How to Configure SNMP and Syslog on Windows and Linux servers - Part 2: A Complete Guide for Sysadmins

Table of Contents

Introduction
Windows Servers
-SNMP
--Transmitting SNMP
--Receiving SNMP
-Syslog
--Transmitting Syslog
--Receiving Syslog
Linux Servers
-SNMP
--Transmitting SNMP
--Receiving SNMP
-Syslog
--Transmitting Syslog
--Receiving Syslog
Conclusion

 

Introduction

Part 1 provided a brief introduction to SNMP (and its versions) as well as Syslog. It also covered how to configure, verify and troubleshoot all versions of SNMP and Syslog for both Cisco Switches and Juniper Firewalls. This blog post (Part 2) continues with how to configure, verify and troubleshoot SNMP and Syslog for Windows and Linux Servers, where those messages are sent to another server (covered in the Transmitting sections). In the Receiving sections, the scenario where the Windows and Linux Server can act as a Network Management System (NMS) and receive SMNMP and Syslog information are covered.

Windows Servers

SNMP

Transmitting SNMP

SNMP v1, v2c and v3 secure configuration on Windows Server 2016

This guide explains how to securely configure SNMP on Windows Server 2016 for use with a legacy Network Management System (NMS) at 10.1.1.1. The guide covers:

  1. SNMP v1
  2. SNMP v2c
  3. SNMP v3
  4. GUI configuration
  5. PowerShell configuration
  6. Windows Firewall hardening
  7. Verification and troubleshooting
  8. Security best practices

This guide assumes:

  1. Windows Server 2016 standalone server
  2. IPv4 only
  3. Monitoring only (read-only)
  4. Enterprise production environment
  5. Legacy NMS support required for SNMP v1/v2c
  6. SNMP v3 configured with SHA authentication and AES encryption (authPriv)
  7. Windows Defender Firewall enabled
  8. An understanding of SNMP Versions

Part 1 — Install the SNMP Service on Windows Server 2016 (SNMP v1/v2c only)

Windows Server 2016 includes Microsoft SNMP Service for SNMP v1/v2c. It is important to note that Microsoft’s native SNMP service does NOT support SNMP v3. Therefore SNMP v3 requires a third party agent.

Installing SNMP via GUI

Step 1 — Open Server Manager

Navigate to: Server Manager → Manage → Add Roles and Features

Why This Matters: Windows Server 2016 installs SNMP as an optional feature rather than enabling it by default. This reduces the attack surface.

Step 2 — Select Role based Installation

Choose: Role based or feature based installation. Click Next.

Why This Matters: This method installs SNMP directly on the local server.

Step 3 — Select the Local Server

Choose the target Windows Server 2016 instance. Click Next.

Step 4 — Install SNMP Service

Navigate to: Features → SNMP Service. Select SNMP Service.

Optional: SNMP WMI Provider. Click Install.

Why This Matters: The SNMP Service provides SNMP polling capability. The WMI Provider allows Windows management integration but is not required for standard NMS polling.

Installing SNMP via PowerShell

Run PowerShell as Administrator.

Install-WindowsFeature -Name SNMP-Service -IncludeManagementTools

Verify installation:

Get-WindowsFeature SNMP*

Why This Matters: PowerShell enables repeatable enterprise deployment and automation.

Part 2 — Configure SNMP v1/v2c Securely

SNMP v1/v2c use nearly identical configuration methods on Windows.

Step 1 — Configure SNMP via GUI. Open SNMP Service Properties

Open services.msc. Locate SNMP Service. Right-click → Properties.

Step 2 — Configure the Agent Tab and enter the contact and location information. Example:

  • Contact: Network Operations
  • Location: Datacenter Rack A

Why This Matters: these fields help administrators identify devices in large monitoring environments.

Avoid sensitive information like:

  • usernames
  • phone numbers
  • internal asset IDs

Step 3 — Enable Required Services

Select only required options:

  • Physical
  • Applications
  • Internet
  • End to end

Why This Matters: these values identify server capabilities to the NMS. They are informational only.

Step 4 — Configure the Security Tab. This is the most important section.

Remove “public”

Delete any default community strings.

Why This Matters: public is universally known and heavily targeted. Leaving it enabled creates a serious security risk.

Step 5 — Create Read-Only Community String

Add a community string and ensure its rights are set to READ ONLY

Why This Matters: Read-only access prevents remote configuration changes.

Never use the following unless absolutely required: READ WRITE or READ CREATE

Step 6 — Accept SNMP Packets from Approved Hosts Only

Select:

accept SNMP packets from these hosts
Add 10.1.1.1

Why This Matters: This is one of the most important hardening controls. Without this restriction, any host capable of reaching UDP/161 could attempt SNMP queries. Restricting polling to the NMS IP dramatically reduces exposure.

Step 7 — Disable Authentication Traps (Optional)

In high-security environments:

Uncheck: Send authentication trap

Why This Matters: authentication traps can generate excessive noise and may expose monitoring behaviour patterns. Some environments still enable them for alerting purposes.

Step 8 — Restart the SNMP Service

Restart-Service SNMP or use Services.msc.

Why This Matters: SNMP configuration changes do not always apply until the service restarts.

Step 9 — Configure Windows Firewall to allow SNMP from NMS Only

GUI Method

Open: Windows Defender Firewall with Advanced Security

Create inbound rule:

Setting Value
Protocol UDP
Port 161
Remote IP 10.1.1.1
Action Allow

PowerShell Method

New-NetFirewallRule `
-DisplayName "Allow SNMP from NMS" `
-Direction Inbound `
-Protocol UDP `
-LocalPort 161 `
-RemoteAddress 10.1.1.1 `
-Action Allow

Why This Matters: firewall restrictions provide a second security layer even if the SNMP configuration becomes misconfigured. Defense in depth is essential in enterprise environments.

Verify SNMP v1/v2c Configuration

Verify Service Status

Get-Service SNMP

Expected:

Status : Running

Verify Listening Ports

netstat -ano | findstr :161

Expected:

UDP    0.0.0.0:161

Test from NMS

Example Linux command:

snmpwalk -v2c -c examplestring 10.1.1.10 system

Example Windows Net-SNMP command:

snmpwalk.exe -v2c -c examplestring 10.1.1.10 system

Why This Matters: snmpwalk validates:

  • connectivity
  • authentication
  • MIB access
  • firewall rules

Troubleshooting SNMP v1/v2c

Problem: Timeout

Possible causes:

  • Windows Firewall blocking UDP/161
  • Incorrect source IP restriction
  • SNMP service stopped
  • NMS IP mismatch

Check:

Test-NetConnection -ComputerName localhost -Port 161

Note: UDP testing is limited with Test-NetConnection.

Problem: Authentication Failure

Possible causes:

  • Incorrect community string
  • Wrong SNMP version
  • Packet filtering restrictions

Problem: SNMP Service Missing

Check installation:

Get-WindowsFeature SNMP-Service

Part 3 — Secure SNMP v3 on Windows Server 2016

Because Microsoft SNMP does not support SNMP v3, a third-party agent is required. The recommended Free/Open-Source SNMP v3 Agent is Net- SNMP as it is widely used in enterprise environments. It supports:

  • SNMP v1
  • SNMP v2c
  • SNMP v3
  • SHA authentication
  • AES encryption

Install Net-SNMP on Windows

Step 1 — Download Net-SNMP

Download the Windows build from the official project or a trusted enterprise repository. Install to: C:\usr. The directory matters as Net-SNMP uses UNIX-style directory structures even on Windows.

Step 2 — Locate snmpd.conf for SNMPv3

Typical location: C:\usr\etc\snmp\snmpd.conf

Step 3 — Configure Secure SNMP v3 User

Example configuration:

createUser snmpv3user SHA "StrongAuthPassword123!" AES "StrongPrivacyPassword123!"
rouser snmpv3user authPriv

Why This Matters: this configuration provides the recommended production configuration:

Feature Purpose
SHA Authentication integrity
AES Encryption
authPriv Authentication + privacy

Restrict SNMP v3 Access to the NMS

Step 4 — Restrict Source Access

Add:

agentAddress udp:161
com2sec notConfigUser 10.1.1.1/32 examplestring

For stricter VACM controls:

view all included .1 80
access notConfigGroup "" any noauth exact all none none

Why This Matters: access control reduces the risk of unauthorised polling attempts.

Configure Windows Firewall for SNMP v3

Step 5 — Allow UDP/161 from NMS Only

New-NetFirewallRule `
-DisplayName "Allow SNMP v3 from NMS" `
-Direction Inbound `
-Protocol UDP `
-LocalPort 161 `
-RemoteAddress 10.1.1.1 `
-Action Allow

Start the Net-SNMP Service

Step 6 — Start SNMP Service

Start-Service snmpd

Set startup type:

Set-Service snmpd -StartupType Automatic

Verify SNMP v3

Test Using snmpwalk

snmpwalk -v3 \
-u snmpv3user \
-l authPriv \
-a SHA \
-A StrongAuthPassword123! \
-x AES \
-X StrongPrivacyPassword123! \
10.1.1.10 system

Why This Matters: this validates:

  • authentication
  • encryption
  • VACM permissions
  • UDP connectivity

Troubleshooting SNMP v3

Problem: Unknown User Name

Cause: user not created correctly

Check:

createUser line exists

Restart service afterward.

Problem: Decryption Errors

Cause: AES password mismatch

Verify:

--X privacy password
-AES enabled on NMS

Problem: Unsupported Security Level

Cause: NMS configured for authNoPriv instead of authPriv

Ensure both sides match.

Operational Hardening Best Practices

1. Prefer SNMP v3 Whenever Possible

SNMP v3 should always be the production standard. Use SNMP v1/v2c only for legacy devices or temporary compatibility.

2. Never Use Default Community Strings

Avoid: public, private or manager and use complex strings instead. In production, use long randomised values and password vault storage.

3. Restrict SNMP to Specific Hosts

Always restrict access to 10.1.1.1. Never allow any host or entire subnets unless required.

4. Use Read-Only Access

Monitoring systems rarely need write access. Read-write SNMP dramatically increases risk.

5. Limit Firewall Exposure

Allow only UDP/161 from the NMS. Block all other sources.

6. Monitor SNMP Logs

Review:

  • Windows Event Viewer
  • Net-SNMP logs
  • Firewall logs

Look for:

  • authentication failures
  • scanning activity
  • unexpected polling sources

Recommended Enterprise Deployment Strategy

Environment Recommendation
Legacy monitoring only SNMP v2c with strict ACLs
Modern secure environment SNMP v3 authPriv
High-security environment SNMP v3 only
Internet exposed systems Avoid SNMP entirely

Receiving SNMP

This guide explains how to configure Windows Server 2016 as a Network Management System (NMS) that:

  1. Securely polls approximately 1,000 devices
  2. Receives SNMP traps
  3. Receives INFORM messages where supported
  4. Supports SNMP v1, v2c, and v3
  5. Uses Net-SNMP tools for testing and troubleshooting
  6. Includes operational hardening and scale optimisation

When acting as an NMS, the Windows Server performs two separate SNMP functions:

Function Direction
Polling devices Outbound UDP/161
Receiving traps/informs Inbound UDP/162

For a production deployment monitoring 1,000 devices, the recommended architecture is:

Component Recommendation
SNMP polling SNMP v3 where possible
Legacy support SNMP v2c only where required
SNMP v1 Avoid unless absolutely necessary
Trap reception Centralised trap listener
Polling intervals Staggered
Network Dedicated management VLAN
Firewalling Restrict SNMP traffic to known subnets

Part 1 — Install SNMP Components

There are two distinct requirements:

  • Windows SNMP Service used for local SNMP agent functionality
  • Net-SNMP Tools used for polling, testing, trap reception and SNMP v3 support

Install Windows SNMP Service

GUI Installation

Navigate to: Server Manager → Manage → Add Roles and Features
Select: SNMP Service
Optional: SNMP WMI Provider

PowerShell Installation

Install-WindowsFeature -Name SNMP-Service -IncludeManagementTools

Verify:

Get-WindowsFeature SNMP*

Why This Matters: The Windows SNMP service allows:

  • local monitoring of the NMS itself
  • interoperability with legacy tools
  • trap forwarding integration in some environments

Install Net-SNMP

Use: the Net-SNMP Official Website

<https://www.net-snmp.org/>

Install to C:\usr. The Net-SNMP toolkit includes:

Tool Purpose
snmpwalk Poll devices
snmpget Query single OIDs
snmptrap Send test traps
snmptrapd Receive traps
snmpbulkwalk Efficient large polling

Part 2 — Configure the Windows SNMP Agent

Even though this server acts primarily as an NMS, it should still expose a local SNMP agent for monitoring.

Configure SNMP v1/v2c Agent

Step 1 — Open SNMP Service Properties

Open services.msc
Locate: SNMP Service
Right-click → Properties.

Step 2 — Configure Community String

Under the Security tab:

Remove: public and private

Add:

Community Rights
examplestring READ ONLY

Why This Matters: default community strings are heavily targeted by attackers. READ ONLY prevents configuration modification via SNMP.

Step 3 — Restrict Allowed Hosts

Select:

Accept SNMP packets from these hosts
Add trusted management subnet examples:
10.1.1.0/24

Why This Matters: restricting source IPs reduces unauthorised polling risk. This is mandatory in enterprise deployments.

Step 4 — Restart SNMP Service

Restart-Service SNMP

Part 3 — Configure Windows Firewall

The NMS must carry out the below functions:

Function Port
Poll devices UDP/161 outbound
Receive traps UDP/162 inbound

Configure Inbound Trap Rules

Allow SNMP Traps
New-NetFirewallRule `
-DisplayName "Allow SNMP Traps" `
-Direction Inbound `
-Protocol UDP `
-LocalPort 162 `
-RemoteAddress 10.1.1.0/24 `
-Action Allow

Configure Outbound Polling Rules

Allow SNMP Polling
New-NetFirewallRule `
-DisplayName "Allow Outbound SNMP Polling" `
-Direction Outbound `
-Protocol UDP `
-RemotePort 161 `
-RemoteAddress 10.1.1.0/24 `
-Action Allow

Why This Matters: many engineers forget outbound firewall filtering but without outbound UDP/161, polling fails silently.

Part 4 — Polling Workflow

The NMS performs the below polling flow:

  • NMS → UDP/161 → Device
  • Device → UDP response → NMS

For SNMP v3: authentication and encryption occur before data exchange

Some recommended polling intervals for 1000+ Devices

Device Type Recommended Interval
Core routers/switches 60 seconds
Access switches 300 seconds
Servers 300 seconds
Printers 900 seconds
Environmental sensors 300-600 seconds

Why This Matters: Over polling creates:

  • unnecessary CPU load
  • UDP packet drops
  • delayed trap processing

Scale optimisation for 1000 devices

1. Use SNMP BULK Operations

Prefer snmpbulkwalk instead of repeated snmpget. Why This Matters: bulk retrieval dramatically reduces:

  • packets per second
  • CPU usage
  • polling latency

2. Stagger Polling Windows

Avoid polling all devices simultaneously. Recommended to distribute polling across 60-second windows. Why This Matters: simultaneous polling bursts can overwhelm:

  • NIC queues
  • UDP buffers
  • firewall state tables

3. Separate Trap Processing from Polling

If possible dedicate separate services/processes and prioritise trap listener responsiveness. Why This Matters: trap storms can delay polling while polling spikes can drop traps.

4. Use Dedicated Management NICs

For large environments to isolate SNMP traffic from production workloads

5. Avoid Excessive OID Polling

Do not poll unless operationally required:

  • unnecessary interface counters
  • full routing tables
  • large ARP tables
  • massive environmental datasets

Part 5 — Configure SNMP v3 Polling

The Microsoft SNMP service does not support SNMP v3 so Net-SNMP tools is used to handle SNMPv3 polling. Below is an example shared SNMP v3 profile:

Setting Value
Username snmpv3user
Security Level authPriv
Authentication SHA
Privacy AES128

Below is a SNMP v3 polling example using snmpwalk from the Net-SNMP toolset:

snmpwalk -v3 \
-u snmpv3user \
-l authPriv \
-a SHA \
-A AuthPassword123! \
-x AES \
-X PrivacyPassword123! \
10.1.1.50 system

Why This Matters: This validates:

  • SNMP v3 authentication
  • encryption
  • UDP connectivity
  • firewall access

Below is an efficient SNMP v3 polling example using snmpbulkwalk:

snmpbulkwalk -v3 \
-u snmpv3user \
-l authPriv \
-a SHA \
-A AuthPassword123! \
-x AES \
-X PrivacyPassword123! \
10.1.1.50 ifDescr

Why This Matters: bulk polling is essential at enterprise scale.

Part 6 — Configure Trap Reception

Devices send unsolicited notifications (traps) in this order: Device → UDP/162 → NMS. INFORM messages differ because the NMS acknowledges receipt.

Step 1 — Configure Net-SNMP Trap Receiver using snmptrapd.conf

File location C:\usr\etc\snmp\snmptrapd.conf

Example:

authCommunity log,execute,net examplestring
createUser snmpv3user SHA "AuthPassword123!" AES "PrivacyPassword123!"
authUser log,execute,net snmpv3user

Why This Matters: this authorises:

  • SNMP v2c trap processing
  • SNMP v3 trap processing
  • without exposing unrestricted access.

Step 2 — Start snmptrapd

Start-Process "C:\usr\bin\snmptrapd.exe"

Step 3 — Verify Listening Port

netstat -ano | findstr :162

Expected:

UDP    0.0.0.0:162

Part 7 — Test Trap Reception

Send Test SNMP v2c Trap

snmptrap -v2c -c examplestring 10.1.1.1 '' coldStart

Send Test SNMP v3 Trap

snmptrap -v3 \
-u snmpv3user \
-l authPriv \
-a SHA \
-A AuthPassword123! \
-x AES \
-X PrivacyPassword123! \
10.1.1.1 '' coldStart

Why This Matters: trap testing validates:

  • firewall rules
  • UDP/162 access
  • SNMP v3 credentials
  • listener functionality

Part 8 — Troubleshooting

Verify UDP Ports

netstat -ano | findstr :161
netstat -ano | findstr :162

Test Connectivity

Test-NetConnection 10.1.1.50 -Port 161

Note: UDP testing is limited in PowerShell.

SNMP v1/v2c Polling Debug

snmpwalk -d -v2c -c examplestring 10.1.1.50 system

SNMP v3 Debugging

snmpwalk -DALL -v3 \
-u snmpv3user \
-l authPriv \
-a SHA \
-A AuthPassword123! \
-x AES \
-X PrivacyPassword123! \
10.1.1.50 system

Why This Matters: verbose debugging helps identify:

  • engine ID mismatches
  • authentication failures
  • packet parsing problems

Common SNMP v3 Problems

Problem: Unknown Engine ID

Cause:

  • Device engine ID changed
  • Cached engine IDs invalid

Fix:

  • clear cached SNMP v3 data
  • rediscover device

Problem: Not in Time Window

Cause: clock drift between NMS and device

Fix: synchronise using NTP

Why This Matters: SNMP v3 uses time synchronisation to prevent replay attacks.

Problem: Authentication Failure

Cause:

  • incorrect SHA password
  • username mismatch

Verify:

  • security level
  • authentication protocol

Problem: Decryption Errors

Cause: incorrect AES privacy password

Verify: AES enabled on both sides

Problem: Traps Not Received

Possible causes:

Cause Description
Firewall blocking UDP/162 Most common
Wrong trap destination Device misconfigured
Trap daemon stopped snmptrapd not running
VLAN ACLs Management network filtering
INFORM acknowledgment failures NMS not responding

Problem: High CPU During Polling

Common causes:

  • Polling too frequently
  • Excessive OID requests
  • Polling all devices simultaneously
  • Large SNMP tables

Fixes:

  • Increase polling intervals
  • Use bulk polling
  • Reduce monitored OIDs
  • Stagger polling windows

Part 9 — Enterprise Hardening Recommendations

1. Prefer SNMP v3 Wherever Possible

SNMP v3 provides:

  • authentication
  • integrity
  • encryption

SNMP v1/v2c does not.

2. Restrict Management VLAN Access

Only management hosts should access:

  • UDP/161
  • UDP/162

3. Use Read-Only Access

Avoid SNMP write access unless operationally necessary.

4. Limit Trap Sources

Restrict UDP/162 inbound access to known management subnets.

5. Monitor Trap Storms

Excessive traps can:

  • overwhelm the NMS
  • cause dropped packets
  • increase CPU usage

So use filtering where possible.

6. Use INFORM Messages for Critical Alerts

INFORM messages provide delivery acknowledgment. Use them for:

  • HA failures
  • UPS alerts
  • environmental alarms
  • core network failures

Syslog

Transmitting Syslog

This guide explains how to securely configure Syslog forwarding on Windows Server 2016 using the free and widely deployed NXLog Community Edition agent. The guide includes:

  1. UDP Syslog forwarding
  2. TCP Syslog forwarding
  3. TLS encrypted Syslog forwarding
  4. Windows Firewall logging
  5. Security and System event forwarding
  6. Noise reduction and filtering
  7. Log retention and rotation
  8. Verification and troubleshooting
  9. Operational hardening practices

1. Design Overview

Environment component Value
Windows Server Windows Server 2016
Syslog Server/NMS 10.1.1.1
IP version IPv4 only
Deployment type Enterprise production
Logging agent NXLog Community Edition
Event Logs Forwarded Security and System
Event Severity Warnings and Errors
Firewall Windows Defender
Transport options UDP, TCP and TLS

2. Why NXLog?

Windows does not natively send Syslog messages in the same way Linux systems do. NXLog is commonly used because it:

  1. Converts Windows Event Logs into Syslog format
  2. Supports UDP, TCP and TLS
  3. Has filtering capabilities
  4. Uses low system resources
  5. Is widely deployed in enterprise environments

3. Recommended Production Architecture

Priority Protocol Use case
Best TLS Production secure environments
Good TCP Internal trusted networks
Avoid if possible UDP Legacy compatibility only

Verify Connectivity

Open PowerShell:

Test-NetConnection 10.1.1.1 -Port 514

This confirms:

  • The Syslog server is reachable
  • Routing works
  • Firewalls are not blocking traffic

5. Install NXLog

Step 1 — Download NXLog

Download NXLog Community Edition

Step 2 — Install NXLog

Run the installer with administrative privileges.

Default installation path C:\Program Files\nxlog

Administrative privileges are required because NXLog:

  • Reads Windows Event Logs
  • Runs as a Windows service
  • Accesses firewall log files

6. Configure Windows Firewall Logging

Step 1 — Enable Firewall Logging

Open PowerShell as Administrator:

Set-NetFirewallProfile `
    -Profile Domain,Public,Private `
    -LogBlocked True `
    -LogAllowed True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

This enables:

  • Logging of blocked traffic
  • Logging of allowed traffic
  • Centralised firewall logging
  • A larger maximum log size

Firewall logs are important for:

  • Threat detection
  • Troubleshooting
  • Security investigations

7. Create a Backup of the NXLog Configuration

Step 1 — Backup Existing Configuration

Copy-Item `
"C:\Program Files\nxlog\conf\nxlog.conf" `
"C:\Program Files\nxlog\conf\nxlog.conf.bak"

Always back up production configurations before modification. This allows:

  • Fast rollback
  • Easier troubleshooting
  • Safer change management

8. Hardened NXLog Configuration

Main configuration file C:\Program Files\nxlog\conf\nxlog.conf

9. Configure Common Event Collection

Replace the contents of nxlog.conf with the following baseline.

10. Hardened Base Configuration

define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Input eventlog>
    Module im_msvistalog

    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="System">
                    *[System[(Level=2 or Level=3)]]
                </Select>

                <Select Path="Security">
                    *[System[(Level=2 or Level=3)]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Input firewall>
    Module im_file
    File "C:\\Windows\\System32\\LogFiles\\Firewall\\pfirewall.log"
    SavePos TRUE
    ReadFromLast TRUE
    PollInterval 5
</Input>

Event Filtering (Level=2 or Level=3) means:

Level Meaning
2 Error
3 Warning

This significantly reduces noise and performance impact.

Why Filter Logs?

Without filtering:

  • Excessive disk usage occurs
  • Network bandwidth increases
  • SIEM ingestion costs increase
  • Important events become harder to identify

11. Configure UDP Syslog

Add This Output Block

<Output udp_out>
    Module om_udp
    Host 10.1.1.1
    Port 514
    Exec to_syslog_bsd();
</Output>

<Route udp_route>
    Path eventlog, firewall => udp_out
</Route>

UDP Syslog:

  • Is fast
  • Uses minimal overhead
  • Does not guarantee delivery

Use only for:

  • Legacy collectors
  • Low security environments
  • Non critical telemetry

12. Configure TCP Syslog

Replace UDP Output With TCP

<Output tcp_out>
    Module om_tcp
    Host 10.1.1.1
    Port 514
    Exec to_syslog_bsd();
</Output>

<Route tcp_route>
    Path eventlog, firewall => tcp_out
</Route>

TCP improves reliability because:

  • Sessions are established
  • Packets are acknowledged
  • Delivery failures are detected

TCP is preferred over UDP in enterprise networks.

13. Configure TLS Encrypted Syslog (Recommended)

Without TLS:

  • Logs travel unencrypted
  • Credentials and security events may be exposed
  • Attackers can tamper with logs

TLS provides:

  • Encryption
  • Integrity
  • Authentication

Step 1 — Create Certificate Directory

New-Item `
-ItemType Directory `
-Path "C:\Program Files\nxlog\cert" `
-Force

Step 2 — Copy Certificates

Place inside C:\Program Files\nxlog\cert:

File Purpose
client-cert.pem Client certificate
client-key.pem Private key
ca.pem Trusted CA

Step 3 — Configure TLS Output

<Output tls_out>
    Module om_ssl

    Host 10.1.1.1
    Port 6514

    CAFile %ROOT%\cert\ca.pem
    CertFile %ROOT%\cert\client-cert.pem
    CertKeyFile %ROOT%\cert\client-key.pem

    AllowUntrusted FALSE

    Exec to_syslog_bsd();
</Output>

<Route tls_route>
    Path eventlog, firewall => tls_out
</Route>

Port 6514 is the standard Syslog-over-TLS port. AllowUntrusted FALSE prevents:

  • Rogue collectors
  • Man-in-the-middle attacks
  • Invalid certificates

Never disable this in production.

14. Configure Windows Firewall Rules

UDP Rule

New-NetFirewallRule `
-DisplayName "Syslog UDP Outbound" `
-Direction Outbound `
-Protocol UDP `
-RemoteAddress 10.1.1.1 `
-RemotePort 514 `
-Action Allow

TCP Rule

New-NetFirewallRule `
-DisplayName "Syslog TCP Outbound" `
-Direction Outbound `
-Protocol TCP `
-RemoteAddress 10.1.1.1 `
-RemotePort 514 `
-Action Allow

TLS Rule

New-NetFirewallRule `
-DisplayName "Syslog TLS Outbound" `
-Direction Outbound `
-Protocol TCP `
-RemoteAddress 10.1.1.1 `
-RemotePort 6514 `
-Action Allow

Restricting firewall rules to:

  • A single destination IP
  • Specific ports
  • Outbound only

Reduces attack surface.

15. Configure Windows Event Log Retention

Increase Security Log Size

wevtutil sl Security /ms:268435456

Increase System Log Size

wevtutil sl System /ms:134217728

These commands configure:

Log Size
Security 256 MB
System 128 MB

Larger logs reduce the chance of overwriting events during outages.

16. Configure Log Rotation

NXLog automatically rotates its own logs. Verify Rotation Settings

Check C:\Program Files\nxlog\data

Monitor:

  • nxlog.log
  • Cache files
  • Spool files

Operational Best Practice is to implement:

  • Daily log archival
  • Centralised SIEM retention
  • 30–90 day hot retention
  • 1 year cold archival if required

17. Configure Time Synchronisation

Time synchronisation matters because incorrect timestamps make:

  • Incident response difficult
  • Correlation unreliable
  • Forensics inaccurate

Configure NTP

w32tm /config /manualpeerlist:"pool.ntp.org" /syncfromflags:manual /update
Restart-Service w32time

Verify Time Sync

w32tm /query /status

18. Start NXLog Service

Restart Service

Restart-Service nxlog

Verify Service Status

Get-Service nxlog

The service should show:

Status : Running

If not:

  • Configuration syntax may be invalid
  • Certificates may be missing
  • Ports may be blocked

19. Verification and Testing

Test 1 — Generate a Failed Login Event

runas /user:fakeuser cmd

This creates:

  • Security log failures
  • Authentication warning events

These should appear on the Syslog server.

Test 2 — Generate Firewall Events

Attempt a blocked connection. For example:

Test-NetConnection 10.1.1.1 -Port 9999

Test 3 — Verify Port Connectivity

UDP

Test-NetConnection 10.1.1.1 -Port 514 -Udp

TCP

Test-NetConnection 10.1.1.1 -Port 514

TLS

Test-NetConnection 10.1.1.1 -Port 6514

20. Troubleshooting

NXLog will not start so check the log file C:\Program Files\nxlog\data\nxlog.log

Common causes include:

Problem Cause
Invalid config Syntax error
TLS failure Bad certificate
No logs forwarded Firewall block
Missing firewall logs Logging disabled

Validate NXLog Configuration

& "C:\Program Files\nxlog\nxlog.exe" -v

21. Enterprise hardening recommended production settings

Setting Recommendation
Protocol TLS
Port 6514
Firewall scope Restrict to NMS only
Event filtering Warning and Errors only
Time sync Mandatory
Certificate validation Enabled
Log storage Centralised
Local Admin access Restricted

22. Noise reduction best practices

Avoid Collecting:

  • Informational events
  • Debug logs
  • Excessive audit success events
  • Forward Only useful logs where a documented action will be taken

Recommended:

  • Errors
  • Warnings
  • Authentication failures
  • Service failures
  • Firewall drops

23. Recommended production configuration summary

Component Recommendation
Agent NXLog
Transport TLS
Syslog port 6514
Filtering Warnings and Errors
Firewall logging Enabled
Retention 30-90 days
Rotation Enabled
Time sync NTP
Encryption TLS required

Receiving Syslog

This guide explains how to configure Windows Server 2016 as a hardened centralised Syslog server using NXLog Community Edition. The server will:

  1. Receive Syslog messages from infrastructure devices
  2. Support UDP, TCP and TLS Syslog
  3. Store logs locally for long term retention
  4. Rotate and compress logs daily
  5. Restrict trusted Syslog senders
  6. Protect against log flooding
  7. Monitor service health
  8. Provide searchable local logs
  9. Use enterprise baseline hardening

1. Assumed environment overview

Component Value
Operating system Windows Server 2016
Deployment type Dedicated syslog server
Event volume Medium
Infrastructure devices Mixed vendor environment
IP version IPv4 only
Syslog protocols UDP, TCP and TLS
TLS certificates Self signed
Storage Local disk
Log rotation Daily
Compression Enabled
Syslog software NXLog community edition

2. Recommended Architecture

Protocol Ports Purpose
UDP syslog 514 Legacy devices
TCP syslog 514 Reliable syslog
TLS syslog 6514 Secure encrypted syslog

Separating transport protocols:

  • Simplifies troubleshooting
  • Improves security visibility
  • Helps identify unsupported devices
  • Prevents protocol conflicts

3. Install NXLog

Step 1 — Download NXLog

Download NXLog Community Edition

Step 2 — Install NXLog

Run the installer as Administrator. Default installation path C:\Program Files\nxlog. NXLog provides:

  • Syslog listeners
  • Log parsing
  • TLS support
  • Log rotation
  • File writing
  • Filtering

Windows Server cannot natively act as a full Syslog server without additional software.

4. Create Dedicated Log Storage

Create Log Directory Structure. Open PowerShell as Administrator:

New-Item -ItemType Directory -Path "D:\Syslog" -Force
New-Item -ItemType Directory -Path "D:\Syslog\UDP" -Force
New-Item -ItemType Directory -Path "D:\Syslog\TCP" -Force
New-Item -ItemType Directory -Path "D:\Syslog\TLS" -Force
New-Item -ItemType Directory -Path "D:\Syslog\Archive" -Force

Separating logs by protocol:

  • Simplifies investigations
  • Improves organisation
  • Makes troubleshooting easier

Using a dedicated drive:

  • Prevents operating system disk exhaustion
  • Improves performance
  • Reduces risk during log floods

5. Harden NTFS Permissions

Restrict Log Folder Access

icacls D:\Syslog /inheritance:r
icacls D:\Syslog /grant Administrators:F
icacls D:\Syslog /grant SYSTEM:F

This prevents:

  • Unauthorised access
  • Log tampering
  • Accidental deletion

Least privilege is critical on logging servers.

6. Create Self Signed TLS Certificates

Step 1 — Create Certificate Folder

New-Item `
-ItemType Directory `
-Path "C:\Program Files\nxlog\cert" `
-Force

Step 2 — Create Self Signed Certificate

New-SelfSignedCertificate `
-Type SSLServerAuthentication `
-Subject "CN=syslog-server" `
-KeyLength 4096 `
-HashAlgorithm SHA256 `
-CertStoreLocation Cert:\LocalMachine\My

This creates:

  • A TLS certificate
  • 4096 bit encryption
  • SHA256 hashing

TLS encrypts Syslog traffic and prevents interception.

Step 3 — Export Certificate

Open certlm.msc
-Export:
-Certificate
-Private key
-Base-64 format
Save into C:\Program Files\nxlog\cert. Example filenames:
-server-cert.pem
-server-key.pem
-ca.pem

7. Configure Windows Firewall

Without firewall restrictions:

  • Rogue devices can send logs
  • Attackers can flood the server
  • Storage can be exhausted

Step 1 — Remove Broad Syslog Rules

Get-NetFirewallRule | Where-Object {$_.DisplayName -like "*Syslog*"} | Remove-NetFirewallRule

Step 2 — Create restricted UDP rule. Replace example IPs with real device subnets.

New-NetFirewallRule `
-DisplayName "Syslog UDP Inbound" `
-Direction Inbound `
-Protocol UDP `
-LocalPort 514 `
-RemoteAddress 10.1.1.0/24,10.2.2.0/24 `
-Action Allow

Step 3 — Create restricted TCP rule

New-NetFirewallRule `
-DisplayName "Syslog TCP Inbound" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 514 `
-RemoteAddress 10.1.1.0/24,10.2.2.0/24 `
-Action Allow

Step 4 — Create restricted TLS rule

New-NetFirewallRule `
-DisplayName "Syslog TLS Inbound" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 6514 `
-RemoteAddress 10.1.1.0/24,10.2.2.0/24 `
-Action Allow

Restricting source addresses:

  • Blocks unauthorised devices
  • Reduces attack surface
  • Helps prevent log flooding

8. Configure NXLog

Main configuration file C:\Program Files\nxlog\conf\nxlog.conf
Backup original configuration first.
Copy-Item `
"C:\Program Files\nxlog\conf\nxlog.conf" `
"C:\Program Files\nxlog\conf\nxlog.conf.bak"

9. Hardened Enterprise NXLog Configuration

Replace the configuration with the following.

Full Hardened NXLog Configuration

define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Extension fileop>
    Module xm_fileop
</Extension>

# =========================
# UDP SYSLOG INPUT
# =========================

<Input udp_in>
    Module im_udp
    Host 0.0.0.0
    Port 514

    Exec if $raw_event =~ /(.{4096,})/ drop();
</Input>

# =========================
# TCP SYSLOG INPUT
# =========================

<Input tcp_in>
    Module im_tcp
    Host 0.0.0.0
    Port 514

    Exec if $raw_event =~ /(.{4096,})/ drop();
</Input>

# =========================
# TLS SYSLOG INPUT
# =========================

<Input tls_in>
    Module im_ssl
    Host 0.0.0.0
    Port 6514

    CertFile %ROOT%\cert\server-cert.pem
    CertKeyFile %ROOT%\cert\server-key.pem
    CAFile %ROOT%\cert\ca.pem

    AllowUntrusted FALSE

    Exec if $raw_event =~ /(.{4096,})/ drop();
</Input>

# =========================
# UDP OUTPUT FILE
# =========================

<Output udp_file>
    Module om_file
    File "D:\\Syslog\\UDP\\udp-%Y-%m-%d.log"

    CreateDir TRUE
</Output>

# =========================
# TCP OUTPUT FILE
# =========================

<Output tcp_file>
    Module om_file
    File "D:\\Syslog\\TCP\\tcp-%Y-%m-%d.log"

    CreateDir TRUE
</Output>

# =========================
# TLS OUTPUT FILE
# =========================

<Output tls_file>
    Module om_file
    File "D:\\Syslog\\TLS\\tls-%Y-%m-%d.log"

    CreateDir TRUE
</Output>

# =========================
# ROUTES
# =========================

<Route udp_route>
    Path udp_in => udp_file
</Route>

<Route tcp_route>
    Path tcp_in => tcp_file
</Route>

<Route tls_route>
    Path tls_in => tls_file
</Route>

10. Explanation of Hardening Features

Log Flood Protection

Exec if $raw_event =~ /(.{4096,})/ drop();

Drops oversized log entries. This protects against:

  • Malformed packets
  • Log flooding
  • Storage exhaustion

Daily Log Rotation

udp-%Y-%m-%d.log

Creates daily logs automatically. Benefits:

  • Easier archival
  • Faster searching
  • Reduced corruption risk
  • Protocol separation

Separate folders allow:

  • Easier troubleshooting
  • Better auditing
  • Device capability analysis

11. Configure Log Compression

Step 1 — Create Compression Script

Create the below script C:\Scripts\Compress-Syslog.ps1

$source = "D:\Syslog"
$archive = "D:\Syslog\Archive"

Get-ChildItem $source -Recurse -Filter *.log |
Where-Object {$_.LastWriteTime -lt (Get-Date).AddDays(-1)} |
ForEach-Object {

    Compress-Archive `
    -Path $_.FullName `
    -DestinationPath "$archive\$($_.BaseName).zip"

    Remove-Item $_.FullName
}

This script:

  • Compresses logs older than 1 day
  • Reduces storage usage
  • Maintains searchable archives

Step 2 — Schedule Compression Task

Open taskschd.msc
Create task:
Setting Value
Trigger Daily
Run as SYSTEM
Program powershell.exe
Arguments -ExecutionPolicy Bypass -File C:\Scripts\Compress-Syslog.ps1

12. Configure NXLog Service Monitoring

Step 1 — Create Monitoring Script

Create the below script C:\Scripts\Monitor-NXLog.ps1

$service = Get-Service nxlog

if ($service.Status -ne "Running") {

    Restart-Service nxlog

    Write-EventLog `
    -LogName Application `
    -Source "Windows PowerShell" `
    -EntryType Error `
    -EventId 1001 `
    -Message "NXLog service restarted automatically."
}

This script:

  • Detects NXLog failure
  • Restarts the service automatically
  • Creates an event log alert

Step 2 — Schedule Monitoring Task

Run every 5 minutes.

13. Alert When Syslog Stops Arriving

Step 1 — Create Monitoring Script

Create the below script C:\Scripts\Monitor-SyslogFlow.ps1

$latest = Get-ChildItem D:\Syslog\UDP\*.log |
Sort-Object LastWriteTime -Descending |
Select-Object -First 1

if ($latest.LastWriteTime -lt (Get-Date).AddMinutes(-15)) {

    Write-EventLog `
    -LogName Application `
    -Source "Windows PowerShell" `
    -EntryType Warning `
    -EventId 2001 `
    -Message "No recent Syslog activity detected."
}

This script detects:

  • Network outages
  • Device failures
  • Logging interruptions
  • NXLog processing failures

14. Configure Least Privilege

Component Recommended setting
Local Administrators Restricted
RDP access Limited
Firewall Allowlisted
Internet access Restricted
Antivirus exclusions NXLog folders only

This matters because Syslog servers often contain:

  • Authentication failures
  • Security alerts
  • Firewall events
  • Infrastructure diagnostics

Compromised logging servers create major visibility gaps.

15. Verification and Testing

Step 1 — Verify Listening Ports

netstat -ano | findstr 514

Verify TLS:

netstat -ano | findstr 6514

You should see:

Port Protocol
514 UDP
514 TCP
6514 TCP

Step 2 — Verify NXLog Service

Get-Service nxlog

Expected:

Status : Running

Step 3 — Verify Log Creation

Check D:\Syslog

You should see:

  • UDP logs
  • TCP logs
  • TLS logs

Step 4 — Verify Firewall Rules

Get-NetFirewallRule | Where-Object {$_.DisplayName -like "*Syslog*"}

16. Troubleshooting

NXLog Will Not Start

Check NXLog Logs C:\Program Files\nxlog\data\nxlog.log

Validate Configuration Syntax

& "C:\Program Files\nxlog\nxlog.exe" -v

Common Problems include:

Problem Cause
No logs received Blocked by firewall
TLS failure Invalid certificate
Service crash Syntax error
High disk usage Flooding or no compression
Empty logs Devices misconfigured

17. Operational enterprise best practices

Setting Recommendation
Preferred protocol TLS
Legacy support UDP
Reliable support TCP
Log rotation Daily
Compression Enabled
Source restrictions Mandatory
Dedicated storage volume Recommended
Monitoring scripts Enabled
Least priviledge Enforced

18. Recommended security best practices

  • Use TLS whenever supported
  • Restrict allowed source IPs
  • Disable unused protocols if possible
  • Rotate logs daily
  • Compress archives
  • Monitor storage usage
  • Monitor NXLog service health
  • Prevent oversized Syslog messages
  • Restrict administrative access
  • Back up configuration files regularly

19. Final Production Recommendation

For enterprise production environments:

  • Use TLS on port 6514 whenever devices support it
  • Use TCP for reliable legacy compatibility
  • Use UDP only where unavoidable
  • Separate logs by protocol
  • Restrict inbound Syslog sources
  • Rotate and compress logs daily
  • Monitor NXLog continuously
  • Protect against log flooding
  • Store logs on dedicated storage

Linux Servers

SNMP

Transmitting SNMP

Hardened SNMP Configuration Guide for Ubuntu 22.04 Using Net-SNMP. This guide provides production focused configuration procedures for:

  1. SNMP v1
  2. SNMP v2c
  3. SNMP v3 (authPriv using SHA and AES128)
  4. SNMP traps
  5. Validation and troubleshooting

Platform: Ubuntu Server 22.04 using Net-SNMP and Server management IP is 10.1.1.50

Monitoring station: 10.1.1.1, IPv4 only and SNMP bound only to the management interface/IP

Replace all example values with your production values.

1. Base Preparation (Required for All Versions)

These steps apply to SNMP v1, v2c and v3.

Step 1 — Install Net-SNMP Packages

sudo apt update
sudo apt install -y snmp snmpd

This installs:

  • snmpd — the SNMP daemon
  • snmp — SNMP client utilities such as snmpwalk, snmpget and snmptrap

These tools are required for operational validation and troubleshooting.

Step 2 — Identify the Management Interface

ip addr

Identify:

  • The management interface name
  • The IPv4 management address

Example:

Interface: ens192
IP address: 10.1.1.50

The SNMP daemon will later bind only to this IP address to reduce exposure.

Step 3 — Back Up the Default Configuration

sudo cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak

Always preserve the vendor default configuration before modifying production services.

Step 4 — Restrict File Permissions

sudo chown root:root /etc/snmp/snmpd.conf
sudo chmod 600 /etc/snmp/snmpd.conf

SNMP configuration files may contain:

  • Community strings
  • SNMP v3 credentials
  • Trap destinations

Restricting permissions prevents credential exposure.

Step 5 — Configure Local Firewall Rules

Ubuntu 22.04 commonly uses either:

  • ufw
  • iptables
  • nftables

The examples below use ufw.

sudo ufw allow from 10.1.1.1 to any port 161 proto udp
sudo ufw allow from 10.1.1.1 to any port 162 proto udp

This restricts SNMP polling and traps to the NMS only. No other hosts can communicate with the SNMP service.

2. Hardened SNMP v1 Configuration (Legacy Only)

SNMP v1 should only be used for legacy interoperability. Example SNMP v1 Polling Configuration:

Step 1 — Replace the Default Configuration

sudo nano /etc/snmp/snmpd.conf

Configuration

########################################################################
# SYSTEM INFORMATION
########################################################################

sysLocation    Data Centre Rack A
sysContact     Network Operations
sysName        ubuntu-server-01

########################################################################
# AGENT BINDING
########################################################################

agentAddress udp:10.1.1.50:161

########################################################################
# ACCESS CONTROL
########################################################################

com2sec readonlyv1 10.1.1.1/32 LEGACY-V1-RO

group MyROGroup v1 readonlyv1

view AllView included .1 80

access MyROGroup "" any noauth exact AllView none none

########################################################################
# PERFORMANCE AND SECURITY
########################################################################

dontLogTCPWrappersConnects yes

########################################################################
# TRAPS
########################################################################

trapsink 10.1.1.1 LEGACY-V1-RO
authtrapenable 1

Key hardening controls:

  • Binds only to 10.1.1.50
  • Only allows polling from 10.1.1.1
  • Uses read-only access
  • Disables unnecessary logging noise
  • Enables authentication failure traps

Step 2 — Restart the SNMP Service

systemd

sudo systemctl restart snmpd
sudo systemctl enable snmpd

or SysV Init

sudo service snmpd restart
sudo update-rc.d snmpd defaults

This:

  • Applies the configuration
  • Ensures SNMP starts after reboot

Step 3 — Validate the Service

sudo systemctl status snmpd

Confirm:

  • Service state is active (running)
  • No startup errors are present

Step 4 — Validate from the NMS

snmpwalk -v1 -c LEGACY-V1-RO 10.1.1.50 system

This confirms:

  • UDP/161 reachability
  • SNMP authentication
  • Read-only access functionality

3. Hardened SNMP v2c Configuration (Legacy Only)

SNMP v2c remains common operationally but still uses plaintext community strings.

Example SNMP v2c Polling Configuration:

Step 1 — Replace the Configuration

sudo nano /etc/snmp/snmpd.conf

Configuration

########################################################################
# SYSTEM INFORMATION
########################################################################

sysLocation    Data Centre Rack A
sysContact     Network Operations
sysName        ubuntu-server-01

########################################################################
# AGENT BINDING
########################################################################

agentAddress udp:10.1.1.50:161

########################################################################
# ACCESS CONTROL
########################################################################

com2sec readonlyv2 10.1.1.1/32 S3cure-V2C-Read0nly

group MyROGroup v2c readonlyv2

view AllView included .1 80

access MyROGroup "" any noauth exact AllView none none

########################################################################
# SECURITY HARDENING
########################################################################

dontLogTCPWrappersConnects yes

########################################################################
# TRAPS
########################################################################

trap2sink 10.1.1.1 S3cure-V2C-Read0nly
authtrapenable 1

This configuration:

  • Restricts access to one NMS
  • Uses a non default complex community string
  • Limits access to read-only
  • Enables SNMP v2 traps

Step 2 — Restart the Service

systemd

sudo systemctl restart snmpd

or SysV Init

sudo service snmpd restart

Step 3 — Validate the Configuration

snmpwalk -v2c -c S3cure-V2C-Read0nly 10.1.1.50 system

This validates:

  • SNMP v2c authentication
  • SNMP object retrieval
  • ACL restrictions

4. Hardened SNMP v3 Configuration (Recommended)

SNMP v3 with authPriv should be the production standard. This guide uses:

  • Authentication: SHA
  • Encryption: AES128
  • SNMP v3 Polling Configuration

Step 1 — Stop the SNMP Service

systemd

sudo systemctl stop snmpd

or SysV Init

sudo service snmpd stop

The SNMP v3 user creation utility requires the daemon to be stopped.

Step 2 — Remove Existing Persistent Configuration

sudo rm -f /var/lib/snmp/snmpd.conf

Net-SNMP stores SNMP v3 user credentials in a persistent file. Removing stale entries prevents:

  • Duplicate engine IDs
  • User conflicts
  • Credential mismatches

Step 3 — Create the SNMP v3 User

sudo net-snmp-create-v3-user \
-ro \
-a SHA \
-A "Str0ngAuthPassw0rd!" \
-x AES \
-X "Str0ngPrivPassw0rd!" \
snmpv3user

This creates:

  • Read-only user
  • SHA authentication
  • AES128 encryption

The credentials are automatically written securely to /var/lib/snmp/snmpd.conf

Step 4 — Configure the Main SNMP Daemon

sudo nano /etc/snmp/snmpd.conf

Configuration

########################################################################
# SYSTEM INFORMATION
########################################################################

sysLocation    Data Centre Rack A
sysContact     Network Operations
sysName        ubuntu-server-01

########################################################################
# AGENT BINDING
########################################################################

agentAddress udp:10.1.1.50:161

########################################################################
# ACCESS CONTROL
########################################################################

view AllView included .1 80

rouser snmpv3user authPriv -V AllView

########################################################################
# SECURITY HARDENING
########################################################################

dontLogTCPWrappersConnects yes

########################################################################
# TRAPS
########################################################################

createUser trapuser SHA "TrapAuthPass123!" AES "TrapPrivPass123!"
trapsess -v 3 \
-u trapuser \
-l authPriv \
-a SHA -A "TrapAuthPass123!" \
-x AES -X "TrapPrivPass123!" \
10.1.1.1

authtrapenable 1

Key security controls:

  • Only encrypted/authenticated SNMP v3 access
  • No plaintext community strings
  • Restricts users to authenticated encrypted sessions
  • Sends encrypted SNMP v3 traps

Step 5 — Restart the Service

systemd

sudo systemctl restart snmpd
sudo systemctl enable snmpd

or SysV Init

sudo service snmpd restart
sudo update-rc.d snmpd defaults

Step 6 — Validate SNMP v3 Polling

snmpwalk -v3 \
-u snmpv3user \
-l authPriv \
-a SHA -A "Str0ngAuthPassw0rd!" \
-x AES -X "Str0ngPrivPassw0rd!" \
10.1.1.50 system

This validates:

  • Authentication
  • Encryption
  • SNMP v3 user access
  • SNMP object retrieval

5. Hardened Trap Configuration

The following traps are operationally useful with minimal performance impact:

  • Cold start
  • Warm start
  • Authentication failures
  • Link up/down events

Step 1 — Enable Useful Trap Modules

sudo nano /etc/default/snmpd
Configuration:
SNMPDOPTS='-LSwd -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux,mteTrigger,mteTriggerConf'

This disables unnecessary modules while keeping the daemon lightweight.

Step 2 — Enable Interface Monitoring

sudo nano /etc/snmp/snmpd.conf
Add
linkUpDownNotifications yes

This enables:

  • Interface up/down traps
  • Basic operational visibility

These traps are lightweight and useful for monitoring.

Step 3 — Restart the Service

systemd

sudo systemctl restart snmpd

or SysV Init

sudo service snmpd restart

6. Manual Trap Testing

SNMP v2c Trap Test

snmptrap -v2c \
-c S3cure-V2C-Read0nly \
10.1.1.1 '' \
SNMPv2-MIB::coldStart

This sends a manual coldStart trap to the NMS.

SNMP v3 Trap Test

snmptrap -v3 \
-u trapuser \
-l authPriv \
-a SHA -A "TrapAuthPass123!" \
-x AES -X "TrapPrivPass123!" \
10.1.1.1 '' \
SNMPv2-MIB::coldStart

This validates:

  • SNMP v3 trap authentication
  • Encryption
  • NMS trap reception

7. Validation Procedures

Verify Listening Socket

sudo ss -lunp | grep 161

Expected Result

udp UNCONN 0 0 10.1.1.50:161

Confirms:

  • SNMP listens only on the management IP
  • IPv6 listeners are absent

Verify Firewall Rules

sudo ufw status numbered

Confirm only 10.1.1.1 can access UDP/161 and UDP/162

Verify SNMP v3 User Creation

sudo grep createUser /var/lib/snmp/snmpd.conf

Confirms persistent SNMP v3 credentials exist

Review Service Logs

systemd Journal

sudo journalctl -u snmpd
sudo tail -f /var/log/syslog

Useful for:

  • Authentication failures
  • Binding errors
  • Trap issues
  • Startup problems

8. Troubleshooting

Problem — SNMP Timeout

Checks

sudo systemctl status snmpd
sudo ss -lunp | grep 161
sudo ufw status

Common Causes:

  • Firewall blocking UDP/161
  • Incorrect bind IP
  • Wrong community string
  • Incorrect SNMP v3 credentials

Problem — Authentication Failure Traps

Usually indicates:

  • Incorrect community string
  • Incorrect SNMP v3 credentials
  • Unauthorised polling source

Verification:

sudo journalctl -u snmpd | grep -i auth

Problem — SNMP v3 User does not work

Check Persistent File:
sudo cat /var/lib/snmp/snmpd.conf

Common Causes:

  • User created before deleting old persistent file
  • Password mismatch
  • Incorrect security level

Problem — Traps Not Received

Validate UDP/162 reachability from the Linux Server

nc -vu 10.1.1.1 162

Capture packets on the Linux Server

sudo tcpdump -n udp port 162

Confirms:

  • Traps are transmitted
  • Traffic reaches the network

9. Production Hardening Recommendations

  • Use SNMP v3 only wherever possible
  • Never use default community strings
  • Restrict SNMP to management interfaces
  • Restrict access to the NMS only
  • Disable IPv6 listeners unless using IPv6
  • Use read-only access unless writes are operationally required
  • Rotate SNMP v3 credentials periodically
  • Monitor authentication failure traps
  • Back up SNMP configurations securely
  • Restrict file permissions on all SNMP configuration files

10. Final Verification Checklist

Post production deployment verify:

  • SNMP listens only on the management IP
  • Only 10.1.1.1 can poll
  • SNMP v3 authPriv works successfully
  • Traps are received by the NMS
  • Firewall rules are enforced
  • No IPv6 listeners exist
  • Configuration files are permission restricted
  • Service survives reboot

Receiving SNMP

Hardened SNMP manager and agent configuration guide for Ubuntu 22.04 using Net-SNMP as both NMS and SNMP agent. This guide configures the Ubuntu server as:

  1. A SNMP Network Management System (NMS)
  2. A SNMP trap receiver
  3. A SNMP polling system
  4. A SNMP monitored host itself

The guide covers:

  1. SNMP v1
  2. SNMP v2c
  3. SNMP v3 authPriv (SHA + AES128)
  4. SNMP polling
  5. SNMP traps
  6. Trap logging
  7. Service hardening
  8. Scaling guidance
  9. Troubleshooting
  10. Validation procedures

Network Assumptions:

Function IP address
Management inferface 10.1.1.50
SNMP polling/trap interface 10.1.1.1

Design assumptions:

  • SSH and administrative management use 10.1.1.50
  • All SNMP polling and trap traffic uses 10.1.1.1
  • IPv4 only
  • Approximately 500 monitored devices
  • Read-only polling only
  • Shared SNMP v3 credentials across monitored devices
  • Raw trap logging only

1. Unified Hardened Baseline

This section applies to all SNMP versions.

Step 1 — Install Required Packages

sudo apt update
sudo apt install -y \
snmp \
snmpd \
snmptrapd \
libsnmp-base \
libsnmp-dev

Installed components:

Package Purpose
snmpd Local SNMP agent
snmptrapd SNMP trap receiver
snmp Polling and testing utilities
libsnmp-* Net-SNMP runtime libraries

Step 2 — Identify Interfaces

ip addr

Confirm:

  • 10.1.1.50 exists for administrative management
  • 10.1.1.1 exists for SNMP traffic

The SNMP services will bind only to 10.1.1.1. This reduces exposure and simplifies firewall policy enforcement.

Step 3 — Back Up Default Configurations

sudo cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
sudo cp /etc/snmp/snmptrapd.conf /etc/snmp/snmptrapd.conf.bak

Always make a note of any vendor defaults before changing them in production.

Step 4 — Harden File Permissions

sudo chown root:root /etc/snmp/snmpd.conf
sudo chmod 600 /etc/snmp/snmpd.conf
sudo chown root:root /etc/snmp/snmptrapd.conf
sudo chmod 600 /etc/snmp/snmptrapd.conf

SNMP configuration files contain:

  • Community strings
  • SNMP v3 credentials
  • Trap receiver settings

Restricting access prevents credential disclosure.

Step 5 — Configure UFW Firewall Rules

sudo ufw default deny incoming
sudo ufw allow from 10.1.1.50 to any port 22 proto tcp
sudo ufw allow to 10.1.1.1 port 161 proto udp
sudo ufw allow to 10.1.1.1 port 162 proto udp
sudo ufw enable

This permits:

  • SSH management on 10.1.1.50
  • SNMP polling on UDP/161
  • Trap reception on UDP/162

The SNMP services remain isolated to the SNMP interface.

Step 6 — Create Persistent Trap Log Directory

sudo mkdir -p /var/log/snmp
sudo touch /var/log/snmp/snmptrapd.log
sudo chown Debian-snmp:Debian-snmp /var/log/snmp/snmptrapd.log

Creates persistent storage for:

  • Raw traps
  • Authentication failures
  • Operational events

Step 7 — Configure AppArmor Awareness

sudo aa-status

Ubuntu commonly protects SNMP services using AppArmor. If custom paths are used later then the AppArmor profiles may require updates. Default paths used in this guide generally avoid AppArmor conflicts.

Step 8 — Configure Service Hardening

Create systemd Override Directory

sudo mkdir -p /etc/systemd/system/snmpd.service.d
sudo mkdir -p /etc/systemd/system/snmptrapd.service.d

Harden snmpd Service

sudo nano /etc/systemd/system/snmpd.service.d/override.conf

Configuration:

[Service]
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_UNIX
ReadWritePaths=/var/lib/snmp

Harden snmptrapd Service

sudo nano /etc/systemd/system/snmptrapd.service.d/override.conf

Configuration:

[Service]
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_UNIX
ReadWritePaths=/var/log/snmp

Reload system

sudo systemctl daemon-reload

These controls reduce daemon attack surface by:

  • Restricting filesystem access
  • Preventing privilege escalation
  • Restricting network families
  • Limiting writable paths

2. Hardened SNMP v1 Configuration (Legacy Only)

Step 1 — Configure snmpd

sudo nano /etc/snmp/snmpd.conf

Configuration:

########################################################################
# SYSTEM INFORMATION
########################################################################

sysLocation    GENERIC-DATACENTRE
sysContact     NOC
sysName        GENERIC-NMS

########################################################################
# BIND ONLY TO SNMP INTERFACE
########################################################################

agentAddress udp:10.1.1.1:161

########################################################################
# ACCESS CONTROL
########################################################################

com2sec readonlyv1 default LEGACY-V1-RO

group MyROGroup v1 readonlyv1

view AllView included .1 80

access MyROGroup "" any noauth exact AllView none none

########################################################################
# SECURITY
########################################################################

dontLogTCPWrappersConnects yes

########################################################################
# TRAPS
########################################################################

trapsink 10.1.1.1 LEGACY-V1-RO

authtrapenable 1

linkUpDownNotifications yes

This configuration:

  • Restricts SNMP to the SNMP interface
  • Uses read-only access
  • Enables operationally useful traps
  • Enables self monitoring capability

Step 2 — Configure snmptrapd

sudo nano /etc/snmp/snmptrapd.conf

Configuration:

########################################################################
# LISTENING ADDRESS
########################################################################

snmpTrapdAddr udp:10.1.1.1:162

########################################################################
# LOGGING
########################################################################

logOption f /var/log/snmp/snmptrapd.log

########################################################################
# ACCESS CONTROL
########################################################################

authCommunity log,execute,net LEGACY-V1-RO

########################################################################
# AUTHENTICATION FAILURE LOGGING
########################################################################

ignoreAuthFailure no

This:

  • Receives SNMP v1 traps
  • Logs raw traps persistently
  • Logs authentication failures

Step 3 — Start Services

systemd

sudo systemctl enable snmpd snmptrapd
sudo systemctl restart snmpd snmptrapd

or SysV Init

sudo update-rc.d snmpd defaults
sudo update-rc.d snmptrapd defaults
sudo service snmpd restart
sudo service snmptrapd restart

Step 4 — Validate Local Polling

snmpwalk -v1 -c LEGACY-V1-RO 10.1.1.1 system

Confirms:

  • Local polling works
  • SNMP daemon is operational
  • Interface binding is correct

Step 5 — Test Trap Reception

snmptrap -v1 \
-c LEGACY-V1-RO \
10.1.1.1 \
ENTERPRISE-MIB::netSnmpExampleHeartbeatNotification

Verify Log:

sudo tail -f /var/log/snmp/snmptrapd.log

3. Hardened SNMP v2c Configuration (Legacy Only)

Step 1 — Configure snmpd

Configuration:

agentAddress udp:10.1.1.1:161

com2sec readonlyv2 default S3cure-V2C-R0

group MyROGroup v2c readonlyv2

view AllView included .1 80

access MyROGroup "" any noauth exact AllView none none

trap2sink 10.1.1.1 S3cure-V2C-R0

authtrapenable 1

linkUpDownNotifications yes

This:

  • Enables SNMP v2c polling
  • Enables SNMP v2 traps
  • Maintains read-only operation

Step 2 — Configure snmptrapd

Configuration:

snmpTrapdAddr udp:10.1.1.1:162

logOption f /var/log/snmp/snmptrapd.log

authCommunity log,execute,net S3cure-V2C-R0

ignoreAuthFailure no

Step 3 — Restart Services

systemd

sudo systemctl restart snmpd snmptrapd

or SysV Init

sudo service snmpd restart
sudo service snmptrapd restart

Step 4 — Validate Polling

snmpwalk -v2c -c S3cure-V2C-R0 10.1.1.1 system

Step 5 — Validate Trap Reception

snmptrap -v2c \
-c S3cure-V2C-R0 \
10.1.1.1 '' \
SNMPv2-MIB::coldStart

4. Hardened SNMP v3 Configuration (Recommended)

Step 1 — Stop Services

systemd

sudo systemctl stop snmpd snmptrapd

or SysV Init

sudo service snmpd stop
sudo service snmptrapd stop

Step 2 — Remove Old Persistent Files

sudo rm -f /var/lib/snmp/snmpd.conf
sudo rm -f /var/lib/snmp/snmptrapd.conf

Step 3 — Create SNMP v3 User

sudo net-snmp-create-v3-user \
-ro \
-a SHA \
-A "GENERIC-AUTH-PASSWORD" \
-x AES \
-X "GENERIC-PRIV-PASSWORD" \
GENERIC-SNMPV3-USER

Creates:

  • Read-only user
  • SHA authentication
  • AES128 encryption

Step 4 — Configure snmpd

Configuration:

agentAddress udp:10.1.1.1:161

view AllView included .1 80

rouser GENERIC-SNMPV3-USER authPriv -V AllView

createUser trapuser SHA "TRAP-AUTH-PASSWORD" AES "TRAP-PRIV-PASSWORD"

trapsess -v 3 \
-u trapuser \
-l authPriv \
-a SHA -A "TRAP-AUTH-PASSWORD" \
-x AES -X "TRAP-PRIV-PASSWORD" \
10.1.1.1

authtrapenable 1

linkUpDownNotifications yes

Step 5 — Configure snmptrapd

Configuration:

snmpTrapdAddr udp:10.1.1.1:162

logOption f /var/log/snmp/snmptrapd.log

createUser trapuser SHA "TRAP-AUTH-PASSWORD" AES "TRAP-PRIV-PASSWORD"

authUser log,execute,net trapuser

ignoreAuthFailure no

This:

  • Accepts encrypted SNMP v3 traps
  • Logs raw traps
  • Logs authentication failures

Step 6 — Start Services

systemd

sudo systemctl enable snmpd snmptrapd
sudo systemctl restart snmpd snmptrapd

or SysV Init

sudo update-rc.d snmpd defaults
sudo update-rc.d snmptrapd defaults
sudo service snmpd restart
sudo service snmptrapd restart

Step 7 — Validate SNMP v3 Polling

snmpwalk -v3 \
-u GENERIC-SNMPV3-USER \
-l authPriv \
-a SHA -A "GENERIC-AUTH-PASSWORD" \
-x AES -X "GENERIC-PRIV-PASSWORD" \
10.1.1.1 system

Step 8 — Validate SNMP v3 Trap Reception

snmptrap -v3 \
-u trapuser \
-l authPriv \
-a SHA -A "TRAP-AUTH-PASSWORD" \
-x AES -X "TRAP-PRIV-PASSWORD" \
10.1.1.1 '' \
SNMPv2-MIB::coldStart

5. Polling Scale and Performance Guidance

For approximately 500 devices, some recommended polling timeouts:

SNMP v1/v2c

snmpwalk -t 2 -r 1

SNMP v3

snmpwalk -t 3 -r 1

Where the parameters mean the below:

Flag Value
-t Timeout in seconds
-r Retries

These values reduce:

  • an excessive queue building up
  • polling overlap
  • long running failures

Polling Rate Limiting Guidance

It is recommended to do the following:

  • Poll in batches
  • Avoid polling all devices simultaneously
  • Stagger polling windows

The recommended maximum is 50–75 simultaneous SNMP requests.

Resource Monitoring Guidance

Monitor:

  • CPU utilisation
  • UDP socket drops
  • Disk I/O for trap logs
  • SNMP queue delays

A useful command is:

netstat -su

6. Validation Procedures

Verify Listening Sockets

sudo ss -lunp | grep -E '161|162'

Expected:

udp UNCONN 0 0 10.1.1.1:161
udp UNCONN 0 0 10.1.1.1:162

Verify Trap Logging

sudo tail -f /var/log/snmp/snmptrapd.log

Verify Firewall Rules

sudo ufw status numbered

Verify Service Status

systemd

sudo systemctl status snmpd
sudo systemctl status snmptrapd

or SysV Init

sudo service snmpd status
sudo service snmptrapd status

7. Debugging Procedures

Run snmpd in Foreground Debug Mode.

sudo systemctl stop snmpd
sudo snmpd -f -Lo -DALL

Useful for:

  • startup issues
  • access control failures

SNMP v3 problems

Run snmptrapd in Debug Mode

sudo systemctl stop snmptrapd
sudo snmptrapd -f -Lo -DALL

Packet Capture Troubleshooting.

Polling:

sudo tcpdump -n udp port 161

Traps:

sudo tcpdump -n udp port 162

8. Common Problems

Problem — SNMP Timeout

Checks:

sudo ss -lunp | grep 161
sudo ufw status
sudo systemctl status snmpd

Common Causes:

  • Firewall blocking UDP/161
  • Incorrect community string
  • Incorrect SNMP v3 credentials
  • Wrong bind interface

Problem — Traps Not Logged

Checks:

sudo systemctl status snmptrapd
sudo tail -f /var/log/snmp/snmptrapd.log

Common Causes:

  • UDP/162 blocked
  • snmptrapd not bound correctly
  • Authentication failure
  • Incorrect trap version

Problem — SNMP v3 Authentication Failure

Verify Persistent Users:

sudo cat /var/lib/snmp/snmpd.conf

Common Causes:

  • Wrong authentication password
  • Wrong privacy password
  • Incorrect security level
  • Engine ID mismatch

9. Production Hardening Recommendations

  1. Prefer SNMP v3 authPriv wherever possible
  2. Treat SNMP v1/v2c as temporary legacy support only
  3. Restrict SNMP to dedicated interfaces
  4. Restrict UDP/161 and UDP/162 using firewalls
  5. Use read-only access unless write is operationally required
  6. Monitor authentication failures
  7. Rotate SNMP v3 credentials periodically
  8. Avoid excessive debug logging in production
  9. Monitor trap log growth
  10. Back up SNMP configuration securely
  11. Keep Net-SNMP packages updated

Syslog

Transmitting Syslog

This guide explains how to configure secure and operationally resilient Syslog forwarding on Ubuntu 22.04:

  1. Ubuntu Server 22.04
  2. using rsyslog
  3. forwarding logs to the NMS at 10.1.1.1

using:

  1. UDP
  2. TCP
  3. TLS

with:

  1. local log retention
  2. persistent forwarding queues
  3. firewall configuration using ufw
  4. hardened log rotation
  5. verification and troubleshooting procedures

The server will ONLY forward logs and NOT receive inbound Syslog

1. Understanding Syslog Transport Methods

Before configuring Syslog, it is important to understand the transport options.

UDP Syslog

uses

  • protocol: UDP
  • default port: 514

Advantages:

  • Lightweight
  • Minimal overhead
  • Common on legacy devices

Disadvantages:

  • No delivery confirmation
  • Logs can be lost during congestion
  • No encryption
  • No session management

Operational use:

  • Legacy environments
  • Low security networks
  • High volume but low criticality logging

Rsyslog syntax:

@10.1.1.1:514
Single @ means UDP.

TCP Syslog uses:

  • protocol: TCP
  • default port: 514

Advantages:

  • Reliable delivery
  • Ordered transmission
  • Session based communication

Disadvantages:

  • Slightly higher overhead
  • No encryption unless TLS is added

Operational use:

  • Recommended minimum standard for production

Rsyslog syntax:

@@10.1.1.1:514
Double @@ means TCP.

TLS Syslog uses:

  • protocol: TCP with TLS encryption
  • common port: 6514

Advantages:

  • Encryption in transit
  • Authentication support
  • Protection against interception
  • Best practice for production

Disadvantages:

  • More complex setup
  • Requires certificates
  • Slightly higher CPU overhead

Operational use:

  • Enterprise production
  • Compliance driven environments
  • Security sensitive infrastructure

2. Install and Verify rsyslog

Ubuntu 22.04 normally includes rsyslog by default.

Verify Installation

sudo systemctl status rsyslog

This:

  • Confirms rsyslog is installed
  • Verifies service state
  • Confirms startup status

Expected output:

active (running)

If they are missing then install them:

sudo apt update
sudo apt install rsyslog rsyslog-gnutls -y

rsyslog is the main Syslog daemon and rsyslog-gnutls is required for TLS encryption support

3. Create a Dedicated Forwarding Configuration

Production systems should avoid editing the main rsyslog configuration directly. Instead create modular configuration files in /etc/rsyslog.d/

4. Configure Persistent Queues (Availability Requirement)

Persistent queues prevent log loss during:

  • NMS outages
  • network interruptions
  • reboot events

Create the queue directory:

sudo mkdir -p /var/spool/rsyslog

Set permissions:

sudo chown syslog:adm /var/spool/rsyslog
sudo chmod 750 /var/spool/rsyslog

This:

  • Restricts queue access
  • Prevents unauthorised reading of queued logs

5. Configure UDP Forwarding

Create the configuration file:

sudo nano /etc/rsyslog.d/10-nms-udp.conf

Add the below configuration:

# System logs
*.info;mail.none;authpriv.none;cron.none @10.1.1.1:514

# Security logs
authpriv.* @10.1.1.1:514

# Reliable queue settings
$ActionQueueType LinkedList
$ActionQueueFileName udpqueue
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
Save and exit.

Explanation of the UDP Configuration

System Logs Rule
*.info;mail.none;authpriv.none;cron.none

Meaning:

  • Forward informational and higher logs
  • Exclude mail logs, authentication logs and cron logs

This:

  • Reduces unnecessary noise
  • Security logs handled separately

Security Logs Rule

authpriv.*
Forward authentication/security logs

Examples:

  • SSH authentication
  • sudo activity
  • PAM events

Queue Configuration

$ActionQueueType LinkedList

Creates an in-memory queue.

$ActionQueueFileName udpqueue

Enables disk backed persistence.

$ActionResumeRetryCount -1

Retry forever.

$ActionQueueSaveOnShutdown on

Preserve queued logs during reboot.

6. Configure TCP Forwarding

Create:

sudo nano /etc/rsyslog.d/20-nms-tcp.conf

Add the below configuration:

# System logs
*.info;mail.none;authpriv.none;cron.none @@10.1.1.1:514

# Security logs
authpriv.* @@10.1.1.1:514

# Reliable queue settings
$ActionQueueType LinkedList
$ActionQueueFileName tcpqueue
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
TCP Configuration Differences

The ONLY syntax change is:

@@10.1.1.1:514

Double @@ enables TCP.

7. Configure TLS Syslog Forwarding

Create Certificates Directory

sudo mkdir -p /etc/rsyslog-keys
sudo chmod 700 /etc/rsyslog-keys

Copy CA Certificate

Example:

sudo cp ca-cert.pem /etc/rsyslog-keys/

Set permissions:

sudo chmod 600 /etc/rsyslog-keys/ca-cert.pem

This ensures:

  • TLS requires certificate trust validation
  • Restrictive permissions reduce exposure

Create TLS Configuration

sudo nano /etc/rsyslog.d/30-nms-tls.conf

Add the below configuration:

global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog-keys/ca-cert.pem"
)

# System logs
action(
    type="omfwd"
    target="10.1.1.1"
    port="6514"
    protocol="tcp"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    queue.type="LinkedList"
    queue.filename="tlsqueue"
    action.resumeRetryCount="-1"
    queue.saveonshutdown="on"
)

*.info;mail.none;authpriv.none;cron.none

# Security logs
action(
    type="omfwd"
    target="10.1.1.1"
    port="6514"
    protocol="tcp"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    queue.type="LinkedList"
    queue.filename="tlsqueue-auth"
    action.resumeRetryCount="-1"
    queue.saveonshutdown="on"
)

authpriv.*

8. TLS Configuration Explanation

StreamDriver
StreamDriver="gtls"

Enables TLS transport.

StreamDriverMode
StreamDriverMode="1"

Enables TLS only mode.

Authentication Mode
StreamDriverAuthMode="x509/name"

Validates certificate identity.

Port 6514

6514 is the standard port for Syslog over TLS.

9. Validate rsyslog Configuration

Always validate before restarting services.

sudo rsyslogd -N1

This command:

  • Checks syntax only
  • Prevents broken production deployments

Expected output:

rsyslogd: End of config validation run. Bye.

10. Restart rsyslog

sudo systemctl restart rsyslog

To verify:

sudo systemctl status rsyslog

11. Configure Firewall (ufw)

Because this server only forwards logs, outbound access is required but inbound Syslog is NOT required

Allow Outbound UDP Syslog:

sudo ufw allow out 514/udp

Allow Outbound TCP Syslog:

sudo ufw allow out 514/tcp

Allow Outbound TLS Syslog:

sudo ufw allow out 6514/tcp

Verify the firewall rules:

sudo ufw status numbered

This:

  • Confirms firewall policy
  • Verifies outbound ports

12. Configure Log Rotation Hardening

Ubuntu uses logrotate. Inspect the existing rsyslog rotation:

sudo nano /etc/logrotate.d/rsyslog

Some recommended hardened settings:

/var/log/syslog
/var/log/auth.log
{
    rotate 30
    daily
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        systemctl reload rsyslog >/dev/null 2>&1 || true
    endscript
    create 0640 syslog adm
}

13. Log Rotation Explanation

rotate 30

Keeps 30 rotated logs that are useful for:

  • investigations
  • compliance
  • outage review
compress

Reduces disk usage.

delaycompress

Avoids compressing the newest rotated log immediately which can be useful during troubleshooting.

create 0640 syslog adm

Secure permissions:

  • readable by administrators
  • not world readable

14. Verify Forwarding

Verify rsyslog Service

sudo systemctl status rsyslog

Verify Listening Connections

For TCP/TLS:

ss -antp | grep rsyslog

For UDP:

ss -aunp | grep rsyslog

Verify Queue Files

ls -lh /var/spool/rsyslog

This command:

  • Confirms persistent queues exist
  • Indicates retry buffering is operational

Verify Local Log Retention

sudo tail -f /var/log/syslog

And:

sudo tail -f /var/log/auth.log

This command:

  • Confirms local logging remains enabled
  • Ensures forwarding does not replace retention

15. Troubleshooting

Validate Configuration

sudo rsyslogd -N1

Check Service Logs

sudo journalctl -u rsyslog

Useful for:

  • TLS errors
  • syntax issues
  • queue failures
  • connectivity issues

Verify Firewall Status

sudo ufw status verbose

Confirm Port Reachability

UDP:

nc -vzu 10.1.1.1 514

TCP:

nc -vz 10.1.1.1 514

TLS:

nc -vz 10.1.1.1 6514

16. Production Recommendations

For production deployments the preferred order:

  1. TLS Syslog as TLS provides confidentiality and authentication
  2. TCP Syslog as TCP provides reliability
  3. UDP Syslog as UDP provides neither

Recommended operational defaults:

  • persistent queues enabled
  • local retention enabled
  • restricted queue permissions
  • outbound only firewall rules
  • separate modular rsyslog configuration files
  • syntax validation before restart
  • compressed log rotation
  • infinite retry count for delivery resilience

Receiving Syslog

This guide explains how to deploy a hardened centralised Syslog server on Ubuntu 22.04 using rsyslog. The server will:

  1. receive Syslog from up to 500 devices
  2. support UDP Syslog, TCP Syslog and TLS Syslog
  3. retain logs locally for 90 days
  4. organise logs per host
  5. use raw IP addresses (as opposed to DNS names, which introduce a potential performance bottleneck)
  6. apply operational hardening
  7. use persistent queues
  8. apply performance tuning
  9. reduce noisy logs
  10. restrict inbound access to 10.2.1.0/24 and 10.3.1.0/24 subnets

Infrastructure assumptions:

  1. Ubuntu server has 8 vCPU, 16GB RAM and 1TB SSD RAID1
  2. medium logging volume
  3. standard enterprise environment

1. Architecture Overview

The Syslog server performs four major functions:

  1. Receives remote Syslog messages
  2. Writes logs to disk by source IP
  3. Retains logs locally for 90 days
  4. Protects against log floods, queue exhaustion, disk pressure and transport interruptions

This deployment uses:

  1. modular rsyslog configuration
  2. disk assisted queues
  3. per host storage
  4. explicit firewall rules
  5. controlled permissions
  6. transport separation

2. Install Required Packages

Update the server:

sudo apt update
sudo apt upgrade -y

Install rsyslog and TLS support:

sudo apt install rsyslog rsyslog-gnutls logrotate ufw -y

3. Verify rsyslog Service

Check service status:

sudo systemctl status rsyslog

Expected output:

active (running)

Enable startup persistence:

sudo systemctl enable rsyslog

4. Create Directory Structure

Create directories for:

  • remote logs
  • queues
  • TLS certificates
sudo mkdir -p /var/log/remote
sudo mkdir -p /var/spool/rsyslog
sudo mkdir -p /etc/rsyslog-keys

5. Configure Secure Permissions

Set ownership:

sudo chown syslog:adm /var/log/remote
sudo chown syslog:adm /var/spool/rsyslog

Set permissions:

sudo chmod 750 /var/log/remote
sudo chmod 750 /var/spool/rsyslog
sudo chmod 700 /etc/rsyslog-keys

This:

  • prevents unauthorised log access
  • restricts queue access
  • protects TLS certificate storage

6. Create Main Remote Logging Configuration

Create:

sudo nano /etc/rsyslog.d/10-remote-logging.conf

Add the configuration:

############################
# GLOBAL SETTINGS
############################

global(
    workDirectory="/var/spool/rsyslog"
    maxMessageSize="8k"
)

############################
# MODULES
############################

module(load="imudp")
module(load="imtcp")
module(load="imptcp")
module(load="gtls")

############################
# UDP LISTENER
############################

input(
    type="imudp"
    port="514"
    threads="4"
    timeRequery="500"
    batchSize="128"
)

############################
# TCP LISTENER
############################

input(
    type="imtcp"
    port="514"
    workerthreads="4"
    ratelimit.interval="0"
)

############################
# TLS LISTENER
############################

global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog-keys/ca-cert.pem"
)

input(
    type="imtcp"
    port="6514"
    StreamDriver.Name="gtls"
    StreamDriver.Mode="1"
    StreamDriver.AuthMode="anon"
    workerthreads="4"
)

############################
# TEMPLATES
############################

template(
    name="PerHostLogs"
    type="string"
    string="/var/log/remote/%FROMHOST-IP%/%PROGRAMNAME%.log"
)

############################
# FILTERING RULES
############################

if ($syslogseverity-text == 'debug') then {
    stop
}

if ($programname == 'snmpd') then {
    stop
}

if ($msg contains 'LINK-3-UPDOWN') then {
    stop
}

############################
# REMOTE LOG STORAGE
############################

*.* ?PerHostLogs

############################
# FILE PERMISSIONS
############################

$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0750

############################
# QUEUE SETTINGS
############################

$ActionQueueType LinkedList
$ActionQueueFileName remotequeue
$ActionQueueMaxDiskSpace 20g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
Save and exit.

7. Understanding the Configuration

7.1 UDP Listener

input(
    type="imudp"
    port="514"
)

Purpose: accepts UDP Syslog traffic

Operational characteristics:

  • connectionless
  • lowest overhead
  • least reliable

Used by:

  • older switches
  • printers
  • environmental monitors

UDP Performance Tuning

threads="4"

Uses multiple processing threads. Benefits:

  • improved parallelism
  • better CPU utilisation
batchSize="128"

Processes multiple UDP packets together. Benefits:

  • reduced CPU overhead
  • improved throughput

7.2 TCP Listener

input(
    type="imtcp"
    port="514"
)

Purpose: accepts reliable TCP Syslog traffic.

Benefits:

  • guaranteed delivery
  • ordered transmission
  • improved stability

Common devices:

  • network switches, routers and firewalls
  • Linux server
  • Windows collectors

TCP Worker Threads

workerthreads="4"

TCP Worker Threads allows parallel TCP processing. This is important for:

  • burst handling
  • large numbers of simultaneous senders

7.3 TLS Listener

port="6514"

Port 6514 is the standard Syslog TLS port.

StreamDriver.Name="gtls"

TLS Driver enables encrypted transport.

StreamDriver.Mode="1"

TLS Mode enforces TLS only communication.

StreamDriver.AuthMode="anon"

TLS Authentication encrypts traffic without client certificate validation.

Enterprise note:

  • acceptable for internal enterprise logging
  • mutual certificate validation is more secure but operationally heavier

7.4 Per Host Logging

string="/var/log/remote/%FROMHOST-IP%/%PROGRAMNAME%.log"

Creates:

  • separate directories per source IP
  • separate files per application/program

Example: /var/log/remote/10.2.1.10/sshd.log

Benefits:

  • easier troubleshooting
  • scalable retention
  • simpler incident analysis

7.5 Noise Reduction Filters

if ($syslogseverity-text == 'debug')

Drop debug messages prevents excessive low value logging.

if ($programname == 'snmpd')

Drop SNMP Daemon Noise as it is often noisy in enterprise networks.

if ($msg contains 'LINK-3-UPDOWN')

Drop interface flapping spam to reduce excessive switch interface events.

7.6 Queue Engineering

$ActionQueueMaxDiskSpace 20g

Limits queue growth and prevents:

  • disk exhaustion
  • filesystem outages
$ActionQueueSaveOnShutdown on

Persistent queues preserves queue state during reboot.

8. Configure TLS Certificates

Copy the CA certificate:

sudo cp ca-cert.pem /etc/rsyslog-keys/

Set permissions:

sudo chmod 600 /etc/rsyslog-keys/ca-cert.pem

9. Configure Firewall Rules

Enable UFW:

sudo ufw enable

Allow UDP Syslog

sudo ufw allow proto udp from 10.2.1.0/24 to any port 514
sudo ufw allow proto udp from 10.3.1.0/24 to any port 514

Allow TCP Syslog

sudo ufw allow proto tcp from 10.2.1.0/24 to any port 514
sudo ufw allow proto tcp from 10.3.1.0/24 to any port 514

Allow TLS Syslog

sudo ufw allow proto tcp from 10.2.1.0/24 to any port 6514
sudo ufw allow proto tcp from 10.3.1.0/24 to any port 6514

Verify Rules

sudo ufw status numbered

10. Configure Log Rotation

Create:

sudo nano /etc/logrotate.d/remote-syslog

Add the below configuration:

/var/log/remote/*/*.log
{
    daily
    rotate 90
    compress
    delaycompress
    missingok
    notifempty
    sharedscripts
    create 0640 syslog adm

    postrotate
        systemctl reload rsyslog > /dev/null 2>&1 || true
    endscript
}

11. Understanding Log Rotation

rotate 90

Retains 90 daily archives. Matches enterprise retention requirement

compress

Reduces SSD utilisation.

delaycompress

Keeps newest rotated log readable which is very useful during investigations.

12. Validate Configuration

Always validate before restart.

sudo rsyslogd -N1

Expected output:

rsyslogd: End of config validation run. Bye.

13. Restart rsyslog

sudo systemctl restart rsyslog

Verify:

sudo systemctl status rsyslog

14. Verify Listening Ports

Check UDP:

ss -ulpn | grep 514

Check TCP:

ss -tlpn | grep 514

Check TLS:

ss -tlpn | grep 6514

15. Verify Log Creation

Check remote directories:

sudo ls -R /var/log/remote

Verify permissions:

sudo ls -l /var/log/remote

16. Verify Queue Files

sudo ls -lh /var/spool/rsyslog

17. Troubleshooting

Validate Syntax

sudo rsyslogd -N1

Check rsyslog Service Logs

sudo journalctl -u rsyslog

This is useful for:

  • TLS failures
  • listener startup failures
  • queue issues
  • permission errors

Check Firewall

sudo ufw status verbose

Verify Listening State

ss -tulpn | grep rsyslog

18. Enterprise Operational Recommendations

Recommended transport priority is:

  • TLS as TLS provides encryption
  • TCP as TCP provides reliability
  • UDP as UDP provides compatibility

A recommended device mapping:

Device type Recommended transport
Firewalls TLS
Linux servers TLS
Windows servers TCP/TLS
Network switches UDP/TCP
Printers UDP
Environmental monitors UDP

19. Final Production Characteristics

This deployment provides:

  1. centralised enterprise logging
  2. per host organisation
  3. 90 day retention
  4. encrypted logging support
  5. queue persistence
  6. SSD aware log rotation
  7. explicit firewall restrictions
  8. scalable ingestion for 500 devices
  9. operationally hardened permissions
  10. filtering of noisy events
  11. performance tuning for medium volume enterprise environments

Conclusion

This completes our foray into the world of SNMP and Syslog. Although both protocols originate in the 1980s, they are still widely used in enterprises today. Wherever possible, operationally hardened configurations have been used, together with line by line explanations of what they mean. Hopefully, the discussions around what version or transport method to use are sufficient in order to define a network monitoring architecture and to demonstrate the decisions that need to be made, in order to gain the greatest value from the network monitoring solution.

Book a Consultation

Book a consultation call to discuss your current environment and explore how a fractional engagement could improve clarity, reduce noise, and strengthen operational resilience.