so on.

Its use is intuitive and hardly needs comment.

Kiwi Syslog Server and tftpd32.exe

After installing the syslog server, tftpd32.exe may fail to start because of a port conflict.
The reason is that tftpd32.exe also listens for syslog (UDP port 514) by default; this can be switched off in its settings.

Syslog is a universal standard for system messages. It was originally implemented by a Unix utility called syslogd, but it is now used by a wide range of IT equipment, so just about every piece of computing kit you buy will be able to send syslog messages. You can direct these messages to different log files according to the message severity level. But if you plan to make the most of the information, that data really should be processed, or at least read.

We get into plenty of detail on each of the tools we selected for this list, but if you are just in need of a quick summary, here’s a list of

  1. Kiwi Syslog Server – A paid tool that runs on Windows but is free to use to monitor the logs from up to five devices.
  2. Paessler PRTG – A comprehensive network, server, and application monitor that includes sensors for syslog management. PRTG is free if you only activate up to 100 sensors, which is more than enough to access the syslog server monitors.
  3. Loggly – Cloud-based log analyzer that uploads all of your log data to its servers. This service is for a fee, but there is a free Lite package.
  4. Event Log Analyzer – This tool is available from ManageEngine, which produces many other system management utilities. It is free to monitor up to five log sources.
  5. WhatsUp Syslog Server – Syslog message storage, parsing, and forwarding, and some analysis functions too, from this free tool for Windows.
  6. Syslog Watcher – A free syslog server for Windows that writes syslog messages to files or a database and includes record sorting and filtering functions.
  7. Fastvue Syslog – Free syslog server for Windows Server 2012 R2 and later. As well as writing messages to log files, it creates validation files holding a SHA-256 hash of each log file (a hash, not encryption).
  8. The Dude – Free network analysis tool with an integrated syslog server for Windows, Linux, and Mac OS.
  9. Nagios Log Server – Integrated into Nagios XI (paid) and Nagios Core (free) for Windows and Linux. The free version is limited to a data throughput of 500 MB per day.
  10. Icinga 2 – Free network monitoring system for Linux with integrated syslog logging.
  11. Visual Syslog Server – Collects syslog messages and stores them to file as well as displaying them in a dashboard. The program is free and runs on Windows and Windows Server.
  12. Syslog-NG – A free syslog server for Linux that also collects Windows events over a network.
  13. NxLog – A free syslog server for Windows, Linux, Unix, and Android.
  14. Logstash – A system message collection service for Linux that includes the storage of syslog messages.
  15. Graylog – A log management system for Linux that is free to use with log message data volumes of up to 5 GB per day.
  16. TFTPD32 – Lightweight, free system message logger for Windows that includes a syslog server.

Syslog Servers and Clients

The concept of a "syslog server" really refers to an application that deals with syslog messages rather than to a dedicated computer provided to receive them. So don't be misdirected by the word "server".

The server/client model is a little different in syslog terms, too. Usually the client contacts the server and the server responds. In syslog, the client is just a program that emits error, warning, and debugging messages. It has no dialogue with its counterpart: over the classic UDP transport it sends the messages to the configured collector address whether or not anyone is listening. syslogd is a daemon that collects those messages, so it is considered the server even though it never responds to the originator. The daemon may run locally, or it can be a remote syslog server reached over the network (TCP and TLS transports exist for reliability and confidentiality, but a plain UDP collector has no way to verify who sent a message).
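The points above (PRI header, severity levels, a collector that cannot authenticate its senders, and the Cisco `logging trap <level>` threshold used in the configuration section earlier on this page) are easier to see in code. The following is an added example written for this page, not code from syslogd or any product listed here. It decodes the `<PRI>` header of BSD-style messages into facility and severity, drops datagrams whose source address is not on a configured allowlist (the only defence a plain UDP collector has against spoofed or stray senders), and applies a trap-level threshold. The allowlist, trap level and sample messages are constructed; the Cisco message text format is illustrative.

```python
"""Minimal syslog datagram triage: decode <PRI>, check the sender, apply a
trap level.  Added example for this page; all inputs are constructed."""
import re

# Facility codes 0..23 (RFC 5424 table, with common local names)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
# Severity codes 0..7 using Cisco's keywords: 0 is most severe, 7 least
SEVERITIES = ["emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"]

# BSD (RFC 3164) form is "<PRI>rest"; Cisco IOS puts a sequence number and a
# timestamp at the start of "rest", so only the PRI header is parsed here.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(raw):
    """Return (facility_name, severity_name, severity_number, rest) for one raw
    message, or None if the <PRI> header is missing or out of range.
    PRI = facility * 8 + severity, so divmod recovers both fields."""
    m = _PRI_RE.match(raw)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal value
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], severity, m.group(2)


def accept(src_ip, raw, allowed_sources, trap_level):
    """Classify one datagram.

    allowed_sources: set of IP strings configured as legitimate log sources.
    UDP syslog carries no authentication, so anything from another address
    is treated as spoofed or stray and dropped.
    trap_level: numeric ceiling in Cisco's sense; 'logging trap informational'
    (6) means severities 0..6 are wanted and 7 (debugging) is not.
    Returns (verdict, parsed) with verdict one of 'keep', 'unknown-source',
    'malformed', 'below-threshold'."""
    if src_ip not in allowed_sources:
        return "unknown-source", None
    parsed = parse_pri(raw)
    if parsed is None:
        return "malformed", None
    if parsed[2] > trap_level:
        return "below-threshold", parsed
    return "keep", parsed


def route(datagrams, allowed_sources, trap_level=6):
    """Run (src_ip, raw) pairs through accept(); return the datagrams bucketed
    by verdict and the kept message bodies bucketed by severity name."""
    by_verdict = {"keep": [], "unknown-source": [], "malformed": [], "below-threshold": []}
    by_severity = {}
    for src_ip, raw in datagrams:
        verdict, parsed = accept(src_ip, raw, allowed_sources, trap_level)
        by_verdict[verdict].append((src_ip, raw))
        if verdict == "keep":
            by_severity.setdefault(parsed[1], []).append(parsed[3].strip())
    return by_verdict, by_severity


# Constructed sample traffic: a router at 192.168.1.1 logging to facility
# local7 (23), so PRI 189 = notice(5), 187 = error(3), 191 = debugging(7);
# plus one datagram claiming to come from a host that was never configured.
SAMPLE = [
    ("192.168.1.1", "<189>12: *Jun  6 10:15:02.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0"),
    ("192.168.1.1", "<191>13: *Jun  6 10:15:03.001: %IP-7-DEBUG: ip packet debugging is on"),
    ("192.168.1.1", "<187>14: *Jun  6 10:15:09.442: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"),
    ("10.9.9.9",    "<189>1: *Jun  6 10:15:10.000: %SYS-5-CONFIG_I: Configured from console by root on vty5"),
    ("192.168.1.1", "not a syslog message"),
]

if __name__ == "__main__":
    verdicts, by_sev = route(SAMPLE, {"192.168.1.1"}, trap_level=6)
    for verdict, items in verdicts.items():
        print(f"{verdict:16s} {len(items)}")
    for name, msgs in by_sev.items():
        print(name, msgs)
```

With the trap level set to 6 the debugging message is discarded, the datagram from 10.9.9.9 is dropped without being parsed, and the two remaining router messages are filed under "notifications" and "errors". Counting the dropped buckets is worthwhile: a sudden rise in unknown-source datagrams is itself something to alert on.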


4. Event Log Analyzer

ManageEngine's Event Log Analyzer operates as a syslog server and is free for up to five log sources. The software can be installed on Windows or Linux, but it can collect events from any operating system. The syslog data can originate from any type of network-connected equipment, including switches, routers, and virtual machines.

You don't have to put much work into setting up the system thanks to its autodiscovery feature. Syslog is a messaging standard implemented by just about all network-connected devices, so once the equipment is pointed at it, the Event Log Analyzer just listens for the syslog messages they send. Each message carries a header naming its origin, which lets the Event Log Analyzer build up a list of the hardware on the network and list alerts and status reports by IP address or origin.

The ManageEngine dashboard includes a lot of functionality that lets you specify actions to perform on the collected syslog data. A typical syslog server requirement is to write all records to event logs. This action is available, but you can also query records in the dashboards and sort and filter messages. Archived logs can be compressed and encrypted, and access to the stored data can be restricted to a few user accounts with admin rights.

The Event Log Analyzer can also receive SNMP traps. ManageEngine produces a comprehensive network monitoring system called OpManager; a restricted version of it is available for free, and the Event Log Analyzer integrates well with that wider monitoring system.

5. WhatsUp Syslog Server

Ipswitch produces a successful network monitoring tool called WhatsUp Gold. It also offers a free syslog server, which can be used as a standalone utility or integrated into the WhatsUp Gold package. The WhatsUp Syslog Server is free to use and can be installed on Windows.

This tool covers the basic syslog server functions of capturing syslog data and storing it in event logs. Beyond that, the package gives you a few more facilities to organize syslog messages and deal with them: you can forward messages to other applications and save records to different files selectively. The syslog server includes a console where you can display records and specify how the program deals with each message type.

The syslog viewer shows live data as it comes in, and you can filter and sort records to focus on one source or message type. The volume of data the tool can handle means it would suit networks of all sizes, even though it is free: the console can handle up to six million messages per hour. You can also import archived records to analyze past events and get a long-term view of the performance of network equipment.

The management functions of the console let you specify templates highlighting specific alert conditions or message source IP addresses. You can also create custom warnings by specifying combinations of conditions that should be escalated to alert status.

6. Syslog Watcher

Syslog Watcher from EZ5 Systems is available for Windows. It is a free syslog server program with a number of extra monitoring features. As just about every device connected to your network sends out syslog messages, the syslog server has to work fast if you want it to do more than collect and write those messages to a file. Syslog Watcher uses a multithreaded architecture, so the collection of new records isn't held up by the processing of earlier ones.

The control dashboard gives you options on how to process messages. You aren't limited to storing them in files, because you can also write them to a database. Getting your syslog messages into a database gives you much more power to deal with event records: you can sort, filter, group, and count them, and combine events to generate custom alert conditions. Syslog Watcher can send you alert messages by email.

Syslog Watcher can receive messages over both UDP and TCP and supports both IPv4 and IPv6.

UPDATE : Syslog Watcher is free for home use. Business users have to pay for the tool . However, EZ5 Systems offers a 30-day money-back guarantee . So, if you want to try it out for free, just use it for a month and then ask for your money back.

7. Fastvue Syslog

Fastvue specializes in system message reporting tools. One of its products is a free syslog server utility. This software can be installed on Windows Server 2008 R2 and later versions of the Windows Server operating system.

The syslog component collects incoming messages and writes them to log files, which takes care of the basic syslog server function. The dashboard of the Fastvue tool examines all of your archived files and reports each file's size. Files are collated by date, and each is paired with a verification file that stores a SHA-256 hash of the log file. Checking this tells you whether a log file has been altered, which matters because intruders routinely edit logs to hide their presence. One caveat: an unkeyed hash stored beside the log only catches edits by someone who did not also recompute the hash, so the verification files (or the logs themselves) should also be copied to a host the intruder cannot write to, or the hashes should be keyed with a secret kept off the log host.

Fastvue Syslog compiles separate log files for each reporting device or IP address, so you end up with a directory of files per device address. Each file contains one day's worth of syslog messages from the device that the directory belongs to.

This syslog server focuses on creating and monitoring files of syslog messages rather than making those records available for analysis. If you need a console to analyze records, you will have to import the log files into another application.
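The per-device, per-day layout and the hash-beside-the-file check described above can be reproduced in a few dozen lines, which also makes the caveat concrete. The following is an added example written for this page, not Fastvue's code. It writes one file per source address and day, seals each file with an unkeyed SHA-256 sidecar (what the text describes) and with an HMAC-SHA256 sidecar under a key that is assumed to live off the log host, then simulates an intruder who rewrites a line and recomputes the unkeyed hash. The directory, key and log lines are all constructed.

```python
"""Per-device daily log files with integrity sidecars.  Added example for
this page; the key, messages and directory are constructed."""
import hashlib
import hmac
import os
import tempfile
from datetime import date


def log_path(root, src_ip, day):
    """<root>/<source address>/<YYYY-MM-DD>.log, one directory per device."""
    return os.path.join(root, src_ip, day.strftime("%Y-%m-%d") + ".log")


def append_message(root, src_ip, day, line):
    """Append one raw message to the day's file for that source."""
    path = log_path(root, src_ip, day)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "a", encoding="utf-8") as f:
        f.write(line.rstrip("\n") + "\n")
    return path


def seal(path, key=None):
    """Write <path>.sha256 (unkeyed) and, when a key is given, <path>.hmac
    (keyed).  Meant to run once a day's file is closed, i.e. at rotation."""
    with open(path, "rb") as f:
        data = f.read()
    digest = hashlib.sha256(data).hexdigest()
    with open(path + ".sha256", "w") as f:
        f.write(digest + "\n")
    if key is not None:
        with open(path + ".hmac", "w") as f:
            f.write(hmac.new(key, data, hashlib.sha256).hexdigest() + "\n")
    return digest


def verify(path, key=None):
    """Return {'sha256': bool, 'hmac': bool} for the file against its sidecars.
    compare_digest is used so the comparison does not leak timing."""
    with open(path, "rb") as f:
        data = f.read()
    with open(path + ".sha256") as f:
        stored = f.read().strip()
    result = {"sha256": hmac.compare_digest(hashlib.sha256(data).hexdigest(), stored)}
    if key is not None:
        with open(path + ".hmac") as f:
            stored_tag = f.read().strip()
        tag = hmac.new(key, data, hashlib.sha256).hexdigest()
        result["hmac"] = hmac.compare_digest(tag, stored_tag)
    return result


def intruder_edit(path, old, new):
    """Simulate an intruder with write access scrubbing a line and then
    recomputing the unkeyed sidecar, which is all they can do without the key."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    with open(path, "w", encoding="utf-8") as f:
        f.write(text.replace(old, new))
    with open(path, "rb") as f:
        data = f.read()
    with open(path + ".sha256", "w") as f:
        f.write(hashlib.sha256(data).hexdigest() + "\n")


def run_demo():
    """Write two constructed messages, seal, tamper, and verify before/after."""
    root = tempfile.mkdtemp(prefix="syslog-integrity-demo-")
    key = b"constructed-demo-key-kept-off-the-log-host"   # assumption: never stored on the collector
    day = date(2019, 6, 6)
    path = append_message(root, "192.168.1.1", day,
                          "<189>1: %SYS-5-CONFIG_I: Configured from console by admin on vty0")
    append_message(root, "192.168.1.1", day,
                   "<188>2: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.9.9.9]")
    seal(path, key)
    before = verify(path, key)
    intruder_edit(path, "Login failed [user: root] [Source: 10.9.9.9]",
                  "Login Success [user: admin] [Source: 10.0.0.5]")
    after = verify(path, key)
    return before, after


if __name__ == "__main__":
    print(run_demo())
```

Before the edit both checks pass; after it the unkeyed SHA-256 still passes, because the intruder recomputed it, while the HMAC fails. The same reasoning applies to any product that stores plain hashes next to its logs: the hashes are only as trustworthy as the host they sit on.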

8. The Dude

The Dude is a widely used free network analysis tool that includes syslog server functions. The app can be installed on any Windows version from Windows 2000 on, and runs on Linux and macOS under Wine, as noted in the first list above. It is produced by MikroTik, a router manufacturer from Latvia.

This system can monitor your network devices and collect syslog data. It can process SNMP traps, plus ICMP and DNS probes, and it can monitor TCP as well as UDP services. The network monitoring features include autodiscovery and a network topology mapper.

The syslog functions of The Dude are accessed from a tab in the interface. The system can operate as a full syslog server with extra forwarding and filtering capabilities. You can get The Dude to send all records to a file, or specify rules to divert qualifying messages to other destinations, which might be separate event logs or the console. You can also drop certain records and have the system beep, flash, or display a popup message for custom alert conditions.

The Dude performs actions when it detects a given alert condition, including the execution of commands. The Dude can send you an email or make a spoken announcement upon detection of a custom alert condition.

9. Nagios Log Server

Nagios is based on an open-source project. Because the source code can be downloaded, the system can be used for free, but there are limits on the free version: you can only use it for free up to 500 MB of data throughput per day. The Nagios software can be installed on Windows and Linux.

The log server can gather Windows events, Linux syslog, and network device syslog. It consolidates log messages in one central location. You can nominate physical servers to store event logs, distribute storage over a cluster of servers, and even duplicate files in different locations to create backups.

The console allows you to view live streams of log messages and access previously stored Syslog data . The interface includes sorting and filtering functions to help you analyze messages. You can specify alert conditions, which may be made up of a combination of statuses or designated as an alert on the frequency of specific message types coming in. The customization capabilities of Nagios even extend to the dashboard . It is possible to populate the dashboard with prioritized features, including message lists. Other elements you can place on the dashboard include data visualization tools, such as graphs, histograms, and charts.

10. Icinga 2

Icinga started off as a fork of Nagios in 2009 and has since diverged from its predecessor. The current version, Icinga 2, runs on Linux. The package comes in two parts: the core daemon is the data processor, and its backend can interface with a range of data stores, including Graphite and InfluxDB. The Icinga team also produces its own front end, Icinga Web 2, which is available from the Icinga website as a separate download.

Icinga 2 is a comprehensive network monitoring tool, and one of its features is a logging facility. Its SyslogLogger object writes Icinga's own log messages to the local syslog daemon (which can in turn forward them to a central syslog server); it is not a collector of syslog from other devices. The logger can be limited to messages of a given severity or higher: the progression of Icinga log levels is "debug", "notice", "information", "warning" and "critical" (these are Icinga's own levels, not the eight syslog severities), and the default is "warning", so a SyslogLogger with no severity set emits warning and critical messages only.

If you look at the Icinga website for a price, you won’t find one because this network monitoring tool is completely free .

11. Visual Syslog Server

Visual Syslog Server is a small utility that collects syslog data and displays it in a viewer. The records can also be written to log files and rotated by date or file size. The application is free and runs on Windows XP and above and on Windows Server 2003, 2008, and 2012.

In the dashboard, records are color coded with error messages in red and warnings in yellow. Those colors can be customized. You get real-time views of the messages and you can also load records into the viewer from files.

Although this utility has no sophisticated graphics or processing options, it is lightweight and fast, so it has its place. The viewer presents records and lets you filter and sort them. The interface can be set to play a sound when an alert condition is encountered, and you can also have the application send you an email when it encounters an alert or a warning; if your mail server supports it, the notification emails are sent over an encrypted connection. This is a handy, free, ready-to-use tool that gets the job done.

12. Syslog-NG

Syslog-NG is an open-source package that is free to use. The software is installed on Linux, but the log management system is able to collect Windows event data (via a forwarding agent on the Windows hosts) as well as standard Linux, Unix, and device firmware-generated syslog messages.

Syslog-NG collects all syslog (and forwarded Windows event) messages from the devices configured to send to it, recording the source address of each. The default destination for those records is a log file, but you can also forward messages to other applications or insert them into an SQL database. Syslog-NG is a pure syslog server in that it concentrates on capturing syslog messages; it normalizes messages arriving in different formats so they are stored in the same layout.

Other Syslog servers on this list can analyze data from the messages. Some Syslog servers have attractive dashboards with data visualization features. You don’t get any of that with Syslog-NG. If you want to get more functionality to process your Syslog messages, you will need to add on a data analysis tool.

13. Nxlog

This review includes syslog server programs that can be installed on Windows and/or Linux. Nxlog can be installed on either of those operating systems and also on Unix and Android. Whichever operating system you install it on, it will collect syslog data from all the others: Unix, Linux, Windows, and Android.

Nxlog is a straightforward message collection system. It can operate over UDP and TCP and can receive messages protected by TLS. Messages are written to files and can also be stored in databases. In all cases, Nxlog produces a standard record format that unifies data from disparate sources. A multithreaded architecture lets it handle hundreds of thousands of messages per second, making it suitable for networks of all sizes.

The Nxlog Community Edition is open source and free of charge. There are no analytical functions in this tool, so if you want to view records or manipulate them in any way, you will need a separate front end. It is a straightforward message collection and log file creation facility, which makes it a pure syslog server.

14. Logstash

Logstash is part of a suite of utilities called the Elastic Stack, produced by the company Elastic, whose first product was Elasticsearch. Elasticsearch is the second element of the stack and Kibana the third. The division of labor is that Logstash collects log messages, Elasticsearch indexes them so you can sort and filter them for analysis, and Kibana visualizes the data. The Elastic Stack programs run on Linux.

Kibana makes a good front end for syslog data from any of the other servers on this list, provided that data is indexed into Elasticsearch. As the collection service for the stack, Logstash operates as a syslog server: it listens on the network for messages from a wide range of sources, each enabled by an input plug-in. The syslog input plug-in alone is enough for this purpose; additional plug-ins add other data sources.

Logstash also gathers data from cloud services including AWS, and from applications such as Ganglia, Salesforce, Graphite, Kafka, and Twitter. The collection process can be set to accept TCP and UDP messages, including messages protected with TLS. Logstash can read messages from files and databases, receive SNMP traps, follow IRC and RSS feeds, and fetch messages from mail servers.

Logstash can filter, route, and reformat messages during processing. It stores records in files or inserts them into databases. The utility is written to integrate with Elasticsearch and can send data directly to it; similarly, Logstash can output data to Loggly, Nagios, AWS, Graphite, and Graylog. Other plug-ins notify you of new log data by email or by Slack message. Logstash is available free of charge.

15. Graylog

Graylog is a log management system available for Linux. It is a sophisticated syslog data analysis tool, but you can also use just its message collection and storage capabilities as a pure syslog server. Graylog is free for data volumes of 5 GB or less per day, so owners of small networks pay nothing; the data analysis functions don't count towards that throughput. You don't get vendor support with the free version, but the community forum on the Graylog website is full of tips and tricks from other users.

Graylog runs on a Linux host (and is also distributed as a ready-made virtual machine image) alongside the data stores it depends on. It receives syslog directly through its own Syslog UDP and Syslog TCP inputs; the rsyslog daemon that ships with most Linux distributions is what you typically configure on the sending hosts to forward their local logs to Graylog. The Graylog Sidecar, which is also open source, manages log collectors on Windows hosts so that Windows event logs can be shipped to Graylog as well.

The front-end for Graylog is browser-based . This will display inputs by type, so you will be able to see your Syslog messages together in one section of the dashboard. You can customize the dashboard, so if you set the system to gather messages from several sources, you don’t have to show the information from other sources on the same page as your Syslog messages. Widgets available for the dashboard include data visualization, such as histograms .

The dashboard lets you create your own alert conditions. You specify each alert on a stream; for example, you can pick the stream fed by the Syslog UDP input and set an alert on the number of warning messages that come through. System settings let you receive alerts as email notifications. Stream processing rules let you parse records, forward them, or store them to file or database.

16. TFTPD32/64

TFTPD is a small utility for Windows. The package is available as a 32-bit or a 64-bit application. The central element of this software is a TFTP client implementation. That client can be set to receive network messages from DHCP, DNS, and SNTP servers. It is also able to receive Syslog data.

This is a simple open-source utility that displays messages in the dashboard as they arrive. Buttons above the viewer let you view messages by type, and Syslog is one of the message types that can be shown. You see messages as they travel on their way to event logs, and the viewer also names the file that Syslog messages should be stored to. This utility doesn’t give you much functionality for data analysis. However, you can also read records in from a file, and then you have the ability to sort and filter messages.

TFTPD is able to work with IPv6 addresses as well as IPv4 addresses. TFTPD32 and TFTPD64 are both available for free.

Syslog servers by operating system

Syslog server           Linux   Windows   Other
Kiwi                    No      Yes       No
Paessler PRTG           No      Yes       Yes
Loggly                  Yes     Yes       Yes
Event Log Analyzer      Yes     Yes       No
WhatsUp Syslog Server   No      Yes       No
Syslog Watcher          No      Yes       No
Fastvue Syslog          No      Yes       No
The Dude                Yes     Yes       Yes
                        Yes     Yes       No
Icinga 2                Yes     No        No
Visual Syslog Server    No      Yes       No
Syslog-NG               Yes     No        No
Nxlog                   Yes     Yes       Yes
Logstash                Yes     No        No
Graylog                 Yes     No        No
TFTPD32                 No      Yes       No

Choosing a Syslog server

As you can see from the description of the tools in our list, you can choose a straightforward Syslog server, or opt for an analytical tool or a network monitoring system that incorporates Syslog server functions.

To qualify as a Syslog server, a tool must be able to collect system messages written according to the Syslog protocol and store them. Syslog forwarding capabilities are very useful, as is the ability to rotate logs, that is, to create new files periodically.

Beyond the basic function of transferring Syslog messages to files, you can look for the capabilities to sort and filter messages. The ability to vary processing according to message type, and to drop debug messages and informational notifications, is useful. A programmer might still need to see those debug messages, so the ability to selectively direct message types to a viewer, a log file, or a database can be very useful.

The evolution of Syslog processing to store records in a database rather than a file offers you great power. It is far easier to index, sort, search, and filter records in a database than it is to manipulate file records. This is because databases include a structured query language that enables you to isolate fields in records and perform selection, grouping, and exclusion functions on data without altering the original stored records.

Another useful advancement in the Syslog servers available today is a system that can collect messages generated by other platforms and protocols, such as the Windows event logger. If your Syslog server can create standardized record formats, that takes you another step further along the route to collecting important information about your system.

Getting alerts created for the conditions reported by Syslog will also give you extra power to focus your energy on important tasks. The ability to create your own alert conditions represents an advance in Syslog processing. Sometimes the contents of a single message might not cause concern; however, a sudden surge in the frequency of such messages should become an alert, and you can specify such conditions in many of the Syslog servers listed in this review. The ability to combine a count of message types or error conditions is another useful feature that many modern Syslog servers include.
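As an added example, not code from this article or from any of the products it reviews, the following Python script models two of the capabilities just discussed: routing records by severity (debug output to a viewer, serious messages to a database, the rest to a file, with informational records optionally dropped) and raising an alert on a surge in the frequency of an otherwise harmless message type. The destination names, the window and threshold values, and all sample records are constructed assumptions for illustration.

```python
"""Added example (not from the article): severity-based routing of syslog records and a
sliding-window surge alert, modelling the features described in 'Choosing a Syslog server'.
All sample records below are constructed for illustration."""
from collections import deque, defaultdict
from typing import Deque, Dict, List, Optional, Tuple

# RFC 3164 severity numbers: 0 emergency .. 7 debug (lower = more serious).
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def route(severity: str, drop_info: bool = True) -> Optional[str]:
    """Decide where a record goes. Debug output goes to the interactive viewer only,
    warnings and anything more serious go to the database for indexing and search,
    notices go to a flat file, and info records are discarded when drop_info is set.
    These destinations are an assumption of this example, not a fixed standard."""
    level = SEVERITY[severity]
    if level == SEVERITY["debug"]:
        return "viewer"
    if level <= SEVERITY["warning"]:
        return "database"
    if level == SEVERITY["info"] and drop_info:
        return None
    return "file"


class SurgeDetector:
    """Alert when the same message key is seen at least `threshold` times within any
    `window` seconds. Each record may be harmless on its own; the burst is the signal."""

    def __init__(self, window: float, threshold: int) -> None:
        self.window = window
        self.threshold = threshold
        self._seen: Dict[str, Deque[float]] = defaultdict(deque)

    def observe(self, key: str, ts: float) -> bool:
        q = self._seen[key]
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()  # one burst yields one alert, not one per extra record
            return True
        return False


def process(records: List[Tuple[float, str, str, str]],
            window: float = 60.0, threshold: int = 5):
    """records: (unix_time, severity, message_key, text). Returns (routing counts, alerts)."""
    detector = SurgeDetector(window, threshold)
    counts: Dict[str, int] = defaultdict(int)
    alerts: List[Tuple[float, str]] = []
    for ts, severity, key, _text in records:
        dest = route(severity)
        counts[dest or "dropped"] += 1
        if detector.observe(key, ts):
            alerts.append((ts, key))
    return dict(counts), alerts


# Constructed sample: one debug line, one info line, a notice, a burst of five failed
# logins within a few seconds, and one isolated failed login much later.
SAMPLE = [
    (1000.0, "debug", "OSPF-ADJ", "OSPF adjacency debug output"),
    (1001.0, "info", "SYS-CONFIG_I", "Configured from console"),
    (1002.0, "notice", "LINK-UPDOWN", "Interface Loopback0, changed state to up"),
] + [(1010.0 + i, "warning", "SEC_LOGIN-FAILED", "Login failed") for i in range(5)] + [
    (2000.0, "warning", "SEC_LOGIN-FAILED", "Login failed"),  # outside the window
]

if __name__ == "__main__":
    counts, alerts = process(SAMPLE)
    print(counts, alerts)
```

The detector clears its window after firing so that a sustained burst produces a single alert rather than one per additional record; a server that instead wants a repeated reminder would leave the window intact and add a cool-down timer.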

A Syslog server embedded in a network management tool can provide great analysis capabilities. If you already have all the analytical tools you need, then you would be better off focusing on the vanilla Syslog server tools in this review. However, if you have very little budget for system management software and you don’t currently have any analytical tools , then go for a free system management utility that includes a syslog server to keep control of your IT infrastructure.

Managing IT services requires the proper tools. Take a look at the free tools recommended in this review that fit your operating system. Take a little time to play around with each tool so you can discover their features for yourself. Given that all of these tools are free, you have nothing to lose but the time it takes to learn them.


Psychz - Nikhil

Votes: 0 Posted On: Jul 25, 2017 04:44:07

Syslog is an accepted standard used to send event messages to a logging server, called a Syslog server. The Syslog can be used to collect a variety of events. Some companies provide free as well as paid versions of Syslog servers. Here are some of the free versions of Syslog servers that you can get in the market.

Kiwi Syslog Server – FREE VERSION

Developed by SolarWinds, the Kiwi Syslog Server is a tool used to filter log messages, alert you about log messages, and also store them. It can gather both Syslog events and messages for Windows as well as Linux and Unix operating systems. It is very easy for devices to send log information to the Syslog server, as it supports a wide range of devices. It can manage Syslog messages and SNMP traps centrally and respond to Syslog messages automatically. You also get an email summary on a daily basis, which you can archive for further analysis and record.

You can set up different rules and filters to create your own setup. By using different filters you can segregate the messages on the basis of Priority, IP address, Hostname, Message Text, Time of Day, Flags/Counters, and Input Source.

The free version allows the collection of Syslog events and monitoring of 5 devices.

Please click on the following link to download the free version of Kiwi Syslog Server.

Paessler PRTG Syslog Server

Paessler PRTG offers you a free Syslog server. PRTG Syslog server provides you with a variety of sensors. Through the Syslog receiver, you can receive and analyze messages. It checks the content of the Syslog messages and analyses the content thoroughly. You can also set an alarm by putting filters like severity. Other important sensors provided by PRTG Syslog server are the Syslog sensor and the SNMP Trap Receiver. The SNMP Trap receiver is capable of receiving more than 10K messages per second. With the ability to connect to the device directly, these sensors work more efficiently and provide you with optimum efficiency in capturing the messages.

The Paessler PRTG Syslog Server is available in free as well as paid version. The free version allows you to use up to 100 sensors. You can visit the website to view all the free and paid sensor list. Click on the link below to visit the website.

Syslog Watcher

A Windows-based Syslog server, Syslog Watcher is a dedicated Syslog server solution which excels in collecting Syslog messages and displaying alerts in case of any network discrepancies. Syslog Watcher works exceptionally well even in the event of high network traffic. It has the capability of capturing millions of messages without any hitch in performance.

One of the most attractive features of Syslog Watcher is the user-friendly GUI. The main options are right on top of the window in the form of buttons. All the Syslog events can be viewed beneath it. From starting or stopping the server to retrieving the logs of events by applying a filter to the Syslog messages, all the features are right in front of you.

Please visit the website to sign up for Syslog Watcher by clicking on the link below.

Splunk Light

Used for automating Syslog event collection, Splunk Light is designed for small IT environments. It is available in the versions Splunk Lite and Splunk Enterprise. Splunk Lite is available for free and can be upgraded to Splunk Enterprise.

Splunk Lite offers features such as real-time monitoring and notification of events via email. Splunk Lite provides a centralized environment. You can collect data from various devices and store them collectively in a centralized database.

Please visit the following page to sign up for Splunk Lite.

When certain events occur on the network, network devices use trusted mechanisms to notify the administrator with detailed system messages. These messages can be non-critical or significant. Network administrators have various options for storing, interpreting and displaying these messages, as well as ways to send notifications about the messages that could have the greatest impact on the network infrastructure.

The most common method of accessing the system messages that network devices provide is to use a protocol called syslog.

The term syslog is used to describe a standard. It is also used to describe the protocol developed for that standard. The syslog protocol was developed for UNIX systems back in the 1980s, but was first documented by the IETF as RFC 3164 only in 2001. Syslog uses UDP port 514 to send event notification messages across IP networks to event message collectors, as shown in the figure.

Many network devices support syslog, including routers, switches, application servers, firewalls and others. The syslog protocol lets network devices send system messages across the network to syslog servers. A dedicated out-of-band (OOB) network can be deployed for this purpose.

Various syslog server software packages exist for Windows and UNIX. Many of them are free.

The syslog logging service provides three main functions:

  • gathering logging information for monitoring and troubleshooting;
  • selecting the type of information to be captured;
  • specifying the destinations of captured syslog messages.

On Cisco network devices, the syslog protocol starts by sending system messages and debug output to a local logging process on the device. How the logging process handles these messages and output depends on the device configuration. For example, syslog messages can be sent across the network to an external syslog server. These messages can be read without needing to access the device itself. Log messages and output stored on the external server can be pulled into various reports to make them easier to read.

Alternatively, syslog messages can be sent to an internal buffer. Messages sent to the internal buffer can only be viewed through the device's command-line interface.

Finally, the network administrator can specify which types of system messages are sent to which destinations. For example, a device can be configured so that all system messages are sent to an external syslog server, while debug-level messages are forwarded to the internal buffer and are available only to the administrator through the command-line interface.

As shown in the figure, popular destinations for syslog messages include:

  • the logging buffer (RAM inside a router or switch);
  • the console line;
  • the terminal line;
  • a syslog server.

System messages can be monitored remotely by viewing the logs on a syslog server or by accessing the device via Telnet, SSH or the console port.

Cisco devices generate syslog messages on particular network events. Every syslog message contains a severity level and a facility.

The lower the number assigned, the more important the syslog alert. The severity level of the messages can be used to control where each type of message is sent (for example, to the console or to other destinations). The full list of syslog levels is shown in figure 1.

Each syslog level has its own meaning:

  • Warning level to emergency level: these are messages about software or hardware malfunctions; these types of messages mean that the functionality of the device is affected. The syslog level assigned depends on the severity of the problem.
  • Debugging level: messages at this level contain output generated from issuing various debug commands.
  • Notification level: notification-level messages are for information only; device functionality is not affected. At the warning level, messages about an interface changing state to up or down or about a system restart are displayed.

Besides the severity level, syslog messages also contain information about the facility. Syslog facilities are service identifiers that identify and categorize system state data for error and event message reporting. The logging facility options available depend on the specific network device. For example, Cisco 2960 Series switches running Cisco IOS release 15.0(2) and Cisco 1941 routers running Cisco IOS release 15.2(4) support 24 facility options that are grouped into 12 facility types.

Some of the common syslog message facilities reported on Cisco IOS routers include:

  • the OSPF protocol
  • the SYS operating system
  • the IPsec protocol
  • Interface IP (IF)

By default, the format of syslog messages on Cisco IOS software is as follows:

seq no: timestamp: %facility-severity-MNEMONIC: description

For example, sample output on a Cisco switch for an EtherChannel link changing state to up looks like this:

00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up

In this example, the facility is LINK, the severity level is 3, and the MNEMONIC is UPDOWN.

The most common messages are link up and link down messages, and messages that a device produces when it exits configuration mode. If ACL logging is configured, the device generates syslog messages when packets match a configured condition.

Log messages can be time-stamped, and the source address of syslog messages can be set. This enhances real-time debugging and management.

When the service timestamps log uptime global configuration mode command is configured, each logged event shows the amount of time that has elapsed since the switch last booted. A more useful version of this command uses the datetime keyword in place of the uptime keyword; this makes each logged event display the date and time.

When using the datetime keyword, the clock on the network device must be set. The clock can be set in one of two ways:

  • manually, using the clock set command
  • automatically, using the Network Time Protocol (NTP)

NTP allows network devices to synchronize their time settings with an NTP server.

To allow the software clock to be synchronized by an NTP time server, use the ntp server ip-address command in global configuration mode. A sample configuration is shown in the figure. Router R1 is configured as an NTP client, while router R2 serves as an authoritative NTP server. A network device can be configured as either an NTP server (allowing other devices to synchronize with its time) or an NTP client.

The rest of the chapter assumes that the clock has been set and that the service timestamps log datetime command has been configured on all devices.

Configuring Syslog

To view syslog messages, a syslog server must be installed on a workstation in the network. There are several freeware and shareware versions of syslog, as well as paid enterprise versions. In figure 1, an evaluation version of the Kiwi Syslog service is displayed on a Windows 7 computer.

The syslog server provides a relatively user-friendly interface for viewing syslog output. The server parses the output and places the messages into pre-defined columns for easy interpretation. If timestamps are configured on the network device that sources the syslog messages, the date and time of each message is displayed in the syslog server output, as shown in figure 2.

Network administrators can easily navigate the large amount of data collected on a syslog server. One advantage of viewing syslog messages on a syslog server is the ability to perform granular searches through the data. Also, a network administrator can quickly delete less important syslog messages from the database.

By default, Cisco routers and switches send log messages for all severity levels to the console. On some IOS versions, the device also buffers log messages by default. To enable these two settings, use the logging console and logging buffered global configuration commands, respectively.

The show logging command displays the default logging service settings on a Cisco router, as shown in the figure. The first lines of output list information about the logging process, and the end of the output lists the log messages.

The first highlighted line states that this router logs to the console and includes debug messages. This actually means that all debug-level messages, as well as any lower-level messages (such as notification-level messages), are logged to the console. The output also notes that 32 such messages have been logged.

The second highlighted line states that this router logs to an internal buffer. Because logging to an internal buffer is enabled on this router, the show logging command also lists the messages in that buffer. Some of the system messages that have been logged can be seen at the end of the output.

Configuring a router to send system messages to a syslog server, where they can be stored, filtered, and analyzed, takes three steps:

Step 1. Configure the destination hostname or IP address of the syslog server in global configuration mode:

R1(config)# logging 192.168.1.3

Step 2. Control which messages are sent to the syslog server with the logging trap level global configuration mode command. For example, to limit the messages to levels 4 and lower (0 to 4), use one of the following two equivalent commands:

R1(config)# logging trap 4

R1(config)# logging trap warning

Step 3. Optionally, configure the source interface with the logging source-interface interface-type interface-number global configuration mode command. This specifies that syslog packets carry the IPv4 or IPv6 address of a specific interface, regardless of which interface the packet uses to exit the router. For example, to set the source interface to g0/0, use the following command:

R1(config)# logging source-interface g0/0

In figure 1, R1 is configured to send log messages of levels 4 and lower to the syslog server at 192.168.1.3. The source interface is set to the G0/0 interface. A loopback interface is then created, shut down, and brought back up. The console output reflects these actions.

The Tftpd32 syslog server shown in figure 2 is set up on a Windows 7 computer with IP address 192.168.1.3. As you can see, only messages with severity level 4 or lower (more severe) are displayed on the syslog server. Messages with severity level 5 or higher (less severe) are displayed on the router console output but do not show up on the syslog server output, because the logging trap command limits the syslog messages sent to the syslog server based on severity.
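The following Python script is an added example, not part of the course text and not Cisco IOS code. It parses messages in the seq no: timestamp: %facility-severity-MNEMONIC: description format described earlier, resolves a logging trap level the way the CLI does (a number or an unambiguous keyword prefix, so logging trap 4 and logging trap warning select the same messages), keeps only the messages a router with that setting would send to the syslog server, and reproduces the show logging | include and show logging | begin filters. Apart from the LINK-3-UPDOWN line quoted in the text, every buffer line is constructed; the %SEC_LOGIN-4-LOGIN_FAILED description text and the 192.0.2.10 address are made-up illustration values.

```python
"""Added example (not from the course text): parse Cisco IOS system messages, apply a
'logging trap' severity threshold, and filter a buffer like 'show logging | include/begin'.
Sample lines other than the LINK-3-UPDOWN line from the text are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# IOS severity keywords, index = level; 'logging trap warning' and 'logging trap 4' match.
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# The sequence number appears only when 'service sequence-numbers' is configured, and an
# RFC 3164 <PRI> prefix appears on lines received over UDP 514, so both are optional.
# A timestamp is required, matching the text's assumption that timestamps are enabled.
IOS_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<seq>\d+):\s+)?"
    r"(?P<ts>\S.*?):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<description>.*)$"
)


@dataclass
class IosMessage:
    pri: Optional[int]        # RFC 3164 priority; facility = pri >> 3, severity = pri & 7
    seq: Optional[int]
    timestamp: str
    facility: str
    severity: int
    mnemonic: str
    description: str


def parse_ios_line(line: str) -> Optional[IosMessage]:
    """Return the parsed message, or None for lines that do not follow the IOS format."""
    m = IOS_RE.match(line.strip())
    if not m:
        return None
    return IosMessage(
        pri=int(m["pri"]) if m["pri"] else None,
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        description=m["description"],
    )


def trap_level(level: Union[int, str]) -> int:
    """Resolve 'logging trap <level>' like the CLI: a number 0-7 or an unambiguous
    prefix of a level keyword ('warning' -> 4, 'notif' -> 5)."""
    if isinstance(level, int):
        if 0 <= level <= 7:
            return level
        raise ValueError(f"severity {level} out of range 0-7")
    matches = [i for i, name in enumerate(LEVELS) if name.startswith(level.lower())]
    if len(matches) != 1:
        raise ValueError(f"ambiguous or unknown level keyword: {level!r}")
    return matches[0]


def sent_to_server(lines: List[str], level: Union[int, str]) -> List[IosMessage]:
    """Messages the router would forward to the syslog server: severity <= trap level."""
    limit = trap_level(level)
    parsed = (parse_ios_line(line) for line in lines)
    return [msg for msg in parsed if msg is not None and msg.severity <= limit]


def show_logging_include(lines: List[str], text: str) -> List[str]:
    """'show logging | include <text>': only the lines containing the text."""
    return [line for line in lines if text in line]


def show_logging_begin(lines: List[str], text: str) -> List[str]:
    """'show logging | begin <text>': everything from the first matching line onward."""
    for i, line in enumerate(lines):
        if text in line:
            return lines[i:]
    return []


# Constructed logging buffer; the first line is the one quoted in the text.
BUFFER = [
    "00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up",
    "*Jun 12 22:35:10.001: %SYS-5-CONFIG_I: Configured from console by console",
    "*Jun 12 22:35:12.444: %LINK-3-UPDOWN: Interface Loopback0, changed state to down",
    "*Jun 12 22:35:12.445: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to down",
    "*Jun 12 22:35:20.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up",
    "*Jun 12 22:36:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10]",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for msg in sent_to_server(BUFFER, "warning"):
        print(msg.severity, msg.facility, msg.mnemonic, msg.description)
```

With logging trap warning only the two LINK-3 messages and the SEC_LOGIN-4 message reach the server, while the level 5 SYS and LINEPROTO messages stay on the console and in the buffer, which is exactly the split described for figure 2.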

To view any logged messages, use the show logging command. For a high-capacity logging buffer, it is useful to combine the pipe (|) feature with the show logging command. The pipe lets the administrator specify more precisely which messages should be displayed.

For example, the show logging | include changed state to up command, shown in figure 1, ensures that only the interface notifications stating that an interface changed state to "up" are displayed.

The show logging | begin June 12 22:35 command, also shown in figure 1, displays the contents of the logging buffer beginning on June 12.

Use the Syntax Checker in figure 2 to configure and verify syslog on router R1.