Running syslog over TCP

Serious network administrators have always considered syslog an undependable way of reporting network problems because it runs over UDP: a dropped datagram is a lost message, and neither side ever finds out. Sometime in the twilight zone between IOS releases 12.3T and 12.4, Cisco IOS gained the ability to transport syslog messages over TCP with the logging host ip-address transport tcp port configuration command (the command is documented in the 12.4 manuals but missing from the 12.3T manuals).

Note: IOS implements a plain syslog stream over TCP, not the more complex RFC 3195. TCP gives you reliable delivery within the session, nothing more: the messages still travel in clear text and are not authenticated.

To use syslog over TCP, you also need a TCP-capable syslog server. In Unix environments you can use syslog-ng; on Windows, Kiwi Syslog Daemon is a perfect choice.

Note: To enable syslog over TCP in Kiwi Syslog Daemon, go to File/Setup/Inputs/TCP, tick Listen for TCP Syslog messages and enter the desired TCP port number.

4 comments:

  1. Hi,
    So IOS implements a standard syslog stream over TCP, but do you happen to know how the syslog server receiving the messages knows where one message stops and another starts? Because with UDP you know that when you receive something, you only have one message. With TCP you could have several messages next to each other. Is there, for example, an EOL character between 2 messages, or something else?
    Cheers,
    Hank
  2. Also, Cisco IOS Software Release 12.4T implements "Reliable Delivery and Filtering for Syslog"
    http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a00807883c3.html
  3. While it's commonly believed that TCP is a pure stream service, it's usually true that a single socket write results in all the data being returned from a single socket read call on the other side of the TCP session (assuming the application's receive buffer is big enough). That's the "mechanism" IOS is using. Each syslog message is sent in a separate TCP packet (there are no extra separators), so the recipient (usually) gets them one-by-one. Of course this mechanism is not 100% reliable.

    A syslog daemon like Kiwi can split the stream into messages based on what gets returned from a single read call (that's how Kiwi works). Additionally, Kiwi can recognize various separators (CR, CRLF, LF, NULL). In theory, you could also identify the start of a properly formatted syslog message, as they all have to start with a <digit digit digit> sequence, but this method is not reliable either. If you want a completely reliable solution, you should use BEEP (but I don't think there are too many syslog daemons out there supporting it).
  4. Hum, ok, thanks for the useful info!
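The framing problem raised in the comments above, worked through as an added example (this is my own code, not the original post's, Cisco's, Kiwi's or syslog-ng's): a receiver-side framer that splits a TCP byte stream into syslog messages using the two heuristics described in comment 3 (separator characters, and a new valid <PRI> header marking the start of the next message), and a helper that lets you compare that with a receiver that simply trusts socket read boundaries. The IOS-style message text and the sequence of socket reads are constructed for the example, not captured from a router; the names SyslogTcpFramer, split_on_pri and frame_reads are my own.

```python
"""Frame syslog messages out of a TCP byte stream.

Added example for this post; not Cisco IOS, Kiwi or syslog-ng code. It applies
the two heuristics discussed in the comments (separators, and a new <PRI>
header marking the next message) and lets you compare them with a receiver
that simply trusts socket read boundaries.
"""
import re
from typing import Iterable, List

# RFC 3164: a message starts with "<PRI>", PRI = facility * 8 + severity,
# so a valid value is 0..191. Anything else is just text.
PRI_RE = re.compile(rb"<(\d{1,3})>")
SEP_RE = re.compile(rb"[\r\n\x00]+")   # CR, LF, CRLF, NUL as separators


def split_on_pri(segment: bytes) -> List[bytes]:
    """Split a separator-free byte segment wherever a valid <PRI> starts.

    Heuristic only: a message body that happens to contain "<34>" would be
    split in the middle, which is why this cannot be 100% reliable.
    """
    starts = [m.start() for m in PRI_RE.finditer(segment)
              if int(m.group(1)) <= 191]
    if not starts or starts[0] != 0:
        starts.insert(0, 0)          # leading text with no header: keep it
    bounds = zip(starts, starts[1:] + [len(segment)])
    return [segment[a:b] for a, b in bounds if segment[a:b]]


class SyslogTcpFramer:
    """Incremental framer: feed() each socket read, get complete messages back."""

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, data: bytes, read_is_boundary: bool = False) -> List[bytes]:
        self.buf += data
        out: List[bytes] = []
        # 1. Everything up to the last separator is complete.
        last_sep = max(self.buf.rfind(s) for s in (b"\r", b"\n", b"\x00"))
        if last_sep >= 0:
            done, self.buf = self.buf[:last_sep + 1], self.buf[last_sep + 1:]
            for seg in SEP_RE.split(done):
                out.extend(split_on_pri(seg))
        # 2. A later valid <PRI> in the remainder ends the message before it.
        pieces = split_on_pri(self.buf)
        if len(pieces) > 1:
            out.extend(pieces[:-1])
            self.buf = pieces[-1]
        # 3. Optionally treat the end of this read as a message boundary
        #    (what a receiver relying on one-write-one-read behaviour does).
        if read_is_boundary and self.buf:
            out.append(self.buf)
            self.buf = b""
        return out

    def flush(self) -> List[bytes]:
        """Emit whatever is left (call when the TCP session closes)."""
        return self.feed(b"", read_is_boundary=True)


def frame_reads(reads: Iterable[bytes], trust_read_boundaries: bool) -> List[bytes]:
    """Frame a whole sequence of socket reads.

    trust_read_boundaries=True mimics a daemon that takes each read as one
    message; False relies on separators and <PRI> headers only.
    """
    framer = SyslogTcpFramer()
    msgs: List[bytes] = []
    for chunk in reads:
        msgs.extend(framer.feed(chunk, read_is_boundary=trust_read_boundaries))
    msgs.extend(framer.flush())
    return msgs


# Constructed sample messages in the general shape of IOS syslog output
# (local7.notice = <189>); not captured from a real router.
MSG1 = b"<189>42: *Mar  1 00:01:02.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down"
MSG2 = b"<189>43: *Mar  1 00:01:05.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up"
MSG3 = b"<189>44: *Mar  1 00:02:00.000: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)"
MSG4 = b"<189>45: *Mar  1 00:03:00.000: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)"
EXPECTED = [MSG1, MSG2, MSG3, MSG4]

# Constructed sequence of socket reads: the sender wrote one message per
# segment, but the receiver saw two coalesced (read 2) and one split (3 + 4).
SPLIT_AT = 40
SAMPLE_READS = [
    MSG1,
    MSG2 + MSG3,
    MSG4[:SPLIT_AT],
    MSG4[SPLIT_AT:] + b"\n",
]

if __name__ == "__main__":
    for trust in (False, True):
        msgs = frame_reads(SAMPLE_READS, trust_read_boundaries=trust)
        print(f"trust_read_boundaries={trust}: {len(msgs)} messages")
        for m in msgs:
            print("  ", m[:60].decode())
```

Run it and the two strategies diverge exactly where comment 3 says they do: with the separator and <PRI> heuristics the four messages come out intact, while trusting read boundaries turns the message split across reads 3 and 4 into two broken ones. The <PRI> heuristic has its own failure mode, a body that contains something like "<34>", so neither is a substitute for real framing such as BEEP.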