We're considering a network log management product, but the vendor isn't committed to the syslog format. While there's really no network logging standard, syslog is the closest thing to it. Should lackluster syslog support be a deal-breaker?
Ask the Expert!
Have questions about network security for expert Matt Pascucci? Send them via email today! (All questions are anonymous.)
When searching for a network log management product, syslog is indeed an important consideration. While there is no defined standard for the contents of log traffic, the syslog protocol is an important standard for ensuring the interoperability of systems that create logs and servers that collect them. Syslog allows organizations to stand up a log collection infrastructure without needing to coordinate the log transmission capabilities of a wide variety of log providers.
In my opinion, if a network log management provider can't support syslog, it's a deal breaker. Companies like Cisco Systems Inc., Check Point Software Technologies Ltd., Juniper Networks Inc. and Palo Alto Networks Inc. all support logging via syslog in their products, and there isn't much those companies agree on.
So if a vendor claiming to be a network log management provider can't successfully parse or store logs within this format, then I fear they'll have a very short life as a company.
Not only is syslog format used for almost all network security systems and appliances, but Linux and Unix boxes use it for logging as well. As it seems that most network appliances these days are running some flavor of Linux, syslog is only going to become more of a de facto standard for logging as these appliances grow in popularity.
My advice is to drop this vendor and move toward others that support this format, which should be just about anyone else, and watch how they parse the syslog after it's collected. I've personally never seen a log management product that's had trouble with the syslog format. I've seen issues with collecting Windows event logs without agents in the past, but never an issue with syslog.
Creating an RFP with the questions and priorities you need in a log management product would come in handy when looking for and evaluating future solutions. If you come up with other needs that the system must have, I would suggest creating a proposal and sending it to vendors first to fill out before getting involved with them. Knowing upfront what they can and can't provide will help lay some expectations as to which solution will be the best fit for your company's needs.
This was first published in March 2013