What happens to syslog messages if server is unavailable?

JMakowski
Level 1

Our security team is going to have us offload log messages from various devices (switches, routers, ASA firewall) to a syslog server for analysis/reporting/action.

The question was raised about what happens to these messages if the syslog server is unavailable due to a server or LAN issue.

If we have Logging Buffered configured, will messages be retried to the syslog server until they arrive, or will any messages generated during the outage never make it to the syslog server?

I know syslog uses UDP and that UDP is not reliable and packets may go missing without notice, but is the syslog logging designed with any type of reliability mechanism?

Thanks,

Jim Makowski

1 Accepted Solution

Accepted Solutions

Jon Marshall
Hall of Fame

Jim

Basically they get lost.

Cisco does have support for TCP with syslog, but still the problem remains that if the server is down then the messages will simply be lost, i.e. they cannot be sent until the server comes back up and then a TCP connection is re-established.

So the issue is not really TCP vs UDP, i.e. with UDP it is sent but never received because the server is down; with TCP it isn't sent because there is no TCP connection between the router and the server.

I don't know of any method to recycle back through the buffer to resend any messages since the syslog server went down. Even if they could be sent that is supposing that you could get the server up before the buffer filled up and cycled around.

The only thing I can suggest is for critical devices you can have a separate management network (almost OOB) and then have multiple syslog servers in the router config, one for production and one as a backup. This may not be practical depending on the size of your network, WAN etc.

Bear in mind (from memory) that some syslog servers allow you to create a hierarchy, i.e. you send all messages to one server and then send a subset to a centralised server. If your main worry was the WAN then in each site you could have a local syslog server for all local devices and then send the most important messages to a central server.

Jon
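The site-local relay Jon describes (every local device logs to a nearby server, which forwards only the important subset to the central server) can be made to survive a central-server outage by keeping each message queued until the central side has actually accepted it. The following is an added example written for this thread, not code from Cisco or from either poster; it assumes `send` is a caller-supplied callback such as a TCP socket's `sendall` that raises `OSError` when the connection fails, and the sample messages are constructed.

```python
import re
from collections import deque

# Constructed sample of what a site-local relay might receive from devices.
SAMPLE_MESSAGES = [
    "<189>Jan 10 12:00:01 sw1 %LINK-5-CHANGED: Interface Gi1/0/1 changed state to down",
    "<187>Jan 10 12:00:02 asa1 %ASA-3-201008: Disallowing new connections",
    "<190>Jan 10 12:00:03 rtr1 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host started",
    "<188>Jan 10 12:00:04 sw1 %SYS-4-CONFIG_I: Configured from console",
]

PRI_RE = re.compile(r"^<(\d{1,3})>")  # RFC 3164/5424 <PRI> = facility*8 + severity

def severity(msg):
    """Return the syslog severity (0=emerg .. 7=debug) from <PRI>, or None if absent."""
    m = PRI_RE.match(msg)
    if not m:
        return None
    return int(m.group(1)) % 8

class StoreAndForwardRelay:
    """Bounded local queue; a message is dropped from the queue only after `send` succeeds."""
    def __init__(self, send, max_severity=4, capacity=10000):
        self.send = send                # callable(bytes) -> None, raises OSError on failure
        self.max_severity = max_severity  # forward only severities <= this (4 = warning)
        self.queue = deque(maxlen=capacity)
        self.dropped = 0                # count of oldest messages evicted by a full queue

    def ingest(self, msg):
        """Queue msg for the central server if it is important enough; else keep it local."""
        sev = severity(msg)
        if sev is None or sev > self.max_severity:
            return False
        if len(self.queue) == self.queue.maxlen:
            self.dropped += 1           # deque evicts the oldest entry on append
        self.queue.append(msg)
        return True

    def drain(self):
        """Forward queued messages in order; stop at the first failure so nothing is lost."""
        sent = 0
        while self.queue:
            try:
                self.send((self.queue[0] + "\n").encode())
            except OSError:
                break                   # central server unreachable: retry on the next drain()
            self.queue.popleft()
            sent += 1
        return sent
```

Call `drain()` periodically (e.g. from a timer) and alert on a growing `queue` or non-zero `dropped`, since either means the central server is behind or unreachable.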

2 Replies

Thanks Jon. I suspected as much, but had to confirm. Appreciate the quick response.