Article created 2005-05-17 by
Hamid Ali Raja.
Creating a simple Syslog Server
In this scenario, a simple Syslog server will be created. No other services are configured. The Syslog server will operate as a standard Syslog server on the
default port of 514/UDP. All incoming data will be written to a single text
Step 1 – Defining a Rule Set for File Logging
The rule set specifies what action to carry out. You might be tempted to define
the service first, but starting with the rule set makes things easier as it
will be already present when the service is defined later and needs to be bound
to a rule set.
To define a new rule set, right click "Rules". A pop up menu will appear.
Select "Add Rule Set" from this menu. On screen, it looks as follows:
Then, a wizard starts. Change the name of the rule set to whatever name you
like. We will use "Write Syslog Log File" in this example. The screen looks as
Click "Next". A new wizard page appears:
There, select file logging. Do not select any other options for this example.
Also, leave the "Create a Rule for each of the following actions" setting
selected. Click "Next".
This is just a confirmation page. Click "Finish" to create the rule set.
The wizard closes and the client shows a newly created rule set.
As you can see, the "Write Syslog Log File" rule set is now present. Please
expand it in the tree view until you have the following screen contents:
As you can see, we have a "File Logging" action configured. We will review the
settings just for your information. Click on "Filter Conditions":
As you can see, none of the filter conditions are enabled. This means that
all information units (incoming messages) will be matched by these filter
conditions. As such, the rules for the "File Logging" action will always be
Please note that this also means that all Syslog priorities and facilities will
be written to the same file.
Now let us check the "File Logging" action itself. Please select it in the tree
As you can see, it has been created with the default parameters. Each day, a
file will be created in the C:\temp directory and its base name will be
MonitorWare. It will include all information items in the file.
If you would like to store it into a separate directory or change the file
name, here is the place to do it. Important: please make sure the
directory you specify exists! If it does not yet exist, please create it before
you start the service. If the directory does not exist, the service is not able
to store any files.
In our example, we would like to save it to "c:\logfiles" with a base name of
"Syslog". Therefore, we change these properties:
After doing so, you will notice the yellow text on top of the window. It tells
you that the configuration changes have not yet been applied. To do so, press
Now you have a workable rule set for logging incoming messages to a text file.
Step 2 – Create a Syslog Server Service
Now we need to define a Syslog server service. A Syslog server is also
sometimes called a "Syslog daemon", "Syslogd" or "Syslog listener". It is the
process that receives incoming messages.
To define it, right click on "Services", then select "Add Service" and the
Once you have done so, a new wizard starts:
Again, you can use either the default name or any one you like. We will use "My
Syslog Server" in this example. Leave the "Use default settings" selected and
As we have used the default, the wizard will immediately proceed with step 3,
the confirmation page. Press "Finish" to create the service. The wizard
completes and returns to the configuration client. There, you will see the
newly created service beneath the "Services" part of the tree view:
To check its parameters, select it:
As you can see, the service has been created with the default parameters. As
such, it operates as an RFC-compliant standard Syslog server.
Please note that the "Write Syslog Log File" rule set has been automatically
assigned as the rule set to use. This is the case because we already created it
and it is the only rule set. By default, the wizard always assigns the first
rule set visible in the tree view to new services. If another one is to be
used, you need to change it to the correct one here in the service definition.
Also, note that the wizard uses the default properties from the "Service
Defaults". Obviously, if these are changed, the default properties for new
services will differ.
This procedure completes the configuration of the Syslog server.
Step 3 – (Re-) Start the Service
The application cannot dynamically read changed configurations. As such, it
needs to be restarted after such changes. In our example, the service was not
yet started, so we simply need to start it. If it's already running, you need to
Service control can be done either with the operating system's own tools (such
as the Services MMC snap-in) or with the configuration client. The client's
controls are shown in the red-framed area in the following screen shot:
The buttons resemble those of the Windows service manager: start, stop and
restart. In this example, stop and restart are grayed out because the service
is not running.
After the service restart, the new definitions are active and the application
is ready to accept and store incoming messages.
Step 4 – Configure your Syslog-Enabled Devices
Even though the application is now ready, it can only receive messages if some
devices send them. Remember, Syslog is a protocol where the server passively
waits for incoming messages. As long as no device sends messages, the Syslog
server will not log anything.
Since there is a large variety of devices, we unfortunately cannot provide
device-specific instructions. However, almost all devices need to be configured
with their specific configuration tool. Typically, only two settings need to be
made: one to activate Syslog messages at all and one with the Syslog server IP
address or name.
For some devices, we have step-by-step guides. Please read "Sample Syslog Device
Configurations" for further details.
Remember: the computer running the application now acts as a Syslog
server. As such, you need to find out its IP address or name and supply it to
the device as the Syslog server. Please note that not all devices can operate
with computer names. Use the IP address, if in doubt.
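The following script is an added example, not code from the original article or from the product it describes. It shows in plain Python what the steps above configure through the GUI: a device builds an RFC 3164 datagram and sends it to UDP port 514 (Step 4), the server decodes the PRI field into facility and severity, a rule set with no filter conditions enabled matches every message (Step 1, which is why all priorities and facilities end up in one file), and the log directory is checked before a file is written (the "directory must exist" caveat). The daily file naming scheme `<base>-YYYY-MM-DD.txt`, the `matches_filter` signature and the `router1`/`test` sample values are assumptions made for this example; the loopback listener in the `__main__` block stands in for the real server so the round trip can be tried without port 514 or administrative rights.

```python
import datetime
import os
import re
import socket

# Facility and severity codes from RFC 3164; PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}
SYSLOG_PORT = 514  # the default UDP port the article's server listens on


def build_message(facility, severity, hostname, tag, text, when=None):
    """Build a BSD-style (RFC 3164) datagram, as a device would send it."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    when = when or datetime.datetime.now()
    # RFC 3164 timestamps are "Mmm dd HH:MM:SS" with a space-padded day.
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {tag}: {text}".encode("utf-8")


def parse_message(datagram):
    """Split a datagram into facility/severity and payload, as the server does."""
    text = datagram.decode("utf-8", errors="replace")
    m = re.match(r"^<(\d{1,3})>", text)
    pri = int(m.group(1)) if m else -1
    if 0 <= pri <= 191:
        payload = text[m.end():]
    else:
        # RFC 3164 section 4.3.3: a missing or malformed PRI is treated as 13
        # (user.notice) and the whole datagram is kept as the message text.
        pri, payload = 13, text
    return {"pri": pri, "facility": pri // 8, "severity": pri % 8,
            "facility_name": FACILITY_NAMES.get(pri // 8, str(pri // 8)),
            "severity_name": SEVERITY_NAMES[pri % 8], "text": payload}


def matches_filter(parsed, facilities=None, max_severity=None):
    """Evaluate a rule's filter conditions (assumed shape for this example).

    With nothing enabled (both arguments None) every message matches, which is
    why the article's unfiltered rule set writes all facilities and priorities
    to the same file."""
    if facilities is not None and parsed["facility_name"] not in facilities:
        return False
    if max_severity is not None and parsed["severity"] > SEVERITIES[max_severity]:
        return False
    return True


def check_log_directory(directory):
    """The article warns that a missing directory leaves the service unable to
    store files; check before starting instead of discovering it afterwards."""
    return os.path.isdir(directory)


def daily_log_path(directory, base_name, day=None):
    """One file per day. Naming (<base>-YYYY-MM-DD.txt) is assumed here,
    not the product's own scheme."""
    if not check_log_directory(directory):
        raise FileNotFoundError(f"log directory does not exist: {directory}")
    day = day or datetime.date.today()
    return os.path.join(directory, f"{base_name}-{day:%Y-%m-%d}.txt")


def send_test_message(server, datagram, port=SYSLOG_PORT):
    """Send one datagram to the server, like a device configured in Step 4."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (server, port))


if __name__ == "__main__":
    # Loopback round trip: a throw-away listener on an ephemeral port stands in
    # for the real server (which would need port 514 and admin rights).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(2)
        msg = build_message("local0", "warning", "router1", "test", "hello syslog")
        send_test_message("127.0.0.1", msg, port=listener.getsockname()[1])
        data, peer = listener.recvfrom(8192)
        parsed = parse_message(data)
        print(peer, parsed["facility_name"], parsed["severity_name"], parsed["text"])
        if check_log_directory("."):
            print("would append to", daily_log_path(".", "Syslog"))
```

To send a real test message to the server configured in the article, call `send_test_message("<server-ip>", build_message("local0", "info", "myhost", "test", "hello"))` from another machine and confirm a new line appears in the day's file under `c:\logfiles`; if nothing arrives, check that UDP 514 is not blocked by a host firewall between the device and the server.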