Architecting a vRealize Log Insight Solution : ESXi Host and Device Syslog Configuration : 3.2 Syslog Transport Protocols
3.2 Syslog Transport Protocols
By default, syslog uses the User Datagram Protocol (UDP) to transport messages from "client" to "server". However, specific design requirements might require you to consider other options for transporting messages across LAN or WAN networks. The following port/protocol combinations are supported for the ingestion of syslog data by vRealize Log Insight.
Table 4. Syslog Transport Protocols

Transport Protocol    Port    Protocol
UDP                   514     Syslog
TCP                   514     Syslog
SSL over TCP          1514    Syslog-TLS (SSL)
SSL over TCP          6514    Syslog-TLS (SSL)

With UDP, syslog clients can send messages over an IP network without prior communication to set up special transmission channels or data paths. UDP has no handshaking process and, thus, provides no guarantee that syslog messages reach the syslog target. This protocol is suitable for syslog when error checking and correction are not necessary to meet site requirements. Packets that cannot be delivered in time are simply dropped, which avoids extra processing overhead at the network interface level; this is preferable to holding and retransmitting delayed packets, which might not be acceptable in a real-time monitoring system.
However, what if the solution design requires assurance that syslog messages are delivered to the syslog server for compliance or regulatory reasons? In that case, you need a transport protocol that provides reliable, ordered transmission and error correction on the data stream at the network interface level, which, for syslog, is the Transmission Control Protocol (TCP).
The network connection between the syslog source and the syslog target server is critical to confirming that events are delivered at the remote destination. A number of factors affecting the underlying network, such as latency, load, and the transport protocol used, can prevent log events from being delivered. With UDP, logs can be dropped by the network without any easy way of determining why. TCP guarantees, at the transport level, that events are carried from the source to the target server. TCP can be employed to overcome unreliable network issues, but it does not confirm that the syslog server itself will capture and keep the event. For example, if the vRealize Log Insight ingest pipeline is backed up, messages will be dropped even if TCP is used. TCP is still preferred over UDP, however, when transporting events between the syslog source and target server if traffic traverses a WAN connection or another less reliable network.
What if a service provider requires syslog data to be encrypted between source and destination to meet solution requirements? After all, the information contained in syslog entries can be highly sensitive and could easily be used by an attacker to map the network, uncover what hardware is being operated in the data center, and find vulnerabilities within the infrastructure. For these reasons, syslog also supports encrypting traffic with Transport Layer Security (TLS), allowing messages to be delivered to the target syslog server using TLS over TCP.
Note: TLS is the more secure successor of SSL. When people talk about SSL encryption, they usually mean TLS encryption.
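The following is an added example, not code from VMware or the vRealize Log Insight product, that makes the difference between the three transports in Table 4 concrete: a small syslog sender for UDP, TCP and TLS over TCP, plus loopback listeners that stand in for the collector so the behaviour can be observed offline. The hostname, application name and message text are constructed for the demonstration, and the TLS path assumes you supply the collector's CA certificate (`cafile`) or rely on the system trust store; it is not exercised against a real collector here.

```python
# Added example (not VMware's code): minimal syslog sender covering UDP, TCP and
# TLS over TCP, with loopback listeners used to show why UDP loss is silent
# while TCP failures are visible. Hostnames, ports and messages are constructed.
import datetime
import queue
import socket
import ssl
import threading


def format_rfc5424(hostname, app, msg, facility=1, severity=6):
    """Build one RFC 5424 line. PRI = facility * 8 + severity (1*8 + 6 = 14)."""
    ts = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{facility * 8 + severity}>1 {ts} {hostname} {app} - - - {msg}"


def send_udp(host, port, line):
    """UDP: sendto() returns True once the datagram is handed to the kernel,
    whether or not anything is listening on the far side."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))
    return True


def send_tcp(host, port, line, tls=False, cafile=None, timeout=5.0):
    """TCP (optionally wrapped in TLS): connect/handshake failures surface as
    errors, so the sender can retry or alert. Uses RFC 6587 octet-counting
    framing ("<len> <msg>") so message boundaries survive the byte stream.
    Returns True when the frame was written to the socket, False on any error."""
    payload = line.encode("utf-8")
    frame = f"{len(payload)} ".encode("ascii") + payload
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return False
    sock = raw
    try:
        if tls:
            # Verifies the collector's certificate and hostname; an unknown CA
            # or a name mismatch aborts the handshake (SSLError is an OSError).
            ctx = ssl.create_default_context(cafile=cafile)
            sock = ctx.wrap_socket(raw, server_hostname=host)
        sock.sendall(frame)
        return True
    except OSError:
        return False
    finally:
        sock.close()


def start_udp_listener():
    """Loopback UDP collector for the demo; returns (port, queue of lines)."""
    received = queue.Queue()
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))

    def run():
        data, _ = s.recvfrom(65535)
        s.close()
        received.put(data.decode("utf-8"))

    threading.Thread(target=run, daemon=True).start()
    return s.getsockname()[1], received


def start_tcp_listener():
    """Loopback TCP collector that decodes one octet-counted frame."""
    received = queue.Queue()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)

    def run():
        conn, _ = s.accept()
        s.close()
        with conn:
            header = b""
            while not header.endswith(b" "):  # read "<len> "
                chunk = conn.recv(1)
                if not chunk:
                    return
                header += chunk
            want, body = int(header.strip()), b""
            while len(body) < want:
                chunk = conn.recv(want - len(body))
                if not chunk:
                    return
                body += chunk
        received.put(body.decode("utf-8"))

    threading.Thread(target=run, daemon=True).start()
    return s.getsockname()[1], received


def free_port():
    """Pick a loopback port with nothing listening, to show the failure modes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    line = format_rfc5424("esxi01.example.test", "vmkernel", "constructed test event")
    port, inbox = start_tcp_listener()
    print("tcp delivered:", send_tcp("127.0.0.1", port, line), "->", inbox.get(timeout=5))
    dead = free_port()
    print("udp to closed port reports:", send_udp("127.0.0.1", dead, line))
    print("tcp to closed port reports:", send_tcp("127.0.0.1", dead, line))
```

Run as a script and the last two lines show the design point from the text: the UDP send reports success against a port with no listener, while the TCP send reports failure. Neither transport tells you whether the collector's ingest pipeline later kept the event; that is a collector-side concern.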
Typically, a solution architect will base design decisions regarding transport protocols on the following requirements and constraints:
- Use TCP when possible, especially between syslog aggregators and syslog servers or for any traffic going over a WAN. Understand that TCP does not guarantee that events are not dropped: if the vRealize Log Insight ingest pipeline is backed up, messages will be dropped.
- ESXi supports all of the listed protocols. However, if other syslog client devices do not support TCP, then UDP is required.
- Use encryption when it is a specific service provider requirement to secure syslog data as it traverses the network, particularly over unsecured or WAN links.
VMware NSX® Manager™ virtual appliance and the VMware NSX API™ centralize the provisioning of logical networking components and manage the connection of virtual machines and storage objects to the networking functions, which also includes syslog transport.