When something goes wrong in your network, you often don’t find out about it until your users are affected, and you’re left scrambling to identify the issue and understand its root cause.
The faster you find out about a network issue and why it’s happening, the quicker you can implement the right fix and spare your network users from unnecessary downtime. SNMP monitoring—like what’s available in Auvik—can alert you when something bad happens, but it can’t answer why it’s happening. That’s where syslog comes in.
What is syslog and why is it important?
Log messages are generated by a device and create a record of events that occur on the device. The logs give you information about important events, device health, and normal and abnormal happenings on a device—information which can be absolutely critical when troubleshooting a network issue.
Logs are stored locally in the device's memory and, historically, you'd have to go directly to the device to access them. This led to two key problems:
- If a device reboots, all of its logs are gone.
- You have to log into each device on a network separately in order to access its logs.
Syslog is a widely adopted, standard network-based logging protocol that was created to solve these two problems. Syslog works on essentially every device on your network—whether it's a router, switch, or firewall—and lets devices send free-text log messages to a remote server instead of keeping them only in local memory.
Why should I use syslog in Auvik?
Although syslog servers have solved the problem of centralized access to logs and plenty of standalone log management systems exist, separate servers and systems create huge administrative headaches for IT teams.
Auvik centralizes syslog data for all your network devices across all your sites, allowing you to search and filter to get to the root cause of network issues and troubleshoot them faster. This has several benefits.
1) It removes administrative overhead
With one lightweight Auvik collector for all of your data sources—including device metrics, flows, and logs—you don’t have to install or maintain any additional collectors just for syslog.
You don’t have to maintain inventory details in yet another system and you don’t have to rotate log files and maintain an additional database. With Auvik, you simply have to forward syslog to the same collector you’re already using.
2) It speeds up resolution times by having all the context you need in one place
With standalone syslog systems, your team not only has to learn how to use a new, separate tool, but they also have to switch between tools when troubleshooting.
Jumping between multiple tools takes up valuable time, and also makes it incredibly difficult to understand why a network issue is happening. It’s tough to correlate performance metrics to logs when the whole picture is splintered across multiple tools.
With Auvik, you can easily see network topology, performance metrics, configurations, traffic, and logs without having to leave your browser. By having all the context you need to troubleshoot a network issue in one place, you save tons of time and can resolve issues faster.
3) It gives you visibility across all of your sites
Due to the administrative overhead and the additional costs of a separate tool, IT teams have historically centralized syslog only for their largest or most important sites, leaving the rest in the dark.
With Auvik, you don’t have to pick and choose which sites benefit from syslog. Since Auvik is super simple to roll out across sites, lives in the cloud, and has a scalable pricing model, you can standardize the visibility you have into each of your networks. As long as it’s a Performance site in Auvik, you can set up syslog and troubleshoot issues quickly, regardless of whether it’s HQ, a remote branch office, or a client site.
Quick facts about syslog in Auvik
Syslog is available on all of your Performance sites. Before digging into your device logs, here are some important facts you should know:
- Setup is simple—you only have to configure a device to forward syslog to the Auvik collector. There are no additional collectors to install and maintain in the network, and there’s no need to set up and maintain a local database to store logs. In fact, if you have an Auvik collector installed on the network and you’ve configured your device to forward syslog, you’ll start seeing logs in minutes. See How do I get started with syslog? for more information.
- You can search and filter logs on any device without leaving the device dashboard. You can also export logs as a CSV file to send them to a device manufacturer’s technical support team or attach the file to a ticket in your PSA or ITSM.
- By default, Auvik only processes messages with severity levels 0 to 4—emergency to warning—so you only store logs that matter. (But even this is customizable—if you want to reduce the noise even further, you can easily turn off warning messages with a single click. If you’re debugging an issue, you can turn on severity levels 5 to 7 temporarily.) See How do I discard or process syslog based on severity? for more information.
- While you’ll only need to access logs from the past three or four days for a majority of troubleshooting scenarios, Auvik retains logs for 14 days to help you shed even more light on intermittent issues. See How long are syslog messages retained in Auvik? for more information.
- There’s a transfer volume limit that defines how many messages can be sent in total for each site. It’s defined by the number of billable devices, so the larger your site, the higher the limit. Currently, the limit in a 14-day window is 700,000 messages per billable device. See How many syslog messages can a site send to Auvik? for more information.
- We understand that spikes happen and you may occasionally exceed the transfer volume limit. Auvik has a fair usage policy and continues to process and retain messages even if your site exceeds its limit. However, if the site stays above twice its volume limit for more than 14 days, you might see a notification inside Auvik asking you to modify the severity filters or investigate further.
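As an added example (not code from this page or from Auvik), here is a small Python filter that decodes the syslog PRI header into facility and severity and applies the severity policy described above: keep levels 0 to 4 by default, optionally drop warnings (4), or temporarily enable 5 to 7 while debugging. The sample lines, hostnames, and function names are constructed for illustration.

```python
import re

# PRI header "<NNN>" opens every syslog datagram; NNN = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
SEVERITY_NAMES = ("emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug")


def parse_pri(line):
    """Return (facility, severity, body) or None if the PRI is missing or > 191."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:   # 23 * 8 + 7 is the largest legal PRI
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2).strip()


def default_severities(keep_warnings=True, debug_mode=False):
    """Model the filter the page describes: 0..4 by default, warning (4) optional, 5..7 on demand."""
    levels = set(range(5))
    if not keep_warnings:
        levels.discard(4)
    if debug_mode:
        levels.update(range(5, 8))
    return frozenset(levels)


def filter_messages(lines, severities=None):
    """Keep parsed messages whose severity is allowed; malformed lines are dropped."""
    allowed = default_severities() if severities is None else severities
    parsed = (parse_pri(line) for line in lines)
    return [msg for msg in parsed if msg is not None and msg[1] in allowed]


# Constructed sample lines (not from the page): RFC 3164 and RFC 5424 shapes.
SAMPLE_LOGS = [
    "<3>Jan  9 10:00:01 core-rtr01 kernel: link flap detected on eth2",              # kern.err
    "<132>Jan  9 10:00:02 access-sw04 %STP-4-ROOT_CHANGE: root bridge changed",     # local0.warning
    "<13>1 2024-01-09T10:00:03Z fw-edge01 sshd - - - session opened for user ops",  # user.notice
    "<190>1 2024-01-09T10:00:04Z core-rtr01 bgpd - - - keepalive sent to peer",     # local7.info
    "<34>1 2024-01-09T10:00:05Z fw-edge01 auth - - - too many failed logins",       # auth.critical
    "not a syslog line at all",                                                     # dropped
]

if __name__ == "__main__":
    for fac, sev, body in filter_messages(SAMPLE_LOGS):
        print(f"{SEVERITY_NAMES[sev]:>13} fac={fac:<2} {body}")
```

With the default policy only the error, warning, and critical lines survive; switching on debug mode keeps all five well-formed lines, and the unparseable line is always dropped.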
What’s next on the Auvik roadmap for syslog?
Centralizing logs so they are easier to view, search, and filter is only the first phase for syslog in Auvik. We're working hard to build out the feature to help you solve even more problems, including:
- Long-term retention: We’re working on giving you the ability to archive logs and store them in your own cloud storage for however long you’d like.
- Real-time alerts: To support real-time network monitoring and help you proactively respond to network issues, we’re working on being able to trigger alerts from syslog messages.
How can I get started with syslog in Auvik?
If you’re already an Auvik customer, see How do I get started with syslog?
If you’re not an Auvik customer, try Auvik free for 14 days.