Syslog

Once, a program was written for sending internetwork e-mails. That program changed the way events get logged today. It is better known as the Sendmail program. Sendmail supports many kinds of mail transfer and delivery methods, but the most preferred is the Simple Mail Transfer Protocol (SMTP). Eric Allman, the writer of the first Advanced Research Projects Agency Network (ARPANET) Delivermail program, wrote Sendmail as a derivative of Delivermail for the UNIX platform. While writing it, he decided to make the program capable of sending its log messages to a remote system rather than keeping them on the system on which the program was installed; the messages Sendmail sent were stored in a maillog file on the remote system. To perform this task he created a new protocol, known as the Syslog protocol. His idea of storing log messages on a remote server was so well received that it is now used as the standard remote logging protocol.

Today the Syslog protocol is known as a protocol that allows an application, system or device to send event logs to event-collecting servers known as Syslog servers or Syslog daemons. In short, any application or device can be configured to send its event logs to a Syslog daemon by generating a Syslog message. Since the protocol was developed for UNIX and first used on the Berkeley Software Distribution (BSD UNIX) platform, it is also known as BSD Syslog, and sometimes FreeBSD Syslog, since BSD UNIX is free now. Syslog transfers messages in UDP packets, and a Syslog server receives, on port number 514, only from applications that can generate Syslog messages. Note that you cannot configure a Syslog server to ask a specific application or system to transfer its event logs; you have to configure the application or device to send its event logs to the server. It should be clear, then, that a Syslog server hardly bothers about who is sending messages and hence can receive messages from anyone.

A Syslog packet can never be larger than 1024 bytes and consists of only three fields: Priority (PRI), Header and Message (MSG). The PRI field is made up of 8 bits, of which the 3 low-order bits represent the Severity code and the remaining bits represent the Facility code. Recommended codes are defined, but an application may use its own codes. The Header section contains a Timestamp, which stores the date and time at which the message was generated, and the Host-Name or IP address of the device. The MSG part contains the details of the event log, usually stored in a TAG and a CONTENT field, where TAG stores the name of the program, process or device and CONTENT stores the event log itself.

Criticism:
Since the protocol uses UDP packets it is unreliable: if any Syslog packet is lost in transit it can never be recovered, ultimately losing important data. Next, you cannot configure a Syslog server to accept only a specific kind of data, so anyone can send data to the Syslog server. Also, every application may generate its own severity and facility codes, leaving the protocol susceptible to non-uniform log messages.
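The packet layout described above (PRI, Header, MSG with TAG and CONTENT) and two of the criticisms (any host can send, and PRI codes are only recommendations) are easier to see in working code. The following is an added example, not code from the original post or from any Syslog implementation. It encodes a BSD-style datagram on the sender side with PRI = Facility × 8 + Severity (so the 3 low-order bits are the severity), parses one on the collector side with the 1024-byte and PRI-range checks, and applies a source allowlist before parsing, which is the simplest receiver-side mitigation for the "accepts from anyone" problem. The facility names follow common Unix usage, the allowlist networks are assumptions, and the sample datagram is the example message shown in RFC 3164.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple

# RFC 3164 limits: a packet is at most 1024 bytes and PRI is 0..191
MAX_PACKET_LEN = 1024
MAX_PRI = 191

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility names as commonly used on Unix systems (codes 0..23)
FACILITY_NAMES = (
    ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
     "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
    + [f"local{i}" for i in range(8)]
)

# "<PRI>Mmm dd hh:mm:ss HOSTNAME MSG": PRI, then the Header (timestamp, host), then MSG
_LINE_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d) (\S+) (.*)$"
)
# TAG is up to 32 alphanumerics; the first non-alphanumeric character starts CONTENT
_TAG_RE = re.compile(r"^([A-Za-z0-9]{1,32})(.*)$")


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    tag: str
    content: str

    @property
    def facility_name(self) -> str:
        return FACILITY_NAMES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def build_message(facility: int, severity: int, timestamp: str,
                  hostname: str, tag: str, content: str) -> bytes:
    """Sender side: encode one BSD syslog datagram. PRI = facility*8 + severity."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23 and severity 0..7")
    pri = facility * 8 + severity
    data = f"<{pri}>{timestamp} {hostname} {tag}: {content}".encode("ascii")
    if len(data) > MAX_PACKET_LEN:
        raise ValueError("syslog packet exceeds 1024 bytes")
    return data


def parse_message(data: bytes) -> SyslogMessage:
    """Collector side: split PRI, Header and MSG, rejecting malformed input."""
    if len(data) > MAX_PACKET_LEN:
        raise ValueError("packet longer than 1024 bytes")
    m = _LINE_RE.match(data.decode("ascii"))
    if m is None:
        raise ValueError("not a BSD syslog message")
    pri = int(m.group(1))
    if pri > MAX_PRI:
        raise ValueError(f"PRI {pri} out of range 0..191")
    facility, severity = divmod(pri, 8)  # high bits: facility, low 3 bits: severity
    t = _TAG_RE.match(m.group(4))
    if t is None:
        raise ValueError("MSG part does not start with a TAG")
    return SyslogMessage(facility, severity, m.group(2), m.group(3), t.group(1), t.group(2))


def accept_datagram(src_ip: str, data: bytes,
                    allowed_sources: Iterable[str]) -> Tuple[Optional[SyslogMessage], Optional[str]]:
    """Per-datagram policy for a collector: source allowlist first, then strict parsing.
    Returns (message, None) on acceptance or (None, reason) when the datagram is dropped."""
    src = ip_address(src_ip)
    if not any(src in ip_network(n) for n in allowed_sources):
        return None, f"dropped: source {src_ip} not in allowlist"
    try:
        return parse_message(data), None
    except (ValueError, UnicodeDecodeError) as exc:
        return None, f"dropped: {exc}"


# Constructed input: the example datagram given in RFC 3164 (PRI 34 = auth.crit)
SAMPLE = b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
# Assumed allowlist of hosts permitted to log to this collector
ALLOWED = ["10.0.0.0/24"]

if __name__ == "__main__":
    msg, why = accept_datagram("10.0.0.7", SAMPLE, ALLOWED)
    print(msg.facility_name, msg.severity_name, msg.hostname, msg.tag, msg.content)
    print(accept_datagram("203.0.113.9", SAMPLE, ALLOWED)[1])
```

Keeping the allowlist check before parsing means a collector on UDP/514 spends nothing on datagrams from unexpected hosts, and the PRI range and length checks turn the "any code an application likes" problem into an explicit drop with a logged reason rather than a silently misfiled message.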
