Overview of syslog protocol

Syslog is a formal specification for sending messages from one computer system to another. It is formally documented in RFC 3164, published in 2001. The protocol itself has been in use since 1980. The invention of the protocol is generally attributed to Eric Allman, author of the Unix sendmail program (and originator of the most popular convention for indenting C-language programs, known as the Allman style of bracketing).

Unlike many management protocols (including SNMP), the format of the message is quite simple. The message is sent in clear text to a UDP port, normally port 514. The message contains two essential fields, as follows:

  • Numeric header—The syslog message begins with a simple text prefix, encoded in ASCII, consisting of an integer bracketed by < and > characters. The integer is between zero and 191.
  • Text message—This header is followed by a text string of less than 1024 characters in length. This field can be further broken down into sub-fields, although this is not essential and is not consistently enforced.

Within RFC 3164, an attempt is made to codify the specification further by defining the format of embedded time strings, and by identifying the substrings and conventions with which the text message portion is composed.

Although this is worth attention, none of it can be relied upon in practice. The previous two rules comprise virtually the only aspects of the message specification that can be completely relied upon for all syslog message generation. In fact, this single paragraph describes all that a programmer needs to get started in generating syslog messages.
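As an added example (not part of this documentation or of the BMC Defender product), the two rules above are enough to write both a sender and a receiver-side validator. The split of the PRI value into facility and severity (PRI = 8 × facility + severity) follows RFC 3164; the sample message and process name are constructed.

```python
import re

# Constraints stated above: PRI is an integer 0..191 inside <>, and the text
# that follows is shorter than 1024 characters. PRI = 8*facility + severity is
# the RFC 3164 definition (facility 0..23, severity 0..7).
MAX_PRI = 191
MAX_TEXT_LEN = 1024
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_HEADER_RE = re.compile(rb"^<(\d{1,3})>(.*)\Z", re.DOTALL)


def build_syslog(facility: int, severity: int, text: str) -> bytes:
    """Encode one datagram ready for UDP port 514; rejects out-of-range input."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23 and severity 0..7")
    if len(text) >= MAX_TEXT_LEN:
        raise ValueError(f"text must be shorter than {MAX_TEXT_LEN} characters")
    pri = facility * 8 + severity        # cannot exceed 191 given the checks above
    return f"<{pri}>{text}".encode("utf-8")


def parse_syslog(packet: bytes) -> dict:
    """Validate a received datagram and split it into its fields.

    Raises ValueError for anything that breaks the two rules, so a collector
    can count and drop malformed input instead of ingesting it unparsed.
    """
    m = _HEADER_RE.match(packet)
    if m is None:                        # no "<digits>" prefix at offset 0
        raise ValueError("missing or malformed <PRI> header")
    pri = int(m.group(1))                # \d in a bytes pattern is ASCII-only
    if pri > MAX_PRI:
        raise ValueError(f"PRI {pri} exceeds {MAX_PRI}")
    # The body is nominally ASCII; substitute anything else rather than crash.
    text = m.group(2).decode("utf-8", errors="replace")
    if len(text) >= MAX_TEXT_LEN:
        raise ValueError(f"text length {len(text)} is not below {MAX_TEXT_LEN}")
    facility, severity = divmod(pri, 8)
    return {"pri": pri, "facility": facility, "severity": severity,
            "severity_name": SEVERITY_NAMES[severity], "text": text}


if __name__ == "__main__":
    # Constructed sample: facility 4, severity 6 -> PRI 4*8 + 6 = 38.
    datagram = build_syslog(4, 6, "sshd[1234]: Accepted publickey for alice")
    print(datagram, parse_syslog(datagram), sep="\n")
```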

Introduction to syslog protocol

The main messaging protocol for the BMC Defender Server system is the syslog protocol. This is a simple, highly interoperable, and well-established standard.

The management of syslog messages is a valuable but sometimes overlooked aspect of network and business management. Within your enterprise, your routers, servers, workstations, and business applications are constantly collecting important error and status information. This status information resides in error logs, transaction logs, and event logs on each computer.

If you are operating a network of any modest complexity, you are already heavily invested in the syslog protocol. This capability is already built into many of your critical systems, and the information it carries is highly pertinent to your business operations. Syslog is one of the oldest management protocols, but it is not deprecated or obsolete. It is a mainstay of network management and has become one of the most interoperable protocols currently in existence.

Syslog support on Windows platforms

Syslog is extensively supported on UNIX and is also supported by Cisco, Juniper, and many other hardware vendors. However, syslog is not supported out of the box on Windows platforms. To permit BMC Defender Server to work with Windows platforms, the standard BMC Defender Server program includes redistributable utilities. These utilities are referred to as the BMC Defender Agent for Windows.

  • BMC Defender Server syslog message service program—The BMC Defender Server includes the redistributable CO-sysmsg.exe program that can be installed as a service on Windows platforms. This program monitors the Windows Event Logs, and sends syslog messages of appropriate facilities and severities to the BMC Defender Server.
  • BMC Defender Server log file monitor—The CO-sysmsg.exe program, as described previously, in addition to monitoring the Windows event logs, can be configured to continuously tail streaming log files, looking for match patterns. This provides a simple way of instrumenting any Windows streaming log file (including Oracle error logs, HTTP transfer logs, and other application software logs) to send syslog messages.
  • Sendlog program—The BMC Defender Server includes the redistributable sendlog.exe program, which can send arbitrary syslog messages to the BMC Defender Server. This utility is easily installed and interfaced with Windows application programs, including the Windows Performance Manager.

Each of the preceding utilities runs as a non-intrusive Windows service on all Microsoft platforms, including Win200X, XP, and Vista platforms. You can select any or all of the preceding techniques to quickly add syslog capability to a Windows system. For more information, see BMC Defender Agent for Windows.
