Writing a customized SYSLOG server for Windows

I wish to write a SYSLOG server for Windows using Delphi (2007). I know there are many good products on the market but I have custom requirements. My objective is to obtain SYSLOG events from some wireless access points. I don't know anything about SYSLOG events so can anyone get me started? Is this just a TCP server listening on a particular port, then parsing the protocol? On the switches they just want a port and ip addr of the Syslog server.
I would take a look at RFC 3195 and RFC 3164.

In short, yes, it is just listening on a port for the data to be sent to it and logging said data.
Oh and if you are not familiar with what an RFC is, you can read about it here.

I know, I know, the dreaded wiki link....... ahhhhhh.
I did that - opened a server socket on port 514 and told the device to send SYSLOGs to my IP addr. But have not received any SYSLOG messages. Could be a firewall thing - I'm checking that. There is no way to tell if the switch is really sending anything.

Does my server machine need any special services running or anything set up? I did a test from a client socket on another machine and it gets to my server OK via the network.
Know how to use a sniffer? If so install Wireshark (or some other sniffer) on your server and set up a filter to see if any traffic is being received by it with a destination IP of your server and a port of 514.

That way you can see at the raw network level if anything is being received.

If you are not getting anything, see if you can set up a sniffer as close to the switch as possible (close network-wise); on it would be best, and see if any syslog traffic is coming out of the switch.

There are other things to think about here, like firewalls. If there is a firewall between your syslog server and your switch it could be blocking that traffic. This includes the Windows firewall on the server. So make sure it's off, or that you add an exception for this port or app on that server.

Make sure it's set up on your switch correctly. What kind of switch is it? Is it Cisco gear? If so, make sure you have logging even turned on. You could have a log server specified but not be logging anything.

If it is a Cisco switch you should have some statements like this in your config.

logging console informational   <-- this actually turns on the logging for this event
logging monitor informational   <-- this actually turns on the logging for this event

logging trap warning    <-- this sets the level of logging to send to the syslog server.
logging <ip address>    <-- this sets the IP address of the syslog server.
It is a Proxim AP700 - Syslog logging is enabled via http interface.
Make sure it's actually logging things though. Is there a way to check the logs on it via the web interface?
Oh, and I found out about the TCP / UDP thing, it could be either... so ya. I would assume most devices send via TCP.
Here is a link to some source code of a simple syslog server. Maybe this will help too.

Again, not a programmer... so not sure how helpful this is if you are writing code in Delphi.
It started working when I tried a UDP server socket, instead of a TCP socket. Thanks much, and for all the additional information too.
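For anyone landing on this thread later, here is an added example (not from any poster, and not Delphi) of the two things the thread settles on: bind a UDP socket on port 514 and parse the RFC 3164 `<PRI>TIMESTAMP HOSTNAME TAG: MSG` format, with the fallbacks the RFC requires when a device (the AP700 or anything else) omits the header. The sample datagrams and the `ap700-lobby` host name are constructed.

```python
import re
import socket
from dataclasses import dataclass
from typing import Iterator, Optional

# RFC 3164 names; PRI = facility * 8 + severity, so PRI must be 0..191.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI> then an optional "Mmm dd hh:mm:ss HOSTNAME " header (day may be space padded).
_RE = re.compile(r"^<(\d{1,3})>(?:([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) )?(.*)$", re.S)


@dataclass
class SyslogMsg:
    facility: str
    severity: str
    timestamp: Optional[str]
    host: str
    text: str


def parse_rfc3164(datagram: bytes, peer: str) -> SyslogMsg:
    """Parse one datagram. 'peer' is the sender's IP, used when the HOSTNAME field is absent."""
    line = datagram.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    m = _RE.match(line)
    # RFC 3164 4.3.3: no valid PRI means treat the whole packet as user.notice.
    if not m or int(m.group(1)) > 191:
        return SyslogMsg("user", "notice", None, peer, line)
    pri = int(m.group(1))
    return SyslogMsg(FACILITIES[pri // 8], SEVERITIES[pri % 8],
                     m.group(2), m.group(3) or peer, m.group(4))


def serve(port: int = 514, bufsize: int = 2048) -> Iterator[SyslogMsg]:
    """Listen on UDP (not TCP, which is what the AP700 needed) and yield parsed messages."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))  # binding 514 needs admin/root rights on most systems
    while True:
        data, (addr, _) = sock.recvfrom(bufsize)
        yield parse_rfc3164(data, addr)


if __name__ == "__main__":
    for msg in serve():
        print(f"{msg.timestamp} {msg.host} {msg.facility}.{msg.severity}: {msg.text}")
```

Because the parser is separate from the socket loop, the same function can be run over a Wireshark export of port 514 traffic to check what the device is really sending.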