RSystems

Syslog

Syslog is the standard protocol for forwarding log messages from network devices and servers to a central logging system, providing a persistent record of events for troubleshooting and security analysis.

Every network device — switches, firewalls, access points, servers — generates log messages: interface state changes, authentication events, configuration changes, error conditions. Syslog is the protocol that forwards these messages from the device to a central log collector or SIEM.

Without centralized logging, event data lives only on the device that generated it, rotates off when local storage fills, and is one of the first things an attacker clears once a device is compromised. Forwarding messages to a central collector as they are generated puts a copy beyond the reach of the compromised host; with append-only storage and tightly restricted access on the collector, that copy becomes a tamper-resistant audit trail (it is only "immutable" if the collector is actually built that way).

Each message carries a facility (the subsystem that produced it, such as kern, auth or local0) and a severity from 0 (emergency) to 7 (debug), encoded together as facility × 8 + severity in the PRI field that opens every message. A collector uses these two values to filter and route: surfacing errors and authentication events while archiving routine noise.
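
As an added example (not code from the page), the following Python decodes the PRI field into facility and severity, tells RFC 5424 messages apart from the older BSD format, and routes each line into a queue by severity and facility. The facility and severity names are the conventional short forms used by most syslog daemons; the sample lines are constructed, not captured from real devices, and the routing policy in `route()` is an illustrative choice:

```python
"""Decode the syslog PRI field and route messages by severity and facility."""
import re
from dataclasses import dataclass
from typing import Optional

# Facility (0-23) and severity (0-7) tables from RFC 5424 section 6.2.1,
# using the short names most syslog daemons print.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is "<" + (facility * 8 + severity) + ">" at the very start of the message.
# RFC 5424 messages follow the PRI with the version "1" and a space;
# RFC 3164 (BSD) messages go straight on to the timestamp.
_PRI_RE = re.compile(r"^<(\d{1,3})>(1 )?(.*)$", re.DOTALL)


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    severity_code: int
    rfc5424: bool
    body: str


def parse(line: str) -> Optional[SyslogMessage]:
    """Return the decoded message, or None if the line has no valid PRI."""
    m = _PRI_RE.match(line)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest legal value: facility 23 * 8 + severity 7
        return None
    facility, severity = divmod(pri, 8)
    return SyslogMessage(
        facility=FACILITIES[facility],
        severity=SEVERITIES[severity],
        severity_code=severity,
        rfc5424=m.group(2) is not None,
        body=m.group(3),
    )


def route(msg: SyslogMessage, alert_threshold: int = 4) -> str:
    """Pick a destination queue (illustrative policy, an assumption of this example).

    Lower severity codes are more urgent: anything at 'warning' (4) or worse goes
    to 'alert'; authentication facilities get their own queue; the rest is archived.
    """
    if msg.severity_code <= alert_threshold:
        return "alert"
    if msg.facility in ("auth", "authpriv"):
        return "auth"
    return "archive"


def route_lines(lines):
    """Route a batch of raw lines; lines without a valid PRI are counted as 'invalid'."""
    counts = {"alert": 0, "auth": 0, "archive": 0, "invalid": 0}
    for line in lines:
        msg = parse(line)
        counts[route(msg) if msg else "invalid"] += 1
    return counts


# Constructed sample lines (not captured from a real device).
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 fw1 sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 4421 ssh2",
    "<86>Oct 11 22:14:16 core-sw1 login: user netops logged in from console",
    "<190>Oct 11 22:14:17 ap3 hostapd: wlan0: STA 00:11:22:33:44:55 associated",
    "<3>1 2024-10-11T22:14:18.000Z fw1 kernel - - - eth0: link down",
    "<999>garbage with an out-of-range PRI",
    "no PRI at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        msg = parse(line)
        if msg:
            print(f"{msg.facility}.{msg.severity:<7} -> {route(msg):<7} {msg.body[:48]}")
        else:
            print(f"invalid      -> dropped {line[:48]}")
    print(route_lines(SAMPLE_LINES))
```

Note that `<34>` decodes to auth.crit (the failed SSH login) and `<86>` to authpriv.info, both of which a collector should keep in a queue an analyst actually reads; `<190>` is local7.info, the kind of routine association message worth archiving rather than alerting on. A PRI above 191 or a line with no PRI is rejected rather than guessed at, which matters on a collector because an attacker can send arbitrary bytes to the listening port.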

The original BSD syslog (RFC 3164) sends messages as plaintext UDP datagrams, conventionally to port 514, with no encryption, no authentication of the sender and no guarantee of delivery: a message can be read, forged or silently dropped in transit. The current standard (RFC 5424) separates the message format from the transport and defines syslog over TLS (RFC 5425, port 6514) and over plain TCP (RFC 6587) for environments where confidentiality and reliable delivery matter.
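
As an added example (not configuration from the page), here is the weak and the hardened forwarding rule side by side for a Linux host running rsyslog, in rsyslog's legacy directive syntax. The collector hostname logs.example.com, the CA certificate path and the listening ports are assumptions; the TLS directives require rsyslog's gtls network stream driver (the rsyslog-gnutls package on most distributions):

```conf
# Weak: plaintext UDP to port 514. Messages are readable and spoofable on the
# wire, and anything dropped by the network is lost without any error.
*.* @logs.example.com:514

# Hardened: TCP (note the double @) wrapped in TLS on the syslog-tls port 6514,
# verifying the collector's certificate name against the CA we trust.
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem        # assumed path
$ActionSendStreamDriverMode 1                               # 1 = require TLS
$ActionSendStreamDriverAuthMode x509/name                   # check the peer's cert name
$ActionSendStreamDriverPermittedPeer logs.example.com       # the only collector we trust
*.* @@logs.example.com:6514
```

In practice only one of the two rules would be present; both are shown so the difference is visible. TCP gives the sender an error when the collector is unreachable and, combined with rsyslog's disk-assisted queues, lets messages be buffered rather than lost; TLS with x509/name authentication stops a passive observer from reading logs and a rogue host from impersonating the collector.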

For any organization with managed switches and firewalls, enabling syslog to a central collector (whether a lightweight one such as rsyslog or Graylog, or a full SIEM) is a baseline security practice. When an incident occurs, you need those logs to exist, and you need them to be held somewhere other than the device that was compromised.