Syslog is a highly useful reporting format that many network devices and applications employ. The status and events messages produced by Syslog together form a rich source of information that will enable you to head off device failure, while also assisting you in detecting intruder activity.
There are many tasks that you can perform better with the information that Syslog supplies. However, if you don’t have a Syslog server operating on your network, you are letting all of that useful information circulate on your network unread.
Today, we’ll cover the best Syslog servers on the market for Windows and Linux-based systems. Read on!
Understanding Syslog File Management
The main task of Syslog servers is to trap Syslog data and write it to file. You don’t want those files to be endless, so it is advisable to categorize messages and store them in indexable files with meaningful names.
For example, it is common practice to start a new log file each day and put the date of the messages in the name of the file. Some system administrators choose to file messages according to their source. In that case, you create a directory structure with a folder for each of the standard sources that you categorize the messages by, and then use the date as the file name, accumulating a chronological library of files for each category.
When choosing a Syslog server, the ability to manage the files in which Syslog messages are stored stands out as a tremendous benefit. Going a step further, you could even look for a Syslog server that includes data analysis functions.
Some servers can also issue alerts when the frequency of certain types of Syslog messages suddenly increases. For example, a sudden increase in reports of failed logins might indicate that a brute-force attack on a user account is underway by someone trying to gain access to the network. This event would be of particular importance, and you’d want to be made aware of it as soon as possible.
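The filing and alerting ideas in this section are easy to see in code. The following is an added example written for this article, not code from any of the products reviewed: it parses BSD-style (RFC 3164) Syslog lines, files each record under a per-host directory in a file named for the date, and raises an alert when one host produces a burst of failed logins inside a short window. The hostnames, addresses and log lines are constructed sample data, and the year is assumed to be 2024 because RFC 3164 timestamps carry none.

```python
"""Added example: file Syslog records by source host and date, and alert on
bursts of failed logins. Not from the article or any product it reviews."""
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import Path

# Constructed sample input (<PRI>, BSD timestamp, host, tag, message).
# The last line is deliberately malformed to show that it is skipped.
SAMPLE_LINES = [
    "<86>Mar  5 10:00:01 fw-edge sshd[1201]: Accepted password for ops from 10.0.0.5 port 50122 ssh2",
    "<38>Mar  5 10:00:04 fw-edge sshd[1202]: Failed password for root from 203.0.113.9 port 40001 ssh2",
    "<38>Mar  5 10:00:07 fw-edge sshd[1202]: Failed password for root from 203.0.113.9 port 40002 ssh2",
    "<38>Mar  5 10:00:09 fw-edge sshd[1202]: Failed password for admin from 203.0.113.9 port 40003 ssh2",
    "<38>Mar  5 10:00:12 fw-edge sshd[1202]: Failed password for admin from 203.0.113.9 port 40004 ssh2",
    "<38>Mar  5 10:00:15 fw-edge sshd[1202]: Failed password for root from 203.0.113.9 port 40005 ssh2",
    "<38>Mar  5 10:30:00 app-01 sshd[889]: Failed password for deploy from 10.0.0.7 port 51000 ssh2",
    "<30>Mar  5 23:59:58 app-01 systemd[1]: Started Daily apt upgrade and clean activities.",
    "<30>Mar  6 00:00:02 app-01 cron[2300]: (root) CMD (run-parts /etc/cron.hourly)",
    "this line is not syslog",
]

LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
FAILED_LOGIN_RE = re.compile(r"Failed password for")


def parse_line(line, year=2024):
    """Return a record dict for one RFC 3164 line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri")) if m.group("pri") else 13  # 13 = user.notice default
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"facility": facility, "severity": severity, "timestamp": ts,
            "host": m.group("host"), "message": m.group("msg"), "raw": line}


def parse_lines(lines):
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def safe_dir_name(host):
    """The host field is remote input; never let it become '../' in a path."""
    return re.sub(r"[^A-Za-z0-9_-]", "_", host)


def file_records(records, root):
    """Append each record to <root>/<host>/<YYYY-MM-DD>.log.
    Returns {relative path: number of lines written}."""
    counts = defaultdict(int)
    for r in records:
        rel = Path(safe_dir_name(r["host"])) / f"{r['timestamp']:%Y-%m-%d}.log"
        dest = Path(root) / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        with open(dest, "a", encoding="utf-8") as f:
            f.write(r["raw"] + "\n")
        counts[rel.as_posix()] += 1
    return dict(counts)


def failed_login_bursts(records, window=timedelta(seconds=60), threshold=5):
    """Sliding-window count of failed logins per host; one alert per host
    when `threshold` or more fall inside `window`."""
    by_host = defaultdict(list)
    for r in records:
        if FAILED_LOGIN_RE.search(r["message"]):
            by_host[r["host"]].append(r["timestamp"])
    alerts = []
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "start": times[start].isoformat(),
                               "count": end - start + 1})
                break
    return alerts


def demo_filing():
    """File the sample records into a temporary directory and report counts."""
    with tempfile.TemporaryDirectory() as tmp:
        return file_records(parse_lines(SAMPLE_LINES), tmp)


if __name__ == "__main__":
    print(demo_filing())
    print(failed_login_bursts(parse_lines(SAMPLE_LINES)))
```

The window and threshold are tuning knobs; a real deployment would feed the parser from a UDP/TCP listener on port 514 and persist the per-host counters, but the sliding-window logic stays the same.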
Best Syslog Servers for Windows
Syslog is a standard that is independent of operating system. Even if your Syslog server is on a Windows device, you’ll be able to pick up Syslog data originating from a server or network device running a completely different OS. Here is a list of Syslog servers that will run on Windows and Windows Server environments.
1. SolarWinds Kiwi Syslog Server
The Kiwi Syslog Server installs on Windows and Windows Server, and it is free to use for monitoring up to five devices. This package collects messages following the Simple Network Management Protocol (SNMP) as well as Syslog data. The server will write messages to files and also display them in the viewer of the utility’s interface. Additionally, the server program will alert you if traffic volumes of specific types or sources of messages rise above a threshold.
You get the option of choosing the conditions that cause the server to open up a new file. These include the source device type and the date of the message. Kiwi Syslog Server will manage the storage of files in directories with meaningful names, which makes it easier to search through the archive for messages. You can load files into the viewer of the server in order to examine historic data.
2. Paessler PRTG Syslog
PRTG is a comprehensive infrastructure monitoring system. The data gathering element of the package is made up of sensors. You don’t have to turn on all of the sensors; instead, you can tailor the monitor to focus on just one of its areas of expertise. The PRTG system includes a Syslog sensor, which is complemented by pre-written reports, displays, and data processing procedures.
Paessler offers PRTG for free to those who use up to 100 sensors, so you can effectively install PRTG and use it as a free Syslog server. Once you have the Syslog server running, you will also have the option of starting up some of the other sensors and getting data on other parts of your IT system.
3. WhatsUp Gold Syslog Server
WhatsUp Gold is a network monitoring system and its producers, Ipswitch, also offer a free Syslog server. The server will display Syslog messages in its interface and also write records to files. WhatsUp will also organize these files into a directory structure to make finding data sets easy.
You can specify the division of data between files according to warning level, source, and date. It is possible to filter and sort data in the viewer, and that can be live data or records read in from a file. The WhatsUp Gold Syslog Server is able to process up to 6 million Syslog messages per hour, so it can cater for large networks even though it is free. This tool installs on Windows and Windows Server.
4. Syslog Watcher
Syslog Watcher is another free Syslog server that runs on Windows. This service operates a multi-threaded architecture that enables it to process many Syslog records simultaneously. This is a useful feature if you have a large network with a high rate of Syslog messages.
Those messages get displayed in a viewer in real time, and are also stored in files which can be inserted into a database. The opportunity to save all records in a database is a great advantage, primarily because it gives you a long perspective on the traffic of your network across a longer period than the daily message list of log files.
You can read records into the viewer from the database or from a file. The viewer is even able to sort, filter and group messages in order to help you analyze the events that they report on. Syslog Watcher is available to be installed on the Windows environment.
5. Fastvue Syslog
The free Fastvue Syslog runs on the Windows Server environment. This utility not only creates Syslog files, but it guards them too. Each log file that Fastvue monitors has a related hash file (calculated with a 256-bit SHA algorithm) that is a checksum for the contents of that file. The server also monitors the size of each of your log files and reports when those sizes change. These two measures are important security features because intruders running an advanced persistent threat will alter log files to cover their tracks.
The server stores Syslog messages in files ordered by date, with an option to partition data by device type. Files are stored in directories named for the source device, with each file name bearing the date of the messages that it contains. Finally, within Fastvue’s interface, you can view, sort, and even filter all archived messages loaded in from these files for easy analysis.
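The hash-file-plus-size idea described above is worth seeing in concrete form. What follows is an added illustration of that approach written for this article, not Fastvue’s code: each log gets a sidecar file holding its SHA-256 digest and byte length, and the check distinguishes a log that has legitimately grown (the recorded prefix still hashes the same) from one that has been edited or truncated. The file name and contents are constructed sample data. A sidecar that lives next to the log can be rewritten by the same intruder who edits the log, so in practice the digests should be shipped to a separate host or an append-only store.

```python
"""Added example: SHA-256 sidecar files for tamper detection on log files.
Not Fastvue's code; an illustration of the technique the article describes."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def digest_prefix(path, length=None):
    """SHA-256 of the first `length` bytes of `path` (whole file when None)."""
    h = hashlib.sha256()
    done = 0
    with open(path, "rb") as f:
        while length is None or done < length:
            n = CHUNK if length is None else min(CHUNK, length - done)
            chunk = f.read(n)
            if not chunk:
                break
            h.update(chunk)
            done += len(chunk)
    return h.hexdigest()


def sidecar_path(log_path):
    return Path(str(log_path) + ".sha256")


def write_sidecar(log_path):
    """Record digest and size of the log as it stands now."""
    log_path = Path(log_path)
    size = log_path.stat().st_size
    digest = digest_prefix(log_path)
    sidecar_path(log_path).write_text(f"{digest} {size} {log_path.name}\n")
    return digest, size


def check_log(log_path):
    """Compare the log against its sidecar.
    Returns a dict whose 'status' is one of:
    no-sidecar, truncated, modified, unchanged, appended."""
    log_path = Path(log_path)
    sc = sidecar_path(log_path)
    if not sc.exists():
        return {"status": "no-sidecar"}
    digest, size, _name = sc.read_text().split()
    size = int(size)
    current = log_path.stat().st_size
    if current < size:
        return {"status": "truncated", "recorded": size, "current": current}
    # Only the recorded prefix is hashed, so pure appends still verify.
    if digest_prefix(log_path, size) != digest:
        return {"status": "modified", "recorded": size, "current": current}
    status = "unchanged" if current == size else "appended"
    return {"status": status, "recorded": size, "current": current}


def demo_integrity_checks():
    """Walk a constructed log through append, in-place edit and truncation."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "fw-edge-2024-03-05.log"  # constructed name
        log.write_bytes(b"line1\nline2\n")
        write_sidecar(log)
        s_unchanged = check_log(log)["status"]
        with open(log, "ab") as f:  # normal growth: new messages appended
            f.write(b"line3\n")
        s_appended = check_log(log)["status"]
        # Same-length edit of an old line, as someone covering tracks might do.
        log.write_bytes(log.read_bytes().replace(b"line2", b"lineX"))
        s_modified = check_log(log)["status"]
        log.write_bytes(b"line1\n")  # history cut away
        s_truncated = check_log(log)["status"]
        return s_unchanged, s_appended, s_modified, s_truncated


if __name__ == "__main__":
    print(demo_integrity_checks())
```

Run the sidecar writer on a schedule (for example, when a log file is rotated) and the checker more often; a "modified" or "truncated" result on a file that should only ever grow is the signal worth alerting on.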
6. Visual Syslog Server
Visual Syslog Server is a free open source utility that runs on Windows and Windows Server. This is an uncomplicated utility that collects all of the Syslog messages on your network and displays them in a viewer. The viewer color codes messages by severity type — error messages are red and warnings are yellow. You can even alter the color scheme and it is also possible to filter, sort, and aggregate records in the viewer. Finally, the server also stores those Syslog messages in files.
You can set the utility to play a sound when it encounters an error message, and you can also get it to send you a notification for each warning and error. Those notifications can even be sent by email, which can be encrypted if your email system supports encryption.
7. TFTPD32
TFTPD32 is a very basic, enthusiast-created Syslog server that runs on 32-bit Windows systems. There is a companion facility called TFTPD64, which is written for 64-bit systems. This utility doesn’t have a very sophisticated interface, but it is widely used, because its lack of bells and whistles makes it very lightweight.
The tool is really a TFTP server. TFTP is the Trivial File Transfer Protocol, an insecure protocol that shouldn’t be used over the Internet. However, it is a standard method for transferring small system files over a private network. The interface can be switched to become a DHCP server to manage IP address distribution, and it can also be set to act as a Syslog server. Finally, TFTPD32 will store your Syslog messages to file.
Although the facility can be a TFTP server, a TFTP client, a DHCP server, and a Syslog server, the same instance can’t perform all of those tasks simultaneously.
8. SureLog
SureLog is aimed at small businesses, but it isn’t free. You can install the software on Windows. It is aimed at the system security market, and it filters out routine event messages to highlight security threats. As well as trapping Syslog messages and storing them to files, the SureLog service monitors those log files to ensure that they are not tampered with by intruders trying to cover their tracks. Finally, the utility also shows those important messages in its log viewer.
Best Syslog Servers for Linux/Unix
Linux is known as a “Unix-like” operating system. In general, a piece of software that will run on Linux will probably also run on Unix. Here is a list of Syslog servers that install on Linux and/or Unix.
9. Icinga 2
Icinga is one of the leading open source system monitoring tools in the world. It is free to use and its latest version is called Icinga 2. The tool installs on Linux and one of its features is a log message monitoring facility. You can specify the type of messages to trap and one of the options is Syslog. The server will display Syslog messages and also write them to file. Finally, you can also load stored messages into the viewer.
The Icinga system has two parts: a processing section called Icinga Core and a front end called Web 2.0. You don’t even have to use Web 2.0 as the interface to the data processor, because other applications are compatible with it. As the code is open source, you can also adapt the Web 2.0 program to create your own corporate front end.
10. Syslog-NG
Syslog-NG installs on Linux computers. This tool is free and is an open source project. The utility collects Syslog messages and Windows events. It will store those messages in files. You can also choose to get the tool to insert records into an SQL database or forward them to other applications. Syslog-NG doesn’t include any analysis tools, but the files that the server creates can be opened in other facilities.
11. Logstash
Logstash is an open source system that installs on Linux. This is a free utility that forms part of a group of applications called the “Elastic Stack.” The key program in the Elastic Stack is Elasticsearch. Another module in the stack is called Kibana, which is a very well-known free front end that can interface with many different processing engines. Logstash is the collector in the stack. It listens for Syslog messages and files them. If you want more functionality, install Elasticsearch, which will sort and filter the Syslog data for analysis. Finally, you then add on Kibana to access the records through a viewer.
The log message detection processes of Logstash are universal and not specific to one particular type of error logging format. You would need to customize the system to focus on Syslog data by installing a free plug-in. The message processing functions of Logstash can conditionally file records, leaving out less important messages and writing to different files according to a set of rules that you define in the user interface. Logstash can even output files in formats that are compatible with Nagios, Icinga, Loggly, Graylog, AWS, and Graphite.
12. Graylog
Graylog is a log file manager that runs on Linux. You can get the utility for free — but that version is limited to collecting up to just 5 GB of data per day. The interface for Graylog is browser based, which makes it operating system independent and easy on the eye. You can use the front end of Graylog and the data collection module of some other tool, such as Logstash. Alternatively, you could use the data collection module of Graylog with Kibana as a front end. As you can see, this tool gives you a lot of options.
13. Fluentd
Fluentd is a free open source Syslog server that runs on Linux and Mac OS. The utility can collect a wide range of log message types as well as Syslog. You need to add on a plug-in to extend the tool’s capabilities. However, you must be aware that this is just a data collection system. You will need to add on another front end, such as Nagios, in order to get an analysis and viewing interface in front of the processing capabilities of Fluentd.
14. Humio
Humio runs on Linux, but you can also get it as an online service. The system isn’t free to use, but it is available for prospective buyers to run through its paces with a free trial. The tool is supported by a user community and it can even be expanded by plug-ins. However, this is a collector only, and you will need other tools to view and analyze the Syslog records that get collected by Humio.
Best Syslog Servers for Windows or Linux/Unix
Although Windows is the most installed computer operating system in the world, many networking utilities require Linux to operate. Making sure to catch both of these markets, many software producers create their software so that they have both a Windows and a Linux version. Here is a list of Syslog servers that are produced in versions for Windows and Linux/Unix.
15. ManageEngine Event Log Analyzer
ManageEngine is one of the world’s leading producers of infrastructure monitoring tools. Its Event Log Analyzer installs on Windows and Linux and it is free to use to monitor five sources or less. The ManageEngine tool doesn’t just collect Syslog messages, but it uses the header information in passing messages to map your network. Finally, the utility can also collect SNMP messages.
You can view new messages in the tool’s dashboard and also get them written to files. While in the dashboard, you can sort and filter messages for analysis. Log files are compressed and encrypted, with access restricted to only authorized staff. The files can be read into the dashboard from the archive, so you even have access to historical data for analysis. This tool integrates well with the ManageEngine network monitoring package, which is called OpManager.
16. The Dude
The Dude is a product of network equipment manufacturer MikroTik. However, it can pick up Syslog messages generated by the equipment produced by any manufacturer. This is a free utility and it can be installed on Windows, Linux, or Mac OS. The tool is very flexible and it can collect SNMP messages as well as Syslog data.
The tool will parse messages to different files according to the requirements you enter in the settings pages of the interface. Messages will also be displayed in the dashboard and you can even be alerted by a sound or a popup message when messages arrive. Finally, the message viewer allows you to sort and filter records for analysis.
17. Nagios Log Server
Nagios Core is a free open source network monitoring system. Icinga 2, which is detailed above, was developed from a copy of the Nagios Core code. This is a very well respected tool that is widely imitated by others. There is also a paid version of Nagios, called Nagios XI, and the developers of this product also created a log server tool. The log server isn’t free, but you don’t have to pay to use it to monitor 500 MB of data per day or less.
The Nagios Log Server runs on Windows and Linux. It will gather Windows events as well as Syslog data. Records will be written to file and they are also listed in the log server’s dashboard. The logs can be stored in one central location or distributed across several servers. There is also an option to create backups of log files. You can even filter Syslog messages so not all of them get stored, or optionally divert important messages to a separate file. Finally, the dashboard allows you to sort and filter live data and also analyze historical data read in from Syslog files.
18. Splunk
Splunk is a file analysis package that is available in both free and paid versions. The free version is restricted to analyzing file data. However, you can get it to look at your live Syslog messages if you channel them through a file. Unfortunately, you will need to use a different tool to collect those messages in the first place. Splunk will run on Linux, Windows, and Mac OS. The free version is limited to a data throughput of 500 MB per day.
Choose a Syslog Server
You can try several of the Syslog servers on this list because most of them are free and those that aren’t offer free trials. Managing Syslog messages will enable you to get important feedback on your network and that channel of feedback shouldn’t be overlooked!
Do you already use a Syslog server that you would recommend to others? Do you use any of the systems recommended in our list? Leave a message in the Comments section below and share your experience.