Syslog performance: Data modeling and transport

Syslog is one of the basic methods for event logging in computer networks. Log messages that are generated by syslog can be used for a number of purposes, including optimizing system performance, system auditing, and investigating malicious activities in a computer network. Considering all these attractive uses, both timeliness and reliability is needed when syslog messages are transported over a network. The unreliable transport protocol UDP was specified in the original syslog specification; later a reliable transport service based on TCP was also proposed. However, TCP is a costly alternative in terms of delay. In our previous work, we introduced the partially reliable extension of SCTP, PR-SCTP, as a transport service for syslog, trading reliability against timeliness by prioritizing syslog messages. In this work, we first model syslog data using real syslog traces from an operational network. The model is then used as input in the performance evaluation of PR-SCTP. In the experiments, real congestion is introduced in the network by running several competing flows. Although PR-SCTP clearly outperformed TCP and SCTP in our previous work, our present evaluations show that PR-SCTP performance is largely influenced by the syslog data size characteristics.