37.7. Appendix

The SYSLOG protocol provides a transport to allow a machine to send event notification messages across IP networks to event message collectors.

SYSLOG messages aren't formatted; the protocol is simply designed to transport these event messages. The scenario includes:

No acknowledgement of the receipt is made.

SYSLOG uses the user datagram protocol (UDP). The UDP port that has been assigned to SYSLOG is 514. It's recommended that the source port also be 514.

SYSLOG protocol definitions:

37.7.1. SYSLOG architecture

The architecture of the devices may be summarized as follows:

  • Senders send messages to relays or collectors with no knowledge of whether the receiver is a collector or a relay.

  • Senders may be configured to send the same message to multiple receivers.

  • Relays may send all or some of the messages that they receive to a subsequent relay or collector. In the case where they do not forward all of their messages, they're acting as both a collector and a relay. In the following diagram, these devices will be designated as relays.

  • Relays may also generate their own messages and send them on to subsequent relays or collectors. In that case, they're acting as devices. These devices will also be designated as relays in the following diagram.
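The sender, relay and collector roles listed above, together with the unacknowledged UDP transport, shown as an added example that is not part of the original documentation. It assumes loopback addresses with ephemeral ports in place of UDP 514 (which needs privileges to bind), constructed message strings, and a hypothetical relay policy that keeps messages starting with `debug` instead of forwarding them.

```python
import socket

def udp_socket(timeout=0.5):
    # Loopback + ephemeral port so this runs unprivileged; real SYSLOG uses UDP 514.
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    s.settimeout(timeout)
    return s

def send(sock, message, receivers):
    # Sender role: one datagram per configured receiver; no reply is awaited.
    for addr in receivers:
        sock.sendto(message, addr)

def relay_once(sock, next_hop, should_forward, kept):
    # Relay role: forward the datagram, or keep it and so also act as a collector.
    data, _ = sock.recvfrom(1024)
    if should_forward(data):
        sock.sendto(data, next_hop)
    else:
        kept.append(data)

def drain(sock):
    # Collector role: read whatever arrived; silence is not an error.
    got = []
    try:
        while True:
            got.append(sock.recvfrom(1024)[0])
    except socket.timeout:
        return got

def demo():
    sender, relay, collector = udp_socket(), udp_socket(), udp_socket()
    unused = udp_socket()
    unused_addr = unused.getsockname()
    unused.close()  # nothing listens on this address any more
    kept = []
    forward = lambda d: not d.startswith(b"debug")  # hypothetical relay policy
    # Constructed, free-form messages (the protocol imposes no format).
    for msg in (b"link down on eth0", b"debug heartbeat", b"login failed for admin"):
        # Same message to two receivers; the send to the dead one still succeeds.
        send(sender, msg, [relay.getsockname(), unused_addr])
        relay_once(relay, collector.getsockname(), forward, kept)
    send(relay, b"relay disk 90% full", [collector.getsockname()])  # relay as a device
    received = drain(collector)
    for s in (sender, relay, collector):
        s.close()
    return received, kept

if __name__ == "__main__":
    print(demo())
```

The sender receives no indication that the copies sent to the closed address were lost, which is why collectors that matter for detection or audit need their own check that expected sources are still reporting.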

Some possible SYSLOG architectures:

Figure 37.5. SYSLOG architectures
