Convenient monitoring of Syslog messages from network devices in Zabbix. How Syslog works

A device can keep its logs in RAM or in flash, and obviously not much fits there; RAM is also wiped on every reboot.
This matters most in emergency cases, when there is no opportunity or time to look at the device and it panics and reboots, losing all of its logs.

A good alternative is logging to an external server, called a Syslog server.
Syslog server software is available from various vendors; here we look at the best-known one, Kiwi Syslog Server 9.4.1.

Installing Kiwi Syslog Server

There is nothing complicated about the installation: just run Kiwi_Syslog_Server_9.4.1.Eval.setup.exe, keep the defaults and accept everything.
The only thing to remember is the admin account for Web Access.
The installation requires a reboot. The license should also be installed right after installation.

Checking / Configuration

The service status can be checked here:
Administrative tools > Services > Kiwi Syslog server
Obviously its state should be Started.

The server status can be checked by launching Kiwi Syslog Server Console.
From there you can check the following:

  • File > Send test message
  • Manage > Show syslogd service state

Configuring a Cisco device

! Stamp log messages with the local date and time
service timestamps log datetime localtime
!
! Enable logging
logging on
!
!
! Console logging restricted to critical; terminal monitor up to debugging
logging console critical
logging monitor debugging
!
! Logging to the local buffer
logging buffered informational
logging buffered 16386
logging rate-limit 100 except 4
!
! Messages to the syslog server
logging 192.168.1.10
logging trap debugging

To see what has landed in the buffer:
router#show logging

To enable monitor logging output on the current session:
terminal monitor

As a result, messages should start pouring into the syslog server:

Web access

Web access not only provides remote access to the logs; it is essentially the main working tool for syslog, offering extensive message filtering, separation of permissions, and so on.


The workflow here is intuitive, and there is little to comment on.

Kiwi Syslog Server and tftpd32.exe

After installing the syslog server, tftpd32.exe may stop starting because of a port conflict.
The reason is that tftpd32.exe also listens for syslog by default; this can be turned off in its settings.

I think every sysadmin has moments when inexplicable things start happening in their beloved network. It is especially unpleasant when this happens periodically and the cause cannot be established each time. Of course, you can blame magnetic storms, the weather on Mars and so on (underline as appropriate), but we all understand perfectly well that outer space has nothing to do with it.

We will not bother going through every possible cause; instead, let's think about how to prevent, track down and quickly establish the cause of a given failure. All network devices (and not only those) that have at least some brains generate logs of events as they run. Most often these logs are written locally to the device's memory, and a self-respecting sysadmin never reads them. A pity 🙂, because that is exactly where the whole truth about what happened lies.

Of course, if your network consists of a single switch or router, keeping an eye on the logs is not hard and there is no need to build anything elaborate. It is a different matter when the network consists of a large number of heterogeneous devices. What would you suggest? Spending half a day analyzing logs is not an option in our case.

As you have already guessed, we need some way to track all events centrally. The question is how and with what? Network monitoring? We recently looked at one such solution, PRTG Network Monitoring. However, not everything can always be tracked with PRTG.
Clever people long ago devised a dedicated standard for transmitting logs: Syslog. Those particularly interested in the details of the protocol are welcome to Wikipedia; for everyone else we will briefly explain what is what and how to set it up in your beloved network.
The whole principle of operation comes down to this: a syslog program installed on some server receives incoming messages from the network devices. The received messages are written to a single file or a database, so that you can always see which events happened on which equipment during a given time period.

There are a great many syslog server programs for every platform. Admittedly, on Windows most decent solutions are sold for money, and the free editions offer only basic functions: writing to a text file only, viewing with some restrictions, shorter log retention, and so on.

A good option is to install Linux, where syslog is built in from the start; all that remains is to tinker with storing events in a database and a web front end for convenient viewing. But what if there is no time to dance with a tambourine, or not enough knowledge of *nix systems? It turns out there is a way out even of that situation! It is called SyslogAppliance. From the developers' site you can download a ready-to-use VMware virtual machine with a configured syslog server.

I found only two nuances when deploying the SyslogAppliance virtual machine. Namely: the VM is configured to obtain an IP address automatically via DHCP, and the time zone is set to who knows what. If you have a DHCP server, you could in principle bind the syslog server's MAC address there and stop worrying about it. But IMHO that is not kosher for a server. Better to set the IP addressing manually. This is done as follows. Log in to the syslog server on the console, then open the network settings file with the vim editor. The command looks like this:
vim /etc/network/interfaces

Here we need to replace the line:
iface eth0 inet auto
and everything below it with:
iface eth0 inet static
address your_IP_address
netmask subnet_mask
gateway default_gateway

To enter edit mode, first press i, then make the changes shown above, then press Esc. To exit and save, press Shift+Z twice.
Next we need to enter the DNS. For this type
vim /etc/resolv.conf
and specify the address of our DNS server. Save and exit. Reboot with the reboot command. If the syslog server has internet access, you can run a couple of system update commands: first apt-get update, then apt-get upgrade.

The last thing to do is change the time zone and set the correct date and time. The first is done with the command
dpkg-reconfigure tzdata
and the second with the command
date --set="MM/DD/YYYY hh:mm:ss"
After these manipulations you can reboot the syslog server and try opening the web interface at http://server-ip-address/logs
We will be asked for a login/password, and then the current state of the collected events is shown:

All events are broken down by source, by message type (notice, warning, error, alarm and so on), and by a description stating exactly what happened. We can filter the table by the criteria of interest: just click on the relevant label. If you need to see which messages are arriving at the syslog server in real time, on the right of the screen above the table header there is a drop-down list of page auto-refresh options with different intervals. On top of that you can study the statistics, which are presented here as charts. There are several chart types.

To resolve your problem, AXIA technical support specialists may request a detailed system activity log. For this you need to use a Syslog server and configure the equipment accordingly. Below we describe how to do this. Change the settings only if it is necessary to resolve the problem; otherwise the Syslog settings should be left at their default values.

Telos specialists have created a simple Syslog Server that requires no installation. The program is a .NET application for Windows 7, but it can run on WinXP provided the .NET client v3.5 or later is installed. The .NET client can be downloaded and installed free of charge from the Microsoft website.

Next, select the level of events to be recorded from the Syslog severity level filter list:

  • Emergency: records events related to a complete failure of the system.
  • Alert: records events that require immediate attention to keep the system operational.
  • Critical: records events about critical system errors.
  • Warning: records events that may lead to system instability.
  • Notice: the system is operating normally, but messages about unusual events are recorded.
  • Informational: all informational messages are recorded. This includes all routine events.
  • Debug: all system activity is recorded.

Other AXIA equipment is configured the same way: for consoles under the Log Setup menu item, for the Engine under the Diagnostics menu.

After making changes to the settings, click the Apply button to save them:

Now all that remains is to click the START button to start the server:

Everything is ready for recording system activity.

Events recording the reboot of an AXIA Analog xNode at the Debug level look like this:

To find the entries you need, messages can be filtered:

  • by level: select the required ones from the list on the left
  • by content: enter the text to search for and click the Filter button

To save messages to a file, configure its parameters in the Options menu on the LOG tab:

A file named SysLog_YYYY-MM-DD.log (YYYY-MM-DD is the current date) will be created at the specified path, and the information received during the day is saved in it:

17:45:28.877: Nov 30 01:30:00 Node-100-2 login: root login on `ttyp0"
17:45:36.525: Nov 30 01:30:08 Node-100-2 syslogd: System log daemon exiting.
17:45:56.891: Nov 30 00:00:09 Node-100-2 lwrd: eth0 flags 0x1003 (link down)
17:45:56.895: Nov 30 00:00:09 Node-100-2 lwrd: eth1 flags 0x1003 (link down)
17:45:56.899: Nov 30 00:00:10 Node-100-2 lwrd: eth0 flags 0x11043 (link up)
17:45:57.325: Nov 30 00:00:11 Node-100-2 lwrd: Registered: SRC 1@Node-100-2._rtsp._tcp.local.
17:45:57.328: Nov 30 00:00:11 Node-100-2 lwrd: Registered: sip:[email protected] SRC 1@Node-100-2._sipuri._udp.local.
17:45:58.437: Nov 30 00:00:12 Node-100-2 lwrd: connected @13 127.0.0.1:57611
17:45:58.440: Nov 30 00:00:12 Node-100-2 gpior: gpior-lwrd connected
17:45:58.444: Nov 30 00:00:12 Node-100-2 gpior: iface change 172.22.15.6
17:45:58.447: Nov 30 00:00:12 Node-100-2 gpior: gpiomc ANY:2060 joined 239.192.255.4 on 172.22.15.6
17:46:01.328: Nov 30 00:00:15 Node-100-2 lwrd: config save 88ms
17:46:02.556: Nov 30 00:00:16 Node-100-2 lwrd: connected @16 127.0.0.1:57612
17:46:03.627: Nov 30 00:00:17 Node-100-2 xsyncd: lwsync up on 172.22.15.6
17:46:04.656: Nov 30 00:00:18 Node-100-2 xsyncd: lwsync master time out
17:46:05.656: Nov 30 00:00:19 Node-100-2 xsyncd: master: AC030F06 .6 p3 00:50:C2:79:16:B3 we are
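The day file above is plain text, so the filtering the GUI offers (by level from the list, by content via the Filter button) can be reproduced, and extended, offline. The following Python parser is an added example, not part of the Telos program or of this page: it reads lines in the SysLog_YYYY-MM-DD.log layout shown above (collector receive time, device time, host, process, message), applies a content filter, and flags the one thing worth noticing in the reboot excerpt, namely the xNode's own clock restarting near 00:00:00 while the collector's clock keeps running. The sample lines are constructed from the excerpt; one malformed line is included to show that it is skipped rather than crashing the parser.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the SysLog_YYYY-MM-DD.log layout:
# "<receive time>: <device time> <host> <process>: <message>".
SAMPLE_LOG = """\
17:45:28.877: Nov 30 01:30:00 Node-100-2 login: root login on `ttyp0"
17:45:36.525: Nov 30 01:30:08 Node-100-2 syslogd: System log daemon exiting.
17:45:56.891: Nov 30 00:00:09 Node-100-2 lwrd: eth0 flags 0x1003 (link down)
17:45:56.899: Nov 30 00:00:10 Node-100-2 lwrd: eth0 flags 0x11043 (link up)
this line is deliberately malformed and must be skipped
17:46:03.627: Nov 30 00:00:17 Node-100-2 xsyncd: lwsync up on 172.22.15.6
"""

LINE_RE = re.compile(
    r"^(?P<received>\d{2}:\d{2}:\d{2}\.\d{3}): "                   # collector's clock
    r"(?P<devtime>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "  # device's own clock
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:]+): "                                          # reporting process
    r"(?P<msg>.*)$"
)


@dataclass
class LogRecord:
    received: str   # when the collector wrote the line
    devtime: str    # timestamp the device put in the message
    host: str
    tag: str        # login, lwrd, gpior, xsyncd, ...
    msg: str


def parse_line(line: str) -> Optional[LogRecord]:
    """Parse one line; None for lines that do not fit the layout."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return LogRecord(**m.groupdict()) if m else None


def parse_log(text: str) -> List[LogRecord]:
    """Parse a whole day file, skipping malformed lines instead of aborting."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def filter_records(records: List[LogRecord], text: Optional[str] = None,
                   tag: Optional[str] = None) -> List[LogRecord]:
    """Content filter like the GUI's Filter button: case-insensitive substring
    match on the message, optionally restricted to one reporting process."""
    needle = text.lower() if text else None
    out = []
    for r in records:
        if tag is not None and r.tag != tag:
            continue
        if needle is not None and needle not in r.msg.lower():
            continue
        out.append(r)
    return out


def _tod_seconds(devtime: str) -> int:
    """Seconds since midnight of the device timestamp (the date part is ignored)."""
    hh, mm, ss = devtime.rsplit(" ", 1)[1].split(":")
    return int(hh) * 3600 + int(mm) * 60 + int(ss)


def find_clock_resets(records: List[LogRecord]) -> List[int]:
    """Indices where a host's own clock jumps backwards between consecutive
    records: after a reboot the xNode clock restarts near 00:00:00 until time
    sync returns, so a backwards jump marks the restart even without a
    'rebooted' message."""
    resets = []
    last_by_host: Dict[str, int] = {}
    for i, r in enumerate(records):
        t = _tod_seconds(r.devtime)
        prev = last_by_host.get(r.host)
        if prev is not None and t < prev:
            resets.append(i)
        last_by_host[r.host] = t
    return resets


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in filter_records(recs, text="link"):
        print(r.received, r.host, r.tag, r.msg)
    print("clock resets at record indices:", find_clock_resets(recs))
```

The reset check compares only the device's timestamp against its own previous value, so it works on a file that mixes several hosts; the collector's receive time is kept separately because it is the only monotonic clock in the file while the device is booting.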

Besides the syslog server described above, there are many other similar programs for recording system activity messages. They differ in capabilities, interfaces and cost.
As an option with more extensive settings, consider the free software (archive with distribution v1.6.3 2015-11-20)

This program does require installation, but it lets you configure the log file parameters, view log files from disk, generate notifications and perform actions depending on the log content, work over both UDP and TCP, and it supports UTF-8 encoding.

Last Updated: June 6, 2019

Syslog and by extension syslog servers are, to put it quite simply, nothing but programs and protocols which aggregate and transfer diagnostic and monitoring data. Their power comes from the wide range of data that can be collected and, furthermore, the ways in which this data can be analyzed and levied for the sake of network maintenance, system monitoring, and dozens of other diagnostic and troubleshooting purposes!

Generally the Syslog protocol is supported by a wide variety of devices, so it's easy for devices and applications to fire off log information to the Syslog server, which stores the information for further analysis.

Most notably, Syslog servers are often capable of triggering alerts or sending notifications, which enables an admin in the field to receive time-critical information, or simply to get a heads-up about something that may need attention soon; thanks to the built-in severity metric, it's easier to know when something can wait and when it can't.

SNMP ties heavily into Syslog server functionality and can be used in tandem to poll all the wonderfully wide variety of information that admins are used to snatching up via SNMP but, when taken a step further via Syslogging server software, they can take that data and do a lot more with it – graphical interfaces which aggregate SNMP data, for example, can massively speed up the assessment of almost any number of critical systems or failure points.

Using these same metrics many Syslog servers can also have automated scripts or events that will trigger and can potentially streamline the process of recovering from, or preventing, downtime or outages.

Some Syslog servers require client-based software to manage but many also offer web-based solutions, which can ease management both remotely or from different systems on a network environment. Most servers are also quite good at data management and will handle some level of archival functionality for saving older logs or records that may not actively be needed at present.

Syslog does have a few drawbacks: it's not particularly standardized, meaning that sloppy implementations can cause trouble for Syslog servers, and it also lacks any kind of authentication.

In a trusted network environment this isn't really an issue, but especially nefarious malware or untrusted networks can sow seeds of trouble.

Here"s the Best FREE Syslog Server Software & Tools of 2019:

Below is a list of software that performs these functions and more, as well as the compatible operating systems and, quite importantly, whether it supports some form of alert (alarms, pop-ups, etc.) and/or notifications (email, txt, etc.)

1. Kiwi Syslog Server – FREE VERSION

Kiwi"s Syslog Server boasts ease of installation and setup on top of its other range of desirable features. Reports can be generated both in easy-to-read HTML or in plain text if necessary for parsing with other software.

Log archival and storage are automatic and rigorous with a focus on compatibility in cases where even regulatory needs must be carefully met – even those as stringent as HIPAA. Kiwi utilizes a web-based console for extremely ease of access and swift availability that requires no client installation or configuration.

Kiwi"s software even handles Syslog and SNMP, including from Linux and UNIX hosts, and performs real-time alerting and notification based on this data with a vast, and customizable, range of metrics that can be checked against.

Win XP 32/64, Win 2003 32/64, Windows Vista 32/64, Win7 32/64, Windows 2008 R2 32/64, Windows 8, Windows Server 2012 & 2012 R2; has both alert and notification ability.

2. PRTG (Free Version)

PRTG has some Syslog ability, added via a sensor to the PRTG monitoring suite.

It primarily focuses on SNMP and Syslog protocol data and has a good amount of analysis ability, thanks to the built-in capability PRTG already has for general monitoring and management.

OS Compatibility and alert/notification ability: Any Windows 64-bit environment, with Windows Server 2012 R2 specifically recommended; good notification and alerts, but it all varies a bit, as the sensor must be added and configured by hand.

3. SNMPSoft Sys-log Watcher

Installed as a dedicated syslog server for all manner of network devices, with native support for a good range of notification options, SNMPSoft's program also boasts a particular ability to parse and handle non-standard Syslog, something that can cause some other software to falter!

Of particular note, there's also a Syslog Watcher VendorPack available, which is a huge reference of syslog messages for proprietary equipment that helps in swift troubleshooting by defining non-standard syslog messages automatically.

OS Compatibility and alert/notification ability: Windows XP through Windows 10; robust notifications and solid alerts as well

4. Splunk Light

Not an ideal solution, as even the Splunk forum will suggest using several Splunk servers for a proper setup, but still doable! Using Splunk to index and manage log files is more strongly recommended, as syslog data will be lost with each Splunk restart by default.

Nonetheless, it does offer syslog functionality and, with a little work getting several Splunk instances working together, can be a solid solution.

OS Compatibility and alert/notification ability: Splunk runs on Windows 64-bit versions as well as Linux and Mac OSX, syslog functionality varies; no real alerting or notification functionality for syslog

5. The Dude

The Dude, despite its odd name, is an interesting and free option for general network management: it comes with a built-in syslog server which can be enabled with ease, and it also provides functionality for remote logging via RouterOS.

Log events can be filtered, sorted to different logs, or discarded based on customizable thresholds.

OS Compatibility and alert/notification ability: Most versions of Windows, recommended Windows 2000 or newer, also runs on Linux or MacOS using Wine/Darwine; email based notification with some on-screen alert or log-based alert options, too

6. TFTPD32

7. Syslog Server (Abandoned)

A fairly simple and barebones Syslog server that also doubles as an analyzer. It can be adjusted to only log and monitor events at certain threshold values and also can trigger email-based notifications, as well as sort the way in which events are displayed.

OS Compatibility and alert/notification ability: Service on Windows server prior to 2008, application functionality on most Windows versions; can trigger e-mail notifications based on thresholds

8. Icinga Open-Source Monitoring

Visual Syslog Server is a very straightforward and light-weight Syslog option that focuses on a real-time approach.

It does have some ability to handle and rotate logs automatically, to avoid bloat, and can also trigger scripts or programs based on thresholds that can be set.

OS Compatibility and alert/notification ability:

  • Windows XP,
  • Vista,
  • as well as Windows Server 2003, 2008, 2012;

It can handle notifications via email and also some alerting and automated triggering of actions!

10. 3cDaemon

Based on the BSD-Unix style functionality of syslogd, this particular offering is going to appeal only to a select crowd! Nonetheless, it can handle logging based on priority, filter or restrict messages by IP, has real-time viewing of the log, and can even dump log information to plain ASCII.

OS Compatibility and alert/notification ability: Application level server run on most older Windows, newer OS versions may be iffy at best as the software is quite old; no real alerting or notification functionality


11. Datagram

This software focuses on an enterprise level of functionality and is geared towards larger environments – it can gather and store a wide range of Syslog information and store it on a central database with a wide range of filters and alarms available.

OS Compatibility and alert/notification ability: Windows 2000 and forwards; has alarm functionality but not much for notifications

Conclusion

Syslog tracking via a powerful Syslog server can save any network administrator an obscene amount of time and effort.

Every bit of data, whether SNMP or Syslog, that can be requested, aggregated, and analyzed is another potential piece of a puzzle that can trigger alerts or notifications and quickly bring human attention to the problem as soon as possible, or even fire off predefined scripts or programs to alleviate, or at least slow down, oncoming issues.

The flexibility of these programs is a superb way for admins to leverage monitoring to their advantage, with the goal of maximum uptime and stability.

Much of this information can be seen on any one system or device, but even a small network with a few dozen devices would be totally unreasonable to monitor one by one – having it centralized, automated, and closely monitored is invaluable!

James Cox is the Editor at ITT Systems and has a long history in the IT and network engineering field. He boasts a long list of credentials, ranging from CompTIA certifications up to Cisco and VMware points on his resume.

Syslog is a universal standard for system messages. It was originally implemented by a Unix utility called syslogd, but now it is used by a wide range of IT equipment, so just about every piece of computing kit that you buy will be able to send syslog messages. You can direct these messages to different log files according to the message severity level. But if you plan to make the most of the information, that data really should be processed, or at least read.

We get into plenty of detail on each of the tools we selected for this list, but if you are just in need of a quick summary, here’s a list of

  1. – A paid tool that runs on Windows but is free to use to monitor the logs from up to five devices.
  2. – A comprehensive network, server, and application monitor that includes sensors for Syslog management. PRTG is free if you only activate up to 100 sensors, which is more than enough to access the Syslog server monitors.
  3. – Cloud-based log analyzer that uploads all of your log data to its servers. This service is for a fee, but there is a free Lite package.
  4. Event Log Analyzer – This tool is available from ManageEngine, which produces many other system management utilities. It is free to monitor up to five log sources.
  5. WhatsUp Syslog Server – Syslog message storage, parsing, and forwarding and some analysis functions, too from this free tool for Windows.
  6. Syslog Watcher – A free Syslog server for Windows that writes Syslog messages to files or a database and includes record sorting and filtering functions.
  7. Fastvue Syslog – Free Syslog server for Windows Server 2012 R2 and later. As well as writing messages to log files it creates checksum validation files computed with SHA-256.
  8. The Dude – Free network analysis tool with an integrated Syslog server for Windows, Linux, and Mac OS.
  9. – Integrated into Nagios XI (paid) and Nagios Core (free) for Windows and Linux. The free version is limited to a data throughput of 500 MB per day.
  10. Icinga 2 – Free network monitoring system for Linux with an integrated Syslog server.
  11. Visual Syslog Server – Collects Syslog messages and stores them to file as well as displaying them in a dashboard. The program is free and runs on Windows and Windows Server.
  12. Syslog-NG – A free Syslog server for Linux that also collects Windows events over a network.
  13. NxLog – A free Syslog server for Windows, Linux, Unix, and Android.
  14. Logstash – A system message monitoring service for Linux that includes the storage of Syslog messages.
  15. Graylog – A log management system for Linux that is free to use with log message data volumes of up to 5 GB per day.
  16. TFTPD32 – Lightweight, free system message logger for Windows that includes monitoring for Syslog.

Syslog Servers and Clients

The concept of a “Syslog server” really refers to an application that deals with syslog messages, rather than to a dedicated computer provided to receive the messages. So, don't get misdirected by the word “server”.

The server/client model is a little difficult to grasp in Syslog terms, too. Usually, the client contacts the server and the server responds. In syslog, the syslog client is just a program that broadcasts error, warning, and debugging messages. The syslog client doesn't have any direct contact with a counterpart: it sends out the messages whether or not anyone is listening for them. Syslogd is a daemon. It is a Syslog collector and so is judged to be the server, even though it never responds to the originator of the messages. The daemon may be running locally, or it can also be implemented as a remote syslog server by connecting over the internet.

OS: Windows & Windows Server

4. Event Log Analyzer

ManageEngine’s Event Log Analyzer operates as a Syslog server and is free for up to five log sources . The monitoring software can be installed on Windows or Linux , but it can monitor events arising on any operating system. The syslog data can originate in any type of network-connected equipment , including switches, routers, and virtual machines.

You don’t have to put much work into setting up the system thanks to its autodiscovery feature. Syslog is a messaging standard implemented by just about all network-connected devices, so the Event Log Analyzer just needs to listen on the network for all Syslog-compliant messages sent out by the equipment connected to it. Each message contains a header that identifies its origin. That enables the Event Log Analyzer to build up a list of all hardware on the network and list alerts and status reports by IP address/origin.

The ManageEngine dashboard includes a lot of functionality that enables you to specify actions to perform on the collected Syslog data. A typical Syslog server requirement is to write all records to event logs . This action is available, but you can also query records in the dashboards and sort and filter messages. Archived logs can be compressed and encrypted. The encryption enables access rights to be imposed on user accounts , so the visibility of the data in Syslog files can be restricted to just a few network users with admin rights.

The Event Log Analyzer can also monitor SNMP messages . ManageEngine produces a comprehensive network monitoring system, called OpManager . A restricted version of this tool is available for free and the Event Log Analyzer integrates very well with that wider network monitoring system.

IPswitch produces a successful network monitoring tool called WhatsUp Gold. They also offer a free Syslog server, which can be used as a standalone utility, or integrated into the WhatsUp Gold package. The WhatsUp Syslog Server is free to use and can be installed on Windows .

This tool covers the basic Syslog server functions of capturing Syslog data and storing them in event logs. Beyond that standard functionality, the package gives you a few more facilities to help you better organize Syslog messages and deal with them. You can forward messages to other applications and save records to different files selectively. The Syslog server includes a console where you can display records and specify how the program deals with each message type.

The Syslog viewer shows you live data as it comes in and you can filter and sort records in order to focus on one source of message type. The volumes of data that the tool can handle means it would be suitable for all sizes of network , even though it is free. The console can handle up to six million messages per hour. You can also import archived records in order to analyze events and get a long-term view on the performance of network equipment.

The management functions of the console allow you to specify templates highlighting specific alert conditions or message source IP address. You can also create custom warnings by specifying combinations of conditions that should be escalated to alert status.

6. Syslog Watcher

Syslog Watcher from EZ5 Systems is available for installation on Windows . This is a free Syslog server program with a number of extra monitoring features. As just about every device connected to your network sends out Syslog messages, the Syslog server has to work fast if you want it to do more than just collect and write those messages to a file. Syslog Watcher uses a multithreaded architecture , so the collection of new records isn’t held up by the completion of processing.

The control dashboard gives you options on how to process messages. You aren't limited to storing them in files, because you have the option of writing them to a database. Getting your Syslog messages into a database gives you a lot more power to deal with event records, because you can sort, filter, group, and count them. It allows you to combine events to generate custom alert conditions. You can get alert messages sent to you by email through Syslog Watcher.

Syslog Watcher can monitor messages both over UDP and TCP and it can operate with both the IPv4 and the IPv6 address systems.

UPDATE : Syslog Watcher is free for home use. Business users have to pay for the tool . However, EZ5 Systems offers a 30-day money-back guarantee . So, if you want to try it out for free, just use it for a month and then ask for your money back.

7. Fastvue Syslog

Fastvue specializes in system message reporting tools. One of its products is a free Syslog server utility . This software can be installed on Windows Server 2008 R2 and later versions of the Windows Server operating system .

The Syslog system collects incoming messages and writes them to event logs. That takes care of your basic Syslog server function. The dashboard of the Fastvue tool examines all of your archived files and gives you a report on each file's size. Files are collated by date, and each gets partnered by a verification file that stores a SHA-256 hash. Keeping an eye on this information tells you whether a log file has been interfered with. This is an important function for intrusion detection, because hackers will amend log files to hide their presence.

Fastvue Syslog compiles separate log files for each reporting device/IP address, so you end up with directories of files per device address. Each file contains a day’s worth of Syslog data messages originating from the device that the directory shadows.

This Syslog server focuses on creating and monitoring files of Syslog messages rather than making those records available for analysis. If you need a console to analyze records, you will need to import the log files into another application.
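Fastvue's hash sidecar is a small idea worth having even where the server you run does not provide it. The script below is an added example, not Fastvue's code or file format (the .sha256 sidecar name and the "digest  filename" line layout are assumptions, borrowed from the sha256sum convention): it seals a closed day file by writing its SHA-256 beside it, then reports each SysLog_*.log file in a directory as ok, modified or unsealed. The demo builds a constructed per-device directory in a temp folder, seals yesterday's file, leaves today's still-open file unsealed, appends a line to the sealed file as a stand-in for log tampering, and verifies again.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict

SIDECAR_SUFFIX = ".sha256"   # assumed sidecar name; Fastvue's own naming is not documented here


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so a large day file need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def seal_log(log_path: Path) -> Path:
    """Write '<hexdigest>  <filename>' (sha256sum layout) beside a day file
    once that file is closed, i.e. once the day has rolled over."""
    sidecar = log_path.with_name(log_path.name + SIDECAR_SUFFIX)
    sidecar.write_text(f"{sha256_file(log_path)}  {log_path.name}\n")
    return sidecar


def verify_log(log_path: Path) -> str:
    """'ok' if the file still matches its sidecar, 'modified' if not,
    'unsealed' if no sidecar exists yet (today's file, or one never sealed)."""
    sidecar = log_path.with_name(log_path.name + SIDECAR_SUFFIX)
    if not sidecar.exists():
        return "unsealed"
    expected = sidecar.read_text().split()[0]
    return "ok" if sha256_file(log_path) == expected else "modified"


def verify_directory(log_dir: Path) -> Dict[str, str]:
    """Check every SysLog_*.log day file in one device's directory."""
    return {p.name: verify_log(p) for p in sorted(log_dir.glob("SysLog_*.log"))}


def demo() -> Dict[str, str]:
    """Seal a constructed day file, verify, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        device_dir = Path(tmp)
        yesterday = device_dir / "SysLog_2019-06-05.log"   # constructed content and dates
        yesterday.write_text("17:45:28.877: Nov 30 01:30:00 Node-100-2 login: root login on ttyp0\n")
        today = device_dir / "SysLog_2019-06-06.log"       # still being written, so not sealed
        today.write_text("")
        seal_log(yesterday)
        before = verify_directory(device_dir)
        with yesterday.open("a") as f:                     # stand-in for someone editing history
            f.write("17:50:00.000: Nov 30 01:35:00 Node-100-2 login: line added after sealing\n")
        after = verify_directory(device_dir)
        return {"sealed": before["SysLog_2019-06-05.log"],
                "open": before["SysLog_2019-06-06.log"],
                "after_tamper": after["SysLog_2019-06-05.log"]}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

A sidecar on the same disk only proves that the file changed since it was sealed; whoever can edit the log can usually rewrite the sidecar too. If the check is meant to survive a compromised log server, copy the digests to a host the devices and the server cannot write to, or forward the same syslog stream to a second collector and compare.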

8. The Dude

The Dude is a very widely used free network analysis tool that includes Syslog server functions. This app can be installed on any Windows version from Windows 2000 on, all flavors of Linux, and MacOS . This tool is produced by MikroTik, a router manufacturer from Latvia.

This system can monitor your network devices and collect Syslog data. It can process SNMP alerts, plus ICMP and DNS traffic. The Dude can monitor TCP traffic as well as UDP. The network monitoring features include autodiscovery and a network topology mapper.

The Syslog functions of The Dude can be accessed from a tab in the interface. The system can operate as a full Syslog server with extra forwarding and filtering capabilities . You can get The Dude to just send all records to a file, or specify rules to divert qualifying messages to other destinations, which might be separate event logs, or the console of the system. You can also drop certain records and get the system to beep, flash, or display a popup message for custom alert conditions .

The Dude performs actions when it detects a given alert condition, including the execution of commands. The Dude can send you an email or make a spoken announcement upon detection of a custom alert condition.

9. Nagios Log Server

Nagios is based on an open-source project. The ability to download the source code for the system means you can use it for free. However, there are limits on the free version of Nagios. You can only use the system for free up to 500 MB of data throughput per day. The Nagios software can be installed on Windows and Linux.

The log server can gather information on Windows events, Linux syslogs, and network device syslogs. The application consolidates log messages in one central location. You can nominate physical servers to store event logs, distribute storage over a cluster of servers, or even duplicate files in different locations to create backups.

The console allows you to view live streams of log messages and access previously stored Syslog data. The interface includes sorting and filtering functions to help you analyze messages. You can specify alert conditions, which may be made up of a combination of statuses or designated as an alert on the frequency of specific message types coming in. The customization capabilities of Nagios even extend to the dashboard. It is possible to populate the dashboard with prioritized features, including message lists. Other elements you can place on the dashboard include data visualization tools, such as graphs, histograms, and charts.

10. Icinga 2

Icinga started off as a fork of Nagios. Since its inception in 2009, this package has diverged from its predecessor. The latest version of the software is called Icinga 2 and it can be installed on Linux. The package comes in two parts. The Core system is the data processor and the latest version of this software is called Icinga 2. The backend can interface with a range of data management applications, including Graphite and InfluxDB. The Icinga team also produces its own front end, called Web 2.0, which is available from the Icinga website in a separate download.

Icinga 2 is a comprehensive network monitoring tool and one of its functions is a logging feature. You can set the logging source to Syslog data. Optionally, the logger can be set to just collect Syslog messages of a specific severity level. It won’t limit message collection to just the nominated severity, but will record all messages with the given severity, plus those with higher severity levels. The progression of message types is “debug,” “notice,” “information,” “warning,” and “critical.” The default level is “warning,” so if you just point the logger to Syslog without specifying a minimum severity level, it will pick up all warning and critical messages.

If you look at the Icinga website for a price, you won’t find one because this network monitoring tool is completely free.
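To make the "minimum severity and everything more severe" rule concrete, here is an added example that is not Icinga's code and not from the article. It decodes the leading PRI field of standard syslog lines into facility and severity and keeps only messages at a chosen severity or worse. It uses the RFC 5424 numeric severities (0 = emerg ... 7 = debug) rather than Icinga's own level names, and the sample lines are constructed for the demonstration.

```python
import re

# Numeric syslog severities and facilities from RFC 5424; index 0 is the most severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility_name, severity_name) from the <PRI> prefix of a syslog line.

    PRI = facility * 8 + severity, so the two fields come straight out of divmod.
    """
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix: %r" % line)
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def at_least(min_severity):
    """Build a predicate that accepts messages at min_severity or more severe.

    'More severe' is a *lower* number, so a threshold of 'warning' (4) keeps
    warning, err, crit, alert and emerg and drops notice, info and debug.
    """
    threshold = SEVERITIES.index(min_severity)

    def keep(line):
        _, sev = decode_pri(line)
        return SEVERITIES.index(sev) <= threshold
    return keep


def filter_lines(lines, min_severity="warning"):
    """Return only the lines that pass the severity threshold (default mirrors a 'warning' floor)."""
    keep = at_least(min_severity)
    return [line for line in lines if keep(line)]


# Constructed sample lines (hypothetical hosts gw1/sw2; not captured from any real device).
SAMPLE = [
    "<34>Oct 11 22:14:15 gw1 sshd[123]: pam_unix(sshd:auth): authentication failure",   # auth.crit
    "<13>Oct 11 22:14:16 gw1 app: user logged in",                                       # user.notice
    "<30>Oct 11 22:14:17 gw1 cron[77]: job finished",                                    # daemon.info
    "<188>Oct 11 22:14:18 sw2 %LINK-4-UPDOWN: Interface Gi0/1 changed state to down",    # local7.warning
    "<191>Oct 11 22:14:19 sw2 %SYS-7-USERLOG_DEBUG: debug noise",                        # local7.debug
]

if __name__ == "__main__":
    for line in filter_lines(SAMPLE):
        print(decode_pri(line), line)
```

With the default "warning" floor only the auth.crit and local7.warning lines survive; raising the floor to "emerg" drops everything and lowering it to "debug" keeps all five, which is exactly the inclusive-threshold behaviour the paragraph describes.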

11. Visual Syslog Server

Visual Syslog Server is a small utility that collects Syslog data and displays them in a viewer. The records can also be written to event logs and rotated by date or file size. This application can be installed on Windows and it is available for free. The software can be installed on Windows XP and above and also on Windows Server 2003, 2008, and 2012.

In the dashboard, records are color coded with error messages in red and warnings in yellow. Those colors can be customized. You get real-time views of the messages and you can also load records into the viewer from files.

Although this utility doesn’t have sophisticated graphics or processing options, it is lightweight and fast, so it has a market. The viewer presents records and allows you to filter them and sort them. The interface can be set to play a sound when an alert condition is encountered. You can also set the application to send you an email when it encounters an alert or a warning. If your email system supports encryption, Visual Syslog Server will encrypt the notification emails that it sends to you. This is a handy, free, ready-to-use tool that gets the job done.

12. Syslog-NG

Syslog-NG is an open-source package that is free to use. The software for Syslog-NG can only be installed on Linux. However, the log management system is able to collect Windows event data as well as standard Linux, Unix, and device firmware-generated Syslog messages.

The Syslog-NG system will collect all Syslog (and Windows event) messages from the devices connected to your network, recording the source IP address. The default destination for those records is event logs. However, you can also forward Syslog messages to other applications or insert them into an SQL database. Syslog-NG is a pure Syslog server in that it just deals with capturing Syslog messages. Syslog-NG reorganizes system messages arriving in different formats so they are stored in the same layout.

Other Syslog servers on this list can analyze data from the messages. Some Syslog servers have attractive dashboards with data visualization features. You don’t get any of that with Syslog-NG. If you want to get more functionality to process your Syslog messages, you will need to add on a data analysis tool.

13. Nxlog

This review includes Syslog server programs that can be installed on Windows and/or Linux. Nxlog can be installed on either of those operating systems and also on Unix and Android. Whichever operating system you install this system on, it will be able to collect Syslog data from all the others — Unix, Linux, Windows, and Android.

Nxlog is a straightforward message collection system. It can operate over UDP and TCP and it can receive messages protected by TLS encryption. Messages get written to files and can also be stored in databases. In all cases, Nxlog creates a standard record format that unites data from disparate sources. A multithreaded architecture enables this tool to handle hundreds of thousands of messages per second, making it suitable for all sizes of network.

The Nxlog system is open-source and you can use it free of charge. There aren’t any analytical functions in this tool, so if you want to view records or manipulate them in any way, you will need to find a separate front end for analysis. This is a straightforward message collection and logfile creation facility, making it a pure Syslog server.

14. Logstash

Logstash is part of a suite of utilities called “Elastic Stack.” This group of tools is produced by a team of developers whose first product is called Elasticsearch. Elasticsearch is a second element in the Elastic Stack, as is Kibana. The division of labor between these three packages is that Logstash collects log messages, Elasticsearch enables you to sort and filter those messages for analysis, and Kibana interprets and displays the data. All of the Elastic Stack programs run on Linux.

Kibana makes a great front-end for any of the other Syslog servers in this list. As the event message collection service for the stack, Logstash operates as a Syslog server. The utility listens on the network for messages sent from a wide range of sources. In order to record a specific stream, you need to install a plug-in for that data type. You can just install the Syslog plug-in, or add in other plug-ins to include other data sources.

Logstash also gathers data from cloud services including AWS. It can collect data from applications such as Ganglia, Salesforce, Graphite, Kafka, and Twitter. You can set the collection process to include TCP and UDP messages and it can receive messages encrypted with TLS. Logstash can read messages from a file, from a database, pick up SNMP messages, IRC and RSS feeds, and get messages from mail servers.

Logstash can filter, divert, and reformat messages during processing. The program stores records in files or inserts them into databases. The utility is written to integrate with Elasticsearch and can send data directly to that application. Similarly, Logstash can be set to output data to Loggly, Nagios, AWS, Graphite, and Graylog. Other plug-ins will notify you of new log data by email or by Slack message. Logstash is available free of charge.

15. Graylog

Graylog is a log management system available for Linux. This is a sophisticated Syslog data analysis tool. However, you can just take advantage of its message collection and storage capabilities to use it as a pure Syslog server. Graylog is free for data volumes of 5 GB or less per day. Owners of small networks won’t have to pay anything to use it. The data analysis functions don’t generate extra data throughput. You don’t get any support with the free version of Graylog. However, a community forum on the Graylog website is filled with tips and tricks from other users.

Graylog sits on top of Virtual Machine software. This underlying system in Linux includes the rsyslog facility. It is actually rsyslog that will perform your Syslog message gathering and storage functions. You can manage rsyslog through the Graylog interface. If you pay for Graylog, you can also gather data through the Sidecar system. This allows you to store event logs on Windows computers.

The front-end for Graylog is browser-based. This will display inputs by type, so you will be able to see your Syslog messages together in one section of the dashboard. You can customize the dashboard, so if you set the system to gather messages from several sources, you don’t have to show the information from other sources on the same page as your Syslog messages. Widgets available for the dashboard include data visualization, such as histograms.

The Dashboard enables you to create your own alert conditions. You specify each alert based on a data stream type. For example, you can pick the Syslog UDP stream and then set up an alert condition on the number of warning messages that come through. System settings enable you to get alerts sent to you as email notifications. Stream handling procedures enable you to parse records, forward them, or store them to file or database.

16. TFTPD32/64

TFTPD is a small utility for Windows. The package is available as a 32-bit or a 64-bit application. The central element of this software is a TFTP client implementation. That client can be set to receive network messages from DHCP, DNS, and SNTP servers. It is also able to receive Syslog data.

This is a simple open-source utility that displays messages in the dashboard as they arrive. Buttons over the viewer give you the ability to view messages by type, and Syslog is one of the message types that can be featured. You see messages as they travel on their way to event logs and the viewer also names the file that Syslog messages should be stored to. This utility doesn’t give you much functionality for data analysis. However, you can also read in records from a file and then you have the ability to sort and filter messages.

TFTPD is able to work with IPv6 addresses as well as IPv4 addresses. TFTPD32 and TFTPD64 are both available for free.

Syslog servers by operating system

| Syslog server        | Linux | Windows | Other |
|----------------------|-------|---------|-------|
| Kiwi                 | No    | Yes     | No    |
| Paessler PRTG        | No    | Yes     | Yes   |
| Loggly               | Yes   | Yes     | Yes   |
| Event Log Analyzer   | Yes   | Yes     | No    |
| WhatsUp Syslog Server| No    | Yes     | No    |
| Syslog Watcher       | No    | Yes     | No    |
| Fastvue Syslog       | No    | Yes     | No    |
| The Dude             | Yes   | Yes     | Yes   |
| Nagios Log Server    | Yes   | Yes     | No    |
| Icinga 2             | Yes   | No      | No    |
| Visual Syslog Server | No    | Yes     | No    |
| Syslog-NG            | Yes   | No      | No    |
| Nxlog                | Yes   | Yes     | Yes   |
| Logstash             | Yes   | No      | No    |
| Graylog              | Yes   | No      | No    |
| TFTPD32              | No    | Yes     | No    |

Choosing a Syslog server

As you can see from the description of the tools in our list, you can choose a straightforward Syslog server, or opt for an analytical tool or a network monitoring system that incorporates Syslog server functions.

To qualify as a Syslog server, a tool must be able to collect system messages written according to the Syslog protocol and store them. Syslog forwarding capabilities are very useful, as is the ability to rotate logs — that means creating new files periodically.

Beyond the basic functions of transferring Syslog messages to files, you can look for the capabilities to sort and filter messages. The ability to vary processing according to message types and drop debug messages and information notifications is useful. A programmer might need to see those debug messages, and so the ability to selectively direct message types to a viewer, a log file, or to a database can be very useful.

The evolution of Syslog processing to store records in a database rather than a file offers you great power. It is far easier to index, sort, search, and filter records in a database than it is to manipulate file records. This is because databases include a structured query language that enables you to isolate fields in records and perform selection, grouping, and exclusion functions on data without altering the original stored records.

Another useful advancement in the Syslog servers available today is a system that can collect messages generated by other platforms and protocols, such as the Windows event logger. If your Syslog server can create standardized record formats, that takes you another step further along the route to collecting important information about your system.
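As an added example of the "standardized record in a database" idea described here and in the Syslog-NG section (example code written for this page, not taken from any of the reviewed products): the block parses both the BSD (RFC 3164) and IETF (RFC 5424) wire formats into one flat record layout, inserts the records into an SQLite table, and then runs a single query that does the selection, exclusion and grouping the previous paragraph attributes to databases. The host names, tags and message texts are constructed, and the 203.0.113.5 address is from the documentation range.

```python
import re
import sqlite3

# RFC 5424 numeric severities; index 0 is the most severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD form (RFC 3164): <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG
_BSD = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")
# IETF form (RFC 5424): <PRI>1 TIMESTAMP HOST APP-NAME PROCID MSGID STRUCTURED-DATA MSG
_IETF = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<tag>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$")

# One column layout for both formats; fields one format lacks become NULL.
COLUMNS = ("received", "fmt", "facility", "sev", "severity", "host", "tag", "pid", "msgid", "msg")


def parse(line):
    """Normalise either wire format into one dict keyed by COLUMNS."""
    m, fmt = _IETF.match(line), "rfc5424"
    if m is None:
        m, fmt = _BSD.match(line), "rfc3164"
    if m is None:
        raise ValueError("unparseable syslog line: %r" % line)
    rec = m.groupdict()
    pri = int(rec["pri"])
    if pri > 191:
        raise ValueError("PRI out of range in %r" % line)
    facility, sev = divmod(pri, 8)  # PRI = facility * 8 + severity
    return {
        "received": rec["ts"], "fmt": fmt, "facility": facility, "sev": sev,
        "severity": SEVERITIES[sev], "host": rec["host"], "tag": rec["tag"],
        # RFC 5424 writes '-' for an absent PROCID/MSGID; the BSD form has no MSGID at all.
        "pid": None if rec.get("pid") in (None, "-") else rec["pid"],
        "msgid": None if rec.get("msgid") in (None, "-") else rec["msgid"],
        "msg": rec["msg"],
    }


def store(conn, lines):
    """Create the table if needed and insert every parsed line; return the row count."""
    conn.execute("CREATE TABLE IF NOT EXISTS syslog (id INTEGER PRIMARY KEY, %s)"
                 % ", ".join(COLUMNS))
    rows = [tuple(parse(line)[c] for c in COLUMNS) for line in lines]
    conn.executemany("INSERT INTO syslog (%s) VALUES (%s)"
                     % (", ".join(COLUMNS), ", ".join("?" * len(COLUMNS))), rows)
    conn.commit()
    return len(rows)


def errors_per_host(conn):
    """Selection (sev <= err), exclusion (no cron noise) and grouping (per host) on isolated fields."""
    return conn.execute(
        "SELECT host, COUNT(*) FROM syslog WHERE sev <= 3 AND tag <> 'cron' "
        "GROUP BY host ORDER BY host").fetchall()


def load_and_report(lines):
    """Load lines into an in-memory database and return the per-host error counts."""
    conn = sqlite3.connect(":memory:")
    store(conn, lines)
    return errors_per_host(conn)


# Constructed sample lines in both formats (hypothetical hosts gw1, sw2, db1).
SAMPLE = [
    "<35>Oct 11 22:14:15 gw1 sshd[4711]: pam_unix(sshd:auth): authentication failure; rhost=203.0.113.5",
    "<78>Oct 11 22:15:00 gw1 cron[200]: (root) CMD (run-parts /etc/cron.hourly)",
    "<187>Oct 11 22:14:18 sw2 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<187>Oct 11 22:14:30 sw2 %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down",
    "<27>1 2024-05-01T10:00:00Z db1 kernel - - - nvme0n1: I/O error, dev nvme0n1, sector 12345",
    "<165>1 2024-05-01T10:00:01Z db1 evntslog 812 ID47 [exampleSDID@32473 iut=\"3\"] Application started",
]

if __name__ == "__main__":
    for host, count in load_and_report(SAMPLE):
        print(host, count)
```

Because severity is stored as its numeric code as well as its name, "err or worse" is a plain range comparison, and the same table serves any other slicing (by facility, by format, by tag) without touching the stored rows.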

Getting alerts created for the conditions reported by Syslog will also give you extra power to focus your energy on important tasks. The ability to create your own alert conditions represents advancement in Syslog processing. Sometimes, the contents of a message might not create concern. However, a sudden surge in the frequency of such messages should become an alert and you can specify such conditions in many of the Syslog servers listed in this review. The ability to combine a count of message types or error conditions is another useful feature that many modern Syslog servers include.
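A minimal version of the rate-based alert just described, as an added example that is not taken from any reviewed product: a sliding-window counter keyed on a combination of fields (here host, tag and severity) that fires when the count inside the window exceeds a threshold and re-arms once the rate drops back, so one continuing surge produces one alert rather than one per message. The records are constructed; hosts gw1 and sw2 are hypothetical.

```python
from collections import defaultdict, deque


class SurgeDetector:
    """Alert when more than `threshold` messages with the same key arrive within `window` seconds.

    A single message of the kind may be routine; the alert condition is the rate.
    The key is whatever combination of fields you count on, e.g. (host, tag, severity).
    """

    def __init__(self, window=60, threshold=5):
        self.window = window
        self.threshold = threshold
        self._recent = defaultdict(deque)  # key -> timestamps still inside the window
        self._alerted = set()              # keys that have fired and not yet re-armed

    def observe(self, t, key):
        """Record one message seen at time t (seconds); return an alert text or None."""
        q = self._recent[key]
        q.append(t)
        while q and t - q[0] > self.window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > self.threshold:
            if key in self._alerted:
                return None                   # same surge still running; do not repeat the alert
            self._alerted.add(key)
            return "SURGE %s: %d messages in %ds" % (key, len(q), self.window)
        self._alerted.discard(key)            # rate is back at or below threshold; re-arm
        return None


# Constructed records: (seconds since start, host, tag, severity). Not real traffic.
RECORDS = (
    [(t, "gw1", "sshd", "err") for t in (0, 5, 10, 15, 20, 25, 30)]        # burst of auth failures
    + [(t, "gw1", "cron", "info") for t in (0, 60, 120, 180, 240)]          # steady and harmless
    + [(0, "sw2", "%LINK-3-UPDOWN", "err"), (100, "sw2", "%LINK-3-UPDOWN", "err")]
    + [(t, "gw1", "sshd", "err") for t in (200, 205, 210, 215, 220, 225)]  # second burst after a lull
)


def run(records, window=60, threshold=5):
    """Feed records in time order; return [(time, alert_text), ...]."""
    det = SurgeDetector(window, threshold)
    alerts = []
    for t, host, tag, sev in sorted(records):
        text = det.observe(t, (host, tag, sev))
        if text:
            alerts.append((t, text))
    return alerts


if __name__ == "__main__":
    for t, text in run(RECORDS):
        print(t, text)
```

With a window of 60 s and a threshold of 5 the first sshd burst trips the alert at its sixth message (t = 25) and stays quiet for the seventh; the gap before t = 200 empties the window, so the second burst produces a second, separate alert at t = 225, while the slow cron stream and the two isolated link errors never do.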

A Syslog server embedded in a network management tool can provide great analysis capabilities. If you already have all the analytical tools you need, then you would be better off focusing on the vanilla Syslog server tools in this review. However, if you have very little budget for system management software and you don’t currently have any analytical tools, then go for a free system management utility that includes a syslog server to keep control of your IT infrastructure.

Managing IT services requires the proper tools. Take a look at the free tools recommended in this review that fit your operating system. Take a little time to play around with each tool so you can discover their features for yourself. Given that all of these tools are free, you have nothing to lose but the time it takes to learn them.
