Q

Should syslog format be mandatory in a log management product?

Matt Pascucci discusses what to look for when evaluating a log management product and whether syslog format should be a requirement.

We're considering a network log management product, but the vendor isn't committed to the syslog format. While there's really no network logging standard, syslog is the closest thing to it. Should lackluster syslog support be a deal-breaker?


When searching for a network log management product, syslog is indeed an important consideration. While there is no defined standard for the contents of log traffic, the syslog protocol is an important standard for ensuring the interoperability of systems that create logs and servers that collect them. Syslog allows organizations to stand up a log collection infrastructure without needing to coordinate the log transmission capabilities of a wide variety of log providers.

In my opinion, if a network log management provider can't support syslog, it's a deal breaker. Companies like Cisco Systems Inc., Check Point Software Technologies Ltd., Juniper Networks Inc. and Palo Alto Networks Inc. all support logging via syslog in their products, and there isn't much those companies agree on.

So if a vendor claiming to be a network log management provider can't successfully parse or store logs within this format, then I fear they'll have a very short life as a company.

Not only is syslog format used for almost all network security systems and appliances, but Linux and Unix boxes use it for logging as well. As it seems that most network appliances these days are running some flavor of Linux, syslog is only going to become more of a de facto standard for logging as these appliances grow in popularity.

My advice is to drop this vendor and move toward others that support this format, which should be just about anyone else, and watch how they parse the syslog after it's collected. I've personally never seen a log management product that's had trouble with the syslog format. I've seen issues with collecting Windows event logs without agents in the past, but never an issue with syslog.

Creating an RFP with the questions and priorities you need in a log management product would come in handy when looking for and evaluating future solutions. If you come up with other needs that the system must have, I would suggest creating a proposal and sending it to vendors first to fill out before getting involved with them. Knowing upfront what they can and can't provide will help lay some expectations as to which solution will be the best fit for your company's needs.
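As an added illustration of the "parse the syslog after it's collected" check above (example code written for this page, not from the expert or any vendor product): a minimal parser that accepts both the older BSD layout (RFC 3164) and the structured RFC 5424 layout, splits PRI into facility and severity, and reports lines it cannot parse instead of silently dropping them. The two sample lines are constructed; the hostnames and messages are assumptions.

```python
import re
from typing import Optional

# Constructed samples: one RFC 5424 line (as a newer firewall might emit) and
# one BSD/RFC 3164 line (as a Linux host's syslog daemon emits). Not real logs.
SAMPLES = [
    "<165>1 2013-03-01T12:34:56.003Z fw01 pan 1234 - - Traffic deny src=10.0.0.5",
    "<34>Mar  1 12:34:56 gw01 sshd[2093]: Failed password for invalid user test",
]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d)\s(?P<ts>\S+)\s(?P<host>\S+)\s(?P<app>\S+)\s"
    r"(?P<pid>\S+)\s(?P<msgid>\S+)\s(?P<sd>-|\[.*?\])\s?(?P<msg>.*)$"
)
# RFC 3164 (BSD): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<msg>.*)$"
)


def parse_syslog(line: str) -> Optional[dict]:
    """Parse one line in RFC 5424 or RFC 3164 layout; None if neither matches."""
    for fmt, rx in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = rx.match(line)
        if m:
            pri = int(m.group("pri"))
            if pri > 191:  # PRI = facility*8 + severity; 23*8 + 7 is the maximum
                return None
            fields = m.groupdict()
            fields.update(format=fmt, facility=pri >> 3, severity=pri & 7)
            return fields
    return None


def summarize(lines) -> dict:
    """Count parsed lines per layout plus unparsed ones, to measure parser coverage."""
    counts = {"rfc5424": 0, "rfc3164": 0, "unparsed": 0}
    for line in lines:
        rec = parse_syslog(line)
        counts[rec["format"] if rec else "unparsed"] += 1
    return counts


if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_syslog(s))
    print(summarize(SAMPLES + ["not a syslog line"]))
```

An "unparsed" count that is not zero on a vendor's sample feed is exactly the kind of gap to look for during evaluation.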

This was first published in March 2013
