Some classics never go out of style, like a good pair of boat shoes or cowboy boots, depending on where you live. In the logging world, syslog is this classic. For more than 30 years, the syslog protocol has been a standard for logging. When we talk to users about what type of logs they collect and how they send them to SolarWinds® Papertrail™, syslog always comes up.
“Our application logs and server system logs are sent to Papertrail. We use various libraries for sending logs and alerts from applications. Servers are all sending logs via rsyslog.” Tyler, WordPress Developer
Advantages of Syslog
Here are some of the reasons why Papertrail users continue to rely on this classic.
Broad Compatibility
Syslog works with a wide variety of network devices and applications. Everything from printers and routers to platforms such as Unix/Linux, BSD Unix, and macOS supports syslog.
Built-In Transport
From the beginning, syslog has offered the ability to route log messages over a network connection. This means you’re not limited to logging messages to a local file—you can direct syslog messages to a logging server. For Papertrail users, syslog is a highly versatile logging protocol capable of directing logs from a multitude of different devices and applications to Papertrail.
Layered Architecture
The layered architecture in the syslog protocol separates the transport, application, and content layers. This design allows you to choose your preferred transport protocol independently from application or content constraints.
Standard Message Format
The syslog message format provides a structured framework with enough flexibility to support vendor-specific extensions while maintaining broad compatibility. In a syslog message, you’ll find three elements:
- Header: version, time stamp, host name, priority, application, process, and message ID
- Structured data: data blocks in a specific format
- Message: content encoded in Unicode Transformation Format (UTF-8) and a tag identifying the process that triggered the message
Beyond the requirement for a source tag and UTF-8 encoding, messages can be configured for a variety of needs. Check out this article for best practices for creating syslog messages.
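To make the three elements concrete, here is an added example (not Papertrail's code) that parses RFC 5424 messages into their header, structured data, and message parts, decoding the PRI field into facility and severity and honouring the backslash escapes allowed inside structured-data values. The sample lines are constructed; the first two are adapted from the examples in RFC 5424 section 6.5.

```python
"""Parse RFC 5424 syslog messages into header, structured data and message.

Added example, not Papertrail's code. SAMPLE_LINES are constructed; the first
two are adapted from the examples in RFC 5424 section 6.5.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# PRI = facility * 8 + severity (RFC 5424 section 6.2.1).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID,
# followed by SP and then STRUCTURED-DATA. "-" (NILVALUE) marks an unknown field.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) "
    r"(?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
)
# SD-PARAM = PARAM-NAME="PARAM-VALUE"; a value escapes " ] and \ with a backslash.
PARAM_RE = re.compile(r'([^=\s\]"]+)="((?:[^"\\]|\\.)*)"')

SAMPLE_LINES = [
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]'
    '[examplePriority@32473 class="high"] An application event log entry...',
    # MSG may start with a UTF-8 byte order mark, which decodes to U+FEFF.
    "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
    "\ufeff'su root' failed for lonvick on /dev/pts/8",
    # Escaped characters inside a parameter value, and no MSG at all.
    '<13>1 - - - - - [x@1 path="C:\\\\tmp" note="a\\]b\\"c"]',
]


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    version: int
    timestamp: Optional[str]
    hostname: Optional[str]
    app_name: Optional[str]
    proc_id: Optional[str]
    msg_id: Optional[str]
    structured_data: Dict[str, Dict[str, str]] = field(default_factory=dict)
    message: str = ""


def _nil(value: str) -> Optional[str]:
    return None if value == "-" else value


def _unescape(value: str) -> str:
    return re.sub(r'\\(["\]\\])', r"\1", value)


def _find_sd_end(text: str) -> int:
    """Index of the first unescaped ']' in text, where text[0] is '['."""
    i = 1
    while i < len(text):
        if text[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if text[i] == "]":
            return i
        i += 1
    raise ValueError("unterminated SD-ELEMENT")


def _parse_structured_data(rest: str) -> Tuple[Dict[str, Dict[str, str]], str]:
    """Return ({sd_id: {param: value}}, text remaining after STRUCTURED-DATA)."""
    if rest.startswith("-"):
        return {}, rest[1:]
    if not rest.startswith("["):
        raise ValueError("STRUCTURED-DATA must be '-' or start with '['")
    elements: Dict[str, Dict[str, str]] = {}
    while rest.startswith("["):
        end = _find_sd_end(rest)
        sd_id, _, params = rest[1:end].partition(" ")
        elements[sd_id] = {name: _unescape(val) for name, val in PARAM_RE.findall(params)}
        rest = rest[end + 1:]
    return elements, rest


def parse_syslog(line: str) -> SyslogMessage:
    """Parse one RFC 5424 message that has already been decoded as UTF-8."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    pri = int(m["pri"])
    if pri > 191:  # 23 facilities * 8 + 7 severities is the maximum
        raise ValueError("PRI out of range")
    sd, rest = _parse_structured_data(line[m.end():])
    if rest and not rest.startswith(" "):
        raise ValueError("MSG must be separated from STRUCTURED-DATA by a space")
    message = rest[1:].lstrip("\ufeff") if rest else ""
    return SyslogMessage(
        facility=FACILITIES[pri // 8], severity=SEVERITIES[pri % 8],
        version=int(m["version"]), timestamp=_nil(m["timestamp"]),
        hostname=_nil(m["hostname"]), app_name=_nil(m["appname"]),
        proc_id=_nil(m["procid"]), msg_id=_nil(m["msgid"]),
        structured_data=sd, message=message,
    )


def parse_samples() -> List[SyslogMessage]:
    return [parse_syslog(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for parsed in parse_samples():
        print(f"{parsed.facility}.{parsed.severity} host={parsed.hostname} "
              f"app={parsed.app_name} sd={parsed.structured_data} msg={parsed.message!r}")
```

The header regex only accepts the RFC 5424 layout (a version number right after the PRI); older RFC 3164 messages, which many devices still emit, have no version field and would need a separate parser.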
Drawbacks of Syslog
Papertrail users also mentioned some of the shortcomings of syslog and how they overcome them.
One-Way Communication
One of the major drawbacks is that syslog is a pure simplex protocol, which means there is no acknowledgement of message delivery. When you couple this one-way communication with UDP, there is a potential for lost data. You can minimize the risk of losing data by switching to TCP. Unlike UDP, TCP can recognize when a link is congested and slow the sending rate.
Potential Security Weaknesses
Syslog messages carry no built-in authentication, and this matters most when they are sent over UDP. As a result, it’s possible for one machine to impersonate another and send bogus log events, and the protocol is also susceptible to replay attacks. Fortunately, you can address this concern by switching to TCP. Another big security advantage of using TCP is the ability to add TLS encryption. For more information on TLS, check out the documentation.
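The two drawbacks above are both about transport, so here is an added example (not Papertrail's code) of what "switching to TCP" means on the wire: each record is length-prefixed with RFC 6587 octet counting, the batch goes out on a single TCP connection, and the same connection can be wrapped in TLS with certificate and host name verification. A UDP sender is included for contrast, because sendto() reports success whether or not anything is listening, which is exactly the lost-data problem. The collector on 127.0.0.1, the host names, ports and log records are all constructed for the example.

```python
"""Forward syslog records over TCP with RFC 6587 octet-counting framing.

Added example, not Papertrail's code. The collector on 127.0.0.1 stands in for
the remote log host so the example runs offline; host names, ports and the log
records are constructed.
"""
import socket
import ssl
import threading
from typing import List


def build_record(facility: int, severity: int, hostname: str, app: str,
                 msg: str, timestamp: str = "-") -> bytes:
    """Build a minimal RFC 5424 record; PRI is facility * 8 + severity."""
    pri = facility * 8 + severity
    return f"<{pri}>1 {timestamp} {hostname} {app} - - - {msg}".encode("utf-8")


def frame(record: bytes) -> bytes:
    """RFC 6587 octet counting: MSG-LEN SP SYSLOG-MSG. The length prefix lets
    the receiver split the byte stream even when a record contains newlines."""
    return f"{len(record)} ".encode("ascii") + record


def unframe(stream: bytes) -> List[bytes]:
    """Split a stream of octet-counted frames back into records."""
    records: List[bytes] = []
    while stream:
        length, sep, rest = stream.partition(b" ")
        if not sep or not length.isdigit():
            raise ValueError("malformed frame header")
        n = int(length)
        if len(rest) < n:
            raise ValueError("truncated record")
        records.append(rest[:n])
        stream = rest[n:]
    return records


def send_udp(host: str, port: int, record: bytes) -> int:
    """Classic UDP transport: one datagram per record and no acknowledgement.
    The return value is only the byte count handed to the kernel; nothing
    tells the sender whether the collector ever received it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(record, (host, port))


def send_tcp(host: str, port: int, records: List[bytes], tls: bool = False,
             timeout: float = 5.0) -> int:
    """Send all records on one TCP connection, optionally under TLS.
    TCP gives ordered, acknowledged delivery and back-pressure on a congested
    link; TLS adds encryption and authentication of the collector on top."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if tls:
        # Verifies the collector's certificate against the system CA store and
        # checks the host name; a mismatch raises instead of sending anything.
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        payload = b"".join(frame(r) for r in records)
        sock.sendall(payload)
    return len(payload)


def collect_over_loopback(records: List[bytes]) -> List[bytes]:
    """Start a throwaway collector on 127.0.0.1, forward `records` to it over
    TCP, and return what the collector decoded from the stream."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]
    received: List[bytes] = []

    def serve() -> None:
        conn, _ = server.accept()
        with conn:
            chunks = []
            while True:
                chunk = conn.recv(4096)
                if not chunk:  # sender closed the connection: end of stream
                    break
                chunks.append(chunk)
        received.extend(unframe(b"".join(chunks)))

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        send_tcp("127.0.0.1", port, records)
        worker.join(timeout=5.0)
    finally:
        server.close()
    return received


def unused_udp_port() -> int:
    """Pick a loopback UDP port nothing is listening on (for the demo only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


if __name__ == "__main__":
    batch = [build_record(16, 6, "web01", "nginx", "GET /login 200"),
             build_record(4, 2, "web01", "sshd", "Failed password\nfor root")]
    print("UDP bytes 'sent' to a port nobody listens on:",
          send_udp("127.0.0.1", unused_udp_port(), batch[0]))
    print("TCP records received by the collector:", collect_over_loopback(batch))
```

In rsyslog the same choice is made by the prefix of the forwarding rule: a single @ before the host sends over UDP and @@ sends over TCP, so the manual setup line shown later on this page forwards over UDP as written.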
Papertrail Users Love Syslog
A large part of what makes Papertrail a perfect log management choice for syslog events is the built-in separation between the application or device generating the message and the system storing the message. When you combine this flexible design with syslog’s broad compatibility and the easy setup and intuitive search capabilities of Papertrail, you end up with a simple yet powerful logging solution.
Papertrail users comment frequently on how fast and easy it is to configure remote syslog to send logs to Papertrail. All they need to do is add the Papertrail instance and port number to the end of a config file.
The most frequent question we hear when users are configuring syslog is where they can find the Papertrail instance and port information. There are two ways you can view the instance and port details. You can either go to the Dashboard view and select Add Systems or select the Quick Start option under the Support menu and select Add Systems. Both options will display the instance and port information needed for configuring remote syslog.
The instance and port information are displayed in the yellow bar at the top of the Add Systems screen.
Manual Setup
You can manually configure remote syslog by editing the syslog daemon configuration file and adding the Papertrail instance and port number. Here are the basic configuration steps, but there are even more details in the documentation.
Rsyslog
Edit /etc/rsyslog.conf by adding this to the end of the file:
*.* @loghostname.papertrailapp.com:XXXXX
Where loghostname is the prefix of your Papertrail instance and XXXXX is the port number.
Syslogd
Edit /etc/syslog.conf by adding this to the end of the file:
*.* @loghostname.papertrailapp.com:XXXXX
Where loghostname is the prefix of your Papertrail instance and XXXXX is the port number.
Syslog-ng
Edit either /etc/syslog-ng.conf or /etc/syslog-ng/syslog-ng.conf.
Create a logging destination for Papertrail by adding this block to the configuration file:
destination d_papertrail {
udp("logsN.papertrailapp.com" port(XXXXX));
};
Where logsN is the prefix of your Papertrail instance host name and XXXXX is the port number.
Next, find lines starting with source and paste configuration entries pointing your sources at the new Papertrail destination.
log { source(s_startctllog); destination(d_papertrail); };
log { source(s_startctludp); destination(d_papertrail); };
log { source(s_startctltcp); destination(d_papertrail); };
Automation Options
Papertrail offers several automated configuration options in the Quick Start menu under Support. You just need to select the type of log files and the source, and it provides a customized configuration file and step-by-step instructions.
If you happen to be working in Linux, you can also automate the setup of the remote_syslog2 logging daemon with Chef, Puppet, and Salt. Links to the cookbooks, modules, and formulas are below:
Summing It Up
Syslog is a protocol applications and devices use to send event data to a central location. With broad compatibility and great flexibility in both the message structure and transport options, syslog remains a popular choice among Papertrail users. Setting up syslog with Papertrail is quick and easy, and it can be done manually, with a customized script provided by the Quick Start menu, or through automation tools such as Chef, Puppet, and Salt.
If you haven’t used Papertrail with syslog messages, give it a try and let us know what you think.