Protocols used for syslog collection - TCP, UDP, RELP

In this page

  • User Datagram Protocol (UDP)
  • Transmission Control Protocol (TCP)
  • Reliable Event Logging Protocol (RELP)
  • Monitoring syslogs

Syslogs are the logs generated from Linux/Unix devices and other network devices like switches, routers and firewalls The syslogs can be centralized by aggregating them to a server called the syslog server, syslog daemon or syslogd. Transmission of syslogs from the devices to the syslog daemons happens with the help of TCP, UDP and RELP protocols.

User Datagram Protocol (UDP)

UDP is a connectionless and unreliable protocol. So, the syslog messages sent to the syslog daemon do not return any receipt acknowledgment. By default, the syslog transmission over UDP protocol happens through port 514. However, the user can always change this port number.

Generally it is not recommended to transmit using UDP, as syslog packets may not be properly received at the syslog server, and vital information could be lost.

You have to configure a server to act as a syslog daemon by enabling it to listen on UDP port 514.

  • Open etc/syslog.conf file in your terminal.
  • Identify the below statements and uncomment them.
    • $ModLoad imudp
    • $UDPServerRun 514
  • Restart the machine and check if the changes are applied

Transmission Control Protocol (TCP)

TCP is a connection-oriented and reliable transmission protocol that can use the same port 514 to send syslog messages to syslog daemons. TCP is used by default for data transmission in syslog collecting tools like rsyslog and syslog-ng. The syslogd sends an acknowledgement for every syslog message received. This ensures all the sysog messages are stored in a single repository.

You can configure a server to act as a syslog daemon and enable it to listen on TCP port 514 using the below commands.

  • Open etc/syslog.conf file in your terminal.
  • Identify the below statements and uncomment them.
    • $ModLoad imudp
    • $UDPServerRun 514
  • Restart the machine and check if the changes are applied

Reliable Event Logging Protocol (RELP)

RELP, originally developed for rsyslog-rsyslog communication, is a networking protocol which helps in reliable transmission of event messages to the destinations. RELP uses TCP for transmission of syslogs. However, it provides the additional functionality of identifying the messages that are properly received at the syslog daemon using a backchannel. Backchannels can view the syslog messages that are sent from devices and simultaneously listen to them at the receiver end.

If there is a sudden connection termination during syslog transmission, RELP solves the ambiguity of whether the message that was in transmission was received at the syslog server or not. It conveys a message back to the sender about the syslogs processed by the syslog server.

Monitoring syslogs

Syslogs contain vital information about events taking place in your network. Transmitting the syslogs securely to a centralized location and analyzing them makes it easier to troubleshoot critical events. Though it is possible to manually analyze the syslogs using grep and other commands, it is a time-consuming and tiring process. An automated log management solution such as EventLog Analyzer can collect, parse and analyze syslogs from devices across the network.

EventLog Analyzer can also correlate these syslogs with the rest of the network logs and identify security incidents and threats in real-time. The solution offers predefined reports and alert profiles that help you with security auditing and compliance management. Check out more about EventLog Analyzer here.

What's next?

Ensure secure and compliant log collection with EventLog Analyzer’s robust support for all major syslog protocols.