Syslog is a standardized logging format and protocol used by a wide variety of devices and operating systems to log events related to computer system management and security auditing. Syslog is a client/server protocol in which a syslog sender transmits a syslog message to a syslog receiver within an IP network. A typical syslog message is a small (i.e., less than 1 kilobyte) text message. The syslog protocol is supported by a wide variety of devices and receivers across multiple platforms and is often used to integrate log data from virtually any number of systems into a single data repository.
Syslog has become standardized within the syslog working group of the Internet Engineering Task Force (IETF). In 2001, the IETF published Request for Comments no. 3164 (“RFC 3164”), which is publicly available at http://www.ietf.org/rfc/rfc3164.txt. For UNIX and Linux systems, syslog is practically the de facto standard for such logging. Syslog is also commonly used in routers and firewalls.
Regulations driven by the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standards (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and many others typically require organizations to implement systems that can collect and analyze logs from many different sources. Because of the wide use of syslog by many different kinds of devices and operating systems, log management systems must be capable of efficiently consuming, correlating, and analyzing syslog messages in order to be a viable solution in the marketplace.
One reason for syslog's popularity is its flexibility. For example, a typical syslog message is simply a text message having a header and a message body. However, because there is no widely accepted standard for the content or syntax of a syslog message body, there are at least as many variations of the message body as there are devices configured to output syslog messages. This presents a significant challenge to companies whose products provide log analysis and reporting capabilities. These products must be prepared to parse a myriad of formats in order to extract relevant event data and store it in a database in normalized form, where it can be analyzed, correlated, reported, and so on.
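As an added illustration of the header/body split and the normalization problem described above (this is example code written for this text, not code from the original page or from any particular product), the following Python parser handles the RFC 3164 header (PRI, timestamp, hostname, TAG and optional PID), maps PRI to facility and severity names, and then dispatches the free-form body to a per-TAG extractor. The two body extractors (key=value bodies for a `kernel` tag and a login-failure pattern for an `sshd` tag) and the sample lines are constructed for the example; the year supplied to `parse_syslog` is an assumption, because RFC 3164 timestamps carry no year.

```python
"""Normalise RFC 3164 syslog lines into a common record structure (example code)."""
import re
from datetime import datetime

# Facility and severity names per RFC 3164 section 4.1.1 (indexes are the numeric codes).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_LEN = 1024  # RFC 3164 section 4.1: a syslog packet must be 1024 bytes or less

# Header: optional <PRI>, then optional "Mmm dd hh:mm:ss HOSTNAME ", then the rest of the line.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) )?"
    r"(?P<msg>.*)$", re.DOTALL)
# TAG (up to 32 chars), optional [pid], then ':' and the body.
TAG_RE = re.compile(
    r"^(?P<tag>[A-Za-z0-9_./-]{1,32})(?:\[(?P<pid>\d+)\])?:\s*(?P<body>.*)$", re.DOTALL)

# Constructed body extractors: each takes the body text and returns normalised fields.
KV_RE = re.compile(r"(\w+)=(\S*)")
SSHD_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)")


def body_kernel(body):
    """key=value style body (as emitted by some packet-filter loggers); keys lower-cased."""
    return {k.lower(): v for k, v in KV_RE.findall(body)}


def body_sshd(body):
    """Extract the subject and source of an authentication failure; empty dict if no match."""
    m = SSHD_FAIL_RE.search(body)
    return {"event": "auth_failure", **m.groupdict()} if m else {}


# Registry of body parsers keyed by TAG; unknown tags keep the raw body only.
BODY_PARSERS = {"kernel": body_kernel, "sshd": body_sshd}


def parse_syslog(line, year=2024):
    """Return a normalised record for one syslog line. `year` is assumed, not carried by RFC 3164."""
    line = line.rstrip("\r\n")[:MAX_LEN]
    m = HEADER_RE.match(line)
    # RFC 3164 section 4.3.3: a missing or invalid PRI is treated as 13 (user.notice).
    pri = int(m["pri"]) if m["pri"] is not None and int(m["pri"]) <= 191 else 13
    record = {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "timestamp": None,
        "host": m["host"],
        "tag": None,
        "pid": None,
        "body": m["msg"],
        "fields": {},
    }
    if m["ts"]:
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        record["timestamp"] = ts.isoformat()
    t = TAG_RE.match(m["msg"])
    if t:
        record["tag"], record["body"] = t["tag"], t["body"]
        record["pid"] = int(t["pid"]) if t["pid"] else None
        record["fields"] = BODY_PARSERS.get(t["tag"], lambda _b: {})(t["body"])
    return record


# Constructed sample lines in RFC 3164 style (documentation IP ranges, fictitious hosts).
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 host1 sshd[1234]: Failed password for invalid user admin "
    "from 203.0.113.7 port 4242 ssh2",
    "<4>Oct 11 22:14:16 fw01 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=22",
    "Use the BFG!",  # no PRI, no header: RFC 3164 section 4.3.3 case
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(parse_syslog(raw))
```

Each device family that emits a different body syntax gets its own entry in `BODY_PARSERS`; the header handling stays shared, which is the practical consequence of syslog standardizing the header but not the body.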