What is a Syslog Server?
Syslog is a universal standard for system messages. It was originally implemented by a Unix utility, called syslogd, but now it is used by a wide range of IT equipment, so just about every piece of computing kit that you buy will be able to send syslog messages. You can direct these messages to different log files according to the message severity level. But if you plan to make the most of the information, that data really should be processed or at least read.
Syslog Servers and Clients
The concept of a “Syslog server” really refers to an application that deals with syslog messages rather than the provision of a dedicated computer to receive the messages. So, don’t get misdirected by that “server” word in there.
The server/client model is also a little difficult to grasp in Syslog terms. Usually, the client contacts the server and the server responds. In Syslog, the client is just a program that broadcasts error, warning, and debugging messages. It has no direct contact with a counterpart: it sends out the messages whether or not anyone is listening for them. Syslogd is a daemon that collects those messages, so it is judged to be the server, even though it never responds to the originator of the messages. The daemon may be running locally, or it can be implemented as a remote syslog server reached over the internet.
Although the Syslog standard has been codified by the Internet Engineering Taskforce, there are so many implementations of Syslog that some variation in the syslog data message format exists. With all of the different message types you could be benefiting from, you need to get a tool to sort through them all.
The definition of the Syslog standard is freely available to the public, but it is not regarded as an “open source project.” This is because “open source” refers to freely available program code, whereas Syslog is a standard rather than a program. However, there are open source Syslog server implementations out there.
Syslog messages can be regarded as the Linux/Unix equivalent of Windows Event Logs. So, you could refer to them as “syslog events.” They supply important information and will support your system administration tasks through:
- Warnings of equipment failure – which get written to a log file
- Capacity exhaustion monitoring – through pre-set warning levels which you set yourself
- Alerts of unexpected events – abnormal activity may indicate compromised user accounts
- Network intrusion detection – spot unauthorized devices and access to unexpected locations on the internet
The records in your syslog files are written there because the producers of your software and devices judged certain events to be of significance, so it is a mistake to ignore this rich source of system activity and status information. So download a Syslog collector and activate it.
Syslog Port Numbers
Syslog operates over UDP, so expect activity on UDP port 514 of your network devices. This is caused by all of those Syslog event messages circulating around your network. UDP port 514 is used by Syslog clients to send messages and by Syslog servers to listen for them, so it is both the source and the destination port of all standard Syslog communications. Don’t close it. Be suspicious of activity on TCP port 514. This is a port known to be used by the ADM worm and it is not used for Syslog.
There are secure Syslog implementations. As secure services need to establish a connection, you cannot use a UDP port for them. The secure version of Syslog is known as Syslog over TLS and it uses TCP port 6514. If you want to operate a remote Syslog server connecting to a network across the internet, you need to go the Syslog over TLS route because unencrypted Syslog events being sent over the internet would seriously undermine your network security.
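To make the client/server asymmetry described above concrete, here is an added example (not code from the original article) of a minimal UDP collector in Python: the client fires one datagram and never waits for an answer, while the collector binds a socket, records the sender's address and decodes the `<PRI>` header into facility and severity. It binds an ephemeral loopback port rather than UDP/514, which would need administrator rights; the sample message is the well-known example from RFC 3164.

```python
"""Minimal syslog collector over UDP, loopback only (added example).

The "client" is a plain UDP socket that sends one datagram and does not
wait for a reply; the "server" listens, records who sent the datagram, and
decodes the <PRI> header. Port 0 lets the OS pick a free port and stands in
for UDP/514, which a real collector would bind with elevated rights.
"""
import socket

# Syslog severity codes: 0 is the most severe, 7 the least.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(message):
    """Split the leading <N> into (facility number, severity name)."""
    close = message.index(">")
    pri = int(message[1:close])
    return pri // 8, SEVERITIES[pri % 8]


def run_demo(payload):
    """Send one constructed syslog datagram to a local collector and return what it saw."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))            # 0 = ephemeral port, stand-in for 514
    server.settimeout(2.0)
    port = server.getsockname()[1]

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.sendto(payload.encode("utf-8"), ("127.0.0.1", port))   # fire and forget: no recv()
    client.close()

    data, (src_ip, _src_port) = server.recvfrom(65535)
    server.close()
    text = data.decode("utf-8", errors="replace")
    facility, severity = decode_pri(text)
    # A collector tags every record with the sender address; that is all the
    # "discovery" a syslog server ever gets, since the client never identifies itself.
    return {"source": src_ip, "facility": facility, "severity": severity, "raw": text}


if __name__ == "__main__":
    # The RFC 3164 sample message: PRI 34 = facility 4 (auth), severity 2 (crit).
    print(run_demo("<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"))
```

Because the transport is UDP, nothing tells the client whether the collector was listening, and the source address is the only evidence of origin; that is why remote collection over the internet should use Syslog over TLS, as the next paragraph says.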
The Best Free Syslog Servers for Linux and Windows
If you don’t have a budget for tools, or if you don’t think that it is worth spending money just to look at log file messages, then check out our list of free syslog servers. Most review sites will give you a list of the five or 10 best syslog servers, but we have gone the extra mile and found 15 excellent syslog servers that are free to use.
Here’s a list of the 15 best free Syslog servers for Linux and Windows:
- SolarWinds Kiwi Syslog Server (FREE DOWNLOAD)
- Paessler PRTG Network Monitor (FREE TRIAL)
- Event Log Analyzer
- WhatsUp Syslog Server
- Syslog Watcher
- Fastvue Syslog
- The Dude
- Nagios Log Server
- Icinga 2
- Visual Syslog Server
- Syslog-NG
- Nxlog
- Logstash
- Graylog
- TFTPD32/64
Syslog servers by operating system
| Tool | Linux | Windows | Mac |
|---|---|---|---|
| Event Log Analyzer | Yes | Yes | No |
| WhatsUp Syslog Server | No | Yes | No |
| Nagios Log Server | Yes | Yes | No |
| Visual Syslog Server | No | Yes | No |
You can read more about these tools in the following sections.
1. SolarWinds Kiwi Syslog Server (FREE DOWNLOAD)
Kiwi is a syslog server utility from SolarWinds. The package costs $295, but there is a free version. You can use the system for free to monitor Syslog messages from up to five devices. The free package would only be suitable for small networks.
The Simple Network Management Protocol is based on the Syslog methodology, so Kiwi can also gather SNMP messages. A device-originated alert message is called an “SNMP Trap.” The Trap is an exception to regular SNMP procedures, in which device agents only respond with statuses when queried by a manager program. So, Traps are designed to signify high-risk conditions. The tool will write messages to a log file and also show them in the program’s dashboard. Kiwi will collect Syslog messages from many types of equipment, including routers, computers, and firewalls.
The Kiwi system enables you to write event logs by IP address, date or by message source type. You can get alerts on high traffic conditions sent to your email notifications. However, if you get the paid version there are many more conditions that you can elect to be notified about by email. The Kiwi Syslog Server is only available for Windows. It can be installed on Windows Server 2008 R2, Windows Server 2012, Windows 7 SP1, Windows 8.1, and Windows 10.
2. Paessler PRTG Network Monitor (FREE TRIAL)
Paessler PRTG Network Monitor is a very comprehensive network monitoring system. However, you can use PRTG for free if you have a small network. Paessler charges per “sensor.” A sensor is a condition or status on a network. The company counts Syslog as one sensor, and if you monitor 100 sensors or less, the system is free of charge. So, you will have 99 other network conditions that you can monitor before you have to pay.
You can download the PRTG software from the Paessler website and install it on Windows. There isn’t a version for Linux. However, you can opt to access the software as a cloud service, which is system agnostic.
The Syslog function in PRTG is called the Syslog Receiver. This gathers all Syslog data travelling around your network and writes the messages to a database. Once the messages are in the database, the subsequent management of those records depends on the settings that you specify for the system. You can have them written to log files, query them in the PRTG dashboard, and trigger actions under certain conditions. You can download the free trial and evaluate it.
3. Event Log Analyzer
ManageEngine’s Event Log Analyzer operates as a Syslog server and is free for up to five log sources. The monitoring software can be installed on Windows or Linux, but it can monitor events arising on any operating system. The syslog data can originate in any type of network-connected equipment, including switches, routers, and virtual machines.
You don’t have to put much work into setting up the system thanks to its autodiscovery feature. Syslog is a messaging standard implemented by just about all network-connected devices, so the Event Log Analyzer just needs to listen on the network for all Syslog-compliant messages sent out by the equipment connected to it. Each message contains a header that identifies its origin. That enables the Event Log Analyzer to build up a list of all hardware on the network and list alerts and status reports by IP address/origin.
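The header that identifies a message's origin, the severity levels mentioned in the introduction, and the format variation between implementations can all be seen in one place by parsing a few lines. The following added Python example is mine, not code from ManageEngine or from the article; it accepts both the BSD (RFC 3164) and IETF (RFC 5424) grammars, normalises them into one record, builds the host/application inventory a collector derives from headers alone, and filters by minimum severity. The sample lines are constructed (the first two adapt the examples printed in the RFCs).

```python
"""Parse BSD-style (RFC 3164) and IETF-style (RFC 5424) syslog lines into
one record layout, then use the header alone to inventory sources and to
route by severity. Added example; sample lines are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$",
    re.DOTALL,
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogRecord:
    facility: int
    severity: int      # 0 = emerg (most severe) ... 7 = debug (least severe)
    timestamp: str
    host: str
    app: str
    message: str
    fmt: str           # which grammar matched


def parse(line):
    """Try the newer grammar first; its '>1 ' version marker cannot appear in a BSD line."""
    for fmt, rx in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = rx.match(line)
        if m:
            pri = int(m["pri"])
            if pri > 191:                      # 24 facilities * 8 severities - 1
                raise ValueError(f"PRI out of range: {pri}")
            return SyslogRecord(pri // 8, pri % 8, m["ts"], m["host"], m["app"], m["msg"], fmt)
    raise ValueError(f"unrecognised syslog line: {line!r}")


def inventory(lines):
    """Host -> sorted list of apps seen: the device list a collector builds from headers."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse(line)
        seen[rec.host].add(rec.app)
    return {host: sorted(apps) for host, apps in seen.items()}


def at_least(lines, min_severity):
    """Records at min_severity or more severe. Lower number = more severe, so the
    comparison is '<='; getting this backwards silently drops the critical
    messages and keeps the debug noise."""
    limit = SEVERITY_NAMES.index(min_severity)
    return [rec for rec in map(parse, lines) if rec.severity <= limit]


# Constructed sample input: two BSD-style lines and two IETF-style lines.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 "
    '[exampleSDID@32473 iut="3"] An application event log entry',
    "<13>Feb  5 17:32:18 10.0.0.99 sshd[1234]: Accepted publickey for alice from 10.0.0.7",
    "<30>1 2023-02-05T17:32:19Z fw01 filterlog - - - Rule 12 blocked 198.51.100.5",
]

if __name__ == "__main__":
    for rec in map(parse, SAMPLE_LINES):
        print(rec.fmt, rec.host, rec.app, SEVERITY_NAMES[rec.severity], rec.message)
    print(inventory(SAMPLE_LINES))
    print([r.host for r in at_least(SAMPLE_LINES, "warning")])
```

Everything the inventory knows comes from the hostname field of the header, which the sender fills in itself; a collector that keys devices on that field rather than on the datagram's source address is trusting the client's self-description.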
The ManageEngine dashboard includes a lot of functionality that enables you to specify actions to perform on the collected Syslog data. A typical Syslog server requirement is to write all records to event logs. This action is available, but you can also query records in the dashboards and sort and filter messages. Archived logs can be compressed and encrypted. The encryption enables access rights to be imposed on user accounts, so the visibility of the data in Syslog files can be restricted to just a few network users with admin rights.
The Event Log Analyzer can also monitor SNMP messages. ManageEngine produces a comprehensive network monitoring system, called OpManager. A restricted version of this tool is available for free and the Event Log Analyzer integrates very well with that wider network monitoring system.
4. WhatsUp Syslog Server
Ipswitch produces a successful network monitoring tool called WhatsUp Gold. It also offers a free Syslog server, which can be used as a standalone utility or integrated into the WhatsUp Gold package. The WhatsUp Syslog Server is free to use and can be installed on Windows.
This tool covers the basic Syslog server functions of capturing Syslog data and storing them in event logs. Beyond that standard functionality, the package gives you a few more facilities to help you better organize Syslog messages and deal with them. You can forward messages to other applications and save records to different files selectively. The Syslog server includes a console where you can display records and specify how the program deals with each message type.
The Syslog viewer shows you live data as it comes in, and you can filter and sort records in order to focus on one source or message type. The volume of data that the tool can handle means it would be suitable for all sizes of network, even though it is free. The console can handle up to six million messages per hour. You can also import archived records in order to analyze events and get a long-term view of the performance of network equipment.
The management functions of the console allow you to specify templates highlighting specific alert conditions or message source IP address. You can also create custom warnings by specifying combinations of conditions that should be escalated to alert status.
5. Syslog Watcher
Syslog Watcher from EZ5 Systems is available for installation on Windows. This is a free Syslog server program with a number of extra monitoring features. As just about every device connected to your network sends out Syslog messages, the Syslog server has to work fast if you want it to do more than just collect and write those messages to a file. Syslog Watcher uses a multithreaded architecture, so the collection of new records isn’t held up by the completion of processing.
The control dashboard gives you options on how to process messages. You aren’t limited to storing them in files because you have the option of writing them to a database. Getting your Syslog messages into a database gives you a lot more power to deal with event records because you can sort, filter, group, and count them. It allows you to combine events to generate custom alert conditions. You can get alert messages sent to you by email through Syslog Watcher.
Syslog Watcher can monitor messages both over UDP and TCP and it can operate with both the IPv4 and the IPv6 address systems.
UPDATE: Syslog Watcher is free for home use. Business users have to pay for the tool. However, EZ5 Systems offers a 30-day money-back guarantee. So, if you want to try it out for free, just use it for a month and then ask for your money back.
6. Fastvue Syslog
Fastvue specializes in system message reporting tools. One of its products is a free Syslog server utility. This software can be installed on Windows Server 2008 R2 and later versions of the Windows Server operating system.
The Syslog system collects incoming messages and writes them to event logs. That takes care of your basic Syslog server function. The dashboard of the Fastvue tool examines all of your archived files and gives you a report on each file’s size. Files are collated by date and each is partnered by a verification file that stores a SHA-256 hash of the log file. Keeping an eye on this information tells you whether a log file has been interfered with. This is an important function for intrusion detection because hackers will amend log files to hide their presence.
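The verification-file idea is simple enough to show end to end. The following added Python example is mine, not Fastvue's code; the file names and directory layout are assumptions. It seals a closed day-file with a SHA-256 sidecar in `sha256sum` format, verifies it, and then shows the check failing after a line has been removed from the log.

```python
"""Per-file SHA-256 verification files for archived syslog day-files (added example;
layout and sample log are constructed, not Fastvue's)."""
import hashlib
import hmac
import os
import tempfile


def sha256_of(path):
    """Stream the file through SHA-256 so multi-gigabyte logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def seal(log_path):
    """Write <log>.sha256 beside the closed log file, in sha256sum format, and return the digest."""
    digest = sha256_of(log_path)
    with open(log_path + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(log_path)}\n")
    return digest


def verify(log_path):
    """True if the log still hashes to the sealed digest."""
    with open(log_path + ".sha256") as f:
        expected = f.read().split()[0]
    # The digest is not a secret, but a constant-time compare is a harmless habit.
    return hmac.compare_digest(expected, sha256_of(log_path))


def demo():
    """Seal a day's log and verify it; then drop one line and verify again.
    Returns (verdict_before_edit, verdict_after_edit)."""
    workdir = tempfile.mkdtemp()
    log = os.path.join(workdir, "10.0.0.99", "2024-01-15.log")   # constructed: one dir per source
    os.makedirs(os.path.dirname(log))
    lines = [  # constructed sample records
        "<86>Jan 15 09:01:02 10.0.0.99 sshd[412]: Failed password for root from 203.0.113.9\n",
        "<86>Jan 15 09:01:05 10.0.0.99 sshd[412]: Failed password for root from 203.0.113.9\n",
        "<86>Jan 15 09:01:09 10.0.0.99 sshd[412]: Accepted password for root from 203.0.113.9\n",
    ]
    with open(log, "w") as f:
        f.writelines(lines)
    seal(log)
    before = verify(log)

    # Simulate tampering: the successful login disappears from the archive.
    with open(log, "w") as f:
        f.writelines(lines[:2])
    after = verify(log)
    return before, after


if __name__ == "__main__":
    print(demo())   # expect (True, False)
```

A sidecar stored next to the log proves only that the file has not changed since it was sealed; anyone with write access to the log directory can usually rewrite the `.sha256` as well. Copy the verification files, or at least the digests, to a host that the log producers cannot write to, and run the comparison from there.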
Fastvue Syslog compiles separate log files for each reporting device/IP address, so you end up with directories of files per device address. Each file contains a day’s worth of Syslog data messages originating from the device that the directory shadows.
This Syslog server focuses on creating and monitoring files of Syslog messages rather than making those records available for analysis. If you need a console to analyze records, you will need to import the log files into another application.
7. The Dude
The Dude is a very widely used free network analysis tool that includes Syslog server functions. This app can be installed on any Windows version from Windows 2000 on, all flavors of Linux, and MacOS. This tool is produced by MikroTik, a router manufacturer from Latvia.
This system can monitor your network devices and collect Syslog data. It can process SNMP alerts, plus ICMP and DNS traffic. The Dude can monitor TCP traffic as well as UDP. The network monitoring features include autodiscovery and a network topology mapper.
The Syslog functions of The Dude can be accessed from a tab in the interface. The system can operate as a full Syslog server with extra forwarding and filtering capabilities. You can get The Dude to just send all records to a file, or specify rules to divert qualifying messages to other destinations, which might be separate event logs, or the console of the system. You can also drop certain records and get the system to beep, flash, or display a popup message for custom alert conditions.
The Dude performs actions when it detects a given alert condition, including the execution of commands. The Dude can send you an email or make a spoken announcement upon detection of a custom alert condition.
8. Nagios Log Server
Nagios is based on an open-source project. The ability to download the source code for the system means you can use it for free. However, there are limits on the free version of Nagios. You can only use the system for free up to 500 MB of data throughput per day. The Nagios software can be installed on Windows and Linux.
The log server can gather information on Windows events, Linux syslogs, and network device syslogs. The application consolidates log messages in one central location. You can nominate physical servers to store event logs, distribute storage over a cluster of servers, even duplicate files in different locations to create backups.
The console allows you to view live streams of log messages and access previously stored Syslog data. The interface includes sorting and filtering functions to help you analyze messages. You can specify alert conditions, which may be made up of a combination of statuses or designated as an alert on the frequency of specific message types coming in. The customization capabilities of Nagios even extend to the dashboard. It is possible to populate the dashboard with prioritized features, including message lists. Other elements you can place on the dashboard include data visualization tools, such as graphs, histograms, and charts.
9. Icinga 2
Icinga started off as a fork of Nagios. Since its inception in 2009, the package has diverged from its predecessor, and the latest version, Icinga 2, can be installed on Linux. The package comes in two parts. The Core system is the data processor, and its backend can interface with a range of data management applications, including Graphite and InfluxDB. The Icinga team also produces its own front end, called Web 2.0, which is available from the Icinga website as a separate download.
Icinga 2 is a comprehensive network monitoring tool and one of its functions is a logging feature. You can set the logging source to Syslog data. Optionally, the logger can be set to just collect Syslog messages of a specific severity level. It won’t limit message collection to just the nominated severity, but will record all messages with the given severity, plus those with higher severity levels. The progression of message types is “debug,” “notice,” “information,” “warning,” and “critical.” The default level is “warning,” so if you just point the logger to Syslog without specifying a minimum severity level, it will pick up all warning and critical messages.
If you look at the Icinga website for a price, you won’t find one because this network monitoring tool is completely free.
10. Visual Syslog Server
Visual Syslog Server is a small utility that collects Syslog data and displays them in a viewer. The records can also be written to event logs and rotated by date or file size. This application can be installed on Windows and it is available for free. The software can be installed on Windows XP and above and also on Windows Server 2003, 2008, and 2012.
In the dashboard, records are color coded with error messages in red and warnings in yellow. Those colors can be customized. You get real-time views of the messages and you can also load records into the viewer from files.
Although this utility doesn’t have sophisticated graphics or processing options, it is lightweight and fast, so it has a market. The viewer presents records and allows you to filter them and sort them. The interface can be set to play a sound when an alert condition is encountered. You can also set the application to send you an email when it encounters an alert or a warning. If your email system supports encryption, Visual Syslog Server will encrypt the notification emails that it sends to you. This is a handy, free, ready to use tool that gets the job done.
11. Syslog-NG
Syslog-NG is an open-source package that is free to use. The software for Syslog-NG can only be installed on Linux. However, the log management system is able to collect Windows event data as well as standard Linux, Unix, and device firmware-generated Syslog messages.
The Syslog-NG system will collect all Syslog (and Windows event) messages from the devices connected to your network, recording the source IP address. The default destination for those records is event logs. However, you can also forward Syslog messages to other applications or insert them into an SQL database. Syslog-NG is a pure Syslog server in that it just deals with capturing Syslog messages. Syslog-NG reorganizes system messages arriving in different formats so they are stored in the same layout.
Other Syslog servers on this list can analyze data from the messages. Some Syslog servers have attractive dashboards with data visualization features. You don’t get any of that with Syslog-NG. If you want to get more functionality to process your Syslog messages, you will need to add on a data analysis tool.
12. Nxlog
This review includes Syslog server programs that can be installed on Windows and/or Linux. Nxlog can be installed on either of those operating systems and also on Unix and Android. Whichever operating system you install it on, it will be able to collect Syslog data from all the others: Unix, Linux, Windows, and Android.
Nxlog is a straightforward message collection system. It can operate over UDP and TCP and it can receive messages protected by TLS encryption. Messages get written to files and can also be stored in databases. In all cases, Nxlog creates a standard record format that unites data from disparate sources. A multithreaded architecture enables this tool to handle hundreds of thousands of messages per second, making it suitable for all sizes of network.
The Nxlog system is open-source and you can use it free of charge. There aren’t any analytical functions in this tool, so if you want to view records or manipulate them in any way, you will need to find a separate front end for analysis. This is a straightforward message collection and logfile creation facility, making it a pure Syslog server.
13. Logstash
Logstash is part of a suite of utilities called “Elastic Stack.” This group of tools is produced by the developers whose first product was Elasticsearch. Elasticsearch is the second element of the Elastic Stack and Kibana is the third. The division of labor between these three packages is that Logstash collects log messages, Elasticsearch enables you to sort and filter those messages for analysis, and Kibana interprets and displays the data. All of the Elastic Stack programs run on Linux.
Kibana makes a great front-end for any of the other Syslog servers in this list. As the event message collection service for the stack, Logstash operates as a Syslog server. The utility listens on the network for messages sent from a wide range of sources. In order to record a specific stream, you need to install a plug-in for that data type. You can just install the Syslog plug-in, or add other plug-ins to include other data sources.
Logstash also gathers data from cloud services including AWS. It can collect data from applications such as Ganglia, Salesforce, Graphite, Kafka, and Twitter. You can set the collection process to include TCP and UDP messages and it can receive messages encrypted with TLS. Logstash can read messages from a file, from a database, pick up SNMP messages, IRC and RSS feeds, and get messages from mail servers.
Logstash can filter, divert, and reformat messages during processing. The program stores records in files or inserts them into databases. The utility is written to integrate with Elasticsearch and can send data directly to that application. Similarly, Logstash can be set to output data to Loggly, Nagios, AWS, Graphite, and Graylog. Other plug-ins will notify you of new log data by email or by Slack message. Logstash is available free of charge.
14. Graylog
Graylog is a log management system available for Linux. This is a sophisticated Syslog data analysis tool. However, you can just take advantage of its message collection and storage capabilities to use it as a pure Syslog server. Graylog is free for data volumes of 5 GB or less per day. Owners of small networks won’t have to pay anything to use it. The data analysis functions don’t generate extra data throughput. You don’t get any support with the free version of Graylog. However, a community forum on the Graylog website is filled with tips and tricks from other users.
Graylog sits on top of virtual machine software, and the underlying Linux system includes the rsyslog facility. It is actually rsyslog that performs your Syslog message gathering and storage functions; you manage rsyslog through the Graylog interface. If you pay for Graylog, you can also gather data through the Sidecar system, which allows you to collect event logs from Windows computers.
The front-end for Graylog is browser-based. This will display inputs by type, so you will be able to see your Syslog messages together in one section of the dashboard. You can customize the dashboard, so if you set the system to gather messages from several sources, you don’t have to show the information from other sources on the same page as your Syslog messages. Widgets available for the dashboard include data visualization, such as histograms.
The Dashboard enables you to create your own alert conditions. You specify each alert based on a data stream type. For example, you can pick the Syslog UDP stream and then set up an alert condition on the number of warning messages that come through. System settings enable you to get alerts sent to you as email notifications. Stream handling procedures enable you to parse records, forward them, or store them to file or database.
15. TFTPD32/64
TFTPD is a small utility for Windows. The package is available as a 32-bit or a 64-bit application. The central element of this software is a TFTP client implementation. That client can be set to receive network messages from DHCP, DNS, and SNTP servers. It is also able to receive Syslog data.
This is a simple open-source utility that displays messages in the dashboard as they arrive. Buttons over the viewer give you the ability to view messages by type and Syslog is one of the message types that can be featured. You see messages as they travel on their way to event logs and the viewer also names the file that Syslog messages should be stored to. This utility doesn’t give you much functionality for data analysis. However, you can also read in records from a file and then you have the ability to sort and filter messages.
TFTPD is able to work with IPv6 addresses as well as IPv4 addresses. TFTPD32 and TFTPD64 are both available for free.
Choosing a Syslog server
As you can see from the description of the tools in our list, you can choose a straightforward Syslog server, or opt for an analytical tool or a network monitoring system that incorporates Syslog server functions.
To qualify as a Syslog server, a tool must be able to collect system messages written according to the Syslog protocol and store them. Syslog forwarding capabilities are very useful, as is the ability to rotate logs — that means creating new files periodically.
Beyond the basic functions of transferring Syslog messages to files, you can look for the capabilities to sort and filter messages. The ability to vary processing according to message types and drop debug messages and information notifications is useful. A programmer might need to see those debug messages, and so the ability to selectively direct message types to a viewer, a log file, or to a database can be very useful.
The evolution of Syslog processing to store records in a database rather than a file offers you great power. It is far easier to index, sort, search, and filter records in a database than it is to manipulate file records. This is because databases include a structured query language that enables you to isolate fields in records and perform selection, grouping, and exclusion functions on data without altering the original stored records.
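As an added illustration of what the paragraph describes (mine, not code from any tool in this review; the schema and rows are constructed), here are the selection, grouping and search operations expressed in SQL over an in-memory SQLite table of parsed syslog records. Each question that would take a pipeline of text tools over a flat file is a single statement, and the stored rows are never modified by the queries.

```python
"""Syslog records in a SQL table instead of a flat file (added example; schema and
sample rows are constructed)."""
import sqlite3

SCHEMA = """
CREATE TABLE syslog (
    ts        TEXT    NOT NULL,   -- ISO 8601 timestamp as received
    host      TEXT    NOT NULL,
    facility  INTEGER NOT NULL,
    severity  INTEGER NOT NULL,   -- 0 = emerg ... 7 = debug
    app       TEXT,
    message   TEXT    NOT NULL
);
CREATE INDEX syslog_host_sev ON syslog(host, severity);
"""

# Constructed sample records: (ts, host, facility, severity, app, message).
SAMPLE_ROWS = [
    ("2024-01-15T09:01:02Z", "10.0.0.99", 10, 6, "sshd", "Failed password for root from 203.0.113.9"),
    ("2024-01-15T09:01:05Z", "10.0.0.99", 10, 6, "sshd", "Failed password for root from 203.0.113.9"),
    ("2024-01-15T09:01:09Z", "10.0.0.99", 10, 6, "sshd", "Accepted password for root from 203.0.113.9"),
    ("2024-01-15T09:02:00Z", "fw01", 3, 4, "filterlog", "Rule 12 blocked 198.51.100.5"),
    ("2024-01-15T09:02:30Z", "fw01", 3, 7, "filterlog", "state table 1200/100000"),
    ("2024-01-15T09:03:00Z", "db02", 3, 2, "mysqld", "InnoDB: Unable to lock ./ibdata1"),
]


def load(rows=SAMPLE_ROWS):
    """Create the table in memory and bulk-insert the records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO syslog VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def warnings_or_worse_per_host(conn):
    """Selection + grouping: messages at warning (4) or more severe, counted per host."""
    return conn.execute(
        "SELECT host, COUNT(*) FROM syslog WHERE severity <= 4 GROUP BY host ORDER BY host"
    ).fetchall()


def repeated_messages(conn, min_count=2):
    """Grouping + exclusion of one-offs: identical messages that recur on a host."""
    return conn.execute(
        "SELECT host, app, message, COUNT(*) AS n FROM syslog "
        "GROUP BY host, app, message HAVING n >= ? ORDER BY n DESC",
        (min_count,),
    ).fetchall()


def search(conn, needle):
    """Free-text search with a bound parameter; the WHERE clause is never built
    by string concatenation, so a log line containing quotes cannot alter the query."""
    return conn.execute(
        "SELECT ts, host, message FROM syslog WHERE message LIKE ? ORDER BY ts",
        (f"%{needle}%",),
    ).fetchall()


if __name__ == "__main__":
    c = load()
    print(warnings_or_worse_per_host(c))
    print(repeated_messages(c))
    print(search(c, "root"))
```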
Another useful advancement in the Syslog servers available today is a system that can collect messages generated by other platforms and protocols, such as the Windows event logger. If your Syslog server can create standardized record formats, that takes you another step further along the route to collecting important information about your system.
Getting alerts created for the conditions reported by Syslog will also give you extra power to focus your energy on important tasks. The ability to create your own alert conditions represents advancement in Syslog processing. Sometimes, the contents of a message might not create concern. However, a sudden surge in the frequency of such messages should become an alert and you can specify such conditions in many of the Syslog servers listed in this review. The ability to combine a count of message types or error conditions is another useful feature that many modern Syslog servers include.
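The frequency-surge rule just described can be implemented with a sliding window per message type: each event is timestamped under a key, events older than the window are expired, and an alert fires once the count in the window reaches the threshold. This added Python example is mine, not taken from any of the listed products; the threshold, window and event stream are constructed.

```python
"""Frequency-based alerting over syslog events (added example; thresholds and
the sample event stream are constructed)."""
from collections import defaultdict, deque


class SurgeDetector:
    """Alert when a message key occurs `threshold` times within `window_seconds`."""

    def __init__(self, threshold, window_seconds):
        self.threshold = threshold
        self.window = window_seconds
        self._times = defaultdict(deque)   # key -> timestamps still inside the window
        self._alerted = set()              # keys currently in alert, so we fire once per surge

    def observe(self, key, t):
        """Record one event at time t; return an alert dict if the key just crossed the threshold."""
        q = self._times[key]
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()                     # expire events older than the window
        if len(q) >= self.threshold:
            if key in self._alerted:
                return None                 # already alerted for this surge
            self._alerted.add(key)
            return {"key": key, "count": len(q), "since": q[0], "until": t}
        self._alerted.discard(key)          # rate dropped below threshold: re-arm
        return None


def run(events, threshold=5, window_seconds=60.0):
    """Feed (seconds, key) events in time order and collect the alerts raised."""
    det = SurgeDetector(threshold, window_seconds)
    alerts = []
    for t, key in sorted(events):
        alert = det.observe(key, t)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed stream. One failed login an hour earlier is background noise;
# six within twenty seconds is the pattern that should escalate to an alert.
SAMPLE_EVENTS = (
    [(0.0, "sshd:failed-password")]
    + [(3600.0 + 4 * i, "sshd:failed-password") for i in range(6)]
    + [(3605.0, "cron:session-opened"), (3610.0, "cron:session-opened")]
)

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"ALERT {a['key']}: {a['count']} in {a['until'] - a['since']:.0f}s")
```

The key is whatever normalisation the collector gives the message type (here `app:message-class`); the same detector works on counts of a severity level per host, which is the "number of warning messages" alert mentioned for Graylog above.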
A Syslog server embedded in a network management tool can provide great analysis capabilities. If you already have all the analytical tools you need, then you would be better off focusing on the vanilla Syslog server tools in this review. However, if you have very little budget for system management software and you don’t currently have any analytical tools, then go for a free system management utility that includes a syslog server to keep control of your IT infrastructure.
Managing IT services requires the proper tools. Take a look at the free tools recommended in this review that fit your operating system. Take a little time to play around with each tool so you can discover their features for yourself. Given that all of these tools are free, you have nothing to lose but the time it takes to learn them.