Monitor syslog messages with Kiwi Syslog Server
Optimize your environment with thorough syslog monitoring
Syslog monitoring can improve your organization’s maintenance and security and help you troubleshoot issues quickly.
Beyond simply collecting syslog messages in a centralized location, you’ll want syslog monitoring software with syslog filtering, centralized syslog management, syslog alerting, and syslog reporting functionalities to get the most out of incoming logs. These capabilities can help you react to performance issues and security threats as fast as possible. If you use SolarWinds® Kiwi Syslog® Server to monitor your syslog messages, you can create automated responses to specific syslog messages.
Find critical logs with Kiwi Syslog Server’s syslog filtering functionality
Devices on your network generate hundreds of logs. Reviewing large amounts of log data in search of issues or signs of malicious behavior is like searching for a needle in a haystack.
Kiwi Syslog Server simplifies the process of reviewing syslog messages with its advanced filtering capabilities. With this server log monitoring tool, you can filter messages by input source, message text, host IP address or name, time of day, or priority level to quickly find the most interesting data, helping you catch threats and issues.
Save time with centralized syslog management
Network devices, such as your routers, firewalls, and switches, create hundreds of logs each minute. Monitoring and managing logs is an essential part of any security strategy, but with such a large amount of incoming logs every minute, reviewing and acting on log data by system is a nearly impossible task.
A centralized syslog management system can simplify and accelerate managing your network devices’ syslog messages and SNMP traps. With Kiwi Syslog Server, you can centrally monitor and react to syslog messages from UNIX, Linux, and Windows systems, saving you time and frustration and helping you locate and combat potential security threats. For example, Kiwi Syslog Server can automatically run scripts, send emails, or log messages to a file.
Stay on top of potential security threats and quickly troubleshoot issues with syslog alerting
Security threats are always looming, and knowing when and where they occur is the only way to stay ahead of them. Kiwi Syslog Server is a robust and highly customizable syslog alerting tool designed to help you stay on top of potential security threats.
Configuring a Kiwi Syslog Server rule to alert you when a syslog message passes every filter in the rule can better prepare you to handle threats and other issues within your network. You can easily add actions to rules, so Kiwi Syslog Server will play a sound, display a message, or send you or a colleague an email or SMS message when a syslog message passes all of a rule's filters.
Understand your devices and demonstrate compliance with syslog reporting
Regulatory noncompliance can result in hefty fines and severe penalties. Documentation can be an essential part of preparing for and passing compliance audits. Kiwi Syslog Server offers syslog reporting, helping you with audit and compliance requirements.
View the number of messages received in the last hour or day as graphs and tables, including a breakdown of messages by priority level and your top 20 sending hosts with their percentage of total traffic. Kiwi Syslog Server can also tell you how many messages and errors were logged to disk, how many messages were forwarded to another syslog server, and how much disk space you have left, as well as custom statistics.
In addition to viewing syslog statistics, Kiwi Syslog Server can email you reports at a selected interval, like every one, two, three, four, six, or eight hours. You can receive statistics every 12 hours, daily, weekly, or monthly via email. The email will include information on remaining disk space, log file size, and the quantity and origin of your syslog messages.
Get More on Syslog Monitoring
What is centralized syslog monitoring?
If your network uses syslog protocol to send log messages to a central server, engaging in robust syslog monitoring should be one of your top priorities. By monitoring syslog messages, you can analyze your logs, identify anomalous actions within your network, minimize or prevent downtime, and troubleshoot network incidents faster to maintain optimal network performance. Syslog message monitoring can simplify security audits and policy compliance and provide valuable insight into your services, devices, and systems.
However, monitoring, collecting, and managing logs from your network’s devices and servers can be time-consuming and overwhelming. After all, your network’s servers, routers, firewalls, and switches create thousands of logs every second, making monitoring logs without a dedicated tool nearly impossible. A centralized server log monitoring tool streamlines the process of monitoring and managing your logs, saving you time and energy. Centralized syslog monitoring software like Kiwi Syslog Server is built to give you insights into potential security threats and allow you to monitor, collect, and archive logs in real time.
How to improve syslog messages monitoring by using filters and defining rules
You can monitor syslog messages more effectively in the Kiwi Syslog Server by defining rules and using filters. This robust syslog monitor offers the ability to define up to 100 rules (and 100 filters and 100 actions per each rule), so you can process and respond to syslog messages according to your criteria and needs. Kiwi Syslog Server offers keyboard shortcuts to simplify deleting, inserting, copying, pasting, moving, renaming, and auto-naming your rules, filters, actions, and schedules.
Rules tell Kiwi Syslog Server how to process incoming syslog messages, including which messages trigger which actions. If a rule applies to a log message, Kiwi Syslog Server compares the message to each filter in the rule, starting at the top. If any filter condition is false, Kiwi Syslog Server stops processing that rule and applies the next rule to the message. If a filter condition is true, Kiwi Syslog Server repeats the process with the following filter. If a message passes every filter in a rule, Kiwi Syslog Server performs all of the rule's actions in order. Once it’s finished with all the filters and actions in your first rule, Kiwi Syslog Server moves on to the following rule, so the order in which your rules are listed matters.
Adding rules to determine which actions occur after a message is received is easy. To start, select File then Setup from the Kiwi Syslog Service Manager. Then click Rules and Add Rule in the Kiwi Syslog Server dialog box to add a new rule to the tree. Finally, rename the rule, add rule filters and rule actions, and save your changes by clicking OK. After creating a rule, you can easily export it to share with another Kiwi Syslog Server user by choosing File and Setup within the Kiwi Syslog Service Manager and right-clicking a rule. Then, select Export rule and pick a location to save your rule before clicking Save.
You can set filters to control whether a message triggers a rule’s actions. SolarWinds Kiwi Syslog Server enables you to filter messages based on IP address, priority, time of day, hostname, input source, regular expressions, and message text. Once you’ve created your filters, Kiwi Syslog Server will automatically apply them in the order they’re listed, but if you forgo filters, every message will trigger an action.
You can configure Kiwi Syslog Server to perform a specific action when a message passes through all of a rule’s filters. Common actions include:
- Running a script or external program
- Sending an SMS message or an email
- Logging incoming messages to a file, Papertrail™, Loggly®, or Kiwi Server Web Access
- Sending a syslog message or an SNMP trap
- Resetting counters and flags
- Playing a sound
- Displaying a message
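The rule, filter and action model described above, as an added example that is not Kiwi Syslog Server code: a small Python evaluator over constructed syslog messages that parses the <PRI> header into facility and severity, checks each rule's filters in order, stops a rule at its first false filter, runs the actions of any rule whose filters all pass, and then continues with the next rule. The hosts, messages, rule names and the ALERTS list are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample input, not captured from a real device. BSD-style syslog text starts
# with "<PRI>": PRI = facility * 8 + severity, severity 0 (emergency) to 7 (debug).
SAMPLE_MESSAGES = [
    ("10.0.0.1", "<30>Jun 12 10:01:02 fw1 kernel: link up on eth0"),
    ("10.0.0.1", "<19>Jun 12 10:01:05 fw1 sshd: Failed password for root"),
    ("10.0.0.2", "<35>Jun 12 10:01:09 sw1 login: authentication failure for admin"),
    ("10.0.0.3", "<17>Jun 12 10:01:11 rtr1 bgp: peer 10.0.0.9 down"),
    ("10.0.0.9", "garbage without a priority header"),
]

def parse_message(host: str, raw: str):
    """Split the PRI header into facility/severity; None if it is missing or out of range."""
    m = re.match(r"^<(\d{1,3})>(.*)$", raw, re.DOTALL)
    if not m or int(m.group(1)) > 191:          # 23 * 8 + 7 is the largest legal PRI
        return None
    pri = int(m.group(1))
    return {"host": host, "facility": pri // 8, "severity": pri % 8, "text": m.group(2)}

def apply_rules(rules: list, host: str, raw: str) -> List[str]:
    """Rules in order; a rule stops at its first false filter; all its actions run when
    every filter is true; then the next rule. A rule is (name, filters, actions)."""
    msg = parse_message(host, raw)
    if msg is None:
        return []
    fired = []
    for name, filters, actions in rules:
        if all(f(msg) for f in filters):        # all() stops at the first false filter
            for act in actions:
                act(msg)
            fired.append(name)
    return fired

# Hypothetical rule set with priority, message-text and host filters; the "actions" only
# record what would be emailed or texted so the example runs offline.
ALERTS: List[str] = []
RULES = [
    ("auth-failures",
     [lambda m: m["severity"] <= 4, lambda m: re.search(r"fail", m["text"], re.I) is not None],
     [lambda m: ALERTS.append(f"email: {m['host']} {m['text']}")]),
    ("router-errors",
     [lambda m: m["host"] == "10.0.0.3", lambda m: m["severity"] <= 3],
     [lambda m: ALERTS.append(f"sms: {m['text']}")]),
]

def run_samples() -> Dict[str, List[str]]:
    """Feed every sample through RULES; returns {raw message: [names of rules that fired]}."""
    return {raw: apply_rules(RULES, host, raw) for host, raw in SAMPLE_MESSAGES}
```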
How can I configure devices to send messages to Kiwi Syslog Server to start syslog monitoring?
Configuring your syslog-capable devices to start sending messages to Kiwi Syslog Server for syslog monitoring is easy. To start, ensure your device has its message logging capabilities enabled. Most devices capable of generating syslog messages enable logging automatically, but it’s still a good idea to double-check. Then, set up your device to send syslog messages to a port (usually port 514) on the computer running Kiwi Syslog Server.
RFC 5426 names port 514 as the default port for syslog messages over UDP. Kiwi Syslog Server listens for User Datagram Protocol (UDP) messages on port 514 by default. If this doesn’t suit your needs, you can easily configure Kiwi Syslog Server’s settings to listen for Transmission Control Protocol (TCP) messages, secure TCP messages, and Simple Network Management Protocol (SNMP) traps instead of UDP messages, and you can configure it to listen for UDP, TCP, secure TCP, or SNMP messages on a different port.
To configure UDP input options, open the Kiwi Syslog Server Setup dialog box by clicking File then Setup. Then expand the Inputs node, click UDP, and specify the port on which you’d like to listen for UDP messages. Any port value between 1 and 65535 will work, provided the device transmitting the syslog messages supports the new port number. For most people it’s best to leave the Bind to address field blank and allow the UDP socket to listen for messages on all interfaces; specifying an IP address in the Bind to address field limits binding to that specific interface. You can establish which decoding method will be applied to incoming data by selecting an encoding format from the drop-down menu or entering the code page number under the Data encoding section. After configuring your settings, save changes by clicking Apply.
Configuring TCP, secure TCP, and SNMP trap input options is just as simple. Instead of clicking UDP under the Inputs node, select TCP or SNMP, then configure your settings. For example, the default port for TCP syslog messages is 1468, but you can choose a different port number. As with UDP messages, you can alter the Bind to address field and the data encoding format. Then, specify your message delimiters, also known as separators: the character or sequence of characters that splits a TCP stream into separate syslog messages.
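The TCP delimiter behaviour described above, as an added example that is not Kiwi Syslog Server code: a Python framer that splits a TCP byte stream on a configured separator, holds a partial message until the next segment completes it, and copes with a delimiter that itself straddles two segments. The sample segments, the CRLF delimiter and the size limit are constructed for the example.

```python
from typing import List, Tuple

# Constructed sample TCP segments (not a real capture). The delimiter is CRLF; the second
# message is split across segments, and the delimiter itself is split across the last two.
DELIM = b"\r\n"
CHUNKS = [
    b"<34>Jun 12 10:02:01 fw1 sshd: Accepted publickey for ops\r\n<11>Jun 12 10:02:03 fw1 ker",
    b"nel: Out of memory: Killed process 1234\r",
    b"\n<14>Jun 12 10:02:04 fw1 cron: job ran",
]

def split_stream(pending: bytes, chunk: bytes, delim: bytes = DELIM) -> Tuple[List[bytes], bytes]:
    """Append a segment to the pending bytes and return (complete messages, leftover).
    Re-splitting the whole buffer handles a delimiter that straddles two segments."""
    *complete, rest = (pending + chunk).split(delim)
    return [m for m in complete if m], rest        # drop empty frames from doubled delimiters

def frame_all(chunks: List[bytes], delim: bytes = DELIM,
              max_len: int = 8192) -> Tuple[List[bytes], bytes]:
    """Frame every segment in order; returns (messages, bytes still waiting for a delimiter).
    A leftover that grows past max_len without a delimiter is dropped instead of being
    buffered forever, so a sender that never sends the separator cannot exhaust memory."""
    messages, pending = [], b""
    for chunk in chunks:
        done, pending = split_stream(pending, chunk, delim)
        messages.extend(done)
        if len(pending) > max_len:
            pending = b""
    return messages, pending
```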
How does syslog monitoring work in Kiwi Syslog Server?
As a network or system engineer, you’ll want to use a syslog management tool to collect and monitor syslog messages from your network’s devices. Kiwi Syslog Server can collect syslog data from an unlimited number of devices, so you can easily monitor all your switches, firewalls, and routers.
In addition to monitoring syslog messages, Kiwi Syslog Server can collect Simple Network Management Protocol (SNMP) traps from Unix, Linux, and Windows systems, enabling you to view essential information across your IT infrastructure in a centralized location.
You can view your data in real-time with the user-friendly syslog viewer web console from anywhere in the world with web access. Kiwi Syslog Server’s web console has 25 customizable views and syslog statistics graphs, so you can quickly understand and troubleshoot network or device performance issues. You can filter syslog messages by host IP address, priority, hostname, or time of day to locate crucial messages.
Beyond simply collecting and monitoring syslog messages, SNMP traps, and Windows event logs, Kiwi Syslog Server can respond to syslog messages thanks to its built-in actions.
Other Kiwi Syslog Server advantages include the ability to:
- Archive syslog messages on disks, files, or ODBC-compliant databases
- Forward messages to other SolarWinds IT management tools like Loggly, Papertrail, Security Event Manager (SEM), and Network Performance Monitor (NPM)
- Keep your inbox clear thanks to Kiwi Syslog Server’s advanced message buffering capabilities
- Store, archive, and clean up logs to help demonstrate compliance with SOX, PCI-DSS, and HIPAA
“With a centralized location for all syslog messages, we are able to pinpoint issues more quickly with network equipment.”
Network Communications Manager
Columbia County Board Of Commissioners