Re: [Syslog] Syslog message to Remote Server

Rainer Gerhards <> Tue, 26 February 2013 10:34 UTC

From: Rainer Gerhards <>
To: "Aditya Dogra (addogra)" <>
Date: Tue, 26 Feb 2013 10:34:47 +0000
Message-ID: <1361874887.37195.8.camel@localhost>

Sorry for the late reply, have been off to a conference...

On Thu, 2013-02-21 at 16:25 +0000, Aditya Dogra (addogra) wrote:

> Currently syslog messages collected locally on the network device are
> transmitted to the remote syslog servers as per RFC 5424 (UDP protocol
> used for transmission)

RFC5424 does NOT specify UDP transport. In fact, it does not specify any
transport at all, it just describes the format and the stack. Transport
mappings are done in

RFC5425 - TLS (TCP), the recommended protocol
RFC5426 - UDP

There is also the historic RFC6587 on industry-standard plain TCP, but this
is just for interoperating with legacy systems, not for new
implementations. It is strongly discouraged to use that in new systems.

> and RFC 3195 (TCP protocol used for transmission)

RFC3195 is a bit dated and would need to be changed to base on RFC5424.
This has not yet been done as there was no notable implementation of

> However, we have observed that increasingly, customers are using
> syslog messages archived in the remote server for business logic .
> In some networks, it is possible that some of the syslog messages may
> be dropped due to link failure or other network conditions. 
> However, the customers are expecting much higher resiliency for the
> syslog messages. 
> The questions we seek clarification are: 
> a)         What are the expectations from the external syslog
> delivery? 

There is a very small window of exposure, see section 5.3 of RFC5425. I
also wrote a somewhat more elaborate blog post on this problem, which
may be useful for you:

> b)         Should we rely on syslog's alone ? Please note that SNMP
> traps functionality for network management is also there.?

That's something that you need to answer based on your use cases and
requirements. As far as my personal experience goes, the loss potential
is very slim, and lots of our customers use the RFC protocols to do biz
critical things. Some use other protocols in addition.

side-note: modern-day syslogd implementations do not rely on the syslog
protocol alone. They accept input from a wide variety of sources,
including SNMP.
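The distinction drawn in the reply above, message format (RFC 5424) versus transport mapping (RFC 5425 TLS, RFC 5426 UDP, RFC 6587 plain TCP), illustrated with an added Python example that is not part of this thread or of any of the projects mentioned in it. It builds and parses an RFC 5424 message, then applies the octet-counting frame (MSG-LEN SP SYSLOG-MSG) that RFC 5425 and RFC 6587 lay over a byte stream; RFC 5426 needs no frame because one datagram carries exactly one message. All sample values (hostnames, timestamps, SD-IDs) are constructed.

```python
"""Added example: RFC 5424 message format versus its transport mappings.

RFC 5424 defines only the message layout.  RFC 5425 (TLS) and RFC 6587
(plain TCP, octet-counting) prefix each message with its length so a byte
stream can be split back into messages; RFC 5426 (UDP) needs no frame,
because one datagram carries exactly one message.  Sample values below
are constructed, not taken from any real device."""
import re

NIL = "-"  # RFC 5424 NILVALUE


def pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity (RFC 5424 section 6.2.1)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def build_message(facility, severity, timestamp, hostname, app,
                  procid=NIL, msgid=NIL, sd=NIL, msg=None) -> bytes:
    """Assemble SYSLOG-MSG = HEADER SP STRUCTURED-DATA [SP MSG], VERSION 1."""
    text = (f"<{pri(facility, severity)}>1 {timestamp} {hostname} {app} "
            f"{procid} {msgid} {sd}")
    if msg is not None:
        text += " " + msg
    return text.encode("utf-8")


def frame(message: bytes) -> bytes:
    """Octet-counting frame: MSG-LEN SP SYSLOG-MSG (RFC 5425 / RFC 6587)."""
    return f"{len(message)} ".encode("ascii") + message


def deframe(stream: bytes):
    """Split a TCP/TLS byte stream into complete messages.

    Returns (messages, remainder).  The remainder is whatever trailing
    bytes do not yet form a complete frame and must be kept for the
    next read; a receiver that discards it would lose a message."""
    messages, pos = [], 0
    while pos < len(stream):
        m = re.match(rb"([1-9][0-9]*) ", stream[pos:])
        if m is None:
            break                      # length prefix incomplete or malformed
        length, start = int(m.group(1)), pos + m.end()
        if start + length > len(stream):
            break                      # body not fully received yet
        messages.append(stream[start:start + length])
        pos = start + length
    return messages, stream[pos:]


# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID,
# followed by the SP that separates it from STRUCTURED-DATA.
_HEADER = re.compile(r"^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ")


def parse(message: bytes) -> dict:
    """Decode one RFC 5424 message into its fields (MSG is None if absent)."""
    text = message.decode("utf-8")
    m = _HEADER.match(text)
    if m is None:
        raise ValueError("not an RFC 5424 header")
    p = int(m.group(1))
    if p > 191:
        raise ValueError("PRI out of range")
    rest = text[m.end():]
    if rest.startswith(NIL):
        sd, rest = NIL, rest[1:]
    else:
        # One or more SD-ELEMENTs "[...]"; inside PARAM-VALUE the characters
        # '"', '\' and ']' are backslash-escaped, so skip the escaped char.
        i = 0
        while i < len(rest) and rest[i] == "[":
            j = i + 1
            while j < len(rest) and rest[j] != "]":
                j += 2 if rest[j] == "\\" else 1
            if j >= len(rest):
                raise ValueError("unterminated SD-ELEMENT")
            i = j + 1
        if i == 0:
            raise ValueError("STRUCTURED-DATA must be '-' or [..] elements")
        sd, rest = rest[:i], rest[i:]
    msg = rest[1:] if rest.startswith(" ") else None
    return {
        "pri": p, "facility": p // 8, "severity": p % 8,
        "version": int(m.group(2)), "timestamp": m.group(3),
        "hostname": m.group(4), "appname": m.group(5),
        "procid": m.group(6), "msgid": m.group(7), "sd": sd, "msg": msg,
    }


if __name__ == "__main__":
    # Constructed sample: a link-down event followed by a nil-valued message.
    m1 = build_message(4, 6, "2013-02-26T10:34:47Z", "router1", "syslogd",
                       "1234", "ID47", '[exampleSDID@32473 iut="3"]', "link down")
    m2 = build_message(1, 5, NIL, "router1", "app")
    msgs, rest = deframe(frame(m1) + frame(m2))
    assert msgs == [m1, m2] and rest == b""
    print(parse(m1))
```

The remainder that deframe hands back is the bookkeeping a stream receiver (RFC 5425 or RFC 6587) must do so that a message split across two reads is not dropped; an RFC 5426 receiver has no such buffer, and a datagram the network loses is simply gone, which is the resiliency difference the thread is about.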