How to Configure SNMP and Syslog on Windows and Linux servers - Part 2: A Complete Guide for Sysadmins
Table of Contents
Introduction
Windows Servers
-SNMP
--Transmitting SNMP
--Receiving SNMP
-Syslog
--Transmitting Syslog
--Receiving Syslog
Linux Servers
-SNMP
--Transmitting SNMP
--Receiving SNMP
-Syslog
--Transmitting Syslog
--Receiving Syslog
Conclusion
Introduction
Part 1 provided a brief introduction to SNMP (and its versions) as well as Syslog. It also covered how to configure, verify and troubleshoot all versions of SNMP and Syslog for both Cisco Switches and Juniper Firewalls. This blog post (Part 2) continues with how to configure, verify and troubleshoot SNMP and Syslog for Windows and Linux Servers, where those messages are sent to another server (covered in the Transmitting sections). In the Receiving sections, the scenario where the Windows and Linux Server can act as a Network Management System (NMS) and receive SMNMP and Syslog information are covered.
Windows Servers
SNMP
Transmitting SNMP
SNMP v1, v2c and v3 secure configuration on Windows Server 2016
This guide explains how to securely configure SNMP on Windows Server 2016 for use with a legacy Network Management System (NMS) at 10.1.1.1. The guide covers:
- SNMP v1
- SNMP v2c
- SNMP v3
- GUI configuration
- PowerShell configuration
- Windows Firewall hardening
- Verification and troubleshooting
- Security best practices
This guide assumes:
- Windows Server 2016 standalone server
- IPv4 only
- Monitoring only (read-only)
- Enterprise production environment
- Legacy NMS support required for SNMP v1/v2c
- SNMP v3 configured with SHA authentication and AES encryption (authPriv)
- Windows Defender Firewall enabled
- An understanding of SNMP Versions
Part 1 — Install the SNMP Service on Windows Server 2016 (SNMP v1/v2c only)
Windows Server 2016 includes Microsoft SNMP Service for SNMP v1/v2c. It is important to note that Microsoft’s native SNMP service does NOT support SNMP v3. Therefore SNMP v3 requires a third party agent.
Installing SNMP via GUI
Step 1 — Open Server Manager
Navigate to: Server Manager → Manage → Add Roles and Features
Why This Matters: Windows Server 2016 installs SNMP as an optional feature rather than enabling it by default. This reduces the attack surface.
Step 2 — Select Role based Installation
Choose: Role based or feature based installation. Click Next.
Why This Matters: This method installs SNMP directly on the local server.
Step 3 — Select the Local Server
Choose the target Windows Server 2016 instance. Click Next.
Step 4 — Install SNMP Service
Navigate to: Features → SNMP Service. Select SNMP Service.
Optional: SNMP WMI Provider. Click Install.
Why This Matters: The SNMP Service provides SNMP polling capability. The WMI Provider allows Windows management integration but is not required for standard NMS polling.
Installing SNMP via PowerShell
Run PowerShell as Administrator.
Install-WindowsFeature -Name SNMP-Service -IncludeManagementTools
Verify installation:
Get-WindowsFeature SNMP*
Why This Matters: PowerShell enables repeatable enterprise deployment and automation.
Part 2 — Configure SNMP v1/v2c Securely
SNMP v1/v2c use nearly identical configuration methods on Windows.
Step 1 — Configure SNMP via GUI. Open SNMP Service Properties
Open services.msc. Locate SNMP Service. Right-click → Properties.
Step 2 — Configure the Agent Tab and enter the contact and location information. Example:
- Contact: Network Operations
- Location: Datacenter Rack A
Why This Matters: these fields help administrators identify devices in large monitoring environments.
Avoid sensitive information like:
- usernames
- phone numbers
- internal asset IDs
Step 3 — Enable Required Services
Select only required options:
- Physical
- Applications
- Internet
- End to end
Why This Matters: these values identify server capabilities to the NMS. They are informational only.
Step 4 — Configure the Security Tab. This is the most important section.
Remove “public”
Delete any default community strings.
Why This Matters: public is universally known and heavily targeted. Leaving it enabled creates a serious security risk.
Step 5 — Create Read-Only Community String
Add a community string and ensure its rights are set to READ ONLY
Why This Matters: Read-only access prevents remote configuration changes.
Never use the following unless absolutely required: READ WRITE or READ CREATE
Step 6 — Accept SNMP Packets from Approved Hosts Only
Select:
accept SNMP packets from these hosts Add 10.1.1.1
Why This Matters: This is one of the most important hardening controls. Without this restriction, any host capable of reaching UDP/161 could attempt SNMP queries. Restricting polling to the NMS IP dramatically reduces exposure.
Step 7 — Disable Authentication Traps (Optional)
In high-security environments:
Uncheck: Send authentication trap
Why This Matters: authentication traps can generate excessive noise and may expose monitoring behaviour patterns. Some environments still enable them for alerting purposes.
Step 8 — Restart the SNMP Service
Restart-Service SNMP or use Services.msc.
Why This Matters: SNMP configuration changes do not always apply until the service restarts.
Step 9 — Configure Windows Firewall to allow SNMP from NMS Only
GUI Method
Open: Windows Defender Firewall with Advanced Security
Create inbound rule:
| Setting | Value |
|---|---|
| Protocol | UDP |
| Port | 161 |
| Remote IP | 10.1.1.1 |
| Action | Allow |
PowerShell Method
New-NetFirewallRule ` -DisplayName "Allow SNMP from NMS" ` -Direction Inbound ` -Protocol UDP ` -LocalPort 161 ` -RemoteAddress 10.1.1.1 ` -Action Allow
Why This Matters: firewall restrictions provide a second security layer even if the SNMP configuration becomes misconfigured. Defense in depth is essential in enterprise environments.
Verify SNMP v1/v2c Configuration
Verify Service Status
Get-Service SNMP
Expected:
Status : Running
Verify Listening Ports
netstat -ano | findstr :161
Expected:
UDP 0.0.0.0:161
Test from NMS
Example Linux command:
snmpwalk -v2c -c examplestring 10.1.1.10 system
Example Windows Net-SNMP command:
snmpwalk.exe -v2c -c examplestring 10.1.1.10 system
Why This Matters: snmpwalk validates:
- connectivity
- authentication
- MIB access
- firewall rules
Troubleshooting SNMP v1/v2c
Problem: Timeout
Possible causes:
- Windows Firewall blocking UDP/161
- Incorrect source IP restriction
- SNMP service stopped
- NMS IP mismatch
Check:
Test-NetConnection -ComputerName localhost -Port 161
Note: UDP testing is limited with Test-NetConnection.
Problem: Authentication Failure
Possible causes:
- Incorrect community string
- Wrong SNMP version
- Packet filtering restrictions
Problem: SNMP Service Missing
Check installation:
Get-WindowsFeature SNMP-Service
Part 3 — Secure SNMP v3 on Windows Server 2016
Because Microsoft SNMP does not support SNMP v3, a third-party agent is required. The recommended Free/Open-Source SNMP v3 Agent is Net- SNMP as it is widely used in enterprise environments. It supports:
- SNMP v1
- SNMP v2c
- SNMP v3
- SHA authentication
- AES encryption
Install Net-SNMP on Windows
Step 1 — Download Net-SNMP
Download the Windows build from the official project or a trusted enterprise repository. Install to: C:\usr. The directory matters as Net-SNMP uses UNIX-style directory structures even on Windows.
Step 2 — Locate snmpd.conf for SNMPv3
Typical location: C:\usr\etc\snmp\snmpd.conf
Step 3 — Configure Secure SNMP v3 User
Example configuration:
createUser snmpv3user SHA "StrongAuthPassword123!" AES "StrongPrivacyPassword123!" rouser snmpv3user authPriv
Why This Matters: this configuration provides the recommended production configuration:
| Feature | Purpose |
|---|---|
| SHA | Authentication integrity |
| AES | Encryption |
| authPriv | Authentication + privacy |
Restrict SNMP v3 Access to the NMS
Step 4 — Restrict Source Access
Add:
agentAddress udp:161 com2sec notConfigUser 10.1.1.1/32 examplestring
For stricter VACM controls:
view all included .1 80 access notConfigGroup "" any noauth exact all none none
Why This Matters: access control reduces the risk of unauthorised polling attempts.
Configure Windows Firewall for SNMP v3
Step 5 — Allow UDP/161 from NMS Only
New-NetFirewallRule ` -DisplayName "Allow SNMP v3 from NMS" ` -Direction Inbound ` -Protocol UDP ` -LocalPort 161 ` -RemoteAddress 10.1.1.1 ` -Action Allow
Start the Net-SNMP Service
Step 6 — Start SNMP Service
Start-Service snmpd
Set startup type:
Set-Service snmpd -StartupType Automatic
Verify SNMP v3
Test Using snmpwalk
snmpwalk -v3 \ -u snmpv3user \ -l authPriv \ -a SHA \ -A StrongAuthPassword123! \ -x AES \ -X StrongPrivacyPassword123! \ 10.1.1.10 system
Why This Matters: this validates:
- authentication
- encryption
- VACM permissions
- UDP connectivity
Troubleshooting SNMP v3
Problem: Unknown User Name
Cause: user not created correctly
Check:
createUser line exists
Restart service afterward.
Problem: Decryption Errors
Cause: AES password mismatch
Verify:
--X privacy password -AES enabled on NMS
Problem: Unsupported Security Level
Cause: NMS configured for authNoPriv instead of authPriv
Ensure both sides match.
Operational Hardening Best Practices
1. Prefer SNMP v3 Whenever Possible
SNMP v3 should always be the production standard. Use SNMP v1/v2c only for legacy devices or temporary compatibility.
2. Never Use Default Community Strings
Avoid: public, private or manager and use complex strings instead. In production, use long randomised values and password vault storage.
3. Restrict SNMP to Specific Hosts
Always restrict access to 10.1.1.1. Never allow any host or entire subnets unless required.
4. Use Read-Only Access
Monitoring systems rarely need write access. Read-write SNMP dramatically increases risk.
5. Limit Firewall Exposure
Allow only UDP/161 from the NMS. Block all other sources.
6. Monitor SNMP Logs
Review:
- Windows Event Viewer
- Net-SNMP logs
- Firewall logs
Look for:
- authentication failures
- scanning activity
- unexpected polling sources
Recommended Enterprise Deployment Strategy
| Environment | Recommendation |
|---|---|
| Legacy monitoring only | SNMP v2c with strict ACLs |
| Modern secure environment | SNMP v3 authPriv |
| High-security environment | SNMP v3 only |
| Internet exposed systems | Avoid SNMP entirely |
Receiving SNMP
This guide explains how to configure Windows Server 2016 as a Network Management System (NMS) that:
- Securely polls approximately 1,000 devices
- Receives SNMP traps
- Receives INFORM messages where supported
- Supports SNMP v1, v2c, and v3
- Uses Net-SNMP tools for testing and troubleshooting
- Includes operational hardening and scale optimisation
When acting as an NMS, the Windows Server performs two separate SNMP functions:
| Function | Direction |
|---|---|
| Polling devices | Outbound UDP/161 |
| Receiving traps/informs | Inbound UDP/162 |
For a production deployment monitoring 1,000 devices, the recommended architecture is:
| Component | Recommendation |
|---|---|
| SNMP polling | SNMP v3 where possible |
| Legacy support | SNMP v2c only where required |
| SNMP v1 | Avoid unless absolutely necessary |
| Trap reception | Centralised trap listener |
| Polling intervals | Staggered |
| Network | Dedicated management VLAN |
| Firewalling | Restrict SNMP traffic to known subnets |
Part 1 — Install SNMP Components
There are two distinct requirements:
- Windows SNMP Service used for local SNMP agent functionality
- Net-SNMP Tools used for polling, testing, trap reception and SNMP v3 support
Install Windows SNMP Service
GUI Installation
Navigate to: Server Manager → Manage → Add Roles and Features Select: SNMP Service Optional: SNMP WMI Provider
PowerShell Installation
Install-WindowsFeature -Name SNMP-Service -IncludeManagementTools
Verify:
Get-WindowsFeature SNMP*
Why This Matters: The Windows SNMP service allows:
- local monitoring of the NMS itself
- interoperability with legacy tools
- trap forwarding integration in some environments
Install Net-SNMP
Use: the Net-SNMP Official Website
<https://www.net-snmp.org/>
Install to C:\usr. The Net-SNMP toolkit includes:
| Tool | Purpose |
|---|---|
| snmpwalk | Poll devices |
| snmpget | Query single OIDs |
| snmptrap | Send test traps |
| snmptrapd | Receive traps |
| snmpbulkwalk | Efficient large polling |
Part 2 — Configure the Windows SNMP Agent
Even though this server acts primarily as an NMS, it should still expose a local SNMP agent for monitoring.
Configure SNMP v1/v2c Agent
Step 1 — Open SNMP Service Properties
Open services.msc Locate: SNMP Service Right-click → Properties.
Step 2 — Configure Community String
Under the Security tab:
Remove: public and private
Add:
| Community | Rights |
|---|---|
| examplestring | READ ONLY |
Why This Matters: default community strings are heavily targeted by attackers. READ ONLY prevents configuration modification via SNMP.
Step 3 — Restrict Allowed Hosts
Select:
Accept SNMP packets from these hosts Add trusted management subnet examples: 10.1.1.0/24
Why This Matters: restricting source IPs reduces unauthorised polling risk. This is mandatory in enterprise deployments.
Step 4 — Restart SNMP Service
Restart-Service SNMP
Part 3 — Configure Windows Firewall
The NMS must carry out the below functions:
| Function | Port |
|---|---|
| Poll devices | UDP/161 outbound |
| Receive traps | UDP/162 inbound |
Configure Inbound Trap Rules
Allow SNMP Traps New-NetFirewallRule ` -DisplayName "Allow SNMP Traps" ` -Direction Inbound ` -Protocol UDP ` -LocalPort 162 ` -RemoteAddress 10.1.1.0/24 ` -Action Allow
Configure Outbound Polling Rules
Allow SNMP Polling New-NetFirewallRule ` -DisplayName "Allow Outbound SNMP Polling" ` -Direction Outbound ` -Protocol UDP ` -RemotePort 161 ` -RemoteAddress 10.1.1.0/24 ` -Action Allow
Why This Matters: many engineers forget outbound firewall filtering but without outbound UDP/161, polling fails silently.
Part 4 — Polling Workflow
The NMS performs the below polling flow:
- NMS → UDP/161 → Device
- Device → UDP response → NMS
For SNMP v3: authentication and encryption occur before data exchange
Some recommended polling intervals for 1000+ Devices
| Device Type | Recommended Interval |
|---|---|
| Core routers/switches | 60 seconds |
| Access switches | 300 seconds |
| Servers | 300 seconds |
| Printers | 900 seconds |
| Environmental sensors | 300-600 seconds |
Why This Matters: Over polling creates:
- unnecessary CPU load
- UDP packet drops
- delayed trap processing
Scale optimisation for 1000 devices
1. Use SNMP BULK Operations
Prefer snmpbulkwalk instead of repeated snmpget. Why This Matters: bulk retrieval dramatically reduces:
- packets per second
- CPU usage
- polling latency
2. Stagger Polling Windows
Avoid polling all devices simultaneously. Recommended to distribute polling across 60-second windows. Why This Matters: simultaneous polling bursts can overwhelm:
- NIC queues
- UDP buffers
- firewall state tables
3. Separate Trap Processing from Polling
If possible dedicate separate services/processes and prioritise trap listener responsiveness. Why This Matters: trap storms can delay polling while polling spikes can drop traps.
4. Use Dedicated Management NICs
For large environments to isolate SNMP traffic from production workloads
5. Avoid Excessive OID Polling
Do not poll unless operationally required:
- unnecessary interface counters
- full routing tables
- large ARP tables
- massive environmental datasets
Part 5 — Configure SNMP v3 Polling
The Microsoft SNMP service does not support SNMP v3 so Net-SNMP tools is used to handle SNMPv3 polling. Below is an example shared SNMP v3 profile:
| Setting | Value |
|---|---|
| Username | snmpv3user |
| Security Level | authPriv |
| Authentication | SHA |
| Privacy | AES128 |
Below is a SNMP v3 polling example using snmpwalk from the Net-SNMP toolset:
snmpwalk -v3 \ -u snmpv3user \ -l authPriv \ -a SHA \ -A AuthPassword123! \ -x AES \ -X PrivacyPassword123! \ 10.1.1.50 system
Why This Matters: This validates:
- SNMP v3 authentication
- encryption
- UDP connectivity
- firewall access
Below is an efficient SNMP v3 polling example using snmpbulkwalk:
snmpbulkwalk -v3 \ -u snmpv3user \ -l authPriv \ -a SHA \ -A AuthPassword123! \ -x AES \ -X PrivacyPassword123! \ 10.1.1.50 ifDescr
Why This Matters: bulk polling is essential at enterprise scale.
Part 6 — Configure Trap Reception
Devices send unsolicited notifications (traps) in this order: Device → UDP/162 → NMS. INFORM messages differ because the NMS acknowledges receipt.
Step 1 — Configure Net-SNMP Trap Receiver using snmptrapd.conf
File location C:\usr\etc\snmp\snmptrapd.conf
Example:
authCommunity log,execute,net examplestring createUser snmpv3user SHA "AuthPassword123!" AES "PrivacyPassword123!" authUser log,execute,net snmpv3user
Why This Matters: this authorises:
- SNMP v2c trap processing
- SNMP v3 trap processing
- without exposing unrestricted access.
Step 2 — Start snmptrapd
Start-Process "C:\usr\bin\snmptrapd.exe"
Step 3 — Verify Listening Port
netstat -ano | findstr :162
Expected:
UDP 0.0.0.0:162
Part 7 — Test Trap Reception
Send Test SNMP v2c Trap
snmptrap -v2c -c examplestring 10.1.1.1 '' coldStart
Send Test SNMP v3 Trap
snmptrap -v3 \ -u snmpv3user \ -l authPriv \ -a SHA \ -A AuthPassword123! \ -x AES \ -X PrivacyPassword123! \ 10.1.1.1 '' coldStart
Why This Matters: trap testing validates:
- firewall rules
- UDP/162 access
- SNMP v3 credentials
- listener functionality
Part 8 — Troubleshooting
Verify UDP Ports
netstat -ano | findstr :161 netstat -ano | findstr :162
Test Connectivity
Test-NetConnection 10.1.1.50 -Port 161
Note: UDP testing is limited in PowerShell.
SNMP v1/v2c Polling Debug
snmpwalk -d -v2c -c examplestring 10.1.1.50 system
SNMP v3 Debugging
snmpwalk -DALL -v3 \ -u snmpv3user \ -l authPriv \ -a SHA \ -A AuthPassword123! \ -x AES \ -X PrivacyPassword123! \ 10.1.1.50 system
Why This Matters: verbose debugging helps identify:
- engine ID mismatches
- authentication failures
- packet parsing problems
Common SNMP v3 Problems
Problem: Unknown Engine ID
Cause:
- Device engine ID changed
- Cached engine IDs invalid
Fix:
- clear cached SNMP v3 data
- rediscover device
Problem: Not in Time Window
Cause: clock drift between NMS and device
Fix: synchronise using NTP
Why This Matters: SNMP v3 uses time synchronisation to prevent replay attacks.
Problem: Authentication Failure
Cause:
- incorrect SHA password
- username mismatch
Verify:
- security level
- authentication protocol
Problem: Decryption Errors
Cause: incorrect AES privacy password
Verify: AES enabled on both sides
Problem: Traps Not Received
Possible causes:
| Cause | Description |
|---|---|
| Firewall blocking UDP/162 | Most common |
| Wrong trap destination | Device misconfigured |
| Trap daemon stopped | snmptrapd not running |
| VLAN ACLs | Management network filtering |
| INFORM acknowledgment failures | NMS not responding |
Problem: High CPU During Polling
Common causes:
- Polling too frequently
- Excessive OID requests
- Polling all devices simultaneously
- Large SNMP tables
Fixes:
- Increase polling intervals
- Use bulk polling
- Reduce monitored OIDs
- Stagger polling windows
Part 9 — Enterprise Hardening Recommendations
1. Prefer SNMP v3 Wherever Possible
SNMP v3 provides:
- authentication
- integrity
- encryption
SNMP v1/v2c does not.
2. Restrict Management VLAN Access
Only management hosts should access:
- UDP/161
- UDP/162
3. Use Read-Only Access
Avoid SNMP write access unless operationally necessary.
4. Limit Trap Sources
Restrict UDP/162 inbound access to known management subnets.
5. Monitor Trap Storms
Excessive traps can:
- overwhelm the NMS
- cause dropped packets
- increase CPU usage
So use filtering where possible.
6. Use INFORM Messages for Critical Alerts
INFORM messages provide delivery acknowledgment. Use them for:
- HA failures
- UPS alerts
- environmental alarms
- core network failures
Syslog
Transmitting Syslog
This guide explains how to securely configure Syslog forwarding on Windows Server 2016 using the free and widely deployed NXLog Community Edition agent. The guide includes:
- UDP Syslog forwarding
- TCP Syslog forwarding
- TLS encrypted Syslog forwarding
- Windows Firewall logging
- Security and System event forwarding
- Noise reduction and filtering
- Log retention and rotation
- Verification and troubleshooting
- Operational hardening practices
1. Design Overview
| Environment component | Value |
|---|---|
| Windows Server | Windows Server 2016 |
| Syslog Server/NMS | 10.1.1.1 |
| IP version | IPv4 only |
| Deployment type | Enterprise production |
| Logging agent | NXLog Community Edition |
| Event Logs Forwarded | Security and System |
| Event Severity | Warnings and Errors |
| Firewall | Windows Defender |
| Transport options | UDP, TCP and TLS |
2. Why NXLog?
Windows does not natively send Syslog messages in the same way Linux systems do. NXLog is commonly used because it:
- Converts Windows Event Logs into Syslog format
- Supports UDP, TCP and TLS
- Has filtering capabilities
- Uses low system resources
- Is widely deployed in enterprise environments
3. Recommended Production Architecture
| Priority | Protocol | Use case |
|---|---|---|
| Best | TLS | Production secure environments |
| Good | TCP | Internal trusted networks |
| Avoid if possible | UDP | Legacy compatibility only |
Verify Connectivity
Open PowerShell:
Test-NetConnection 10.1.1.1 -Port 514
This confirms:
- The Syslog server is reachable
- Routing works
- Firewalls are not blocking traffic
5. Install NXLog
Step 1 — Download NXLog
Download NXLog Community Edition
Step 2 — Install NXLog
Run the installer with administrative privileges.
Default installation path C:\Program Files\nxlog
Administrative privileges are required because NXLog:
- Reads Windows Event Logs
- Runs as a Windows service
- Accesses firewall log files
6. Configure Windows Firewall Logging
Step 1 — Enable Firewall Logging
Open PowerShell as Administrator:
Set-NetFirewallProfile `
-Profile Domain,Public,Private `
-LogBlocked True `
-LogAllowed True `
-LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
-LogMaxSizeKilobytes 32767
This enables:
- Logging of blocked traffic
- Logging of allowed traffic
- Centralised firewall logging
- A larger maximum log size
Firewall logs are important for:
- Threat detection
- Troubleshooting
- Security investigations
7. Create a Backup of the NXLog Configuration
Step 1 — Backup Existing Configuration
Copy-Item ` "C:\Program Files\nxlog\conf\nxlog.conf" ` "C:\Program Files\nxlog\conf\nxlog.conf.bak"
Always back up production configurations before modification. This allows:
- Fast rollback
- Easier troubleshooting
- Safer change management
8. Hardened NXLog Configuration
Main configuration file C:\Program Files\nxlog\conf\nxlog.conf
9. Configure Common Event Collection
Replace the contents of nxlog.conf with the following baseline.
10. Hardened Base Configuration
define ROOT C:\Program Files\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension syslog>
Module xm_syslog
</Extension>
<Extension json>
Module xm_json
</Extension>
<Input eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="System">
*[System[(Level=2 or Level=3)]]
</Select>
<Select Path="Security">
*[System[(Level=2 or Level=3)]]
</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
<Input firewall>
Module im_file
File "C:\\Windows\\System32\\LogFiles\\Firewall\\pfirewall.log"
SavePos TRUE
ReadFromLast TRUE
PollInterval 5
</Input>
Event Filtering (Level=2 or Level=3) means:
| Level | Meaning |
|---|---|
| 2 | Error |
| 3 | Warning |
This significantly reduces noise and performance impact.
Why Filter Logs?
Without filtering:
- Excessive disk usage occurs
- Network bandwidth increases
- SIEM ingestion costs increase
- Important events become harder to identify
11. Configure UDP Syslog
Add This Output Block
<Output udp_out>
Module om_udp
Host 10.1.1.1
Port 514
Exec to_syslog_bsd();
</Output>
<Route udp_route>
Path eventlog, firewall => udp_out
</Route>
UDP Syslog:
- Is fast
- Uses minimal overhead
- Does not guarantee delivery
Use only for:
- Legacy collectors
- Low security environments
- Non critical telemetry
12. Configure TCP Syslog
Replace UDP Output With TCP
<Output tcp_out>
Module om_tcp
Host 10.1.1.1
Port 514
Exec to_syslog_bsd();
</Output>
<Route tcp_route>
Path eventlog, firewall => tcp_out
</Route>
TCP improves reliability because:
- Sessions are established
- Packets are acknowledged
- Delivery failures are detected
TCP is preferred over UDP in enterprise networks.
13. Configure TLS Encrypted Syslog (Recommended)
Without TLS:
- Logs travel unencrypted
- Credentials and security events may be exposed
- Attackers can tamper with logs
TLS provides:
- Encryption
- Integrity
- Authentication
Step 1 — Create Certificate Directory
New-Item ` -ItemType Directory ` -Path "C:\Program Files\nxlog\cert" ` -Force
Step 2 — Copy Certificates
Place inside C:\Program Files\nxlog\cert:
| File | Purpose |
|---|---|
| client-cert.pem | Client certificate |
| client-key.pem | Private key |
| ca.pem | Trusted CA |
Step 3 — Configure TLS Output
<Output tls_out>
Module om_ssl
Host 10.1.1.1
Port 6514
CAFile %ROOT%\cert\ca.pem
CertFile %ROOT%\cert\client-cert.pem
CertKeyFile %ROOT%\cert\client-key.pem
AllowUntrusted FALSE
Exec to_syslog_bsd();
</Output>
<Route tls_route>
Path eventlog, firewall => tls_out
</Route>
Port 6514 is the standard Syslog-over-TLS port. AllowUntrusted FALSE prevents:
- Rogue collectors
- Man-in-the-middle attacks
- Invalid certificates
Never disable this in production.
14. Configure Windows Firewall Rules
UDP Rule
New-NetFirewallRule ` -DisplayName "Syslog UDP Outbound" ` -Direction Outbound ` -Protocol UDP ` -RemoteAddress 10.1.1.1 ` -RemotePort 514 ` -Action Allow
TCP Rule
New-NetFirewallRule ` -DisplayName "Syslog TCP Outbound" ` -Direction Outbound ` -Protocol TCP ` -RemoteAddress 10.1.1.1 ` -RemotePort 514 ` -Action Allow
TLS Rule
New-NetFirewallRule ` -DisplayName "Syslog TLS Outbound" ` -Direction Outbound ` -Protocol TCP ` -RemoteAddress 10.1.1.1 ` -RemotePort 6514 ` -Action Allow
Restricting firewall rules to:
- A single destination IP
- Specific ports
- Outbound only
Reduces attack surface.
15. Configure Windows Event Log Retention
Increase Security Log Size
wevtutil sl Security /ms:268435456
Increase System Log Size
wevtutil sl System /ms:134217728These commands configure:
| Log | Size |
|---|---|
| Security | 256 MB |
| System | 128 MB |
Larger logs reduce the chance of overwriting events during outages.
16. Configure Log Rotation
NXLog automatically rotates its own logs. Verify Rotation Settings
Check C:\Program Files\nxlog\data
Monitor:
- nxlog.log
- Cache files
- Spool files
Operational Best Practice is to implement:
- Daily log archival
- Centralised SIEM retention
- 30–90 day hot retention
- 1 year cold archival if required
17. Configure Time Synchronisation
Time synchronisation matters because incorrect timestamps make:
- Incident response difficult
- Correlation unreliable
- Forensics inaccurate
Configure NTP
w32tm /config /manualpeerlist:"pool.ntp.org" /syncfromflags:manual /update Restart-Service w32time
Verify Time Sync
w32tm /query /status
18. Start NXLog Service
Restart Service
Restart-Service nxlog
Verify Service Status
Get-Service nxlog
The service should show:
Status : Running
If not:
- Configuration syntax may be invalid
- Certificates may be missing
- Ports may be blocked
19. Verification and Testing
Test 1 — Generate a Failed Login Event
runas /user:fakeuser cmd
This creates:
- Security log failures
- Authentication warning events
These should appear on the Syslog server.
Test 2 — Generate Firewall Events
Attempt a blocked connection. For example:
Test-NetConnection 10.1.1.1 -Port 9999
Test 3 — Verify Port Connectivity
UDP
Test-NetConnection 10.1.1.1 -Port 514 -Udp
TCP
Test-NetConnection 10.1.1.1 -Port 514
TLS
Test-NetConnection 10.1.1.1 -Port 6514
20. Troubleshooting
NXLog will not start so check the log file C:\Program Files\nxlog\data\nxlog.log
Common causes include:
| Problem | Cause |
|---|---|
| Invalid config | Syntax error |
| TLS failure | Bad certificate |
| No logs forwarded | Firewall block |
| Missing firewall logs | Logging disabled |
Validate NXLog Configuration
& "C:\Program Files\nxlog\nxlog.exe" -v
21. Enterprise hardening recommended production settings
| Setting | Recommendation |
|---|---|
| Protocol | TLS |
| Port | 6514 |
| Firewall scope | Restrict to NMS only |
| Event filtering | Warning and Errors only |
| Time sync | Mandatory |
| Certificate validation | Enabled |
| Log storage | Centralised |
| Local Admin access | Restricted |
22. Noise reduction best practices
Avoid Collecting:
- Informational events
- Debug logs
- Excessive audit success events
- Forward Only useful logs where a documented action will be taken
Recommended:
- Errors
- Warnings
- Authentication failures
- Service failures
- Firewall drops
23. Recommended production configuration summary
| Component | Recommendation |
|---|---|
| Agent | NXLog |
| Transport | TLS |
| Syslog port | 6514 |
| Filtering | Warnings and Errors |
| Firewall logging | Enabled |
| Retention | 30-90 days |
| Rotation | Enabled |
| Time sync | NTP |
| Encryption | TLS required |
Receiving Syslog
This guide explains how to configure Windows Server 2016 as a hardened centralised Syslog server using NXLog Community Edition. The server will:
- Receive Syslog messages from infrastructure devices
- Support UDP, TCP and TLS Syslog
- Store logs locally for long term retention
- Rotate and compress logs daily
- Restrict trusted Syslog senders
- Protect against log flooding
- Monitor service health
- Provide searchable local logs
- Use enterprise baseline hardening
1. Assumed environment overview
| Component | Value |
|---|---|
| Operating system | Windows Server 2016 |
| Deployment type | Dedicated syslog server |
| Event volume | Medium |
| Infrastructure devices | Mixed vendor environment |
| IP version | IPv4 only |
| Syslog protocols | UDP, TCP and TLS |
| TLS certificates | Self signed |
| Storage | Local disk |
| Log rotation | Daily |
| Compression | Enabled |
| Syslog software | NXLog community edition |
2. Recommended Architecture
| Protocol | Ports | Purpose |
|---|---|---|
| UDP syslog | 514 | Legacy devices |
| TCP syslog | 514 | Reliable syslog |
| TLS syslog | 6514 | Secure encrypted syslog |
Separating transport protocols:
- Simplifies troubleshooting
- Improves security visibility
- Helps identify unsupported devices
- Prevents protocol conflicts
3. Install NXLog
Step 1 — Download NXLog
Download NXLog Community Edition
Step 2 — Install NXLog
Run the installer as Administrator. Default installation path C:\Program Files\nxlog. NXLog provides:
- Syslog listeners
- Log parsing
- TLS support
- Log rotation
- File writing
- Filtering
Windows Server cannot natively act as a full Syslog server without additional software.
4. Create Dedicated Log Storage
Create Log Directory Structure. Open PowerShell as Administrator:
New-Item -ItemType Directory -Path "D:\Syslog" -Force New-Item -ItemType Directory -Path "D:\Syslog\UDP" -Force New-Item -ItemType Directory -Path "D:\Syslog\TCP" -Force New-Item -ItemType Directory -Path "D:\Syslog\TLS" -Force New-Item -ItemType Directory -Path "D:\Syslog\Archive" -Force
Separating logs by protocol:
- Simplifies investigations
- Improves organisation
- Makes troubleshooting easier
Using a dedicated drive:
- Prevents operating system disk exhaustion
- Improves performance
- Reduces risk during log floods
5. Harden NTFS Permissions
Restrict Log Folder Access
icacls D:\Syslog /inheritance:r icacls D:\Syslog /grant Administrators:F icacls D:\Syslog /grant SYSTEM:F
This prevents:
- Unauthorised access
- Log tampering
- Accidental deletion
Least privilege is critical on logging servers.
6. Create Self Signed TLS Certificates
Step 1 — Create Certificate Folder
New-Item ` -ItemType Directory ` -Path "C:\Program Files\nxlog\cert" ` -Force
Step 2 — Create Self Signed Certificate
New-SelfSignedCertificate ` -Type SSLServerAuthentication ` -Subject "CN=syslog-server" ` -KeyLength 4096 ` -HashAlgorithm SHA256 ` -CertStoreLocation Cert:\LocalMachine\My
This creates:
- A TLS certificate
- 4096 bit encryption
- SHA256 hashing
TLS encrypts Syslog traffic and prevents interception.
Step 3 — Export Certificate
Open certlm.msc -Export: -Certificate -Private key -Base-64 format Save into C:\Program Files\nxlog\cert. Example filenames: -server-cert.pem -server-key.pem -ca.pem
7. Configure Windows Firewall
Without firewall restrictions:
- Rogue devices can send logs
- Attackers can flood the server
- Storage can be exhausted
Step 1 — Remove Broad Syslog Rules
Get-NetFirewallRule | Where-Object {$_.DisplayName -like "*Syslog*"} | Remove-NetFirewallRule
Step 2 — Create restricted UDP rule. Replace example IPs with real device subnets.
New-NetFirewallRule ` -DisplayName "Syslog UDP Inbound" ` -Direction Inbound ` -Protocol UDP ` -LocalPort 514 ` -RemoteAddress 10.1.1.0/24,10.2.2.0/24 ` -Action Allow
Step 3 — Create restricted TCP rule
New-NetFirewallRule ` -DisplayName "Syslog TCP Inbound" ` -Direction Inbound ` -Protocol TCP ` -LocalPort 514 ` -RemoteAddress 10.1.1.0/24,10.2.2.0/24 ` -Action Allow
Step 4 — Create restricted TLS rule
New-NetFirewallRule ` -DisplayName "Syslog TLS Inbound" ` -Direction Inbound ` -Protocol TCP ` -LocalPort 6514 ` -RemoteAddress 10.1.1.0/24,10.2.2.0/24 ` -Action Allow
Restricting source addresses:
- Blocks unauthorised devices
- Reduces attack surface
- Helps prevent log flooding
8. Configure NXLog
Main configuration file C:\Program Files\nxlog\conf\nxlog.conf Backup original configuration first. Copy-Item ` "C:\Program Files\nxlog\conf\nxlog.conf" ` "C:\Program Files\nxlog\conf\nxlog.conf.bak"
9. Hardened Enterprise NXLog Configuration
Replace the configuration with the following.
Full Hardened NXLog Configuration
define ROOT C:\Program Files\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension syslog>
Module xm_syslog
</Extension>
<Extension fileop>
Module xm_fileop
</Extension>
# =========================
# UDP SYSLOG INPUT
# =========================
<Input udp_in>
Module im_udp
Host 0.0.0.0
Port 514
Exec if $raw_event =~ /(.{4096,})/ drop();
</Input>
# =========================
# TCP SYSLOG INPUT
# =========================
<Input tcp_in>
Module im_tcp
Host 0.0.0.0
Port 514
Exec if $raw_event =~ /(.{4096,})/ drop();
</Input>
# =========================
# TLS SYSLOG INPUT
# =========================
<Input tls_in>
Module im_ssl
Host 0.0.0.0
Port 6514
CertFile %ROOT%\cert\server-cert.pem
CertKeyFile %ROOT%\cert\server-key.pem
CAFile %ROOT%\cert\ca.pem
AllowUntrusted FALSE
Exec if $raw_event =~ /(.{4096,})/ drop();
</Input>
# =========================
# UDP OUTPUT FILE
# =========================
<Output udp_file>
Module om_file
File "D:\\Syslog\\UDP\\udp-%Y-%m-%d.log"
CreateDir TRUE
</Output>
# =========================
# TCP OUTPUT FILE
# =========================
<Output tcp_file>
Module om_file
File "D:\\Syslog\\TCP\\tcp-%Y-%m-%d.log"
CreateDir TRUE
</Output>
# =========================
# TLS OUTPUT FILE
# =========================
<Output tls_file>
Module om_file
File "D:\\Syslog\\TLS\\tls-%Y-%m-%d.log"
CreateDir TRUE
</Output>
# =========================
# ROUTES
# =========================
<Route udp_route>
Path udp_in => udp_file
</Route>
<Route tcp_route>
Path tcp_in => tcp_file
</Route>
<Route tls_route>
Path tls_in => tls_file
</Route>
10. Explanation of Hardening Features
Log Flood Protection
Exec if $raw_event =~ /(.{4096,})/ drop();
Drops oversized log entries. This protects against:
- Malformed packets
- Log flooding
- Storage exhaustion
Daily Log Rotation
udp-%Y-%m-%d.log
Creates daily logs automatically. Benefits:
- Easier archival
- Faster searching
- Reduced corruption risk
- Protocol separation
Separate folders allow:
- Easier troubleshooting
- Better auditing
- Device capability analysis
11. Configure Log Compression
Step 1 — Create Compression Script
Create the below script C:\Scripts\Compress-Syslog.ps1
$source = "D:\Syslog"
$archive = "D:\Syslog\Archive"
Get-ChildItem $source -Recurse -Filter *.log |
Where-Object {$_.LastWriteTime -lt (Get-Date).AddDays(-1)} |
ForEach-Object {
Compress-Archive `
-Path $_.FullName `
-DestinationPath "$archive\$($_.BaseName).zip"
Remove-Item $_.FullName
}
This script:
- Compresses logs older than 1 day
- Reduces storage usage
- Maintains searchable archives
Step 2 — Schedule Compression Task
Open taskschd.msc Create task:
| Setting | Value |
|---|---|
| Trigger | Daily |
| Run as | SYSTEM |
| Program | powershell.exe |
| Arguments | -ExecutionPolicy Bypass -File C:\Scripts\Compress-Syslog.ps1 |
12. Configure NXLog Service Monitoring
Step 1 — Create Monitoring Script
Create the below script C:\Scripts\Monitor-NXLog.ps1
$service = Get-Service nxlog
if ($service.Status -ne "Running") {
Restart-Service nxlog
Write-EventLog `
-LogName Application `
-Source "Windows PowerShell" `
-EntryType Error `
-EventId 1001 `
-Message "NXLog service restarted automatically."
}
This script:
- Detects NXLog failure
- Restarts the service automatically
- Creates an event log alert
Step 2 — Schedule Monitoring Task
Run every 5 minutes.
13. Alert When Syslog Stops Arriving
Step 1 — Create Monitoring Script
Create the below script C:\Scripts\Monitor-SyslogFlow.ps1
$latest = Get-ChildItem D:\Syslog\UDP\*.log |
Sort-Object LastWriteTime -Descending |
Select-Object -First 1
if ($latest.LastWriteTime -lt (Get-Date).AddMinutes(-15)) {
Write-EventLog `
-LogName Application `
-Source "Windows PowerShell" `
-EntryType Warning `
-EventId 2001 `
-Message "No recent Syslog activity detected."
}
This script detects:
- Network outages
- Device failures
- Logging interruptions
- NXLog processing failures
14. Configure Least Privilege
| Component | Recommended setting |
|---|---|
| Local Administrators | Restricted |
| RDP access | Limited |
| Firewall | Allowlisted |
| Internet access | Restricted |
| Antivirus exclusions | NXLog folders only |
This matters because Syslog servers often contain:
- Authentication failures
- Security alerts
- Firewall events
- Infrastructure diagnostics
Compromised logging servers create major visibility gaps.
15. Verification and Testing
Step 1 — Verify Listening Ports
netstat -ano | findstr 514
Verify TLS:
netstat -ano | findstr 6514
You should see:
| Port | Protocol |
|---|---|
| 514 | UDP |
| 514 | TCP |
| 6514 | TCP |
Step 2 — Verify NXLog Service
Get-Service nxlog
Expected:
Status : Running
Step 3 — Verify Log Creation
Check D:\Syslog
You should see:
- UDP logs
- TCP logs
- TLS logs
Step 4 — Verify Firewall Rules
Get-NetFirewallRule | Where-Object {$_.DisplayName -like "*Syslog*"}
16. Troubleshooting
NXLog Will Not Start
Check NXLog Logs C:\Program Files\nxlog\data\nxlog.log
Validate Configuration Syntax
& "C:\Program Files\nxlog\nxlog.exe" -v
Common Problems include:
| Problem | Cause |
|---|---|
| No logs received | Blocked by firewall |
| TLS failure | Invalid certificate |
| Service crash | Syntax error |
| High disk usage | Flooding or no compression |
| Empty logs | Devices misconfigured |
17. Operational enterprise best practices
| Setting | Recommendation |
|---|---|
| Preferred protocol | TLS |
| Legacy support | UDP |
| Reliable support | TCP |
| Log rotation | Daily |
| Compression | Enabled |
| Source restrictions | Mandatory |
| Dedicated storage volume | Recommended |
| Monitoring scripts | Enabled |
| Least priviledge | Enforced |
18. Recommended security best practices
- Use TLS whenever supported
- Restrict allowed source IPs
- Disable unused protocols if possible
- Rotate logs daily
- Compress archives
- Monitor storage usage
- Monitor NXLog service health
- Prevent oversized Syslog messages
- Restrict administrative access
- Back up configuration files regularly
19. Final Production Recommendation
For enterprise production environments:
- Use TLS on port 6514 whenever devices support it
- Use TCP for reliable legacy compatibility
- Use UDP only where unavoidable
- Separate logs by protocol
- Restrict inbound Syslog sources
- Rotate and compress logs daily
- Monitor NXLog continuously
- Protect against log flooding
- Store logs on dedicated storage
Linux Servers
SNMP
Transmitting SNMP
Hardened SNMP Configuration Guide for Ubuntu 22.04 Using Net-SNMP. This guide provides production focused configuration procedures for:
- SNMP v1
- SNMP v2c
- SNMP v3 (authPriv using SHA and AES128)
- SNMP traps
- Validation and troubleshooting
Platform: Ubuntu Server 22.04 using Net-SNMP and Server management IP is 10.1.1.50
Monitoring station: 10.1.1.1, IPv4 only and SNMP bound only to the management interface/IP
Replace all example values with your production values.
1. Base Preparation (Required for All Versions)
These steps apply to SNMP v1, v2c and v3.
Step 1 — Install Net-SNMP Packages
sudo apt update sudo apt install -y snmp snmpd
This installs:
- snmpd — the SNMP daemon
- snmp — SNMP client utilities such as snmpwalk, snmpget and snmptrap
These tools are required for operational validation and troubleshooting.
Step 2 — Identify the Management Interface
ip addr
Identify:
- The management interface name
- The IPv4 management address
Example:
Interface: ens192 IP address: 10.1.1.50
The SNMP daemon will later bind only to this IP address to reduce exposure.
Step 3 — Back Up the Default Configuration
sudo cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
Always preserve the vendor default configuration before modifying production services.
Step 4 — Restrict File Permissions
sudo chown root:root /etc/snmp/snmpd.conf sudo chmod 600 /etc/snmp/snmpd.conf
SNMP configuration files may contain:
- Community strings
- SNMP v3 credentials
- Trap destinations
Restricting permissions prevents credential exposure.
Step 5 — Configure Local Firewall Rules
Ubuntu 22.04 commonly uses either:
- ufw
- iptables
- nftables
The examples below use ufw.
sudo ufw allow from 10.1.1.1 to any port 161 proto udp sudo ufw allow from 10.1.1.1 to any port 162 proto udp
This restricts SNMP polling and traps to the NMS only. No other hosts can communicate with the SNMP service.
2. Hardened SNMP v1 Configuration (Legacy Only)
SNMP v1 should only be used for legacy interoperability. Example SNMP v1 Polling Configuration:
Step 1 — Replace the Default Configuration
sudo nano /etc/snmp/snmpd.conf
Configuration
######################################################################## # SYSTEM INFORMATION ######################################################################## sysLocation Data Centre Rack A sysContact Network Operations sysName ubuntu-server-01 ######################################################################## # AGENT BINDING ######################################################################## agentAddress udp:10.1.1.50:161 ######################################################################## # ACCESS CONTROL ######################################################################## com2sec readonlyv1 10.1.1.1/32 LEGACY-V1-RO group MyROGroup v1 readonlyv1 view AllView included .1 80 access MyROGroup "" any noauth exact AllView none none ######################################################################## # PERFORMANCE AND SECURITY ######################################################################## dontLogTCPWrappersConnects yes ######################################################################## # TRAPS ######################################################################## trapsink 10.1.1.1 LEGACY-V1-RO authtrapenable 1
Key hardening controls:
- Binds only to 10.1.1.50
- Only allows polling from 10.1.1.1
- Uses read-only access
- Disables unnecessary logging noise
- Enables authentication failure traps
Step 2 — Restart the SNMP Service
systemd
sudo systemctl restart snmpd sudo systemctl enable snmpd
or SysV Init
sudo service snmpd restart sudo update-rc.d snmpd defaults
This:
- Applies the configuration
- Ensures SNMP starts after reboot
Step 3 — Validate the Service
sudo systemctl status snmpd
Confirm:
- Service state is active (running)
- No startup errors are present
Step 4 — Validate from the NMS
snmpwalk -v1 -c LEGACY-V1-RO 10.1.1.50 system
This confirms:
- UDP/161 reachability
- SNMP authentication
- Read-only access functionality
3. Hardened SNMP v2c Configuration (Legacy Only)
SNMP v2c remains common operationally but still uses plaintext community strings.
Example SNMP v2c Polling Configuration:
Step 1 — Replace the Configuration
sudo nano /etc/snmp/snmpd.conf
Configuration
######################################################################## # SYSTEM INFORMATION ######################################################################## sysLocation Data Centre Rack A sysContact Network Operations sysName ubuntu-server-01 ######################################################################## # AGENT BINDING ######################################################################## agentAddress udp:10.1.1.50:161 ######################################################################## # ACCESS CONTROL ######################################################################## com2sec readonlyv2 10.1.1.1/32 S3cure-V2C-Read0nly group MyROGroup v2c readonlyv2 view AllView included .1 80 access MyROGroup "" any noauth exact AllView none none ######################################################################## # SECURITY HARDENING ######################################################################## dontLogTCPWrappersConnects yes ######################################################################## # TRAPS ######################################################################## trap2sink 10.1.1.1 S3cure-V2C-Read0nly authtrapenable 1
This configuration:
- Restricts access to one NMS
- Uses a non default complex community string
- Limits access to read-only
- Enables SNMP v2 traps
Step 2 — Restart the Service
systemd
sudo systemctl restart snmpd
or SysV Init
sudo service snmpd restart
Step 3 — Validate the Configuration
snmpwalk -v2c -c S3cure-V2C-Read0nly 10.1.1.50 system
This validates:
- SNMP v2c authentication
- SNMP object retrieval
- ACL restrictions
4. Hardened SNMP v3 Configuration (Recommended)
SNMP v3 with authPriv should be the production standard. This guide uses:
- Authentication: SHA
- Encryption: AES128
- SNMP v3 Polling Configuration
Step 1 — Stop the SNMP Service
systemd
sudo systemctl stop snmpd
or SysV Init
sudo service snmpd stop
The SNMP v3 user creation utility requires the daemon to be stopped.
Step 2 — Remove Existing Persistent Configuration
sudo rm -f /var/lib/snmp/snmpd.conf
Net-SNMP stores SNMP v3 user credentials in a persistent file. Removing stale entries prevents:
- Duplicate engine IDs
- User conflicts
- Credential mismatches
Step 3 — Create the SNMP v3 User
sudo net-snmp-create-v3-user \ -ro \ -a SHA \ -A "Str0ngAuthPassw0rd!" \ -x AES \ -X "Str0ngPrivPassw0rd!" \ snmpv3user
This creates:
- Read-only user
- SHA authentication
- AES128 encryption
The credentials are automatically written securely to /var/lib/snmp/snmpd.conf
Step 4 — Configure the Main SNMP Daemon
sudo nano /etc/snmp/snmpd.conf
Configuration
######################################################################## # SYSTEM INFORMATION ######################################################################## sysLocation Data Centre Rack A sysContact Network Operations sysName ubuntu-server-01 ######################################################################## # AGENT BINDING ######################################################################## agentAddress udp:10.1.1.50:161 ######################################################################## # ACCESS CONTROL ######################################################################## view AllView included .1 80 rouser snmpv3user authPriv -V AllView ######################################################################## # SECURITY HARDENING ######################################################################## dontLogTCPWrappersConnects yes ######################################################################## # TRAPS ######################################################################## createUser trapuser SHA "TrapAuthPass123!" AES "TrapPrivPass123!" trapsess -v 3 \ -u trapuser \ -l authPriv \ -a SHA -A "TrapAuthPass123!" \ -x AES -X "TrapPrivPass123!" \ 10.1.1.1 authtrapenable 1
Key security controls:
- Only encrypted/authenticated SNMP v3 access
- No plaintext community strings
- Restricts users to authenticated encrypted sessions
- Sends encrypted SNMP v3 traps
Step 5 — Restart the Service
systemd
sudo systemctl restart snmpd sudo systemctl enable snmpd
or SysV Init
sudo service snmpd restart sudo update-rc.d snmpd defaults
Step 6 — Validate SNMP v3 Polling
snmpwalk -v3 \ -u snmpv3user \ -l authPriv \ -a SHA -A "Str0ngAuthPassw0rd!" \ -x AES -X "Str0ngPrivPassw0rd!" \ 10.1.1.50 system
This validates:
- Authentication
- Encryption
- SNMP v3 user access
- SNMP object retrieval
5. Hardened Trap Configuration
The following traps are operationally useful with minimal performance impact:
- Cold start
- Warm start
- Authentication failures
- Link up/down events
Step 1 — Enable Useful Trap Modules
sudo nano /etc/default/snmpd Configuration: SNMPDOPTS='-LSwd -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux,mteTrigger,mteTriggerConf'
This disables unnecessary modules while keeping the daemon lightweight.
Step 2 — Enable Interface Monitoring
sudo nano /etc/snmp/snmpd.conf Add linkUpDownNotifications yes
This enables:
- Interface up/down traps
- Basic operational visibility
These traps are lightweight and useful for monitoring.
Step 3 — Restart the Service
systemd
sudo systemctl restart snmpd
or SysV Init
sudo service snmpd restart
6. Manual Trap Testing
SNMP v2c Trap Test
snmptrap -v2c \ -c S3cure-V2C-Read0nly \ 10.1.1.1 '' \ SNMPv2-MIB::coldStart
This sends a manual coldStart trap to the NMS.
SNMP v3 Trap Test
snmptrap -v3 \ -u trapuser \ -l authPriv \ -a SHA -A "TrapAuthPass123!" \ -x AES -X "TrapPrivPass123!" \ 10.1.1.1 '' \ SNMPv2-MIB::coldStart
This validates:
- SNMP v3 trap authentication
- Encryption
- NMS trap reception
7. Validation Procedures
Verify Listening Socket
sudo ss -lunp | grep 161
Expected Result
udp UNCONN 0 0 10.1.1.50:161
Confirms:
- SNMP listens only on the management IP
- IPv6 listeners are absent
Verify Firewall Rules
sudo ufw status numbered
Confirm only 10.1.1.1 can access UDP/161 and UDP/162
Verify SNMP v3 User Creation
sudo grep createUser /var/lib/snmp/snmpd.conf
Confirms persistent SNMP v3 credentials exist
Review Service Logs
systemd Journal
sudo journalctl -u snmpd sudo tail -f /var/log/syslog
Useful for:
- Authentication failures
- Binding errors
- Trap issues
- Startup problems
8. Troubleshooting
Problem — SNMP Timeout
Checks
sudo systemctl status snmpd sudo ss -lunp | grep 161 sudo ufw status
Common Causes:
- Firewall blocking UDP/161
- Incorrect bind IP
- Wrong community string
- Incorrect SNMP v3 credentials
Problem — Authentication Failure Traps
Usually indicates:
- Incorrect community string
- Incorrect SNMP v3 credentials
- Unauthorised polling source
Verification:
sudo journalctl -u snmpd | grep -i auth
Problem — SNMP v3 User does not work
Check Persistent File: sudo cat /var/lib/snmp/snmpd.conf
Common Causes:
- User created before deleting old persistent file
- Password mismatch
- Incorrect security level
Problem — Traps Not Received
Validate UDP/162 reachability from the Linux Server
nc -vu 10.1.1.1 162
Capture packets on the Linux Server
sudo tcpdump -n udp port 162
Confirms:
- Traps are transmitted
- Traffic reaches the network
9. Production Hardening Recommendations
- Use SNMP v3 only wherever possible
- Never use default community strings
- Restrict SNMP to management interfaces
- Restrict access to the NMS only
- Disable IPv6 listeners unless using IPv6
- Use read-only access unless writes are operationally required
- Rotate SNMP v3 credentials periodically
- Monitor authentication failure traps
- Back up SNMP configurations securely
- Restrict file permissions on all SNMP configuration files
10. Final Verification Checklist
Post production deployment verify:
- SNMP listens only on the management IP
- Only 10.1.1.1 can poll
- SNMP v3 authPriv works successfully
- Traps are received by the NMS
- Firewall rules are enforced
- No IPv6 listeners exist
- Configuration files are permission restricted
- Service survives reboot
Receiving SNMP
Hardened SNMP manager and agent configuration guide for Ubuntu 22.04 using Net-SNMP as both NMS and SNMP agent. This guide configures the Ubuntu server as:
- A SNMP Network Management System (NMS)
- A SNMP trap receiver
- A SNMP polling system
- A SNMP monitored host itself
The guide covers:
- SNMP v1
- SNMP v2c
- SNMP v3 authPriv (SHA + AES128)
- SNMP polling
- SNMP traps
- Trap logging
- Service hardening
- Scaling guidance
- Troubleshooting
- Validation procedures
Network Assumptions:
| Function | IP address |
|---|---|
| Management inferface | 10.1.1.50 |
| SNMP polling/trap interface | 10.1.1.1 |
Design assumptions:
- SSH and administrative management use 10.1.1.50
- All SNMP polling and trap traffic uses 10.1.1.1
- IPv4 only
- Approximately 500 monitored devices
- Read-only polling only
- Shared SNMP v3 credentials across monitored devices
- Raw trap logging only
1. Unified Hardened Baseline
This section applies to all SNMP versions.
Step 1 — Install Required Packages
sudo apt update sudo apt install -y \ snmp \ snmpd \ snmptrapd \ libsnmp-base \ libsnmp-dev
Installed components:
| Package | Purpose |
|---|---|
| snmpd | Local SNMP agent |
| snmptrapd | SNMP trap receiver |
| snmp | Polling and testing utilities |
| libsnmp-* | Net-SNMP runtime libraries |
Step 2 — Identify Interfaces
ip addr
Confirm:
- 10.1.1.50 exists for administrative management
- 10.1.1.1 exists for SNMP traffic
The SNMP services will bind only to 10.1.1.1. This reduces exposure and simplifies firewall policy enforcement.
Step 3 — Back Up Default Configurations
sudo cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak sudo cp /etc/snmp/snmptrapd.conf /etc/snmp/snmptrapd.conf.bak
Always make a note of any vendor defaults before changing them in production.
Step 4 — Harden File Permissions
sudo chown root:root /etc/snmp/snmpd.conf sudo chmod 600 /etc/snmp/snmpd.conf sudo chown root:root /etc/snmp/snmptrapd.conf sudo chmod 600 /etc/snmp/snmptrapd.conf
SNMP configuration files contain:
- Community strings
- SNMP v3 credentials
- Trap receiver settings
Restricting access prevents credential disclosure.
Step 5 — Configure UFW Firewall Rules
sudo ufw default deny incoming sudo ufw allow from 10.1.1.50 to any port 22 proto tcp sudo ufw allow to 10.1.1.1 port 161 proto udp sudo ufw allow to 10.1.1.1 port 162 proto udp sudo ufw enable
This permits:
- SSH management on 10.1.1.50
- SNMP polling on UDP/161
- Trap reception on UDP/162
The SNMP services remain isolated to the SNMP interface.
Step 6 — Create Persistent Trap Log Directory
sudo mkdir -p /var/log/snmp sudo touch /var/log/snmp/snmptrapd.log sudo chown Debian-snmp:Debian-snmp /var/log/snmp/snmptrapd.log
Creates persistent storage for:
- Raw traps
- Authentication failures
- Operational events
Step 7 — Configure AppArmor Awareness
sudo aa-status
Ubuntu commonly protects SNMP services using AppArmor. If custom paths are used later then the AppArmor profiles may require updates. Default paths used in this guide generally avoid AppArmor conflicts.
Step 8 — Configure Service Hardening
Create systemd Override Directory
sudo mkdir -p /etc/systemd/system/snmpd.service.d sudo mkdir -p /etc/systemd/system/snmptrapd.service.d
Harden snmpd Service
sudo nano /etc/systemd/system/snmpd.service.d/override.conf
Configuration:
[Service] NoNewPrivileges=true PrivateTmp=true ProtectSystem=strict ProtectHome=true ProtectKernelTunables=true ProtectControlGroups=true RestrictAddressFamilies=AF_INET AF_UNIX ReadWritePaths=/var/lib/snmp
Harden snmptrapd Service
sudo nano /etc/systemd/system/snmptrapd.service.d/override.conf
Configuration:
[Service] NoNewPrivileges=true PrivateTmp=true ProtectSystem=strict ProtectHome=true ProtectKernelTunables=true ProtectControlGroups=true RestrictAddressFamilies=AF_INET AF_UNIX ReadWritePaths=/var/log/snmp
Reload system
sudo systemctl daemon-reload
These controls reduce daemon attack surface by:
- Restricting filesystem access
- Preventing privilege escalation
- Restricting network families
- Limiting writable paths
2. Hardened SNMP v1 Configuration (Legacy Only)
Step 1 — Configure snmpd
sudo nano /etc/snmp/snmpd.conf
Configuration:
######################################################################## # SYSTEM INFORMATION ######################################################################## sysLocation GENERIC-DATACENTRE sysContact NOC sysName GENERIC-NMS ######################################################################## # BIND ONLY TO SNMP INTERFACE ######################################################################## agentAddress udp:10.1.1.1:161 ######################################################################## # ACCESS CONTROL ######################################################################## com2sec readonlyv1 default LEGACY-V1-RO group MyROGroup v1 readonlyv1 view AllView included .1 80 access MyROGroup "" any noauth exact AllView none none ######################################################################## # SECURITY ######################################################################## dontLogTCPWrappersConnects yes ######################################################################## # TRAPS ######################################################################## trapsink 10.1.1.1 LEGACY-V1-RO authtrapenable 1 linkUpDownNotifications yes
This configuration:
- Restricts SNMP to the SNMP interface
- Uses read-only access
- Enables operationally useful traps
- Enables self monitoring capability
Step 2 — Configure snmptrapd
sudo nano /etc/snmp/snmptrapd.conf
Configuration:
######################################################################## # LISTENING ADDRESS ######################################################################## snmpTrapdAddr udp:10.1.1.1:162 ######################################################################## # LOGGING ######################################################################## logOption f /var/log/snmp/snmptrapd.log ######################################################################## # ACCESS CONTROL ######################################################################## authCommunity log,execute,net LEGACY-V1-RO ######################################################################## # AUTHENTICATION FAILURE LOGGING ######################################################################## ignoreAuthFailure no
This:
- Receives SNMP v1 traps
- Logs raw traps persistently
- Logs authentication failures
Step 3 — Start Services
systemd
sudo systemctl enable snmpd snmptrapd sudo systemctl restart snmpd snmptrapd
or SysV Init
sudo update-rc.d snmpd defaults sudo update-rc.d snmptrapd defaults sudo service snmpd restart sudo service snmptrapd restart
Step 4 — Validate Local Polling
snmpwalk -v1 -c LEGACY-V1-RO 10.1.1.1 system
Confirms:
- Local polling works
- SNMP daemon is operational
- Interface binding is correct
Step 5 — Test Trap Reception
snmptrap -v1 \ -c LEGACY-V1-RO \ 10.1.1.1 \ ENTERPRISE-MIB::netSnmpExampleHeartbeatNotification
Verify Log:
sudo tail -f /var/log/snmp/snmptrapd.log
3. Hardened SNMP v2c Configuration (Legacy Only)
Step 1 — Configure snmpd
Configuration:
agentAddress udp:10.1.1.1:161 com2sec readonlyv2 default S3cure-V2C-R0 group MyROGroup v2c readonlyv2 view AllView included .1 80 access MyROGroup "" any noauth exact AllView none none trap2sink 10.1.1.1 S3cure-V2C-R0 authtrapenable 1 linkUpDownNotifications yes
This:
- Enables SNMP v2c polling
- Enables SNMP v2 traps
- Maintains read-only operation
Step 2 — Configure snmptrapd
Configuration:
snmpTrapdAddr udp:10.1.1.1:162 logOption f /var/log/snmp/snmptrapd.log authCommunity log,execute,net S3cure-V2C-R0 ignoreAuthFailure no
Step 3 — Restart Services
systemd
sudo systemctl restart snmpd snmptrapd
or SysV Init
sudo service snmpd restart sudo service snmptrapd restart
Step 4 — Validate Polling
snmpwalk -v2c -c S3cure-V2C-R0 10.1.1.1 system
Step 5 — Validate Trap Reception
snmptrap -v2c \ -c S3cure-V2C-R0 \ 10.1.1.1 '' \ SNMPv2-MIB::coldStart
4. Hardened SNMP v3 Configuration (Recommended)
Step 1 — Stop Services
systemd
sudo systemctl stop snmpd snmptrapd
or SysV Init
sudo service snmpd stop sudo service snmptrapd stop
Step 2 — Remove Old Persistent Files
sudo rm -f /var/lib/snmp/snmpd.conf sudo rm -f /var/lib/snmp/snmptrapd.conf
Step 3 — Create SNMP v3 User
sudo net-snmp-create-v3-user \ -ro \ -a SHA \ -A "GENERIC-AUTH-PASSWORD" \ -x AES \ -X "GENERIC-PRIV-PASSWORD" \ GENERIC-SNMPV3-USER
Creates:
- Read-only user
- SHA authentication
- AES128 encryption
Step 4 — Configure snmpd
Configuration:
agentAddress udp:10.1.1.1:161 view AllView included .1 80 rouser GENERIC-SNMPV3-USER authPriv -V AllView createUser trapuser SHA "TRAP-AUTH-PASSWORD" AES "TRAP-PRIV-PASSWORD" trapsess -v 3 \ -u trapuser \ -l authPriv \ -a SHA -A "TRAP-AUTH-PASSWORD" \ -x AES -X "TRAP-PRIV-PASSWORD" \ 10.1.1.1 authtrapenable 1 linkUpDownNotifications yes
Step 5 — Configure snmptrapd
Configuration:
snmpTrapdAddr udp:10.1.1.1:162 logOption f /var/log/snmp/snmptrapd.log createUser trapuser SHA "TRAP-AUTH-PASSWORD" AES "TRAP-PRIV-PASSWORD" authUser log,execute,net trapuser ignoreAuthFailure no
This:
- Accepts encrypted SNMP v3 traps
- Logs raw traps
- Logs authentication failures
Step 6 — Start Services
systemd
sudo systemctl enable snmpd snmptrapd sudo systemctl restart snmpd snmptrapd
or SysV Init
sudo update-rc.d snmpd defaults sudo update-rc.d snmptrapd defaults sudo service snmpd restart sudo service snmptrapd restart
Step 7 — Validate SNMP v3 Polling
snmpwalk -v3 \ -u GENERIC-SNMPV3-USER \ -l authPriv \ -a SHA -A "GENERIC-AUTH-PASSWORD" \ -x AES -X "GENERIC-PRIV-PASSWORD" \ 10.1.1.1 system
Step 8 — Validate SNMP v3 Trap Reception
snmptrap -v3 \ -u trapuser \ -l authPriv \ -a SHA -A "TRAP-AUTH-PASSWORD" \ -x AES -X "TRAP-PRIV-PASSWORD" \ 10.1.1.1 '' \ SNMPv2-MIB::coldStart
5. Polling Scale and Performance Guidance
For approximately 500 devices, some recommended polling timeouts:
SNMP v1/v2c
snmpwalk -t 2 -r 1
SNMP v3
snmpwalk -t 3 -r 1
Where the parameters mean the below:
| Flag | Value |
|---|---|
| -t | Timeout in seconds |
| -r | Retries |
These values reduce:
- an excessive queue building up
- polling overlap
- long running failures
Polling Rate Limiting Guidance
It is recommended to do the following:
- Poll in batches
- Avoid polling all devices simultaneously
- Stagger polling windows
The recommended maximum is 50–75 simultaneous SNMP requests.
Resource Monitoring Guidance
Monitor:
- CPU utilisation
- UDP socket drops
- Disk I/O for trap logs
- SNMP queue delays
A useful command is:
netstat -su
6. Validation Procedures
Verify Listening Sockets
sudo ss -lunp | grep -E '161|162'
Expected:
udp UNCONN 0 0 10.1.1.1:161 udp UNCONN 0 0 10.1.1.1:162
Verify Trap Logging
sudo tail -f /var/log/snmp/snmptrapd.log
Verify Firewall Rules
sudo ufw status numbered
Verify Service Status
systemd
sudo systemctl status snmpd sudo systemctl status snmptrapd
or SysV Init
sudo service snmpd status sudo service snmptrapd status
7. Debugging Procedures
Run snmpd in Foreground Debug Mode.
sudo systemctl stop snmpd sudo snmpd -f -Lo -DALL
Useful for:
- startup issues
- access control failures
SNMP v3 problems
Run snmptrapd in Debug Mode
sudo systemctl stop snmptrapd sudo snmptrapd -f -Lo -DALL
Packet Capture Troubleshooting.
Polling:
sudo tcpdump -n udp port 161
Traps:
sudo tcpdump -n udp port 162
8. Common Problems
Problem — SNMP Timeout
Checks:
sudo ss -lunp | grep 161 sudo ufw status sudo systemctl status snmpd
Common Causes:
- Firewall blocking UDP/161
- Incorrect community string
- Incorrect SNMP v3 credentials
- Wrong bind interface
Problem — Traps Not Logged
Checks:
sudo systemctl status snmptrapd sudo tail -f /var/log/snmp/snmptrapd.log
Common Causes:
- UDP/162 blocked
- snmptrapd not bound correctly
- Authentication failure
- Incorrect trap version
Problem — SNMP v3 Authentication Failure
Verify Persistent Users:
sudo cat /var/lib/snmp/snmpd.conf
Common Causes:
- Wrong authentication password
- Wrong privacy password
- Incorrect security level
- Engine ID mismatch
9. Production Hardening Recommendations
- Prefer SNMP v3 authPriv wherever possible
- Treat SNMP v1/v2c as temporary legacy support only
- Restrict SNMP to dedicated interfaces
- Restrict UDP/161 and UDP/162 using firewalls
- Use read-only access unless write is operationally required
- Monitor authentication failures
- Rotate SNMP v3 credentials periodically
- Avoid excessive debug logging in production
- Monitor trap log growth
- Back up SNMP configuration securely
- Keep Net-SNMP packages updated
Syslog
Transmitting Syslog
This guide explains how to configure secure and operationally resilient Syslog forwarding on Ubuntu 22.04:
- Ubuntu Server 22.04
- using rsyslog
- forwarding logs to the NMS at 10.1.1.1
using:
- UDP
- TCP
- TLS
with:
- local log retention
- persistent forwarding queues
- firewall configuration using ufw
- hardened log rotation
- verification and troubleshooting procedures
The server will ONLY forward logs and NOT receive inbound Syslog
1. Understanding Syslog Transport Methods
Before configuring Syslog, it is important to understand the transport options.
UDP Syslog
uses
- protocol: UDP
- default port: 514
Advantages:
- Lightweight
- Minimal overhead
- Common on legacy devices
Disadvantages:
- No delivery confirmation
- Logs can be lost during congestion
- No encryption
- No session management
Operational use:
- Legacy environments
- Low security networks
- High volume but low criticality logging
Rsyslog syntax:
@10.1.1.1:514 Single @ means UDP.
TCP Syslog uses:
- protocol: TCP
- default port: 514
Advantages:
- Reliable delivery
- Ordered transmission
- Session based communication
Disadvantages:
- Slightly higher overhead
- No encryption unless TLS is added
Operational use:
- Recommended minimum standard for production
Rsyslog syntax:
@@10.1.1.1:514 Double @@ means TCP.
TLS Syslog uses:
- protocol: TCP with TLS encryption
- common port: 6514
Advantages:
- Encryption in transit
- Authentication support
- Protection against interception
- Best practice for production
Disadvantages:
- More complex setup
- Requires certificates
- Slightly higher CPU overhead
Operational use:
- Enterprise production
- Compliance driven environments
- Security sensitive infrastructure
2. Install and Verify rsyslog
Ubuntu 22.04 normally includes rsyslog by default.
Verify Installation
sudo systemctl status rsyslog
This:
- Confirms rsyslog is installed
- Verifies service state
- Confirms startup status
Expected output:
active (running)
If they are missing then install them:
sudo apt update sudo apt install rsyslog rsyslog-gnutls -y
rsyslog is the main Syslog daemon and rsyslog-gnutls is required for TLS encryption support
3. Create a Dedicated Forwarding Configuration
Production systems should avoid editing the main rsyslog configuration directly. Instead create modular configuration files in /etc/rsyslog.d/
4. Configure Persistent Queues (Availability Requirement)
Persistent queues prevent log loss during:
- NMS outages
- network interruptions
- reboot events
Create the queue directory:
sudo mkdir -p /var/spool/rsyslog
Set permissions:
sudo chown syslog:adm /var/spool/rsyslog sudo chmod 750 /var/spool/rsyslog
This:
- Restricts queue access
- Prevents unauthorised reading of queued logs
5. Configure UDP Forwarding
Create the configuration file:
sudo nano /etc/rsyslog.d/10-nms-udp.conf
Add the below configuration:
# System logs *.info;mail.none;authpriv.none;cron.none @10.1.1.1:514 # Security logs authpriv.* @10.1.1.1:514 # Reliable queue settings $ActionQueueType LinkedList $ActionQueueFileName udpqueue $ActionResumeRetryCount -1 $ActionQueueSaveOnShutdown on
Save and exit.
Explanation of the UDP Configuration
System Logs Rule *.info;mail.none;authpriv.none;cron.none
Meaning:
- Forward informational and higher logs
- Exclude mail logs, authentication logs and cron logs
This:
- Reduces unnecessary noise
- Security logs handled separately
Security Logs Rule
authpriv.* Forward authentication/security logs
Examples:
- SSH authentication
- sudo activity
- PAM events
Queue Configuration
$ActionQueueType LinkedList
Creates an in-memory queue.
$ActionQueueFileName udpqueue
Enables disk backed persistence.
$ActionResumeRetryCount -1
Retry forever.
$ActionQueueSaveOnShutdown on
Preserve queued logs during reboot.
6. Configure TCP Forwarding
Create:
sudo nano /etc/rsyslog.d/20-nms-tcp.conf
Add the below configuration:
# System logs *.info;mail.none;authpriv.none;cron.none @@10.1.1.1:514 # Security logs authpriv.* @@10.1.1.1:514 # Reliable queue settings $ActionQueueType LinkedList $ActionQueueFileName tcpqueue $ActionResumeRetryCount -1 $ActionQueueSaveOnShutdown on TCP Configuration Differences
The ONLY syntax change is:
@@10.1.1.1:514
Double @@ enables TCP.
7. Configure TLS Syslog Forwarding
Create Certificates Directory
sudo mkdir -p /etc/rsyslog-keys sudo chmod 700 /etc/rsyslog-keys
Copy CA Certificate
Example:
sudo cp ca-cert.pem /etc/rsyslog-keys/
Set permissions:
sudo chmod 600 /etc/rsyslog-keys/ca-cert.pem
This ensures:
- TLS requires certificate trust validation
- Restrictive permissions reduce exposure
Create TLS Configuration
sudo nano /etc/rsyslog.d/30-nms-tls.conf
Add the below configuration:
global(
DefaultNetstreamDriver="gtls"
DefaultNetstreamDriverCAFile="/etc/rsyslog-keys/ca-cert.pem"
)
# System logs
action(
type="omfwd"
target="10.1.1.1"
port="6514"
protocol="tcp"
StreamDriver="gtls"
StreamDriverMode="1"
StreamDriverAuthMode="x509/name"
queue.type="LinkedList"
queue.filename="tlsqueue"
action.resumeRetryCount="-1"
queue.saveonshutdown="on"
)
*.info;mail.none;authpriv.none;cron.none
# Security logs
action(
type="omfwd"
target="10.1.1.1"
port="6514"
protocol="tcp"
StreamDriver="gtls"
StreamDriverMode="1"
StreamDriverAuthMode="x509/name"
queue.type="LinkedList"
queue.filename="tlsqueue-auth"
action.resumeRetryCount="-1"
queue.saveonshutdown="on"
)
authpriv.*
8. TLS Configuration Explanation
StreamDriver StreamDriver="gtls"
Enables TLS transport.
StreamDriverMode StreamDriverMode="1"
Enables TLS only mode.
Authentication Mode StreamDriverAuthMode="x509/name"
Validates certificate identity.
Port 6514
6514 is the standard port for Syslog over TLS.
9. Validate rsyslog Configuration
Always validate before restarting services.
sudo rsyslogd -N1
This command:
- Checks syntax only
- Prevents broken production deployments
Expected output:
rsyslogd: End of config validation run. Bye.
10. Restart rsyslog
sudo systemctl restart rsyslog
To verify:
sudo systemctl status rsyslog
11. Configure Firewall (ufw)
Because this server only forwards logs, outbound access is required but inbound Syslog is NOT required
Allow Outbound UDP Syslog:
sudo ufw allow out 514/udp
Allow Outbound TCP Syslog:
sudo ufw allow out 514/tcp
Allow Outbound TLS Syslog:
sudo ufw allow out 6514/tcp
Verify the firewall rules:
sudo ufw status numbered
This:
- Confirms firewall policy
- Verifies outbound ports
12. Configure Log Rotation Hardening
Ubuntu uses logrotate. Inspect the existing rsyslog rotation:
sudo nano /etc/logrotate.d/rsyslog
Some recommended hardened settings:
/var/log/syslog
/var/log/auth.log
{
rotate 30
daily
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
systemctl reload rsyslog >/dev/null 2>&1 || true
endscript
create 0640 syslog adm
}
13. Log Rotation Explanation
rotate 30
Keeps 30 rotated logs that are useful for:
- investigations
- compliance
- outage review
compress
Reduces disk usage.
delaycompress
Avoids compressing the newest rotated log immediately which can be useful during troubleshooting.
create 0640 syslog adm
Secure permissions:
- readable by administrators
- not world readable
14. Verify Forwarding
Verify rsyslog Service
sudo systemctl status rsyslog
Verify Listening Connections
For TCP/TLS:
ss -antp | grep rsyslog
For UDP:
ss -aunp | grep rsyslog
Verify Queue Files
ls -lh /var/spool/rsyslog
This command:
- Confirms persistent queues exist
- Indicates retry buffering is operational
Verify Local Log Retention
sudo tail -f /var/log/syslog
And:
sudo tail -f /var/log/auth.log
This command:
- Confirms local logging remains enabled
- Ensures forwarding does not replace retention
15. Troubleshooting
Validate Configuration
sudo rsyslogd -N1
Check Service Logs
sudo journalctl -u rsyslog
Useful for:
- TLS errors
- syntax issues
- queue failures
- connectivity issues
Verify Firewall Status
sudo ufw status verbose
Confirm Port Reachability
UDP:
nc -vzu 10.1.1.1 514
TCP:
nc -vz 10.1.1.1 514
TLS:
nc -vz 10.1.1.1 6514
16. Production Recommendations
For production deployments the preferred order:
- TLS Syslog as TLS provides confidentiality and authentication
- TCP Syslog as TCP provides reliability
- UDP Syslog as UDP provides neither
Recommended operational defaults:
- persistent queues enabled
- local retention enabled
- restricted queue permissions
- outbound only firewall rules
- separate modular rsyslog configuration files
- syntax validation before restart
- compressed log rotation
- infinite retry count for delivery resilience
Receiving Syslog
This guide explains how to deploy a hardened centralised Syslog server on Ubuntu 22.04 using rsyslog. The server will:
- receive Syslog from up to 500 devices
- support UDP Syslog, TCP Syslog and TLS Syslog
- retain logs locally for 90 days
- organise logs per host
- use raw IP addresses (as opposed to DNS names, which introduce a potential performance bottleneck)
- apply operational hardening
- use persistent queues
- apply performance tuning
- reduce noisy logs
- restrict inbound access to 10.2.1.0/24 and 10.3.1.0/24 subnets
Infrastructure assumptions:
- Ubuntu server has 8 vCPU, 16GB RAM and 1TB SSD RAID1
- medium logging volume
- standard enterprise environment
1. Architecture Overview
The Syslog server performs four major functions:
- Receives remote Syslog messages
- Writes logs to disk by source IP
- Retains logs locally for 90 days
- Protects against log floods, queue exhaustion, disk pressure and transport interruptions
This deployment uses:
- modular rsyslog configuration
- disk assisted queues
- per host storage
- explicit firewall rules
- controlled permissions
- transport separation
2. Install Required Packages
Update the server:
sudo apt update sudo apt upgrade -y
Install rsyslog and TLS support:
sudo apt install rsyslog rsyslog-gnutls logrotate ufw -y
3. Verify rsyslog Service
Check service status:
sudo systemctl status rsyslog
Expected output:
active (running)
Enable startup persistence:
sudo systemctl enable rsyslog
4. Create Directory Structure
Create directories for:
- remote logs
- queues
- TLS certificates
sudo mkdir -p /var/log/remote sudo mkdir -p /var/spool/rsyslog sudo mkdir -p /etc/rsyslog-keys
5. Configure Secure Permissions
Set ownership:
sudo chown syslog:adm /var/log/remote sudo chown syslog:adm /var/spool/rsyslog
Set permissions:
sudo chmod 750 /var/log/remote sudo chmod 750 /var/spool/rsyslog sudo chmod 700 /etc/rsyslog-keys
This:
- prevents unauthorised log access
- restricts queue access
- protects TLS certificate storage
6. Create Main Remote Logging Configuration
Create:
sudo nano /etc/rsyslog.d/10-remote-logging.conf
Add the configuration:
############################
# GLOBAL SETTINGS
############################
global(
workDirectory="/var/spool/rsyslog"
maxMessageSize="8k"
)
############################
# MODULES
############################
module(load="imudp")
module(load="imtcp")
module(load="imptcp")
module(load="gtls")
############################
# UDP LISTENER
############################
input(
type="imudp"
port="514"
threads="4"
timeRequery="500"
batchSize="128"
)
############################
# TCP LISTENER
############################
input(
type="imtcp"
port="514"
workerthreads="4"
ratelimit.interval="0"
)
############################
# TLS LISTENER
############################
global(
DefaultNetstreamDriver="gtls"
DefaultNetstreamDriverCAFile="/etc/rsyslog-keys/ca-cert.pem"
)
input(
type="imtcp"
port="6514"
StreamDriver.Name="gtls"
StreamDriver.Mode="1"
StreamDriver.AuthMode="anon"
workerthreads="4"
)
############################
# TEMPLATES
############################
template(
name="PerHostLogs"
type="string"
string="/var/log/remote/%FROMHOST-IP%/%PROGRAMNAME%.log"
)
############################
# FILTERING RULES
############################
if ($syslogseverity-text == 'debug') then {
stop
}
if ($programname == 'snmpd') then {
stop
}
if ($msg contains 'LINK-3-UPDOWN') then {
stop
}
############################
# REMOTE LOG STORAGE
############################
*.* ?PerHostLogs
############################
# FILE PERMISSIONS
############################
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0750
############################
# QUEUE SETTINGS
############################
$ActionQueueType LinkedList
$ActionQueueFileName remotequeue
$ActionQueueMaxDiskSpace 20g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
Save and exit.
7. Understanding the Configuration
7.1 UDP Listener
input(
type="imudp"
port="514"
)
Purpose: accepts UDP Syslog traffic
Operational characteristics:
- connectionless
- lowest overhead
- least reliable
Used by:
- older switches
- printers
- environmental monitors
UDP Performance Tuning
threads="4"
Uses multiple processing threads. Benefits:
- improved parallelism
- better CPU utilisation
batchSize="128"
Processes multiple UDP packets together. Benefits:
- reduced CPU overhead
- improved throughput
7.2 TCP Listener
input(
type="imtcp"
port="514"
)
Purpose: accepts reliable TCP Syslog traffic.
Benefits:
- guaranteed delivery
- ordered transmission
- improved stability
Common devices:
- network switches, routers and firewalls
- Linux server
- Windows collectors
TCP Worker Threads
workerthreads="4"
TCP Worker Threads allows parallel TCP processing. This is important for:
- burst handling
- large numbers of simultaneous senders
7.3 TLS Listener
port="6514"
Port 6514 is the standard Syslog TLS port.
StreamDriver.Name="gtls"
TLS Driver enables encrypted transport.
StreamDriver.Mode="1"
TLS Mode enforces TLS only communication.
StreamDriver.AuthMode="anon"
TLS Authentication encrypts traffic without client certificate validation.
Enterprise note:
- acceptable for internal enterprise logging
- mutual certificate validation is more secure but operationally heavier
7.4 Per Host Logging
string="/var/log/remote/%FROMHOST-IP%/%PROGRAMNAME%.log"
Creates:
- separate directories per source IP
- separate files per application/program
Example: /var/log/remote/10.2.1.10/sshd.log
Benefits:
- easier troubleshooting
- scalable retention
- simpler incident analysis
7.5 Noise Reduction Filters
if ($syslogseverity-text == 'debug')
Drop debug messages prevents excessive low value logging.
if ($programname == 'snmpd')
Drop SNMP Daemon Noise as it is often noisy in enterprise networks.
if ($msg contains 'LINK-3-UPDOWN')
Drop interface flapping spam to reduce excessive switch interface events.
7.6 Queue Engineering
$ActionQueueMaxDiskSpace 20g
Limits queue growth and prevents:
- disk exhaustion
- filesystem outages
$ActionQueueSaveOnShutdown on
Persistent queues preserves queue state during reboot.
8. Configure TLS Certificates
Copy the CA certificate:
sudo cp ca-cert.pem /etc/rsyslog-keys/
Set permissions:
sudo chmod 600 /etc/rsyslog-keys/ca-cert.pem
9. Configure Firewall Rules
Enable UFW:
sudo ufw enable
Allow UDP Syslog
sudo ufw allow proto udp from 10.2.1.0/24 to any port 514 sudo ufw allow proto udp from 10.3.1.0/24 to any port 514
Allow TCP Syslog
sudo ufw allow proto tcp from 10.2.1.0/24 to any port 514 sudo ufw allow proto tcp from 10.3.1.0/24 to any port 514
Allow TLS Syslog
sudo ufw allow proto tcp from 10.2.1.0/24 to any port 6514 sudo ufw allow proto tcp from 10.3.1.0/24 to any port 6514
Verify Rules
sudo ufw status numbered
10. Configure Log Rotation
Create:
sudo nano /etc/logrotate.d/remote-syslog
Add the below configuration:
/var/log/remote/*/*.log
{
daily
rotate 90
compress
delaycompress
missingok
notifempty
sharedscripts
create 0640 syslog adm
postrotate
systemctl reload rsyslog > /dev/null 2>&1 || true
endscript
}
11. Understanding Log Rotation
rotate 90
Retains 90 daily archives. Matches enterprise retention requirement
compress
Reduces SSD utilisation.
delaycompress
Keeps newest rotated log readable which is very useful during investigations.
12. Validate Configuration
Always validate before restart.
sudo rsyslogd -N1
Expected output:
rsyslogd: End of config validation run. Bye.
13. Restart rsyslog
sudo systemctl restart rsyslog
Verify:
sudo systemctl status rsyslog
14. Verify Listening Ports
Check UDP:
ss -ulpn | grep 514
Check TCP:
ss -tlpn | grep 514
Check TLS:
ss -tlpn | grep 6514
15. Verify Log Creation
Check remote directories:
sudo ls -R /var/log/remote
Verify permissions:
sudo ls -l /var/log/remote
16. Verify Queue Files
sudo ls -lh /var/spool/rsyslog
17. Troubleshooting
Validate Syntax
sudo rsyslogd -N1
Check rsyslog Service Logs
sudo journalctl -u rsyslog
This is useful for:
- TLS failures
- listener startup failures
- queue issues
- permission errors
Check Firewall
sudo ufw status verbose
Verify Listening State
ss -tulpn | grep rsyslog
18. Enterprise Operational Recommendations
Recommended transport priority is:
- TLS as TLS provides encryption
- TCP as TCP provides reliability
- UDP as UDP provides compatibility
A recommended device mapping:
| Device type | Recommended transport |
|---|---|
| Firewalls | TLS |
| Linux servers | TLS |
| Windows servers | TCP/TLS |
| Network switches | UDP/TCP |
| Printers | UDP |
| Environmental monitors | UDP |
19. Final Production Characteristics
This deployment provides:
- centralised enterprise logging
- per host organisation
- 90 day retention
- encrypted logging support
- queue persistence
- SSD aware log rotation
- explicit firewall restrictions
- scalable ingestion for 500 devices
- operationally hardened permissions
- filtering of noisy events
- performance tuning for medium volume enterprise environments
Conclusion
This completes our foray into the world of SNMP and Syslog. Although both protocols originate in the 1980s, they are still widely used in enterprises today. Wherever possible, operationally hardened configurations have been used, together with line by line explanations of what they mean. Hopefully, the discussions around what version or transport method to use are sufficient in order to define a network monitoring architecture and to demonstrate the decisions that need to be made, in order to gain the greatest value from the network monitoring solution.