Syslog questions


#1

I am looking to send logs to a NAS device for the first time and found no details in the manual or the router UI about this.

  1. Does Peplink use BSD or IETF log formats?
  2. Should I use TCP or UDP? The NAS defaults to UDP.
  3. Can the logs be sent securely? The NAS can export a certificate, where/how would I import it?
  4. What is the schedule for sending logs to the syslog server? I ask because the NAS is scheduled to shut down at night. Will that be fatal, or will the router just try to send the logs again should there be a failure because the NAS is off?
  5. I know of two types of logs, the Event log and URL logs. If they are both sent to the same NAS box, will they appear on the NAS as one file/log or two?

Thank you.


#2
  1. Peplink uses IETF format
  2. UDP is the standard for syslog - lower overheads for the traffic, faster sending, etc.
  3. Yes, if sent over a VPN - otherwise it should be considered insecure.
  4. Syslog isn’t scheduled - it's a live feed of events and syslog events are sent as they occur. If the syslog server isn’t available the logs will simply not be recorded.
  5. That’s down to your syslog server configuration. On some you can set match patterns to route them into specific logs/views, on others it's just a big bucket of logs that you need to process manually in a third party product (like Splunk). Others will let you configure the use of different ports for different activities, so port 514 for events and 515 for URL logging, with those logs stored in different files.

Have heard good things about https://www.graylog.org/
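As an added illustration of points 1 and 5 above (not code from the thread or from Peplink): a small Python parser that tells IETF (RFC 5424) framing apart from BSD (RFC 3164) framing, splits the PRI value into facility and severity, and groups datagrams into separate files by the receiving port, the way a per-port syslog setup would. The sample lines, hostnames and file names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines (not captured from a real router); PRI 134 = local0.info.
IETF_LINE = '<134>1 2024-03-01T22:15:03Z peplink-balance fw - - - WAN 1 connected'
BSD_LINE = '<134>Mar  1 22:15:03 peplink-balance fw: WAN 1 connected'

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
IETF_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$')
# RFC 3164 (BSD) header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG (the TAG stays in MSG here)
BSD_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<msg>.*)$')

@dataclass
class SyslogRecord:
    fmt: str        # "ietf" or "bsd"
    facility: int   # PRI // 8
    severity: int   # PRI % 8 (0 = emergency ... 7 = debug)
    host: str
    message: str

def parse_syslog(line: str) -> SyslogRecord:
    """Detect the framing and decode PRI; raise ValueError on malformed input."""
    m, fmt = IETF_RE.match(line), 'ietf'
    if m is None:
        m, fmt = BSD_RE.match(line), 'bsd'
    if m is None:
        raise ValueError(f'unrecognised syslog line: {line!r}')
    pri = int(m.group('pri'))
    if pri > 191:                      # 23 facilities * 8 severities - 1
        raise ValueError(f'PRI out of range: {pri}')
    return SyslogRecord(fmt, pri >> 3, pri & 7, m.group('host'), m.group('msg'))

# Assumed port-to-file mapping, mirroring the per-port scheme from the reply.
PORT_TO_FILE = {514: 'events.log', 515: 'url.log'}

def collect(datagrams):
    """Group (port, line) pairs into per-file record lists. Malformed datagrams
    are counted and dropped: UDP syslog gives the sender no feedback, so the
    receiver, not the router, has to notice gaps."""
    files, dropped = {}, 0
    for port, line in datagrams:
        try:
            rec = parse_syslog(line)
        except ValueError:
            dropped += 1
            continue
        files.setdefault(PORT_TO_FILE.get(port, 'unsorted.log'), []).append(rec)
    return files, dropped
```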


#3

Thank you Martin.

That the log feed is constant is a concern. If the NAS log receiver is down overnight, I would worry about how the router responds to the log events generated overnight that cannot be shipped to the syslog server. Hopefully it doesn’t log those errors too, as I could see that causing a never-ending loop. Will have to test…


#4

No concern there. Syslog transmission is send and forget from the perspective of the client router. It's the responsibility of the syslog owner to guarantee uptime/availability and to spot anomalies (such as a device not sending logs). That’s why there is such a big market for cloud-based log retention services…


#5

Thus, UDP vs. TCP. Send it and fuggedaboutit :slight_smile:
Thanks.


#6

I use Graylog to collect logs from our Balance One, AP One AC minis and other devices on the network. Graylog is available as a VM appliance for easy deployment. Using regex and grok patterns, it’s easy to create custom searches (with custom actions) for tracking network events. I have a grok pattern that creates a chart of logged in VPN users, as well as another one which I use to display the monthly VPN logins. Great for glanceable info on the web dashboard.