Monitoring syslog facilities with Paessler PRTG Network Monitor

When it comes to network monitoring, monitoring logs is crucial for maintaining security and operational visibility. Syslog, a standard protocol for message logging, offers many advantages for transmitting, centralizing and managing different types of log messages.

In this article, we will explore what syslog facilities are, how they work within Paessler PRTG Network Monitor, specifically to help you monitor and troubleshoot your network, servers, and associated infrastructure.

What is a syslog facility?

Syslog facilities are designations used to indicate what types of messages are being sent to syslog. The facilities can be used for various things including splitting messages by the intended uses of the message. Ideally, these will help identify the component of a device or operating system that generated a particular log message.

It's essentially a categorization mechanism that helps administrators identify the source of syslog messages. It can also help us filter messages, for example if we do not want to forward debug messages, we could keep them locally on a system but not use them for monitoring.  

The syslog protocol as defined in RFC5424 establishes several standard facilities, each represented by a numerical code known as a facility value:

These facility codes help organize log messages and allow administrators to filter and route them appropriately. For example, all authentication-related logs might be directed to a specific security monitoring system, while printer-related logs might be sent elsewhere.

Syslog severity levels

In addition to facilities, syslog messages also include severity levels that indicate the importance or urgency of the message:

The combination of facility and severity creates what's called the "PRI" (priority) value of a syslog message, calculated using the formula: Priority = (Facility × 8) + Severity

How PRTG uses syslog facility

Paessler PRTG Network Monitor includes a powerful Syslog Receiver Sensor that can collect, analyze, and monitor syslog messages from various devices across your network, including Cisco devices, routers, and firewall appliances.

PRTG Syslog Receiver Sensor

The Syslog Receiver Sensor in PRTG acts as a syslog server, receiving and processing syslog messages from network devices. It displays important information including:

• The IP address of the message source
• Timestamp of the message
• The message content itself
• The header containing the facility code (source type)
• The severity level (logging level)

PRTG analyzes these components to help you identify potential issues and monitor your network effectively.

Key features of PRTG's syslog monitoring

1. Facility and Severity Analysis: PRTG reads and processes both the facility value and syslog levels of incoming messages, allowing you to immediately identify the type and importance of each message.
2. Custom Filtering: You can set up include, exclude, warning, and error filters to focus on specific types of messages and trigger appropriate alerts.
3. Real-time Alerting: PRTG can notify you immediately when critical syslog messages are received, allowing for quick response to potential issues.
4. Message Storage and Analysis: PRTG stores received messages in a log file, allowing you to review and analyze them later for troubleshooting or audit purposes.
5. Visualization: PRTG provides visual representations of syslog data, making it easier to identify patterns and anomalies.

Configuring syslog monitoring in PRTG

To set up effective syslog monitoring in PRTG, follow these steps:

Step 1: Add a Syslog Receiver Sensor

1. Navigate to your "Local Probe" (or a remote probe if you're using one)
2. Choose "Add Sensor"
3. Select "Syslog Receiver Sensor" from the "Various Protocols" section

Step 2: Configure basic settings

1. Enter a listening port (default is 514 for UDP)
2. Set how long PRTG should store received messages for analysis
3. Configure any necessary filters:
   • Include Filter: Define which messages to process
   • Exclude Filter: Define which messages to discard
   • Warning Filter: Define which messages should count as warnings
   • Error Filter: Define which messages should count as errors

Step 3: Configure devices to send syslog messages

For each network device you want to monitor:

1. Access the device's config interface
2. Find the syslog or logging settings
3. Configure the device to send syslog messages to your PRTG server's IP address on the port you specified

For Cisco devices, you might use commands like:

logging on
logging host 192.168.1.100
logging trap warnings

For Linux or Unix systems, you would modify the syslog configuration file (typically `/etc/syslog.conf` or `/etc/rsyslog.conf`).

Advanced syslog filtering in PRTG

PRTG offers powerful filtering capabilities for syslog messages. You can create filters based on:

• Source IP address
• Facility value
• Severity levels
• Hostname
• Message content
• And more

Filters use a special syntax in the form of `field[filter]` and can be combined with boolean operators (AND, OR, NOT) and brackets.

For example:

• `facility[4]` - Match messages from the auth facility
• `severity[0-3]` - Match messages with severity Emergency through Error
• `message[Error]` - Match messages containing the word "Error"

Integration with other monitoring technologies

PRTG doesn't just handle syslog—it can integrate this data with other monitoring protocols like SNMP for a more comprehensive view of your network. This allows you to correlate syslog messages with performance metrics for better troubleshooting.

Additionally, PRTG's API allows you to extend its capabilities and integrate with other systems, enabling custom solutions for specialized environments like VMware infrastructures.

Best practices for syslog monitoring with PRTG

1. Set appropriate severity thresholds: Configure your devices to send only relevant messages to avoid overwhelming your syslog server.
2. Use targeted filters: Create specific filters to focus on critical issues and reduce noise.
3. Implement centralized logging: Use PRTG as your central syslog server to collect logs from all network devices in one place.
4. Configure meaningful alerts: Set up notifications for critical syslog messages to ensure timely response to issues.
5. Regularly review logs: Periodically analyze stored logs to identify patterns and potential issues before they become critical.
6. Correlate with other metrics: Combine syslog data with other monitoring metrics in PRTG for a more comprehensive view of your network's health.
7. Secure your syslog traffic: Consider using encrypted transport for sensitive log data, especially from firewall and authentication systems.

Analyzing syslog data for network insights

A powerful syslog analyzer can help you extract valuable insights from your logs. For example:

• Tracking failed login attempts from auth facility messages to detect potential security breaches
• Monitoring kernel messages to identify hardware issues before they cause outages
• Analyzing router and firewall logs to optimize network traffic flows
• Reviewing mail system logs to ensure reliable email delivery

By properly configuring your logging facility settings across devices, you can create a comprehensive monitoring system that provides early warning of potential issues.

Conclusion

Syslog facility monitoring in PRTG provides a powerful way to centralize and analyze log data from across your network. By understanding how facilities and severity levels work together, you can effectively filter, prioritize, and respond to important system logs.

PRTG's Syslog Receiver Sensor offers comprehensive capabilities for collecting, analyzing, and alerting on syslog messages, making it an essential tool for network administrators looking to maintain security and operational efficiency.

By implementing the best practices outlined in this guide, you can leverage PRTG's syslog monitoring capabilities to gain deeper insights into your network and respond more effectively to potential issues requiring immediate action.