The Syslog message format is one of the oldest standards in IT, dating back to the 1980s. It was originally implemented in a Unix-based program called Syslog-ng. The format used by that package was adopted by other software to ensure compatibility. Eventually, the layout of Syslog messages and the codes that go into some of its fields were specified in an RFC by the Internet Engineering Task Force (IETF).
By complying with the Syslog message format, software producers can be sure that their customers will find utilities created by others to gather, sort, view, and store those messages.
Here is our list of the six best Syslog and Log viewers:
- Loggly (FREE TRIAL) A cloud-based system that receives and consolidates log messages from different formats, shows arriving log messages and offers a viewer for data analysis. Access the 30-day free trial.
- Kiwi Syslog Server (FREE TRIAL) A Syslog log manager with live message views, data analysis functions, and file management. This package installs on Windows and Windows Server. Start a 14-day free trial.
- Datadog Log Management A cloud-based log manager consolidates Syslog messages with other log types, such as Windows Events. In addition, the Log Explorer includes data analysis features that can be used for a range of applications, including security monitoring.
- Fastvue Syslog A free Syslog server includes a live tail message display and a file viewer for older records. It runs on Windows.
- ELK Stack A free suite of tools for log collection, analysis, and display that can collect Syslog messages and consolidate them with other log message formats. It runs on Linux.
- Graylog A log management system that is free for low throughput volume and includes merging Syslog records with Windows Events. It runs on a VM.
You can read more about each of the options in the following sections.
Running a Syslog server
To benefit from the information imparted by Syslog messages, you need a collector and a client to gather and upload them to a Syslog server.
Syslog messages can be pertinent to security events and so processing these messages quickly and making them available at a central Syslog server immediately is very important. Additionally, SIEM systems rely on log messages for their source data, and the sooner you can get those messages to your SIEM software for threat hunting, the sooner a threat can be identified and blocked.
The log server has several tasks to perform; one software package might implement all of them, while some programs serve just one of those duties.
The work that a Syslog server will perform includes:
- Receiving Syslog messages
- Displaying arriving messages in a console – called “live tail”
- Converting messages into a neutral format along with messages created through other standards – this is called “consolidation”
- Creating a log directory structure
- Creating a log file and writing messages into it as they arrive
- Closing the log file and starting another – this is called logfile rotation
- Reading log files into a viewer for analysis
These are the basic tasks of a log manager. A log server that is part of a security monitoring service will include pre-written searches that scan through new records taking in a set of messages on a continuously moving frame, such as the last five minutes. Some log management systems write log messages in a database instead of storing files.
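As an added illustration of the server tasks listed above (this is example code written for this article, not code from any of the reviewed products): a small parser for the classic BSD-style Syslog line that decodes the PRI field into facility and severity, consolidates lines into a neutral record format, and runs a "last five minutes" style search over them. The sample lines, host names and address are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the classic BSD layout "<PRI>TIMESTAMP HOST TAG: MSG".
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 fw01 sshd[4711]: Failed password for invalid user test from 203.0.113.7",
    "<13>Oct 11 22:16:02 web02 nginx: GET /index.html 200",
    "<165>Oct 11 22:20:40 db01 postgres[991]: checkpoint complete",
    "garbage that is not a syslog line",
]

# Severity 0 is the most serious; facility codes 0-23 follow the Syslog RFC numbering.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] \
                 + ["local%d" % i for i in range(8)]

LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): ?(.*)$")


def parse_line(line):
    """Split a BSD-style line into its fields; return None for anything that does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # PRI is facility * 8 + severity, so 191 is the maximum
        return None
    facility, severity = divmod(pri, 8)
    # The BSD timestamp carries no year; strptime fills in 1900, which is fine for windowing.
    ts = datetime.strptime(m.group(2), "%b %d %H:%M:%S")
    return {"facility": FACILITY_NAMES[facility], "severity": severity,
            "severity_name": SEVERITY_NAMES[severity], "time": ts,
            "host": m.group(3), "tag": m.group(4), "msg": m.group(5)}


def consolidate(lines):
    """Turn raw lines into neutral records; also count lines the parser rejected."""
    records, rejected = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected += 1
        else:
            records.append(rec)
    return records, rejected


def recent_at_or_above(records, end, minutes=5, max_severity=3):
    """Moving-frame search: records in the `minutes` before `end` rated err (3) or worse."""
    start = end - timedelta(minutes=minutes)
    return [r for r in records if start <= r["time"] <= end and r["severity"] <= max_severity]
```

Swapping `SAMPLE_LINES` for the datagrams read from a UDP socket bound to port 514 turns this into the receiving step of a minimal Syslog server.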
The best Syslog and log viewers
When getting a good viewer for Syslog messages, it is good to find a system that can handle all formats of log messages. Generally, viewers just load in records, and so the ability to show log messages that are written to different standards all in the same screen relies on the skills of a log consolidator, which will need to pre-process all messages before the viewer accesses them.
What should you look for in a Syslog and log viewer?
We reviewed the market for Syslog and log viewing packages and analyzed tools based on the following criteria:
- An integrated consolidator or an associated utility
- Options to sort, filter, and group records
- The ability to highlight related Syslog messages
- A way to link together records for further investigation
- The option to reformat and export records
- A free tool or a system with a free trial so you can assess a tool before paying for it
- Value for money from a reliable and fast tool that can quickly read and sort through Syslog records.
We have identified both free and paid tools that provide excellent Syslog viewing services with these selection criteria in mind.
The Six Best Syslog and Log Viewers
1. Loggly
Loggly is a cloud-based log server, consolidator, and analyzer. It can process Syslog messages as well as logs from other sources. Integrations provide the server's compatibility with each log format: you activate an add-on for each format that you want your Loggly implementation to process.
- Server for Syslog
- Log consolidator
- Log viewer with analytical tools
- Manages filing and archiving
Loggly is a competent log file manager. Those files are stored on the Loggly server, and the storage space is included in the package price. The retention period for those files depends on the plan that you choose. While a log file is on the Loggly server, it can be selected and read into the data viewer included in the Loggly console.
- Manages the installation of a data collector
- Can collect logs from on-site systems and cloud platforms
- Offers analytical tools in its log viewer
- Integrations with project management and collaboration tools
- You need to work out what to do with your log files after the retention period ends
There are four plans available for Loggly, and the first of these, called Lite, is free. That free plan will process 200 MB of data per day. The three paid plans have higher data throughput allowances, up to 100 GB per day with the Pro edition.
Try Loggly with a fully functional 30-day free trial.
2. Kiwi Syslog Server
Kiwi Syslog Server is an on-premises solution that enables you to manage your log files in-house. This tool will collect and consolidate Syslog messages and those of Windows Events. The server can also process SNMP Trap messages, the emergency warnings sent out by network devices.
You can specify conditions that raise concern and that will trigger an alert – examples of such conditions are if a device breaks down or if log message delivery frequency increases by a certain percent.
- Syslog and Windows Events
- Log consolidator
- Log viewer
The Kiwi system’s console is Web-based, although you host it on your server. The dashboard includes a log message viewer that also provides analytical tools. When used to just display log messages, the viewer color-codes records, which is a treatment that you can customize. Messages are shown live in the dashboard as they arrive, and it is also possible to read log files into the data viewer for analysis.
- Processes and stores log messages
- Shows Syslog and Windows Events messages live as they arrive
- Allows log files to be loaded into the viewer for analysis
- You need to provide a server to host the package
Kiwi Syslog Server runs on Windows or Windows Server, but it can collect Syslog messages from Linux and Unix hosts across the network. It will also collect messages from network devices. You can assess the system with a 14-day free trial.
3. Datadog Log Management
Datadog Log Management is a cloud-based package, which means that it can receive log messages from anywhere, and the console is available through any standard Web browser. The Datadog system can receive all types of log messages, and there are guides in the Datadog documentation system that explain how to install a Syslog collector. The service can collect log messages from 170 different systems.
The Log Manager receives Syslog and other log messages, consolidates them into a standard format, and stores them. Each message is shown live in the console as it arrives. The consolidator will reference the source of each message, and you can also specify your custom tags.
- Live log message statistics
- Log consolidator
- Log Explorer
- Record tagging
- Analytical tools
Datadog Log Manager stores log messages to file. You can specify your storage location or rent space on the Datadog server. The Log Manager can also compress files for archiving, and you can have them restored on demand. Stored files can be read into the Log Explorer for analysis.
- Merges log messages in different formats
- Can receive Syslog messages
- Includes a data viewer with analytical tools
- Stores log messages to file and manages archiving
- Displays live statistics on arriving log messages
- Storage space isn’t included for free
Datadog Log Management can consolidate log messages from many different systems, file them, and give you a way to view records. The console presents ongoing statistics about log message activities and shows live tail messages as they arrive. First, read messages into the Log Explorer from files to analyze your system’s activity. Then, create your own saved searches and automatically apply them to incoming log messages.
The Log Management service can be enhanced by subscribing to the Application Performance Monitoring service. This produces distributed tracing logs for microservices, and feeding those through to the Log Management module lets you see how the performance of those functions is dependent on system resources and other events on the network.
There are two elements to the Datadog Log Management service. The first is the actual processing system, which is charged per GB of processed data. The other service is the storage space, which you don’t have to take from Datadog. The price for this service depends on the length of time that you want to store log files. You can get a 14-day free trial of both services.
4. Fastvue Syslog
Fastvue Syslog is an excellent deal because it is entirely free to use. The package has an attractive interface, and it will collect Syslog messages from the network. This is a standalone package that can file all of your Syslog messages. It can also forward records to other Syslog processing and analysis tools.
- Collects Syslog messages
- Files logs
- Optionally forwards records
The package formulates statistics on log message throughput. As well as filing Syslog messages, the Fastvue system generates an SHA-256 hash so that you can check for tampering. In addition, the system can automatically apply compression to archive files after a period that you specify.
- Automatic collection and filing of Syslog messages
- Customizable archiving
- Logfile viewer
- No consolidation or analysis utilities
The log viewer in the Fastvue system only shows records from a specific file – it doesn’t include any analytical tools. This package also can’t ingest log records from other systems, such as Windows Events. However, as it is a free tool, it is worth considering and buys you time while you search for something better. This software installs on Windows.
5. ELK Stack
ELK Stack, also known as Elastic Stack, is a free suite of tools that collect and manage logs. This system runs on Linux and will easily manage your Syslog messages. The element that gathers log messages, consolidates them, and files them is Logstash. This is the “L” of “ELK”.
- Collects and files Syslog messages
- Log consolidator
- Data search tool
The “E” of “ELK” is the Elasticsearch system. This powerful data analysis system is integrated into many other log analysis and security monitoring tools. You can write Elasticsearch queries and then run them automatically to create your data analysis system.
- A log management system that is free to use
- A hosted version including storage is available for a fee
- Data analysis automation
- Requires technical skills to put together
The “K” of “ELK” is Kibana, a frontend for the whole system. You have to set up the interface yourself because Kibana can display any data source, not just Syslog messages. Once everything is organized, you will have Logstash collecting Syslog messages and creating log files, Elasticsearch creating analysis and data presentation functions, and Kibana displaying all of your Syslog data.
There are many plans for the cloud-hosted service of Elastic Stack, with prices starting at $16 per month. An advantage of getting the paid service is getting an edition that includes pre-written screens for log management, so you need fewer technical skills to benefit from the service. In addition, you can get a 14-day free trial to assess the paid system.
6. Graylog
Graylog has been around since 2009. Originally an open-source project, Graylog is now available in a paid version and the free system, which is now called Graylog Open. The longevity of this system means that it is well-known, stable, and has a large user community. Unfortunately, if you opt for Graylog Open, you don’t get professional support, but you can join the user forums and find advice.
- Well-established and stable
- Log server and consolidator
- Logfile management
Graylog can collect Syslog messages, and it can also get Windows Events. The service will consolidate the records that arrive from these two different systems and also collect logs from third-party applications. The system will file and forward messages, and so it could just be used as a Syslog server. The dashboard for the system is attractive and flexible. However, it doesn’t come out of the box all set up and ready to run. You have to set it up by creating screens from templates or by selecting widgets and associating them with data sources.
- Collects and consolidates Syslog and Windows Events
- Log forwarding option
- Customizable dashboard with a data viewer
- Requires technical skills to set up
Graylog runs on a hypervisor. The Graylog Open edition can be installed directly on Linux. There is one other free version of Graylog, the Small Business Edition. However, that plan is limited to processing 5 GB of data per day. The two paid plans are Graylog Enterprise, an on-premises package, and Graylog Cloud. If you don’t have time to download and try either of the two paid editions, you can get a 30-minute demo of either of the paid services.