Logs are the eyes and ears of your network; they capture events and tell you when fire breaks out. Whether it is building a firewall rule set, tuning an IDS or validating which ports should be open on a server, logs are going to give you the information you need to make these critical decisions--if you are looking.
It's practically impossible to wade through the volumes of log data produced by all your servers and network devices. It is critical to put all events into a single format so they can be analyzed and correlated. Syslog exists in native form for most non-Windows operating systems and devices including Unix, all Unix daemons, routers, firewalls, switches and Web servers. There are free and commercial tools, such as Kiwi Enterprises' Kiwi Syslog Daemon, that allow Windows to integrate with syslog. (See "Syslog for Windows")
With a relatively small investment of time, you can start reaping the following benefits of syslog:
- Visibility into network activity.
- Creation of a central repository for host logs, giving you a single location for backing up or analyzing log files.
- Correlation across many diverse systems. Typi-cally, for example, server logs are viewed independent from router logs. With syslog, you can view them all together to better understand what's happening on your network.
- Validation for other devices. A syslog server can make sure other devices are working properly. For example, if a firewall is supposed to be blocking a certain type of traffic that appears in a syslog entry, it means something is not working or is configured incorrectly.
- Detection of attacks by enabling you to quickly spot potentially malicious events.
