With today’s systems generating enormous amounts of logging data, it’s no surprise that administrators are always looking for log management solutions. Logs are, by default, usually stored locally on the system that produced them. This makes sense, as it keeps them close to their source. But when troubleshooting an issue and looking for its root cause, we often have to read several log files on numerous devices. Wouldn’t it be nice if the logs from all devices were stored in one centralized place? That is the purpose of log management, and if your platform of choice is Linux, there are plenty of options available. Read on as we review some of the best log management tools for Linux.
We’ll start by defining log management. You will see that it is quite a bit more than centralized log storage. Next, we’ll discuss the logging technologies on which it is built; log management would hardly exist without them. We’ll then differentiate syslog servers from log management systems and see that there is no clear demarcation between them. After a brief pause to discuss Security Information and Event Management (SIEM) systems, another type of system often confused with log management thanks to the fuzzy definition of each, we’ll review the best log management tools for Linux.
What Is Log Management?
Before we can talk about log management, let’s define what a log is. Simply put, a log is the automatically produced, time-stamped record of an event relevant to a particular system. In other words, whenever an event takes place on a system, a log entry is generated. Systems and devices generate logs for many types of events, and most of them give administrators some degree of control over which events are logged and which are not.
Log management refers to the processes and policies used to administer and facilitate the generation, transmission, analysis, storage, archiving and eventual disposal of large volumes of log data. Although the definition doesn’t say so explicitly, log management implies a centralized system where logs from multiple sources are collected. Log management is not just log collection, though; the management part is what matters most, and log management systems typically offer several functions, collecting logs being just one of them.
Once logs are received by the log management system, they need to be normalized into a common format, because different systems format their logs differently and include different data. Some start an entry with the date and time, others with an event number. Some only include an event ID while others include a full-text description of the event. One of the purposes of a log management system is to ensure that all collected entries are stored in a uniform format (at a minimum: a timestamp in a single time zone, the originating host, the producing program or subsystem, a severity, and the message). This makes event correlation and searching much easier down the line.
Event correlation and searching are two other major functions of most log management systems. The best of them feature a powerful search engine that allows administrators to zero in on precisely what they need. Correlation functions automatically group related events, even when they come from different sources, for instance by matching a shared host name, user or IP address within a short time window. How, and how successfully, different log management systems accomplish that is a major differentiating factor.
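To make the normalization and correlation steps concrete, here is an added example (not code from the article or from any of the products it reviews) that maps three differently formatted lines, a BSD syslog line, an RFC 5424 syslog line and a vendor text format, onto one schema and then groups records that mention the same IP address within a time window, across hosts. The sample lines are constructed, and the record schema is an assumption; real products use their own field names.

```python
"""Normalize three differently formatted log lines into one schema, then
correlate records that share an indicator across hosts.

Added example, not code from the article or from any product it reviews.
The input lines are constructed, and the schema
(ts, host, source, event_id, severity, message) is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input: the same incident as seen in three log formats.
SAMPLE_LINES = [
    # RFC 3164 (BSD) syslog: <PRI>Mon DD HH:MM:SS host tag[pid]: message
    "<38>Mar  4 10:15:02 web01 sshd[2201]: Failed password for root from 203.0.113.9 port 51414 ssh2",
    # RFC 5424 syslog: <PRI>1 ISO-TIMESTAMP host app procid msgid [sd] message
    "<86>1 2024-03-04T10:15:03.118Z web01 sudo 2210 - - root : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    # Vendor text format that carries an event ID and no severity at all.
    "2024-03-04 10:15:05 EVT-4625 fw01 login failure from 203.0.113.9",
]

# Severity names for PRI % 8 (RFC 3164 / RFC 5424): PRI = facility * 8 + severity.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ "
    r"(?:-|\[.*?\]) ?(?P<msg>.*)$")
VENDOR = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<eid>EVT-\d+) (?P<host>\S+) (?P<msg>.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity) numbers."""
    return divmod(pri, 8)


def normalize(line, year=2024):
    """Map one raw line to the common schema; return None for unknown formats.

    BSD syslog timestamps carry no year or zone, so the year is supplied by the
    caller and every timestamp is normalized to UTC (an assumption made here).
    """
    m = RFC3164.match(line)
    if m:
        _, sev = decode_pri(int(m["pri"]))
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts.replace(tzinfo=timezone.utc), "host": m["host"],
                "source": m["tag"].strip(), "event_id": None,
                "severity": SEVERITY_NAMES[sev], "message": m["msg"]}
    m = RFC5424.match(line)
    if m:
        _, sev = decode_pri(int(m["pri"]))
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        return {"ts": ts.astimezone(timezone.utc), "host": m["host"],
                "source": m["app"], "event_id": None,
                "severity": SEVERITY_NAMES[sev], "message": m["msg"]}
    m = VENDOR.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        return {"ts": ts.replace(tzinfo=timezone.utc), "host": m["host"],
                "source": "vendor", "event_id": m["eid"],
                "severity": "unknown", "message": m["msg"]}
    return None


def correlate(records, window_seconds=60):
    """Group records mentioning the same IPv4 address within a time window.

    Records are walked in time order; a record joins an address's group only
    if it falls within window_seconds of that group's first record. Groups
    with a single member are dropped, since they correlate nothing.
    """
    groups = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        for ip in set(IPV4.findall(rec["message"])):
            bucket = groups[ip]
            if bucket and (rec["ts"] - bucket[0]["ts"]).total_seconds() > window_seconds:
                continue
            bucket.append(rec)
    return {ip: recs for ip, recs in groups.items() if len(recs) > 1}


def run(lines=SAMPLE_LINES):
    """Normalize every line, drop unparsable ones, and return (records, groups)."""
    records = [r for r in (normalize(l) for l in lines) if r is not None]
    return records, correlate(records)
```

Running `run()` yields one group for 203.0.113.9 containing the sshd failure on web01 and the vendor login-failure event on fw01, three seconds apart; the sudo entry, which mentions no address, stays out of it. Note that the correlation only works because both timestamps were brought into the same time zone first, which is why normalization precedes correlation in every real product.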
Log management would be much more difficult, perhaps not even possible, if it weren’t for logging protocols. A few of them exist. They define what data is to be included in a log entry, how it should be formatted and, sometimes, how entries are transmitted between systems.
Syslog is arguably the most widely used logging protocol, especially in the Linux world. It originated in the 1980s as part of the Sendmail project and has become the de facto standard for all Unix-like systems; its message format was eventually documented in RFC 3164 (the original BSD format) and modernized in RFC 5424. One of syslog’s greatest assets is how it separates the system or software that generates logs, the system that stores them, and the software that reports on and analyzes them, which makes log management much easier. And syslog is not a Unix exclusive: many non-Unix devices such as switches, routers and all sorts of equipment from many vendors speak some variant of the syslog protocol.
There are other logging technologies. Microsoft Windows, for example, uses its own event log, which stores structured records with more fields than a plain syslog line carries. Fortunately, the Windows Event Collector and Windows Event Forwarding features provide a means for log management systems to receive events from Windows hosts. This post is about Linux log management, though, so let’s not spend too much time on Windows.
No matter what logging technology is used, an important part of log management is configuring devices to send their logs to the management system. Other tools, such as network monitoring systems, fetch data from the systems they monitor, but with log management each device must be “told” where to send its logs. It is, however, a relatively simple task, often accomplished with a single configuration line. Two practical points matter more than the line itself: keep the clocks of all sources synchronized (NTP), since correlation depends on comparable timestamps, and prefer a transport that provides integrity and confidentiality (TCP with TLS where the device supports it) over plain UDP syslog, which anyone on the path can read, drop or forge.
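What actually travels between a device and the collector is small. The following added example (not code from the article or from any product it reviews) builds one classic BSD-syslog datagram, the format most devices emit by default, sends it to a collector on the loopback interface and parses it on arrival. Host names and the message are constructed; the collector deliberately records the sender’s real address next to the host name the message claims.

```python
"""A device forwarding one syslog message to a collector, end to end.

Added example, not code from the article or from any product it reviews.
Host names and the message are constructed, the exchange runs on the
loopback interface, and the wire format is RFC 3164 over UDP.
"""
import socket
from datetime import datetime

# Facility and severity codes from RFC 3164; PRI = facility * 8 + severity.
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
            "authpriv": 10, "local0": 16, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_message(facility, severity, host, tag, pid, text, when=None):
    """Encode one BSD-syslog line, e.g. b'<38>Mar  4 10:15:02 web01 sshd[2201]: ...'."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    when = when or datetime(2024, 3, 4, 10, 15, 2)      # fixed, constructed timestamp
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"    # RFC 3164 pads the day with a space
    return f"<{pri}>{stamp} {host} {tag}[{pid}]: {text}".encode("utf-8")


def parse_message(payload, peer):
    """Decode PRI and fields; keep the claimed host and the actual sender apart."""
    head, rest = payload.decode("utf-8", errors="replace").split(">", 1)
    facility_num, severity_num = divmod(int(head.lstrip("<")), 8)
    fac_names = {v: k for k, v in FACILITY.items()}
    sev_names = {v: k for k, v in SEVERITY.items()}
    stamp = rest[:15]                           # "Mon DD HH:MM:SS" is always 15 characters
    host, tag_and_text = rest[16:].split(" ", 1)
    tag, text = tag_and_text.split(": ", 1)
    return {"facility": fac_names.get(facility_num, str(facility_num)),
            "severity": sev_names[severity_num], "timestamp": stamp,
            "claimed_host": host, "peer": peer[0], "tag": tag, "message": text}


def forward_once(payload, collector_addr):
    """What a configured device does: fire one datagram at the collector and forget it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, collector_addr)


def roundtrip(facility="auth", severity="info", host="web01", tag="sshd", pid=2201,
              text="Failed password for root from 203.0.113.9 port 51414 ssh2"):
    """Stand up a loopback collector, forward one message to it, return the parsed record."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as collector:
        collector.bind(("127.0.0.1", 0))       # port 0: the kernel picks a free one
        collector.settimeout(2.0)
        forward_once(build_message(facility, severity, host, tag, pid, text),
                     collector.getsockname())
        data, peer = collector.recvfrom(65535)
    return parse_message(data, peer)


if __name__ == "__main__":
    print(roundtrip())
```

On a real Linux host the sending side is a configuration line rather than code: with rsyslog, `*.* @@collector.example.com:514` (an example host name) forwards everything over TCP, a single `@` means UDP, and the gtls network stream driver adds TLS as described in RFC 5425. The collector keeps `peer` separate from `claimed_host` because the HOSTNAME field is whatever the sender chose to write, and with UDP even the source address can be forged; treat both as untrusted until the transport authenticates the sender.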
Log Servers or Log Management?
Since a syslog daemon has been available on every Unix-like system, Linux included, for quite a while, it is often used as a log server, with one computer receiving syslog data from several others. While this centralized storage of logs has definite advantages, it is not enough to be called log management.
To deserve the log management system name, a product must include at least some of the more advanced functions. According to Wikipedia, “log management is comprised of the following functions: log collection, centralized log aggregation, long-term log storage and retention, log rotation, log analysis, log search, and reporting”. Wow! That’s a lot of functionality. Log servers, on the other hand, typically only offer log collection and storage and rarely anything more.
A Word (Or Two) About SIEM
Another technology that is associated with logs and often confused with log management systems is Security Information and Event Management, or SIEM. It is different from log management, yet closely related. The line between them is so thin that some products advertised as log management systems are actually SIEMs, while some basic SIEM systems are nothing more than advanced log management systems.
The confusion stems from the fact that log management, or at the very least log analysis, is an important component of SIEM systems. What differentiates a SIEM is that it performs log analysis with the ultimate goal of identifying security issues. It will, for instance, look for repeated unsuccessful logins from the same source, a tell-tale sign of a password-guessing attempt, or for privilege and configuration changes that nobody requested. These systems continuously scan log entries looking for anything out of the ordinary and raise alerts when they find it. While some SIEM systems include extensive log management features, others rely on an external log management system, and it’s not uncommon to see both running side by side.
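The failed-login rule mentioned above is the canonical SIEM example, so here it is as working detection logic. This is an added example, not code from the article or from any product it mentions: it runs over constructed sshd log lines, counts failures per source address inside a sliding window and raises an alert when a threshold (an assumed value) is crossed.

```python
"""Detect password-guessing attempts in sshd log lines the way a SIEM rule
would: count failed logins per source address inside a sliding window and
alert when a threshold is crossed.

Added example, not code from the article or from any product it mentions.
The log lines are constructed; threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.+?) from (?P<ip>[\d.]+) port \d+ ssh2$")

# Constructed sample: one source hammers web01, another fails once, one real login succeeds.
SAMPLE_LINES = [
    "Mar  4 10:15:02 web01 sshd[2201]: Failed password for root from 203.0.113.9 port 51414 ssh2",
    "Mar  4 10:15:04 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51416 ssh2",
    "Mar  4 10:15:05 web01 sshd[2205]: Failed password for alice from 198.51.100.7 port 40022 ssh2",
    "Mar  4 10:15:07 web01 sshd[2207]: Failed password for invalid user oracle from 203.0.113.9 port 51418 ssh2",
    "Mar  4 10:15:09 web01 sshd[2209]: Accepted password for alice from 198.51.100.7 port 40022 ssh2",
    "Mar  4 10:15:11 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 51420 ssh2",
    "Mar  4 10:15:15 web01 sshd[2213]: Failed password for invalid user test from 203.0.113.9 port 51422 ssh2",
    "Mar  4 10:20:40 web01 sshd[2301]: Failed password for root from 203.0.113.9 port 51500 ssh2",
]


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return one alert per (source IP, burst) with at least `threshold` failures in `window`.

    Only the structured prefix (timestamp, host, program) and sshd's fixed phrasing
    are trusted. The user name is attacker-chosen text: it is matched but never used
    as a grouping key, so a crafted login name cannot split or spoof a group, and the
    address is taken from the end of the line, where sshd appends it.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"ip": m["ip"], "host": m["host"], "count": len(q),
                           "first": q[0], "last": ts})
            q.clear()             # start a fresh burst instead of alerting on every further attempt
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LINES):
        print(alert)
```

With the defaults, the sample produces a single alert for 203.0.113.9 after its fifth failure at 10:15:15; the lone failure from 198.51.100.7 and the later, isolated attempt at 10:20:40 stay below the threshold. Clearing the queue after an alert is a design choice: it trades a little sensitivity for not paging the on-call engineer once per attempt during a sustained attack.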
The Best Log Management For Linux
Hopefully, we now have a common understanding of what log management is and what it isn’t. So, let’s have a look at what’s available for Linux. But first, let’s clarify something. When referring to Linux log management, what we mean are log management systems that can accommodate Linux logs and that will either run on the Linux platform or in the cloud. Some of our selections—particularly cloud-based systems—will also work with logs from other platforms.
1. SolarWinds Papertrail
SolarWinds has become a household name among network administrators. The company has been making some of the best tools for almost 20 years, bringing us great bandwidth monitoring tools and one of the best NetFlow analyzers and collectors. It is also well known for publishing several free tools that address specific needs of network administrators, such as a subnet calculator or a syslog server.
Not so long ago, SolarWinds acquired Papertrail, a popular log management service. It aggregates log data from a wide variety of popular products such as Apache or MySQL, as well as from Ruby on Rails apps, various cloud hosting services and other standard syslog and text-based log files. Papertrail users can then use the web-based search interface or command-line tools to search through these logs to help diagnose issues. Papertrail also integrates with Librato, another SolarWinds product, and with third-party dashboards such as Geckoboard for graphing results.
Papertrail is a cloud-based, software-as-a-service (SaaS) offering from SolarWinds. Being cloud-based means that it works fine in an all-Linux environment; nothing runs on-premises besides your systems’ own log forwarding. The platform is easy to implement, use and understand, and it will give you visibility across all your systems within minutes. Furthermore, the product has a very effective search engine that can search both stored and streaming logs, and it is lightning fast.
Papertrail is available under several plans, including a free one. The free plan is somewhat limited, though: it only allows 100 MB of logs per month. It does, however, allow 16 GB of logs in the first month, which is equivalent to a free 30-day trial. Paid plans start at $7/month for 1 GB/month of logs, one year of archive and one week of search index. Noise filtering lets you stay within your quota by not saving useless logs.
2. Loggly
Loggly is another cloud-based online service. Primarily a log consolidator, it also offers log analysis functionality. By virtue of being cloud-based, this system requires no installation and is ready to use the minute you subscribe. Of course, your systems and devices still need to be configured to send their logs to the service.
Loggly then converts the received log data into a standard format, thereby allowing the analyzer to process records from various sources and enabling event tracking and correlation across all systems, regardless of their operating system or logging technology. The sources of log data are not limited to your on-premises servers: the system can, of course, process logs generated by cloud-hosted servers, such as those on Amazon AWS, and it can ingest messages from tools such as Docker and Logstash, just to name a few.
The Loggly service is available under three different plans, with increasing data processing limits and retention times; you need to pick the one that gives you enough room for your log data. The entry-level plan is called Loggly Lite and is free to use: you can upload 200 MB of log data per day and the system retains each record for seven days. Next is the Standard plan, which gives you an upload allowance of 1 GB per day and retains records for 30 days. Paid plans also let you use multiple user accounts; with the Standard package, you can have three. The top tier is called Loggly Enterprise. It has no limit on the number of user accounts and prices vary depending on the upload capacity and retention period you require. All paid plans can be billed monthly or annually, and a free 14-day trial is available on the Standard plan.
3. Splunk
Splunk is a comprehensive log management system for Linux, macOS and Windows that is well known within the system administration community. More than a basic log management system, many consider it a full-fledged SIEM; note that it analyzes and alerts but does not block anything itself, so it is not an intrusion prevention system. The product is available in several editions. At the top is Splunk Enterprise, which is a general-purpose search and analytics platform for machine data rather than just a log management tool. Pricing starts at $173 per month and you get a lot of functionality.
There is also a free version of Splunk, which is essentially the same tool without some of its most advanced functionality. In essence, it is restricted to log file analysis. You can feed it any of your standard log files or have it monitor a file for live data. The free version has a few limitations: it only supports one user account and its indexing throughput is limited to 500 MB of logs per day. Data sorting and filtering functionality is built into Splunk, facilitating your troubleshooting efforts. You can use these features, for instance, to split log records by date and write each group out to new files. This functionality is very flexible.
4. Nagios Log Server
Nagios is best known for its excellent network monitoring software, but its Log Server is just as interesting. The product is simply called Nagios Log Server and it offers centralized log management, monitoring and analysis. The tool can greatly simplify the process of searching your log data. It also lets you set alerts to be notified of potential threats. Furthermore, the software has high availability and fail-over built right into it, and its easy source setup wizards will help you quickly configure servers to send their log data and start monitoring your logs within minutes.
The Nagios Log Server allows for easy correlation of log events across all servers in just a few clicks. The system lets you view log data in real time, giving you the ability to analyze and solve problems as they occur. The product features impressive scalability and will continue to meet your needs as your organization grows: additional Nagios Log Server instances can be added to a cluster, allowing you to quickly add more power, speed, storage and reliability.
The single-instance price for the Nagios Log Server is $3,995 and, although a free trial doesn’t appear to be available, a free online demo is, should you prefer to have a first-hand look at the product.
5. Graylog
Next on our list is Graylog. The product offers many interesting features. The tool will parse and enrich logs and event data from many data sources. Its processing pipelines give you flexibility in routing, dropping, modifying and enriching messages in real time. Graylog can search through terabytes of log data to discover and analyze important information, and its powerful search syntax lets you find exactly what you are looking for.
With Graylog, you can create dashboards to visualize metrics and observe trends in one central location. You can use field statistics, quick values and charts from the search results page to dive in for deeper analysis of your data. The system can also trigger actions or issue notifications on events such as failed login attempts, exceptions or performance degradation.
Graylog is a free, open-source log management system that offers a lot more functionality than a mere log archiving utility. It has a web-based graphical user interface and runs on Ubuntu, Debian, CentOS and SUSE Linux. You can also run it in a virtual machine on Microsoft Windows, and you can deploy it on Amazon AWS.
6. ManageEngine EventLog Analyzer
ManageEngine, another common name among network administrators, makes an excellent log management system called ManageEngine EventLog Analyzer. The product collects, manages, analyzes, correlates and searches through the log data of over 700 sources using a combination of agentless and agent-based log collection as well as log import.
Speed is one of ManageEngine EventLog Analyzer’s strengths. It can process log data at an impressive 25,000 logs/second and detect attacks in real time. It can also perform fast forensic analysis to reduce the impact of a breach. The system’s auditing capabilities extend to network perimeter devices’ logs, user activities, server account changes, user accesses and more, helping you meet security auditing needs.
The ManageEngine EventLog Analyzer is available in a feature-reduced free edition, which only supports 5 log sources, or in a premium edition which starts at $595 and varies according to the number of devices and applications. A free, full-featured 30-day trial is also available.