doug_stephens (Canada) asked:

Writing a customized SYSLOG server for Windows

I wish to write a SYSLOG server for Windows using Delphi (2007). I know there are many good products on the market but I have custom requirements. My objective is to obtain SYSLOG events from some wireless access points. I don't know anything about SYSLOG events, so can anyone get me started? Is this just a TCP server listening on a particular port, then parsing the protocol? On the switches they just want a port and IP address of the Syslog server.
Tags: Windows OS, Delphi

SheaDigital

I would take a look at RFC 3195 and RFC 3164.

http://www.faqs.org/rfcs/rfc3195.html

http://www.faqs.org/rfcs/rfc3164.html

In short, yes, it is just listening on a port for the data to be sent to it and logging said data.
SheaDigital

Oh and if you are not familiar with what an RFC is, you can read about it here.

http://en.wikipedia.org/wiki/Request_for_Comments

I know, I know, the dreaded wiki link... ahhhhhh.
doug_stephens (asker)

I did that - opened a server socket on port 514 and told the device to send SYSLOGs to my IP address. But I have not received any SYSLOG messages. Could be a firewall thing - I'm checking that. There is no way to tell if the switch is really sending anything.

Does my server machine need any special services running or anything set up? I did a test from a client socket on another machine and it gets to my server OK via the network.
SheaDigital

Know how to use a sniffer? If so, install Wireshark (or some other sniffer) on your server and set up a filter to see if any traffic is being received by it with a destination IP of your server and a port of 514.

That way you can see at the raw network level if anything is being received.

If you are not getting anything, see if you can set up a sniffer as close to the switch as possible (close network-wise would be best) and see if any syslog traffic is coming out of the switch.

There are other things to think about here, like firewalls. If there is a firewall between your syslog server and your switch it could be blocking that traffic. This includes the Windows firewall on the server. So make sure it's off, or that you add an exception for this port or app on that server.

Make sure it's set up on your switch correctly. What kind of switch is it? Is it Cisco gear? If so, make sure you have logging even turned on. You could have a log server specified but not be logging anything.


If it's a Cisco switch, you should have some statements like this in your config.

logging console informational   <-- this actually turns on the logging for this event
logging monitor informational   <-- this actually turns on the logging for this event

logging trap warning            <-- this sets the level of logging to send to the syslog server
logging <ip address>            <-- this sets the IP address of the syslog server
ASKER CERTIFIED SOLUTION
SheaDigital

doug_stephens (asker)

It is a Proxim AP700 - Syslog logging is enabled via http interface.
SheaDigital

Make sure it's actually logging things, though. Is there a way to check the logs on it via the web interface?
SheaDigital

Oh, and I found out about the TCP/UDP thing: it could be either... so ya. I would assume most devices send via TCP.
SheaDigital

Here is a link to some source code of a simple syslog server. Maybe this will help too.

http://www.codeproject.com/KB/IP/syslog_client.aspx

Again, not a programmer... so not sure how helpful this is if you are writing code in Delphi.
doug_stephens (asker)

It started working when I tried a UDP server socket, instead of a TCP socket. Thanks much, and for all the additional information too.
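Added example (not code from this thread, and in Python rather than the asker's Delphi, since it is the quickest way to prototype and check the protocol behaviour): the working setup the thread arrives at is a UDP listener on port 514 that parses each datagram as an RFC 3164 message. The block below does that, treats a missing or out-of-range PRI the way RFC 3164 section 4.3.3 says a receiver should (as user.notice), and includes a small sender so the listener can be checked over loopback without waiting for the access point. The function names (`parse_rfc3164`, `open_listener`, `receive_one`, `send_syslog`) and the hostname `ap700` used in the sample messages are my own choices; the sample messages are constructed for illustration.

```python
import re
import socket
import time
from dataclasses import dataclass
from typing import Optional, Tuple

SYSLOG_PORT = 514      # RFC 3164: syslog senders address UDP port 514
MAX_DATAGRAM = 65535   # RFC 3164 caps a message at 1024 bytes, but real devices overshoot,
                       # and on Windows recvfrom() raises if the buffer is smaller than the datagram

# Facility and severity names indexed by the numeric codes in RFC 3164 section 4.1.1.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: Optional[str]   # "Mmm dd hh:mm:ss" exactly as sent, None if no HEADER was found
    hostname: Optional[str]    # None if no HEADER was found
    content: str               # TAG plus CONTENT, left unparsed (devices vary too much to be strict)
    pri_present: bool          # False when the sender omitted or garbled the <PRI> part


_PRI_RE = re.compile(r"^<(\d{1,3})>")
_HEADER_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)


def parse_rfc3164(datagram: bytes) -> SyslogMessage:
    """Parse one UDP payload as an RFC 3164 message. Never raises on odd input."""
    text = datagram.decode("ascii", errors="replace").rstrip("\r\n\x00")
    m = _PRI_RE.match(text)
    if m and int(m.group(1)) <= 191:          # PRI = facility * 8 + severity, max 23 * 8 + 7
        pri, rest, pri_present = int(m.group(1)), text[m.end():], True
    else:
        # RFC 3164 section 4.3.3: no valid PRI, so treat the whole thing as <13> (user.notice)
        pri, rest, pri_present = 13, text, False
    facility, severity = divmod(pri, 8)
    h = _HEADER_RE.match(rest)
    if h:
        timestamp, hostname, content = h.group(1), h.group(2), h.group(3)
    else:
        # RFC 3164 section 4.3.2: no recognisable TIMESTAMP/HOSTNAME; keep the remainder as content
        timestamp, hostname, content = None, None, rest
    return SyslogMessage(FACILITIES[facility], SEVERITIES[severity],
                         timestamp, hostname, content, pri_present)


def open_listener(bind_addr: str = "0.0.0.0", port: int = SYSLOG_PORT) -> socket.socket:
    """Bind a UDP socket. Syslog is datagram based: no listen(), no accept(), no connection."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    return sock


def receive_one(sock: socket.socket, timeout: Optional[float] = 5.0) -> Tuple[str, SyslogMessage]:
    """Block for one datagram and return (source IP, parsed message)."""
    sock.settimeout(timeout)
    data, (src_ip, _src_port) = sock.recvfrom(MAX_DATAGRAM)
    return src_ip, parse_rfc3164(data)


def send_syslog(host: str, port: int, facility: str, severity: str,
                hostname: str, content: str) -> bytes:
    """Send one RFC 3164 message over UDP and return the exact bytes put on the wire."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    now = time.localtime()
    # RFC 3164 timestamp: "Mmm dd hh:mm:ss", day of month space padded to two characters
    ts = f"{MONTHS[now.tm_mon - 1]} {now.tm_mday:2d} {now.tm_hour:02d}:{now.tm_min:02d}:{now.tm_sec:02d}"
    payload = f"<{pri}>{ts} {hostname} {content}".encode("ascii")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))
    return payload


if __name__ == "__main__":
    # Binding port 514 needs an elevated (Administrator/root) process. To check the listener
    # without the access point, run this, then from another shell call
    # send_syslog("127.0.0.1", 514, "local0", "info", "ap700", "constructed test message").
    listener = open_listener()
    while True:
        src, msg = receive_one(listener, timeout=None)
        print(f"{src} {msg.facility}.{msg.severity} {msg.hostname or '-'} {msg.content}")
```

Two practical points follow from the code. First, UDP syslog carries no authentication and no acknowledgement: the source address is whatever the sender (or a spoofer on the path) puts in the packet, and a dropped datagram is simply gone, so bind the listener to the interface that faces the access points, allow only 514/udp from their addresses in the Windows Firewall, and treat the parsed fields as untrusted input before they go anywhere near a log viewer or a database. Second, the loopback self-test is what answers "is the switch really sending anything": if a message sent from the same machine shows up and the device's message does not, the problem is on the path or in the device's logging configuration, exactly where the sniffer advice above points.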