
syslog

syslog is the one-way, append-only log stream that runs on every Linux box. The animation shows long rectangular line chips flowing in one direction, from source to collector; there is no response.


Engineering pitfalls

UDP/514 silently drops under load

Classic syslog uses UDP, which gives no delivery guarantee. Under a high event rate the receiver's kernel drops messages, and the sender never learns of it. Use TCP/6514 with TLS (RFC 5425) for transport that is both reliable and secure.

Severity-level mismatch between source and collector

RFC 5424 defines 8 severities (0=Emergency, 7=Debug). Some applications map their own levels onto these arbitrarily. Standardise the mapping in the agent, or you will filter on the wrong level at the collector.

Log injection via untrusted user-input

User-supplied content that ends up in log messages may contain newlines or terminal escape sequences. Escape or strip such characters before formatting the line; otherwise an attacker can forge complete log entries.
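As an added example (not code from the original page or from any of the RFCs it cites), the following Python formatter covers the last two pitfalls: it pins a set of application level names to fixed RFC 5424 severities and neutralises control characters in untrusted message text before the line is emitted. The level names, the local0 facility choice and the hostile input are constructed for this example.

```python
import re
from datetime import datetime, timezone
from typing import Optional

FACILITY_LOCAL0 = 16  # constructed choice; PRI = facility * 8 + severity
# RFC 5424 severities: 0=Emergency ... 7=Debug
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed application level names, each pinned to one RFC 5424 severity
# so that filters at the collector match what the application meant.
APP_LEVEL_MAP = {"FATAL": "crit", "ERROR": "err", "WARN": "warning",
                 "INFO": "info", "TRACE": "debug", "DEBUG": "debug"}

# CR, LF, ESC and the other C0/C1 control characters can split a line
# or drive a terminal; they never belong in a single log record.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def sanitize(text: str) -> str:
    """Replace control characters with visible \\xNN escapes so one message stays one line."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def severity_for(app_level: str) -> int:
    """Map an application level to an RFC 5424 severity; unknown levels become 'notice'."""
    return SEVERITY[APP_LEVEL_MAP.get(app_level.upper(), "notice")]


def format_rfc5424(app_level: str, hostname: str, appname: str, msg: str,
                   facility: int = FACILITY_LOCAL0, ts: Optional[datetime] = None) -> str:
    """Build one RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG."""
    pri = facility * 8 + severity_for(app_level)
    ts = ts or datetime.now(timezone.utc)
    stamp = ts.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    # PROCID, MSGID and STRUCTURED-DATA are left as NILVALUE ("-") here;
    # only the untrusted MSG part is sanitised.
    return f"<{pri}>1 {stamp} {hostname} {appname} - - - {sanitize(msg)}"


if __name__ == "__main__":
    # Constructed hostile input: a newline followed by a forged second record.
    hostile = "login failed for bob\n<86>1 2024-01-01T00:00:00Z h sshd - - - root login OK"
    print(format_rfc5424("WARN", "web01", "app", hostile))
```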

References

Primary sources
  • RFC 5424 — The Syslog Protocol.
  • RFC 5425 — Transport Layer Security (TLS) Transport Mapping for Syslog.
  • RFC 6587 — Transmission of Syslog Messages over TCP.