syslog

In computing, syslog is a standard for message logging. It permits separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the software type generating the message, and assigned a severity label.

Computer system designers may use syslog for system management and security auditing as well as general informational, analysis, and debugging messages. A wide variety of devices, such as printers, routers, and message receivers across many platforms use the syslog standard. This permits the consolidation of logging data from different types of systems in a central repository. Implementations of syslog exist for many operating systems.

History

Syslog was developed in the 1980s by Eric Allman as part of the Sendmail project. It was readily adapted by other applications and has since become the standard logging solution on Unix-like systems. A variety of implementations also exist on other operating systems and it is commonly found in network devices, such as routers.

Syslog originally functioned as a de facto standard, without any authoritative published specification, and many implementations existed, some of which were incompatible. The Internet Engineering Task Force documented the status quo in RFC 3164. It was standardized by RFC 5424.[1]

Various companies have attempted to claim patents for syslog implementations.[2][3] This had little effect on the use and standardization of the protocol.

Syslog message components

The information provided by the originator of a syslog message includes the facility code and the severity level. The syslog software adds information to the information header before passing the entry to the syslog receiver. Such components include an originator process ID, a timestamp, and the hostname or IP address of the device.

Facility

A facility code is used to specify the type of program that is logging the message. Messages with different facilities may be handled differently.[4] The list of facilities available[5] is defined by RFC 3164:

Facility code Keyword Description
0 kern kernel messages
1 user user-level messages
2 mail mail system
3 daemon system daemons
4 auth security/authorization messages
5 syslog messages generated internally by syslogd
6 lpr line printer subsystem
7 news network news subsystem
8 uucp UUCP subsystem
9 clock daemon
10 authpriv security/authorization messages
11 ftp FTP daemon
12 - NTP subsystem
13 - log audit
14 - log alert
15 cron scheduling daemon
16 local0 local use 0 (local0)
17 local1 local use 1 (local1)
18 local2 local use 2 (local2)
19 local3 local use 3 (local3)
20 local4 local use 4 (local4)
21 local5 local use 5 (local5)
22 local6 local use 6 (local6)
23 local7 local use 7 (local7)

The mapping between facility code and keyword is not uniform between operating systems and different syslog implementations.[6]

Severity level

Value Severity Keyword Description Examples
0 Emergency emerg System is unusable This level should not be used by applications.
1 Alert alert Should be corrected immediately Loss of the primary ISP connection.
2 Critical crit Critical conditions A failure in the system's primary application.
3 Error err Error conditions An application has exceeded its file storage limit and attempts to write are failing.
4 Warning warning May indicate that an error will occur if action is not taken. A non-root file system has only 2GB remaining.
5 Notice notice Events that are unusual, but not error conditions.
6 Informational info Normal operational messages that require no action. An application has started, paused or ended successfully.
7 Debug debug Information useful to developers for debugging the application.

The meaning of severity levels other than emergency and debugging are relative to the application. For example, if the purpose of the system is to process transactions to update customer account balance information, an error in the final step should be assigned the alert level. However, an error occurring in an attempt to display the zip code of the customer may be assigned an error or even a warning level.

The server process which handles the message (syslogd) usually includes all lower levels. That is, if messages are separated by individual severity, a warning entry will be included in notice, info and debug processing.

Message

The message component has these fields: TAG, which should be the name of the program or process that generated the message, and CONTENT which contains the details of the message. The content field should be encoded in a UTF-8 character set and octet values in the traditional ASCII control character range should be avoided.

Logger

The destination of messages may be directed to various destinations, tuned by facility and severity, including console, files, remote syslog servers, or relays.

Most implementations provide a command line utility, often called logger, as well as a link library, to send messages to the log. Some implementations include reporting programs for filtering and displaying of syslog messages.

Limitations

Since each process, application and operating system, was written independently, there is little uniformity to the content of the log message. For this reason, no assumption is made about its formatting or contents.

The protocol is Simplex communication with no means to acknowledge the delivery to the originator.

Network protocol

When operating over a network, syslog implements a client-server application structure where the server listens on a well-known or registered port for protocol requests from clients. Historically the most common Transport Layer protocol for network logging has been User Datagram Protocol (UDP), with the server listening on port 514. As UDP lacks congestion control mechanisms, support for Transport Layer Security is required to implement and also recommended for general use[7] on Transmission Control Protocol port 6514.[8]

Outlook

Various groups are working on draft standards detailing the use of syslog for more than just network and security event logging, such as its proposed application within the health care environment.

Regulations, such as the Sarbanes-Oxley Act, PCI DSS, HIPAA, and many others, are requiring organizations to implement comprehensive security measures, which often include collecting and analyzing logs from many different sources. Syslog has proven to be an effective format to consolidate logs, as there are many open-source and proprietary tools for reporting and analysis. Converters exist from Windows Event Log as well as other log formats to syslog.

An emerging area of managed security services is the collection and analysis of syslog records for organizations. Managed Security Service Providers attempt to apply analytics techniques and artificial intelligence algorithms to detect patterns and alert customers to problems.

Internet standard documents

The Syslog protocol is defined by Request for Comments (RFC) documents published by the Internet Engineering Task Force (Internet standards). The following is a list of RFCs that define the Syslog protocol:[9]

See also

References

External links

This article is issued from Wikipedia - version of the Thursday, March 31, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.