setup a syslog server

How to Set Up a Syslog Server: A Complete Step-By-Step Guide

By Staff Member on June 13, 2025

Syslog servers are essential for centralized log management, helping network engineers monitor, troubleshoot, and secure network devices efficiently. This guide walks you through setting up a syslog server from scratch, focusing on practical steps using rsyslog on a Linux system—a common and robust choice for syslog collection.

Windows does not have a native syslog server, so you need third-party software. This article suggests the best tools for that process and guides you through the configuration.

Key takeaways:

  1. Setting up a syslog server centralizes log management, making it easier to monitor and troubleshoot network devices. Both Linux (with rsyslog) and Windows (with third-party tools) can be configured to collect logs from across your network.
  2. Secure your syslog server by enabling TCP or Transport Layer Security (TLS) to protect log data in transit, especially in sensitive environments. Regularly monitor server health and storage to ensure reliable log collection.
  3. Tools such as SolarWinds® Kiwi Syslog® Server offer user-friendly interfaces, advanced alerting, and seamless integration for both Windows and Linux environments. This streamlines log analysis and helps meet compliance and security requirements.

Step 1: Prepare Your Syslog Server Environment

  • Choose your hardware or VM: For small to medium environments (~50 devices), a server with two to four CPU cores, 8GB RAM, and 100GB+ storage is sufficient.
  • Operating system: Ubuntu 20.04 LTS and RHEL/CentOS 8 are recommended.
  • Install rsyslog: Most Linux distros come with rsyslog preinstalled.

Verify with:

text

rsyslogd -v

If missing, install with:

text

sudo apt update sudo apt install rsyslog

This lightweight setup can even run on a Raspberry Pi for small setups.

Step 2: Configure rsyslog to Receive Remote Logs

  1. Edit the main configuration file:

text

sudo nano /etc/rsyslog.conf
  1. Enable UDP and TCP syslog reception by uncommenting or adding:

text

module(load="imudp") input(type="imudp" port="514") 
module(load="imtcp") input(type="imtcp" port="514")
  • UDP (port 514) is faster but does not guarantee message delivery.
  • TCP (port 514) is more reliable and preferred for critical logs.
  1. Save and exit the file.
  2. Restart rsyslog to apply changes:

text

sudo systemctl restart rsyslog

Step 3: Secure Your Syslog Server With TLS (Optional but Recommended)

To protect log data in transit, configure TLS encryption:

  1. Prepare certificates (CA, server cert, server key).
  2. Add the following to your rsyslog config (e.g., /etc/rsyslog.conf or a dedicated file):

text

$ModLoad imtcp.so $DefaultNetstreamDriver gtls $DefaultNetstreamDriverCAFile /etc/rsyslog.d/cert/ca.pem $DefaultNetstreamDriverCertFile /etc/rsyslog.d/cert/server.cert.pem $DefaultNetstreamDriverKeyFile /etc/rsyslog.d/cert/server.key.pem $InputTCPServerStreamDriverAuthMode x509/name $InputTCPServerStreamDriverPermittedPeer <client IP address> $InputTCPServerStreamDriverMode 1 $InputTCPServerRun 10514
  1. Restart rsyslog:

text

sudo systemctl restart rsyslog
  1. Verify logs for successful TLS setup:

text

cat /var/log/messages

This ensures secure log transmission, which is critical for sensitive environments.

Step 4: Configure Network Devices to Send Logs

On each device (switch, router, and firewall):

  • Specify the syslog server IP address and port (usually 514).
  • Choose protocol (UDP/TCP).
  • For devices supporting secure syslog, configure TLS or secure syslog mode.
  • Example for a switch command-line interface:

text

syslogadmin --set -ip 192.168.1.100

For secure mode with a custom port:

text

syslogadmin --set -ip 192.168.1.100 -secure -port 2000
  • Verify configured syslog servers:

text

syslogadmin --show -ip

Up to six syslog servers can often be configured for redundancy.

Step 5: Optimize and Monitor Your Syslog Server

  • Use rsyslog modules to parse JavaScript Object Notation logs, and send logs to databases or a third-party tool for analysis.
  • Configure queues and disk buffers to handle log bursts without data loss.
  • Set up alerting rules to notify you of critical events immediately.
  • Regularly monitor syslog server health and storage capacity.

How to Set Up a Syslog Server on Windows

1. Choose and Install Syslog Server Software

Windows does not have a native syslog server, so you need third-party software. Popular options include:

  • Syslog Watcher (commercial, user-friendly)
  • Snare for Windows (flexible, open-source)
  • Kiwi Syslog Server (widely used)

For example, to install Kiwi Syslog Server:

  1. Download the latest Kiwi Syslog Server installer from the official SolarWinds website.
  2. Run the .exe installation file.
  3. Accept the license agreement.
  4. Choose Install Kiwi Syslog Daemon as an Application and proceed.
  5. Select desired shortcuts and installation location.
  6. Complete the installation and launch the Kiwi Syslog Server application.
  7. If Windows Firewall prompts, allow access for Kiwi Syslog Server to receive incoming syslog messages on port 514.
  8. Configure Kiwi Syslog Server to Receive Logs
  9. Open Kiwi Syslog Server.
  10. Go to File > Setup > Inputs tab.
  11. For the free version, specify up to five source IP addresses from which logs will be accepted.
  12. For licensed versions, you can accept logs from unlimited devices.
  13. Confirm UDP port 514 is enabled (default syslog port).
  14. Optionally configure TCP or custom ports if needed.

3. Customize Log Views and Alerts

  • Kiwi Syslog Server offers up to 25 customizable log display views to filter by IP, hostname, severity, or message content.
  • Set up intelligent alerts to notify you via email, sound, pager, or SMS when specific syslog criteria are met.
  • Use built-in actions to trigger scripts, forward logs, or archive messages automatically.

4. Test and Monitor

  • Configure your network devices to send syslog messages to the Windows server IP on port 514.
  • Verify logs that appear in the Kiwi Syslog Server interface.
  • Use the web console for remote monitoring and advanced filtering.

Simplify Syslog Monitoring and Management Across Windows and Linux With Kiwi Syslog Server

Kiwi Syslog Server offers a comprehensive and easy-to-use solution for syslog monitoring and management across both Windows and Linux environments. It collects, logs, and displays syslog messages and SNMP traps from a wide range of network devices, including routers, switches, Linux/Unix hosts, and Windows servers.

With Kiwi Syslog Server, network engineers gain centralized visibility through a customizable web console that supports real-time filtering, advanced alerting, and automated responses such as email notifications, script execution, and message forwarding. The server also supports forwarding Windows event logs using the included Log Forwarder for Windows, enabling unified log management.

Additionally, Kiwi Syslog Server helps meet compliance requirements by scheduling automated log archiving and retention, while its robust performance can handle millions of messages per hour with reliable buffering under heavy load. Whether managing logs locally or remotely, Kiwi Syslog Server streamlines syslog monitoring and empowers proactive network management across heterogeneous infrastructures.

Take control of your network’s log data today—download Kiwi Syslog Server and experience centralized, efficient syslog monitoring and management for your Windows and Linux systems.

Related Posts