Protocols used for syslog collection - TCP, UDP, RELP

Syslogs are the logs generated by Linux/Unix hosts and by network devices such as switches, routers and firewalls. They can be centralized by aggregating them on a server known as the syslog server, syslog daemon or syslogd. Transmission of syslogs from the devices to the syslog daemon is carried over the TCP, UDP or RELP protocols.

User Datagram Protocol (UDP)

UDP is a connectionless and unreliable protocol. So, the syslog messages sent to the syslog daemon do not return any receipt acknowledgment. By default, the syslog transmission over UDP protocol happens through port 514. However, the user can always change this port number.

Generally, transmitting over UDP is not recommended, as syslog packets may be dropped before they reach the syslog server and vital information could be lost.

You have to configure a server to act as a syslog daemon by enabling it to listen on UDP port 514.

  • Open the /etc/syslog.conf file in your terminal.
  • Identify the statements below and uncomment them.
    • $ModLoad imudp
    • $UDPServerRun 514
  • Restart the machine and check that the changes are applied.

Transmission Control Protocol (TCP)

TCP is a connection-oriented and reliable transmission protocol that can use the same port 514 to send syslog messages to syslog daemons. TCP is used by default for data transmission in syslog collecting tools like rsyslog and syslog-ng. The syslogd sends an acknowledgement for every syslog message received. This ensures all the syslog messages are stored in a single repository.

You can configure a server to act as a syslog daemon and enable it to listen on TCP port 514 using the steps below.

  1. Open the /etc/syslog.conf file in your terminal.
  2. Identify the statements below and uncomment them (these load the TCP input module rather than the UDP one).
    • $ModLoad imtcp
    • $InputTCPServerRun 514
  3. Restart the machine and check that the changes are applied.
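As an added example (not code from the page or from any product mentioned on it), the following Python routine shows the point that makes TCP collection different from UDP: UDP delivers one message per datagram, whereas a TCP stream can split or merge messages, so the receiver must reframe them using either RFC 6587 octet-counting or a trailing LF. The sample messages are constructed.

```python
"""Framing syslog messages for TCP (RFC 6587): octet-counting vs. LF-terminated."""
import re

# Constructed sample messages in the classic BSD syslog layout (not from the page).
SAMPLE_MESSAGES = [
    b"<34>Oct 11 22:14:15 fw01 kernel: Deny TCP 10.0.0.5 -> 10.0.0.9 dport 22",
    b"<13>Oct 11 22:14:16 sw01 snmpd: link up on port 3",
]

# A syslog message starts with '<PRI>', so a leading digit plus space can only be an octet count.
_OCTET_HEADER = re.compile(rb"^(\d{1,10}) ")

def frame_octet_counting(msg: bytes) -> bytes:
    """Octet-counting: 'LEN SP MSG', safe even if the message itself contains LF."""
    return b"%d %s" % (len(msg), msg)

def frame_non_transparent(msg: bytes) -> bytes:
    """Non-transparent framing: the message is terminated by a trailer (LF)."""
    return msg + b"\n"

def split_tcp_stream(buf: bytes):
    """Pull complete messages out of a TCP receive buffer.
    TCP is a byte stream (unlike UDP's one-datagram-per-message), so reads can
    split or merge messages. Returns (messages, remainder of a partial frame)."""
    msgs = []
    while buf:
        m = _OCTET_HEADER.match(buf)
        if m:
            start, length = m.end(), int(m.group(1))
            if len(buf) < start + length:
                break                      # wait for the rest of the message
            msgs.append(buf[start:start + length])
            buf = buf[start + length:]
        else:
            nl = buf.find(b"\n")
            if nl < 0:
                break                      # trailer not yet received
            msgs.append(buf[:nl])
            buf = buf[nl + 1:]
    return msgs, buf

def reassemble(chunks):
    """Feed socket chunks in order, carrying partial frames between reads."""
    out, pending = [], b""
    for chunk in chunks:
        msgs, pending = split_tcp_stream(pending + chunk)
        out.extend(msgs)
    return out, pending
```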

Reliable Event Logging Protocol (RELP)

RELP, originally developed for rsyslog-to-rsyslog communication, is a networking protocol that provides reliable transmission of event messages to their destinations. RELP uses TCP for transmission of syslogs. However, it adds the ability to identify which messages were properly received at the syslog daemon by means of a backchannel: over this backchannel the receiving end reports, for each syslog message sent by a device, that it has been received and processed.

If there is a sudden connection termination during syslog transmission, RELP solves the ambiguity of whether the message that was in transmission was received at the syslog server or not. It conveys a message back to the sender about the syslogs processed by the syslog server.
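An added illustration (not code from rsyslog or from the page) of the backchannel behaviour described above: both sides of a RELP session exchange `syslog` and `rsp` frames, and after a simulated connection drop the sender retransmits only the message that was never acknowledged. The frame layout follows RELP (TXNR SP COMMAND SP DATALEN [SP DATA] LF); the real protocol's open/close handshake is omitted here as a simplification, and the messages are constructed.

```python
"""Simulated RELP session: the rsp backchannel tells the sender what was processed."""
import re
_HEADER = re.compile(rb"(\d+) (\w+) (\d+)")

def encode_frame(txnr: int, command: bytes, data: bytes = b"") -> bytes:
    head = b"%d %s %d" % (txnr, command, len(data))
    return head + (b" " + data if data else b"") + b"\n"

def decode_frames(buf: bytes):
    """Parse complete frames (TXNR SP COMMAND SP DATALEN [SP DATA] LF); return (frames, remainder)."""
    frames = []
    while True:
        m = _HEADER.match(buf)
        if not m:
            break
        n = int(m.group(3))
        end = m.end() + (1 + n if n else 0)        # index of the LF trailer
        if len(buf) <= end or buf[end:end + 1] != b"\n":
            break                                  # frame not complete yet
        data = buf[m.end() + 1:end] if n else b""
        frames.append((int(m.group(1)), m.group(2), data))
        buf = buf[end + 1:]
    return frames, buf

class RelpReceiver:
    """Syslog server side: store each message, then acknowledge its txnr."""
    def __init__(self):
        self.stored = []
    def handle(self, wire: bytes) -> bytes:
        replies = b""
        for txnr, cmd, data in decode_frames(wire)[0]:
            if cmd == b"syslog":
                self.stored.append(data)
                replies += encode_frame(txnr, b"rsp", b"200 OK")
        return replies

class RelpSender:
    """Device side: a message stays queued until its txnr is acknowledged."""
    def __init__(self):
        self.txnr, self.unacked = 0, {}
    def send(self, msg: bytes) -> bytes:
        self.txnr += 1
        self.unacked[self.txnr] = msg
        return encode_frame(self.txnr, b"syslog", msg)
    def receive(self, wire: bytes) -> None:
        for txnr, cmd, data in decode_frames(wire)[0]:
            if cmd == b"rsp" and data.startswith(b"200"):
                self.unacked.pop(txnr, None)
    def resend_after_reconnect(self) -> bytes:
        """After a dropped connection only unacknowledged messages go out again."""
        pending, self.unacked = list(self.unacked.values()), {}
        return b"".join(self.send(m) for m in pending)
```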

Monitoring syslogs

Syslogs contain vital information about events taking place in your network. Transmitting the syslogs securely to a centralized location and analyzing them makes it easier to troubleshoot critical events. Though it is possible to manually analyze the syslogs using grep and other commands, it is a time-consuming and tiring process. An automated log management solution such as EventLog Analyzer can collect, parse and analyze syslogs from devices across the network.

EventLog Analyzer can also correlate these syslogs with the rest of the network logs and identify security incidents and threats in real time. The solution offers predefined reports and alert profiles that help you with security auditing and compliance management.

Ensure secure and compliant log collection with EventLog Analyzer’s robust support for all major syslog protocols.
