Support
 
Support Get Quote
 
 
 
 
 
Email Download Link

Syslog forwarding: 10 best practices to forward logs securely

Last updated on:
 

In this page

What is syslog forwarding?

Syslog forwarding is the mechanism of transmitting log messages from system software, applications, and network devices from the source machine to a centralized syslog server or log collector. It uses the syslog protocol to standardize the messages generated by various sources, allowing efficient parsing and normalization at the server level to monitor the activities on the source machines.

Significance of syslog forwarding

Syslog forwarding is considered a crucial process in security monitoring for the following reasons:

Log security and integrity

In the event of a local system compromise, audit logs are the primary sources of threat detection, leading attackers to often tamper with these logs to evade detection. By forwarding these critical logs to a separate server, the logs are preserved in their original formats, ensuring their integrity for future forensic analysis.

Reliable data storage and backup

Log forwarding allows critical audit logs to be stored in a secure dedicated server over a period of time to ensure compliance. It also facilitates reliable backup storage, preventing data loss in case of a host system failure, which is crucial for centralized security monitoring and troubleshooting.

System performance optimization

Forwarding logs reduces the overhead on the local system's CPU and disk, enabling efficient log management and storage optimization. This reduces the strain on the local system, thus improving its performance and operational efficiency.

What is a log forwarder?

A log forwarder, often called a logging agent or syslog daemon, is a specialized software component responsible for the entire log forwarding process on the source device. Its primary function is to act as an intermediary, transferring log data from the source machine to a centralized log management system.

ManageEngine EventLog Analyzer is a comprehensive SIEM tool that comes with built-in syslog monitoring capabilities. It acts as a reliable log forwarder for securely transmitting critical syslog from various sources to a destination server or third-party tool for security monitoring.

Explore now

How does a syslog forwarder work?

A log forwarder typically runs as a lightweight service or agent on the host system, which might be a server, a workstation, or a network device, and performs the following functions:

Log collection

The forwarder's primary role is to aggregate log data from various sources. It handles various log formats, including unstructured plaintext and structured formats like JSON.

  • Log reception: The forwarder is configured to monitor specific log files (e.g., /var/log/messages or access.log), read events from operating system channels (like the Windows Event Log or Linux journald), or receive logs directly from applications via an API.
  • Log listening: The forwarder constantly tails these sources in real time. As soon as a new log entry is written, the forwarder captures it, preventing gaps in the data stream.

Log processing

After collection, the forwarder performs essential processing tasks based on its configuration.

  • Filtering: It applies rules to determine which logs should be forwarded. For example, it might be configured to drop low-priority debug messages and only forward high-priority alerts and errors to the server, optimizing the bandwidth of the server.
  • Parsing: It parses unstructured logs and transforms them into a standardized, structured format like JSON or a CEF message. This streamlines data formats, making it easier for the central receiver to index and analyze the data.
  • Enrichment: The forwarder may enrich the log data by adding metadata such as the host's IP address, the hostname, or a custom application tag for enhanced security analytics.

Log transmission

This is the final step, where the forwarder ensures that the logs reach the central collector without any compromise.

  • Buffering and resiliency: To prevent data loss during network outages or when the central server is temporarily unavailable, the forwarder uses an internal buffer in the memory or on disk. Once connectivity is restored, it automatically resumes forwarding the buffered logs, preventing data loss in transit.
  • Protocol selection: It encapsulates the log message using the configured network protocol, such as UDP, TCP, or TLS, and securely sends it to the destination IP address and port.
  • Security: If configured for secure transmission over TLS, the forwarder handles the encryption and authentication process to protect sensitive log data while it is transferred over the network.

Types of syslog forwarders

Syslog forwarders are classified primarily by their function within a logging environment as follows:

1. Syslog agents

These agents or devices originate and aggregate syslog messages from their own local source (e.g., operating system, application, or network device) and send them directly to a central syslog collector. They typically offer minimal filtering or processing before transmission.

Traditional logging daemons like syslogd or systemd-journald on a Linux host often act as syslog agents.

2. Dedicated relays

Relays are software components or machines that act as intermediaries or log brokers. They continuously receive logs from multiple sources, and then process and forward them to final destinations. They can filter, process, and reformat logs and allow for load balancing by sending the same logs to multiple destinations for redundancy or log analysis.

Advanced syslog daemons like rsyslog or syslog-ng are specifically configured for relaying.

3. Syslog servers

These are specialized applications or syslog monitoring tools that receive logs in various formats, such as standard syslog or CEF, for standardized processing. Their primary role is to parse, normalize, and filter the collected data for effective ingestion into a specific log analysis tool or a third-party SIEM solution.

Dedicated log management solutions that include collection, processing, and forwarding capabilities, such as ManageEngine EventLog Analyzer, not only act as syslog servers but also forwarders.

As a comprehensive syslog forwarder and server, EventLog Analyzer acts as a reliable intermediary that secures, processes, and ensures every critical log reaches its destination. It’s the proactive bridge that guarantees no event is lost between your devices and your central SIEM or analysis platform.

Find out more

Syslog forwarding best practices

Here are 10 best practices for streamlined and seamless syslog forwarding.

1. Standardize the syslog format

Always configure your log sources and forwarders to use the modern RFC 5424 standard or a structured format like JSON. This format provides consistent structure, shows high-precision timestamps, and ensures reliable parsing.

2. Use suitable protocols depending on the data type

To guarantee log delivery and protect sensitive data, always use TCP instead of UDP. Furthermore, implement TLS/SSL encryption for all log traffic, especially across untrusted networks, to ensure integrity and confidentiality. However, UDP can be used for high-volume, non-critical data that requires faster speeds, and similarly, RELP can be employed for highly assured delivery.

3. Implement buffering and queuing at the source

Configure syslog agents such as rsyslog or syslog-ng with a disk-assisted or in-memory queue. This is crucial for seamless operation if the central collector is down or unreachable. It ensures the logs are safely buffered locally and automatically forwarded when the connection is restored, preventing data loss.

4. Filter and prioritize logs at the source

Implement filtering at the source agent or the first relay to discard low-value, high-volume messages (e.g., debug or trace logs) that are not needed for security or operational analysis. This reduces network load and ingestion costs.

5. Deploy syslog relays

In large or distributed environments, utilize intermediate syslog relays which aggregate logs and then reliably forward it to the central collector. This reduces the number of connections the central collector must manage, facilitating scalability.

6. Ensure accurate time synchronization

All log sources, relays, and collectors must use the Network Time Protocol (NTP) to synchronize their clocks. Without consistent timestamps, log correlation during an incident becomes impossible,so it's crucial to synchronize the timezones.

7. Configure redundancy and failover

Configure all agents and relays to forward logs to a primary and at least one secondary central collector that acts as a backup. Implementing this failover mechanism ensures continuous log collection even when the main collector experiences an outage.

8. Monitor syslog flow and collector health

Actively monitor the health and performance of both the central collector (CPU, disk I/O, and ingestion rate) and the forwarding agents (queue size and last successful transmission). Set up alerts for sudden drops in log volume or backlog growth to proactively identify broken forwarders.

9. Dedicate separate network and storage resources

Dedicate specific network interfaces for log traffic to isolate high-volume data from critical application traffic. On the central collector, utilize fast storage SSDs and ensure that the disk is capable of handling the high volume of incoming logs, and set it apart from the disks used for long-term storage or querying.

10. Maintain a consistent host identity

Log processing tools rely on an accurate hostname or IP address to verify the sender. Ensure that the forwarding path is configured to preserve the original sender device's identity and not the relay's identity. This guarantees accurate logging and reporting at the central destination.

What's next?

Explore ManageEngine EventLog Analyzer, the all-in-one SIEM tool with built-in syslog server and forwarder capabilities.

DownloadGet a product tour

Frequently asked questions

UDP is a connectionless protocol and offers no guaranteed log delivery. If a log packet is dropped due to network congestion, the log is completely lost. Whereas, TCP is a connection-oriented and reliable protocol that ensures all log messages are successfully delivered to the collector, with retransmission if needed.

By default, the standard syslog protocol uses UDP or TCP and does not use encryption. Log messages are sent in plaintext across the network. However, to encrypt forwarded logs and ensure secure transmission, syslog-over-TLS can be implemented using modern daemons like syslog-ng or rsyslog.

Common reasons for forwarding failures include:

  • Firewall blocking: The device's local firewall or a network firewall is blocking traffic on the syslog port.
  • Incorrect IP or port: The client device is configured to send logs to the wrong IP address or port of the central collector.
  • Collector not listening: The syslog collection software on the server is not running or is not configured to listen on the expected port.

EventLog Analyzer Trusted By

Los Alamos National Bank Michigan State University
Panasonic Comcast
Oklahoma State University IBM
Accenture Bank of America
Infosys
Ernst Young

Customer Speaks

  • Credit Union of Denver has been using EventLog Analyzer for more than four years for our internal user activity monitoring. EventLog Analyzer provides great value as a network forensic tool and for regulatory due diligence. This product can rapidly be scaled to meet our dynamic business needs.
    Benjamin Shumaker
    Vice President of IT / ISO
    Credit Union of Denver
  • The best thing, I like about the application, is the well structured GUI and the automated reports. This is a great help for network engineers to monitor all the devices in a single dashboard. The canned reports are a clever piece of work.
    Joseph Graziano, MCSE CCA VCP
    Senior Network Engineer
    Citadel
  • EventLog Analyzer has been a good event log reporting and alerting solution for our information technology needs. It minimizes the amount of time we spent on filtering through event logs and provides almost near real-time notification of administratively defined alerts.
    Joseph E. Veretto
    Operations Review Specialist
    Office of Information System
    Florida Department of Transportation
  • Windows Event logs and device Syslogs are a real time synopsis of what is happening on a computer or network. EventLog Analyzer is an economical, functional and easy-to-utilize tool that allows me to know what is going on in the network by pushing alerts and reports, both in real time and scheduled. It is a premium software Intrusion Detection System application.
    Jim Lloyd
    Information Systems Manager
    First Mountain Bank
TestimonialsCase Studies

Awards and Recognitions

  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
A Single Pane of Glass for Comprehensive Log Management
Log ManagementLog AnalysisIT ComplianceSIEMQuick LinksRelated Products

A Single Pane of Glass for Comprehensive Threat Management

Free Trial Get Quote
Email Download Link