Syslog Monitoring

Syslog monitoring was added in FrameFlow v2016.6. Let’s go over the new features and options.

What is Syslog and What are its Uses?

What is Syslog? It’s a protocol used by Linux-based systems and various types of networking gear. Syslog messaging works in a fashion similar to SNMP traps: you configure your syslog devices to send messages to a central server, which decides how to handle them. For example, your Cisco switch can be configured to send syslog messages when link status changes for any port or when console logins fail.

Figure: Examples of Cisco syslog messages.

Generic Protocol

Syslog is a very generic protocol that allows for multiple uses. Each syslog message includes two standard codes. The first is called the “facility code” and it can have one of 24 different values that help to categorize each syslog message. Unfortunately many of these were set in stone in the early days of Unix so they are rarely applicable now. For example, code 6 is reserved for messages about the “line printer subsystem.” Luckily the protocol designers added 8 generic facility codes called local0 through local7. These local codes are the ones that are typically used now.

The second is called the “priority level” code (the RFC calls it the severity) and it has 8 values of its own: Emergency, Alert, Critical, Error, Warning, Notice, Informational, and Debug. These are often used for filtering messages. For example, you could configure a device to only send syslogs for emergency and critical conditions.

Alongside the two standard codes comes the message itself, a text string that can carry whatever the device wants to deliver. No standard defines the content of the message, so manufacturers typically define their own formats on a case-by-case basis.

FrameFlow Syslog Receiver

Starting with v2016.6, the FrameFlow monitoring service includes a syslog receiver. That means you can configure your devices to send syslog messages to your FrameFlow system, and they will automatically be received and recorded. The next step is monitoring. In your FrameFlow configuration, add a new event monitor and select the Syslog event monitor. It has options to convert the priority and facility codes into text strings. It also has options to scan the syslog message for specified keywords and text strings. There are four keyword fields corresponding to the four severity levels implemented for FrameFlow alerts.

Figure: Available syslog monitoring options.

Event Monitor Configuration

The Syslog event monitor runs locally on the FrameFlow system. Since it does not need to reach out over the network, it runs very quickly, and that’s good news because you probably want timely alerts about incoming syslog messages. For these reasons, it’s usually a good idea to set the event monitor to run on a fairly fast schedule, perhaps every 15 seconds or even faster.

Syslog Wrap Up

We hope you’ve enjoyed this summary of the syslog protocol, how it’s used and how you can monitor it using FrameFlow. To get started with it just make sure you are running v2016.6 or later and then add your syslog event monitor.