Two roles are distinguished with respect to the systems that are involved in the exchange of syslog messages: The syslog sender sends the syslog messages. The syslog receiver is the recipient of syslog messages. Generally, syslog sender and receiver correspond to management agent and manager, respectively. However, syslog receivers often have no role in actively managing a device. In fact, in many cases, the receiver resides in the device itself. The syslog receiver is simply the receiving end of a syslog message that is generally responsible for logging the message to a file on a disk.
■ The device itself, writing the messages that it generates to a local log file. This log file can be viewed by system administrators or, for example, transferred as a file via the File Transfer Protocol to an external management application when desired.
In most cases, devices have limited storage. To avoid overflowing the local file system, devices often put mechanisms such as the following in place:
— A log file has a certain maximum size. When the end of the file is reached, logging of subsequent messages starts again from the beginning, overwriting the oldest previous messages. The file can be accompanied with a pointer that points to the line with the most current entry. This mechanism is also called a circular log file (see Figure 8-8).
Figure 8-8 Circular Log File
Circular log file
Circular log file
Current " log marker
■^Oldest entry, to be overwrittten next
— Log files are created with a certain capacity—for example, one file per day, named according to the calendar date, or one file per 1000 entries, numbered sequentially. When the allocated log file capacity is reached, the oldest file is purged from the system.
■ A centralized logging host, receiving messages from several devices and logging those messages for them. Applications access this logging host instead of individual devices to access the log records (see Figure 8-9). This can reduce load on the network devices. An external host typically also has greater storage space and can be centrally backed up, facilitating the overall management task. Applications and system administrators turn to the logging host instead of the devices themselves to retrieve any particular logs.
Figure 8-9 Logging Host
A centralized logging host often also functions as a syslog relay. A syslog relay receives syslog messages on one end and sends them to another receiver on the other end—it is a proxy. This means that, in addition to logging syslog messages, it forwards those messages on to various applications. In doing so, it possibly applies a filter so that they each receive only messages that are of interest to them (see Figure 8-10). We discuss management proxies and other ways to organize management deployments in Chapter 9, "Management Organization: Dividing the Labor."
Figure 8-10 syslog Relay
■ A management application, receiving syslog messages for processing. Here, the receiver is finally truly a manager, which treats syslog as a management communications channel for events. In many cases, the manager does not just log the messages, but processes and acts on them as they occur. In many cases, management applications are deployed so that they receive syslog messages through a relay, not from the device directly. This is specifically the case when multiple applications should receive messages so that no additional load is put on the managed devices to send multiple copies of the same message to different recipients.
Was this article helpful?