A large organization often has multiple smaller, remote facilities. At each facility, multiple devices can produce a variety of log data. For example, a satellite office of a company can maintain multiple log sources. Log sources can include devices and applications, such as web servers, email servers, routers, firewalls and communication gateways. Each log source can produce log data, which can include one or more records relating to actions of the log source. This log data can be transmitted to one or more central processing servers using various log protocols.
An exemplary logging protocol is Syslog (Internet Engineering Task Force (IETF) proposed standard, Request for Comments (RFC) 5424). Syslog allows separation of a log source that generates log data from a system that stores the log data and a system that reports and analyzes the log data. Syslog can transfer data using the user datagram protocol (UDP) or the transmission control protocol (TCP). Today, Syslog does not guarantee reliable storage of the log data. In addition, Syslog does not provide a standard way of managing a wide area network (WAN) that connects a log source and the central processing server. The WAN can be slow, loss-prone, insecure, and potentially overloaded.
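The sketch below is an added example, not part of the original text: it shows how a central server can notice records lost between a log source and itself by parsing RFC 5424 messages and checking the optional `sequenceId` parameter of the `meta` structured-data element. It assumes the sources emit that parameter (RFC 5424 does not require it); the host names and messages are constructed sample data, and counter wrap-around or a source restart is not handled.

```python
import re
from collections import defaultdict

# RFC 5424 header fields: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
HEADER = re.compile(r"<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)", re.S)
# sequenceId parameter of the "meta" structured-data element (RFC 5424, section 7.3)
SEQ_ID = re.compile(r'\[meta\b[^\]]*?\bsequenceId="(\d+)"')

def parse(line):
    """Split one RFC 5424 message into the fields a collector needs."""
    m = HEADER.match(line)
    if not m:
        return None  # not RFC 5424 (for example legacy BSD syslog)
    pri, _version, timestamp, host, app, _procid, _msgid, rest = m.groups()
    # Structured data, when present, starts with "["; "-" means none.
    seq = SEQ_ID.search(rest) if rest.startswith("[") else None
    return {"facility": int(pri) >> 3, "severity": int(pri) & 7,
            "timestamp": timestamp, "host": host, "app": app,
            "seq": int(seq.group(1)) if seq else None}

def find_gaps(lines):
    """Return (host, first_missing, last_missing) ranges per log source."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and rec["seq"] is not None:
            seen[rec["host"]].add(rec["seq"])
    gaps = []
    for host in sorted(seen):
        ids = sorted(seen[host])  # sorting tolerates UDP reordering
        for prev, cur in zip(ids, ids[1:]):
            if cur > prev + 1:
                gaps.append((host, prev + 1, cur - 1))
    return gaps

# Constructed sample: records 3 and 4 from fw01 never reached the collector.
SAMPLE = [
    '<134>1 2024-01-01T10:00:00Z fw01 filterd 211 - [meta sequenceId="1"] allow tcp',
    '<134>1 2024-01-01T10:00:01Z fw01 filterd 211 - [meta sequenceId="2"] allow udp',
    '<38>1 2024-01-01T10:00:02Z mail01 smtpd 77 - [meta sequenceId="1"] accepted',
    '<131>1 2024-01-01T10:00:04Z fw01 filterd 211 - [meta sequenceId="5"] deny tcp',
    '<38>1 2024-01-01T10:00:03Z mail01 smtpd 77 - [meta sequenceId="2"] accepted',
]

if __name__ == "__main__":
    print(find_gaps(SAMPLE))
```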