As network managers, we have to deal with an amazing number of events happening on any an all of the devices we are tasked to take care of. I recall, when I was a junior administrator several years ago, that my first daily task was to check each device’s error logs. A task that took an ever-increasing amount of time as the network’s size increased up to the point where it took almost all morning. Thanks to the syslog remote logging system and intelligent syslog serves, this kind of task is a thing of the past. Read on as we review the best free syslog servers that you can find.
Before we reveal our best free syslog server, we’ll start by discussing the need for centralized logging. We’ll then describe the syslog system, where it’s coming from and how it works. And since many admins have to deal with Windows devices, we’ll see how event from those systems can also be consolidated together with events from other systems. We will also discuss SNMP traps as they are yet another popular way fo transmitting system messages. And keeping the best for last, we’ll present our best free syslog servers.
The Need For Centralized Logging
If like me, you’ve ever been tasked with checking logs on dozens of devices daily, you know how boring, time-consuming and error-prone this can be. There are so many messages to sort through that overlooking an important one from time to time is almost a certainty.
Add to that the fact that many devices allocate only a certain amount of resources to logging and roll logs by removing older events as new ones happen. There is a serious risk of missing something important. This is especially true when you consider that some events could be the root cause of other, subsequent events.
There are several aspects to the need for centralized logging. First and foremost, you want to make sure that all logged events are recorded and saved. But wouldn’t it be nice if that centralized logging also had the required intelligence to analyze events and alert you automatically whenever something significant happens? This is exactly what some of the bets syslog servers do.
The Syslog System
Technically speaking–without going too technical–Syslog is two things. First, it is a protocol that defines a computer event logging system. It is also the name of the format in which syslog messages are exchanged between systems. The syslog system is a two-component system. There is a client component that runs on each logging device and a server component that receives the event information from syslog clients.
Syslog originated in the 1980’s in the Unix world, more precisely as a log exchange system for Sendmail, an e-mail delivery system. It worked so well that it was soon expanded to other areas of the Unix operating system and later included on many networking appliances such as routers, switches, and firewalls, to name a few.
The Syslog Message Format
A syslog message includes several pieces of information: the date and time of the event, the equipment’s hostname, the process that triggered the event, the event’s severity level [within square brackets ], the process ID of the event’s source and the message body. For example:
Sep 14 14:09:09 test_device dhcp service[warning] 110 message body
There are eight severity levels ranging from “debugging” to “emergency”–sometimes referred to as “panic”. This is important as many syslog servers can be configured to respond in specific ways to messages of a given severity.
What About Windows Systems?
Ever since Windows NT, back in 1993, Windows systems have also generated events. Those are typically explored using the log viewer application, a component of every Windows operating system. But if you manage a combination of Unix/Linux, networking appliances, and Windows servers, wouldn’t it be great if all system event could be centralized in a single place?
The main difficulty in accomplishing this has to do with the different format. Windows events don’t include the same information as typical syslog events. There are several ways of accomplishing this on Windows. You could do it using WinRM and PowerShell commands. You could also use software that automatically configures all aspects of forwarding for you. One such software is the free SolarWinds Event Log Forwarder For Windows.
You might already know SolarWinds. The company makes some of the best network management and monitoring software. It is known for having free 30-day evaluation versions of most of its products. But SolarWinds is also known for making some of the best free network management tools. Once such tool is the free Event Log Forwarder For Windows.
In a nutshell, the SolarWinds Event Log Forwarder for Windows can automatically forward Windows event logs as syslog messages to any syslog service. You can use it to quickly specify and automatically send events from workstations and servers. It can export event data from both Windows servers and workstations. The software lets you specify which events to forward by source, type ID, or keywords. It can be configured to send events to multiple servers.
You simply download the software from SolarWinds’s web site and install it on each server where you want to export event data. Thanks to its user-friendly graphical user interface, configuring the exporting parameters is easy. You basically specify which events to include and where to send them.
SNMP Traps — Another Type Of Event Notification
If you’re familiar with network monitoring tools, you certainly have heard of SNMP, the Simple Network Management Protocol. It is widely used by such tools to read interface counters and calculate bandwidth usage. There’s another type of SNMP traffic called SNMP traps. They are messages sent from one device to another to alert it to some specific situation.
Many networking appliances can be configured to send out SNMP traps whenever something goes wrong. It is different from syslog as each type of trap has to be manually configured. A device could, for instance, be configured to send out a trap whenever an interface goes down or when traffic exceeds a certain threshold. These traps are sent to what we refer to as a trap receiver in the SNMP world.
We wanted to mention SNMP traps here because some of the tools we’re about to present can also be used as trap receivers. With a system that supports and integrates events received from syslog messages and SNMP traps, you have a unified solution that delivers integrated monitoring in one package. We’ll make sure we let you know those that also support SNMP as we review each of the best free syslog servers.
The Best Free Syslog Servers
Syslog servers come in all shapes and sizes. Different syslog servers differ in their functionality. Some servers will only store logs in a centralized location. Some will let you display them on a management console sometimes after applying various filters. Some servers can be configured to react to certain types of event from specific hosts by, for instance, generating some type of alert. Such alert can be displayed on the console screen while sounding an alarm, some can be sent out by email or SMS. And as discussed before, some servers will only support the syslog protocol while other will also handle Windows events and/or SNMP Traps.
We’ve assembled a list of what we found to be the six best free syslog servers. Some are truly free full-fledged servers while others are scaled-down versions of a feature-rich(er) paid version. Here’s our Top 6 list:
- SolarWinds Kiwi Syslog Server Free Edition
- ManageEngine Event Log Analyzer
- Paessler PRTG
- WhatsUp Gold’s Syslog Server
- Syslog Watcher
- Visual Syslog Server for Windows
We’ve already introduced SolarWinds when we discussed its Event Log Forwarder For Windows. The Kiwi Syslog Server Free Edition is another of the company’s excellent free products. It comes with a severe limitation, though as it can only handle syslog messages from up to five devices. It will, therefore, only be suitable for the smallest networks.
The Kiwi Syslog server–which can only be installed on Windows server 2008 or 2012, or Windows 7, 8, or 10–writes all the messages it receives to a consolidated log file while also displaying them on its dashboard. It will collect data from pretty much any device that can generate syslog messages or SNMP traps. This includes most routers, switches, and security appliances.
You can have the server write logs by date or by message source type. You can set alerts on high traffic. And if you go with the paid version, there are many more alert conditions that you can use.
2. ManageEngine EventLog Analyzer
Just like our top pick, the free version of the ManageEngine EventLog Analyzer can only collect syslog data from up to five devices. Beyond that, you’ll need to purchase a license. And just like SolarWinds, ManageEngine has a solid reputation for making great network management tools and for offering excellent free software.
With a name such as EventLog Analyzer, you’d expect a lot more from this product than just a syslog server. Well, you’d be right. In addition to the aggregation of all your logging sources in one spot, the EventLog Analyzer has a few advanced features such as compliance reporting and log forensics. Paid versions come with even more of these unique features like you won’t find in other products.
3. Paessler PRTG
If you’re at all familiar with network monitoring systems, you probably know PRTG from Paessler. It is, after all, one of the best-known network monitoring package. What you may not know is that PRTG can also receive syslog data. Even in its free, limited version. As you may know, PRTG is free to use with up to 100 sensors. Well, syslog can be one of these sensors. This means that a free PRTG installation can be used to centralize syslog data and monitor 99 other parameters.
The PRTG Syslog Receiver, as it is called, will gather all Syslog messages on your network and keep them in a database. Once stored, you can get them written to log files. You can also query the database from the PRTG dashboard. And finally, you can trigger actions in response to specific conditions.
4. WhatsUp Gold’s Free Syslog Server
WhatsUp Gold is another household name in the field of network monitoring. There are few network administrators who have no at least heard of it. It’s been around for a very long time and is amongst the best packages in its category. Ipswitch, the maker of WhatsUp Gold, also makes the WhatsUp Gold’s free Syslog Server. It is a true free package that runs on Windows. It can be downloaded from Ipswitch’s web site.
The WhatsUp Gold’s free Syslog Server is a feature-rich tool that addresses most administrators syslog needs. The toll has enhanced export capabilities and can display logged messages in real-time, optionally filtering results to customize the display to one’s specific needs. The server can process up to six million messages per hour which is plenty for all but the largest of networks.
5. Syslog Watcher
Vancouver, Canada-based EZ5 Systems makes a very good syslog server for Windows called Syslog Watcher. It is a fast server that uses multithreading to ensure it properly receives and processes all syslog messages it receives. By separating the receiving and the processing of messages, it ensures that no message is dropped. It will work with both TCP and UDP messages and will support IPv4 and IPv6.
Feature-wise, this is a great package. It can export log data either to a file or a database. Storin event in a database means that you can process them in many different ways by filtering, sorting, grouping, and counting. The server also features flexible alerting. You can even combine event to generate alerts.
6. Visual Syslog Server for Windows
The Visual Syslog Server for Windows is a very neat albeit somewhat basic little piece of software from Russia. It is a truly free, open-source system. It is RFC 3164-compliant meaning that it will work with both TCP and UDP messages. Its console will display received messages in real-time with customizable color highlighting while also storing them to disk. It automatically rotates the saved log files by size or by date.
The messages display can be filtered based on several different criteria such as facility, priority, host, or message content. Alert conditions and actions can be user-defined and include not only email but also the possibility or running external programs with custom parameters. Unlike many other Windows syslog servers, the visual Syslog server runs as an application rather than a service but it minimizes to the system tray when the console is not in use and keeps logging in the background while freeing screen real-estate.
Centralizing your logging is arguably one of the best ways you can reduce your workload while improving your incident response capability. With the customizable alerting that most of these packages offer, you can automate one of the most important components of your incident response. There are many more syslog servers available for free on the Internet. We’ve only provided you with a list of those we recently found to be amongst the best. And while all our suggestions are excellent choices, we can’t help but prefer our top pick, SolarWinds SolarWinds Kiwi Syslog Server Free Edition. It was my personal favorite even before SolarWinds acquired Kiwi a few years back and it continues to be my first choice. It might not be the most feature-packed server but it gets the job done and it does it well.