Sampling syslog software
Last week we discussed syslog, the standard mechanism for collecting status and log messages from hosts and network devices, and we looked briefly at the format of a syslog message. There's a lot more to the standard, and we encourage you to read the relevant IETF document, RFC 3164, "The BSD syslog Protocol".
The syslog protocol is very useful, but be warned that it has its deficiencies. It isn't secure: messages travel as plain UDP datagrams to Port 514 with no authentication and no sender validation, so both a message and the source address it appears to come from are relatively easy to fake. Overly long messages are another weak spot; sending syslog messages greater than the standard maximum of 1,024 bytes has been used in an exploit against syslog implementations that didn't check the length. Anyway, we will forgo delving any deeper into the bowels of syslog and instead look at syslog products.
The one that caught our eye and triggered last week's exposition of the syslog protocol was WinSyslog from Adiscon GmbH.
WinSyslog is a multithreaded win32 service that runs under all Windows versions and can log syslog messages to the screen display, an NT event log, an Open Database Connectivity (ODBC) data source and flat ASCII files. It also can send e-mail alerts.
WinSyslog can process messages according to rules that let you determine how to handle the message. For example, you can send e-mail alerts or store the message in a database or file. You also can define rules that forward messages to other syslog servers (that is the relay configuration we discussed last week).
Configuration is done through a separate client program that can be launched from the WinSyslog server or on its own. This separation is clumsy.
There's also a Web front end so you can remotely review the syslog messages, but it isn't included in the distribution and you must download it separately. It consists of four Active Server Pages and an unhelpful help file. The installation instructions are nonexistent and you'd better understand ODBC configuration if you want to get the Web interface working.
Until you purchase a license (very affordable at $50), WinSyslog will run in freeware mode that presents a scrolling display of the 60 most current messages.
We haven't even begun to cover all that WinSyslog can do, and overall the tool is very good, but it could use a little polishing. While the documentation is very good, leaving the Web interface practically undocumented is unfortunate.
We award Adiscon's WinSyslog eight gearteeth out of 10.
There are syslog servers other than WinSyslog available, but how do you test them? Well, you could write a test application. A great starting point is freeware Visual Basic 6 source code you can use to send syslog messages. You can find the tool on the Kiwi Enterprises downloads page.
You'll also find other interesting freeware tools there, including Kiwi's Syslog Message Generator for Win9x, ME, XP, NT4 and 2000.
This tool is terrific! It lets you select the address of the target syslog server and send syslog messages from either the local machine's IP address, a fake random Class C address or a fake random address on the local subnet. You also can select the destination port if the syslog server is not using Port 514, and there are several options for the source port value. Note that you can't select 514 as the source port when the destination port is also 514, even though RFC 3164 recommends that the source port be 514 as well.
You can create streams (continuous messages) or bursts of messages (up to 500 per second), select message content (default, custom, sequential numbering in the text), have invalid messages sent (corrupted and/or overly long content) and set several other options that could stress a syslog server.
This is not only a great tool for stress testing a syslog server, it also is invaluable for testing a system of syslog servers and relays to ensure that syslog reporting and forwarding behaves as intended.
We award Kiwi Syslog Message Generator 10 gearteeth out of 10!
Connect to whatever port you like at gearhead@gibbs.com.
RELATED LINKS
As easy as falling off a syslog
Last week's Gearhead column.
Gibbs Forum
The place to discuss Gibbs's columns.