What is Syslog?
Syslog is a standard protocol for log message transport used to send system, application, or network log messages to a centralised log server.
It is widely used in both IT and OT environments for monitoring, fault detection, auditing, and security analysis.
🧠 How does Syslog work?
- A device (e.g. server, router, firewall, PLC) generates a log message
- The message is sent using the Syslog protocol (traditionally UDP port 514; TCP is also used, and TLS on port 6514 per RFC 5425)
- A central Syslog server collects, filters, indexes, and stores these messages
- Each message carries a priority (facility code plus severity level) and a timestamp
🛠 Typical Syslog sources
| Category | Examples |
|---|---|
| Network equipment | Routers, switches, firewalls |
| Servers | Linux, Unix, Windows (via agent) |
| Security | IDS, IPS, SIEM, EDR, Firewall |
| OT systems | PLC, SCADA, RTU with Syslog support |
| Software | Applications, web servers, databases |
🔍 Example of a Syslog message
```
<34>1 2025-07-25T14:23:00Z host01 appname 1234 ID47 - User login failed
```

| Element | Meaning |
|---|---|
| `<34>` | Priority = facility × 8 + severity; 34 = facility 4 (auth) × 8 + severity 2 (critical) |
| `1` | Syslog protocol version (RFC 5424) |
| `2025-07-25T14:23:00Z` | Timestamp (UTC, RFC 3339 format) |
| `host01` | Hostname |
| `appname` | Application or service name |
| `1234` | Process ID |
| `ID47` | Message ID (identifies the type of message within the application) |
| `-` | Structured data (none in this example) |
| `User login failed` | Message body |
🔐 Security functions
- Central log storage means that messages already shipped cannot be altered or deleted by tampering with the source device
- Combine with SIEM for correlation, detection, and alerting
- Use TLS for secure log transport (RFC 5425, TCP port 6514) so messages cannot be read or altered in transit
- Logging of security events is essential for NIS2, ISO 27001, IEC 62443
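To make the field layout of the example message and the SIEM correlation idea concrete, here is an added example (not code from the original page): a small Python parser for RFC 5424 messages that decodes the priority into facility and severity, run over a few constructed sample lines with a simple correlation rule that flags hosts with repeated failed logins. The sample lines, the `failed_login_hosts` rule and its threshold are assumptions for illustration; the field order and the facility and severity numbering follow RFC 5424.

```python
"""RFC 5424 Syslog parsing plus a simple failed-login correlation rule.

Added example, not part of the original page. The header layout and the
facility/severity numbering follow RFC 5424; the sample lines and the
detection rule below are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Facility and severity names as numbered in RFC 5424, section 6.2.1.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Header layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
# Simplification: structured data is matched as one or more [...] blocks; escaped ']'
# characters inside parameter values are not handled.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    version: int
    timestamp: str
    hostname: str
    app_name: str
    proc_id: str
    msg_id: str
    structured_data: str
    message: str

    @property
    def facility_name(self) -> str:
        return FACILITIES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def decode_pri(pri: int) -> tuple[int, int]:
    """PRI = facility * 8 + severity, so the low three bits hold the severity."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest valid value
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 0x7


def encode_pri(facility: int, severity: int) -> int:
    """Inverse of decode_pri; used when a device builds a message."""
    return facility * 8 + severity


def parse(line: str) -> SyslogMessage:
    """Parse one RFC 5424 line; raise ValueError if it does not match the header."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    facility, severity = decode_pri(int(m["pri"]))
    return SyslogMessage(
        facility=facility, severity=severity, version=int(m["version"]),
        timestamp=m["ts"], hostname=m["host"], app_name=m["app"],
        proc_id=m["procid"], msg_id=m["msgid"], structured_data=m["sd"],
        message=m["msg"] or "",
    )


def failed_login_hosts(lines, threshold: int = 3) -> dict[str, int]:
    """Constructed correlation rule: hosts with at least `threshold` messages from the
    auth/authpriv facilities whose body reports a failed login. Returns {hostname: count}."""
    counts: Counter[str] = Counter()
    for line in lines:
        try:
            msg = parse(line)
        except ValueError:
            continue  # a real pipeline would also count unparseable lines as a signal
        if msg.facility_name in ("auth", "authpriv") and "login failed" in msg.message.lower():
            counts[msg.hostname] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


# Constructed sample input: the page's example message plus a few made-up lines.
SAMPLE_LINES = [
    "<34>1 2025-07-25T14:23:00Z host01 appname 1234 ID47 - User login failed",
    "<34>1 2025-07-25T14:23:05Z host01 appname 1234 ID47 - User login failed",
    "<34>1 2025-07-25T14:23:09Z host01 appname 1234 ID47 - User login failed",
    '<38>1 2025-07-25T14:24:00Z host02 sshd 911 ID10 [exampleSDID@32473 iut="3"] User login failed',
    "<86>1 2025-07-25T14:25:00Z host02 sshd 912 - - Accepted publickey for ops",
    "this is not syslog at all",
]

if __name__ == "__main__":
    first = parse(SAMPLE_LINES[0])
    print(f"{first.hostname}: facility={first.facility_name} severity={first.severity_name} "
          f"msg={first.message!r}")
    print("hosts over threshold:", failed_login_hosts(SAMPLE_LINES))
```

Running the block parses the page's example message as facility `auth`, severity `crit` and reports `host01` as the only host over the threshold; the malformed last line is skipped rather than crashing the pass, which is the behaviour a collector needs when sources are noisy.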
🧰 Tools and solutions
- Syslog servers: rsyslog, syslog-ng, Graylog, Logstash
- Visualisation and analysis: Kibana, Grafana, Splunk, ELK stack
- Integration with SIEM solutions (e.g. Azure Sentinel, QRadar)
📌 In summary
Syslog is the standard protocol for collecting and analysing log messages in a central location. It is an indispensable building block for management, auditing, and cybersecurity in both IT and OT environments.
