18 May 2012

Syslog ships with most Linux distros. Like many Linux-centric applications, it is non-trivial on Windows. To make it trivial, I use the free version of Kiwi Syslog Server (free for life, not a trial). The free version has some limitations, such as limited scrollback, but it gets the job done for most targeted troubleshooting.

Syslog defaults to UDP because it is low overhead, which matters for a logging utility that must never slow down the service it watches. Combined with the rudimentary nature of the messages (plain text, no delivery guarantee, no authentication of the source address), remote logging often calls for an aggregating relay that can secure the transport and enrich the information before it goes anywhere else. Because the transport is UDP, a separate inbound Windows Firewall rule (UDP port 514 by default) is required for the packets to reach the syslog computer. And because the communication is one-way, with no acknowledgement, it is hard to tell whether the datagrams actually arrive. For instance, testing UDP with PortQry.exe simply returns "LISTENING OR FILTERED": the sender got no reply (and no ICMP port-unreachable), so it has no way to know whether the packet reached the destination or was silently dropped by a firewall along the way.
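The one-way problem is easiest to see with a listener of your own, so here is an added Python example (not Kiwi's code, and not from the original post). It builds a BSD-syslog line, decodes the PRI field the way a receiver does, and shows that `sendto()` reports success whether or not anyone is listening; the only reliable check is at the receiving end. The hostnames, ports and the sample event are constructed for the example, and it uses loopback with OS-chosen ports so it runs offline.

```python
"""Added example: send an RFC 3164 syslog datagram over UDP and confirm at the
receiver that it arrived. Constructed sample data; not Kiwi's code."""
import re
import socket
from datetime import datetime

# PRI = facility * 8 + severity (RFC 3164 section 4.1.1; RFC 5424 keeps the encoding).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: CONTENT   (day is space-padded, e.g. "May  5")
_LINE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[ ]+)(?:\[(\d+)\])?: ?(.*)$",
    re.DOTALL,
)

# Fixed timestamp for reproducible output (constructed, not a real event time).
SAMPLE_WHEN = datetime(2012, 5, 18, 9, 3, 7)


def build_message(facility, severity, hostname, tag, content, when=None):
    """Format one BSD-syslog line; `when` defaults to now."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    ts = when or datetime.now()
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    return f"<{pri}>{stamp} {hostname} {tag}: {content}"


def parse_message(raw):
    """Decode a received line into its fields, or return None if it is malformed.
    Every field here is sender-supplied: plain UDP syslog authenticates nothing."""
    m = _LINE.match(raw)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:                       # 23 * 8 + 7 is the largest legal PRI
        return None
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group(2),
        "hostname": m.group(3),
        "tag": m.group(4),
        "pid": int(m.group(5)) if m.group(5) else None,
        "message": m.group(6),
    }


def send_datagram(message, host, port):
    """Fire-and-forget send. The byte count from sendto() is all a UDP sender
    ever learns; a filtered port and an unlistened port look identical to it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(message.encode("utf-8"), (host, port))


def check_delivery(message, host="127.0.0.1", timeout=2.0, simulate_blocked=False):
    """Bind a listener first (the role Kiwi plays), send to it, and report what arrived.
    Returns the parsed message, or None if nothing reached the listener within
    `timeout` seconds. With simulate_blocked=True the datagram goes to a port nobody
    holds, which from the sender's side is indistinguishable from a firewall drop."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind((host, 0))        # port 0: let the OS pick a free port
        listener.settimeout(timeout)
        target = listener.getsockname()[1]
        if simulate_blocked:
            # Grab and release a second ephemeral port so nothing is bound there.
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as spare:
                spare.bind((host, 0))
                target = spare.getsockname()[1]
        send_datagram(message, host, target)   # "succeeds" in both cases
        try:
            data, _peer = listener.recvfrom(65535)
        except socket.timeout:
            return None
        return parse_message(data.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    sample = build_message("local4", "warning", "win-host", "svc", "disk usage at 91%")
    print("arrived:", check_delivery(sample))
    print("blocked:", check_delivery(sample, timeout=1.0, simulate_blocked=True))
```

Run it once with the listener bound and once with `simulate_blocked=True`: the sender's `sendto()` returns the same byte count both times, and only the receiver side distinguishes the two. On the Windows side the inbound rule itself is the usual one-liner, `netsh advfirewall firewall add rule name="Syslog UDP" dir=in action=allow protocol=UDP localport=514`; if the stream still does not show up in Kiwi, run a listener like the one above on the same port to separate a firewall problem from a sender problem.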

Once Kiwi Syslog Server is configured and receiving packets, you see a real-time stream of log information. It quickly becomes overwhelming when too many services share the same server, but it is extremely valuable when dedicated to a small enough set of services that the stream can actually be read.

I anticipate that we will see quite a few cloud-based syslog analyzers over the next few years that provide syslog proxy services to install on your computer. It would be a convenient way to plug cloud-based storage and analysis engines into an existing network of applications.
