Log management involves collecting, storing, and analyzing log data from network devices, servers, and security systems. CompTIA Network+ N10-009 tests syslog, event log types, SIEM systems, and how logging supports security investigations and troubleshooting. Logs are the primary evidence for both network incidents and compliance audits.
Syslog is the standard protocol for network device log collection. Devices (routers, switches, firewalls) send log messages to a central syslog server, traditionally over UDP port 514. UDP is fire-and-forget: a message dropped on a congested link is lost silently and the sender never knows. TCP 514 adds reliable delivery, and syslog over TLS on TCP 6514 adds encryption and server authentication so log traffic cannot be read or spoofed in transit. Each message begins with a priority value in angle brackets (PRI = facility × 8 + severity), followed by a timestamp, the sending hostname, and the message text. The facility identifies the source category (kern, auth, local0 to local7, and so on); the severity is the level described next.
Syslog severity levels (0–7): 0=Emergency (system unusable), 1=Alert (immediate action needed), 2=Critical, 3=Error, 4=Warning, 5=Notice (significant but normal), 6=Informational, 7=Debug (very verbose). Mnemonic: 'Every Awful Crisis Eventually Worsens Nightly Internally Downward.' Lower number = higher severity. A device's logging threshold is inclusive of everything more severe: a threshold of Warning (4) forwards levels 0 through 4 and drops Notice, Informational and Debug. Configure devices to log at an appropriate severity and avoid Debug in production; the volume is enormous and buries the events you actually need.
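The PRI arithmetic and the severity threshold above are easy to get wrong by hand, so here is a small parser that decodes BSD-style syslog lines and applies a threshold the way a device's logging level does. This is an added example, not code from the page or from any syslog implementation; the sample lines are constructed for the demonstration and the facility names follow the RFC 5424 table.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Severity 0..7 and facility 0..23 names from RFC 5424.
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
                  "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
                  "alert", "clock", "local0", "local1", "local2", "local3",
                  "local4", "local5", "local6", "local7"]


class SyslogEvent(NamedTuple):
    facility: int
    severity: int
    timestamp: str
    host: str
    message: str


# <PRI>Mmm dd hh:mm:ss hostname message   (BSD / RFC 3164 layout)
BSD_FORMAT = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$", re.DOTALL)


def split_pri(pri: int) -> Tuple[int, int]:
    """PRI = facility * 8 + severity, so divmod recovers (facility, severity)."""
    if not 0 <= pri <= 191:            # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} outside 0..191")
    return divmod(pri, 8)


def parse_syslog(line: str) -> Optional[SyslogEvent]:
    """Return a SyslogEvent, or None if the line is not BSD-style syslog."""
    m = BSD_FORMAT.match(line)
    if not m:
        return None
    facility, severity = split_pri(int(m["pri"]))
    return SyslogEvent(facility, severity, m["ts"], m["host"], m["msg"])


def parse_all(lines: List[str]) -> List[SyslogEvent]:
    return [e for e in map(parse_syslog, lines) if e is not None]


def describe(event: SyslogEvent) -> str:
    """facility.severity in the form rsyslog selectors use, e.g. local7.error."""
    return f"{FACILITY_NAMES[event.facility]}.{SEVERITY_NAMES[event.severity]}"


def forwarded_at_threshold(events: List[SyslogEvent], threshold: int) -> List[SyslogEvent]:
    """Mimic a device logging level: keep events at the threshold or more severe
    (numerically lower), drop everything noisier."""
    return [e for e in events if e.severity <= threshold]


# Constructed sample input, not captured from a real device.
SAMPLE_LINES = [
    "<187>Oct 11 22:14:15 core-rtr1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<190>Oct 11 22:14:16 core-rtr1 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.5 started",
    "<185>Oct 11 22:14:20 fw01 fan 2 failed, chassis temperature rising",
    "<38>Oct 11 22:15:01 srv01 sshd[2044]: Accepted publickey for deploy from 10.0.1.7 port 51234",
    "<191>Oct 11 22:15:02 core-rtr1 debug: BGP keepalive sent to 10.0.0.2",
    "this line has no PRI and is silently skipped",
]

if __name__ == "__main__":
    events = parse_all(SAMPLE_LINES)
    for e in events:
        print(f"{describe(e):22} {e.host:10} {e.message}")
    print("forwarded at threshold 4 (warning):",
          [describe(e) for e in forwarded_at_threshold(events, 4)])
```

The threshold function is the check worth internalising for the exam: setting a device to level 4 does not send only Warnings, it sends Warnings plus every more severe level and nothing noisier.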
Local logging: devices keep logs in a local buffer in RAM (lost on reboot) or, on some platforms, in flash with a small fixed capacity that overwrites the oldest entries. Remote syslog: sends logs to a dedicated syslog server for persistence and aggregation. Syslog servers: rsyslog, syslog-ng (Linux), Kiwi Syslog (Windows). Central logging enables correlation, seeing events from multiple devices in one place, which only works if every device's clock is synchronized (NTP) so timestamps from different sources line up.
SIEM (Security Information and Event Management): collects logs from diverse sources (network devices, servers, endpoints, applications, cloud services), normalizes the data, and correlates events across sources to detect security incidents. SIEM provides: real-time alerting on security events, historical search for forensic investigation, compliance reporting, and dashboards.
SIEM examples: Splunk, IBM QRadar, Microsoft Sentinel (cloud), Elastic Security (formerly Elastic SIEM). SIEM correlation: if a firewall blocks a connection AND the endpoint generates an AV alert within seconds from the same source, the SIEM correlates these into a single incident alert, pattern recognition across multiple log sources. Correlation depends on normalization: the firewall calls the address "src" and the AV agent calls it "host_ip", and only after both are mapped to one common field can a rule join them, which is why SIEM parsers and a shared field schema matter as much as the rule logic.
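The firewall-plus-AV correlation described above, carried through in code as an added example (not from the page or from any SIEM product): two sources in different formats are normalized to one schema and then joined on the shared IP within a time window. The log formats, field names and sample lines are constructed for the demonstration.

```python
import json
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    ts: datetime
    source: str     # which log source produced it
    ip: str         # the normalized field both sources share
    summary: str


# Constructed sample input: a firewall that logs key=value text and an
# endpoint AV agent that logs JSON. Neither format is a real product's.
FIREWALL_LINES = [
    "2024-05-01T10:00:01Z action=deny src=10.0.1.7 dst=203.0.113.9 dport=4444 proto=tcp",
    "2024-05-01T10:00:03Z action=allow src=10.0.1.8 dst=198.51.100.20 dport=443 proto=tcp",
    "2024-05-01T10:05:40Z action=deny src=10.0.1.12 dst=203.0.113.9 dport=4444 proto=tcp",
]
AV_LINES = [
    '{"ts": "2024-05-01T10:00:04Z", "host_ip": "10.0.1.7", "threat": "Trojan.Generic", "action": "quarantined"}',
    '{"ts": "2024-05-01T10:20:00Z", "host_ip": "10.0.1.12", "threat": "PUA.Adware", "action": "quarantined"}',
]

FW_KV = re.compile(r"(\w+)=(\S+)")


def parse_ts(text: str) -> datetime:
    # Both sources emit UTC with a trailing Z; a real SIEM must also handle
    # local-time devices, which is where unsynchronized clocks break correlation.
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize_firewall(line: str) -> Optional[Event]:
    """key=value firewall line -> Event, keeping only denies."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(FW_KV.findall(rest))
    if fields.get("action") != "deny":
        return None
    return Event(parse_ts(ts_text), "firewall", fields["src"],
                 f"deny {fields['src']} -> {fields['dst']}:{fields['dport']}")


def normalize_av(line: str) -> Event:
    """JSON AV alert -> Event; host_ip is mapped onto the shared ip field."""
    d = json.loads(line)
    return Event(parse_ts(d["ts"]), "endpoint-av", d["host_ip"],
                 f"{d['threat']} {d['action']}")


def load_events() -> List[Event]:
    fw = [e for e in map(normalize_firewall, FIREWALL_LINES) if e is not None]
    av = [normalize_av(line) for line in AV_LINES]
    return fw + av


def correlate(events: List[Event], window: timedelta) -> List[Tuple[Event, Event]]:
    """Pair each AV alert with any firewall deny from the same IP that happened
    up to `window` before it. Returns (firewall_event, av_event) pairs."""
    events = sorted(events, key=lambda e: e.ts)
    denies = [e for e in events if e.source == "firewall"]
    incidents = []
    for av in (e for e in events if e.source == "endpoint-av"):
        for fw in denies:
            if fw.ip == av.ip and timedelta(0) <= av.ts - fw.ts <= window:
                incidents.append((fw, av))
    return incidents


if __name__ == "__main__":
    for fw, av in correlate(load_events(), timedelta(seconds=10)):
        print(f"INCIDENT {av.ip}: {fw.ts:%H:%M:%S} {fw.summary} | "
              f"{av.ts:%H:%M:%S} {av.summary}")
```

With a 10-second window only 10.0.1.7 fires (deny at 10:00:01, AV at 10:00:04); widening the window to 15 minutes also pairs 10.0.1.12, which shows why the window is a tuning knob that trades false positives against missed chains.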
Log retention: how long logs are kept. Compliance regulations specify minimum retention — PCI DSS requires 12 months (3 months immediately accessible), HIPAA requires 6 years. Security investigations often need logs from weeks or months ago. Plan storage accordingly — high-volume devices can generate gigabytes of logs per day.
Log integrity: logs are only useful as evidence if they haven't been tampered with. Use write-once storage, WORM (Write Once Read Many) media, or cryptographic hashing to ensure log integrity. Hashing only proves anything if the hash (or the head of a hash chain) is kept somewhere the attacker cannot reach, such as the central collector or a signed record; a hash stored next to the log it protects can simply be recomputed. Centralized logging also removes attacker access to local logs: an attacker who compromises a device can wipe its buffer, but the copies already forwarded to the collector survive, provided the device's forwarding credentials cannot delete or modify what is stored there.
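One way to make a log tamper-evident with cryptographic hashing, as an added example (not code from the page or from any logging product): each record's tag is an HMAC over the previous tag and the line, so editing or deleting a record breaks every tag after it, and the final tag is the chain head that must be stored off-host. The key, seed and sample lines are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Assumed secret held by the collector (or an HSM), never by the logging device.
COLLECTOR_KEY = b"collector-side-secret-not-on-the-device"
SEED = b"chain-start"

# Constructed sample log, not captured from a real system.
SAMPLE_LOG = [
    "Oct 11 22:14:15 fw01 deny tcp 10.0.1.7:51234 -> 203.0.113.9:4444",
    "Oct 11 22:14:20 srv01 sshd[2044]: Failed password for root from 10.0.1.7",
    "Oct 11 22:14:21 srv01 sshd[2044]: Accepted password for root from 10.0.1.7",
    "Oct 11 22:14:30 srv01 sudo: root : TTY=pts/0 ; COMMAND=/bin/rm -rf /var/log",
]

Record = Tuple[str, str]   # (log line, hex tag)


def _tag(key: bytes, prev: bytes, line: str) -> bytes:
    """tag_i = HMAC-SHA256(key, tag_{i-1} || line_i)."""
    return hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()


def seal_log(lines: List[str], key: bytes = COLLECTOR_KEY, seed: bytes = SEED) -> List[Record]:
    records, prev = [], seed
    for line in lines:
        prev = _tag(key, prev, line)
        records.append((line, prev.hex()))
    return records


def chain_head(records: List[Record], seed: bytes = SEED) -> str:
    """The last tag; store this off the log host (collector, WORM, signed note)."""
    return records[-1][1] if records else seed.hex()


def verify_log(records: List[Record], expected_head: Optional[str] = None,
               key: bytes = COLLECTOR_KEY, seed: bytes = SEED) -> str:
    """Recompute the chain. Returns 'ok', the first broken record, or a head
    mismatch (which is the only way to catch records cut off the end)."""
    prev = seed
    for i, (line, tag_hex) in enumerate(records):
        expected = _tag(key, prev, line)
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return f"broken at record {i}"
        prev = expected
    if expected_head is not None and not hmac.compare_digest(prev.hex(), expected_head):
        return "head mismatch: chain truncated or replaced"
    return "ok"


if __name__ == "__main__":
    recs = seal_log(SAMPLE_LOG)
    head = chain_head(recs)
    print("intact:   ", verify_log(recs, head))
    edited = list(recs)
    edited[2] = (edited[2][0].replace("Accepted", "Failed"), edited[2][1])
    print("edited:   ", verify_log(edited, head))
    print("last gone:", verify_log(recs[:-1]), "without head;",
          verify_log(recs[:-1], head), "with head")
```

The truncation case is the caveat that matters: dropping the final record (the rm -rf) leaves a chain that still verifies on its own, and only the head anchored on the collector exposes it. An unkeyed SHA-256 chain has the same property but can be recomputed wholesale by anyone who edits the file, which is why the HMAC key lives off the device.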
Misconception: Local device logging is sufficient for security investigations.
Reality: Local logs are lost on reboot, have limited storage, and can be deleted by an attacker who compromises the device. Centralized syslog is essential for persistent, tamper-resistant logging.
These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.
Which syslog severity level should be used to log messages that require immediate attention to prevent system failure?
Explanation: Syslog Level 1 (Alert) means 'action must be taken immediately' — used for conditions that require immediate administrator attention to prevent failure. Level 0 (Emergency) means the system is completely unusable (the most severe). Level 4 (Warning) is for conditions that might cause problems. Level 7 (Debug) is extremely verbose diagnostic information.
A syslog server passively collects and stores log messages from network devices — it provides storage and basic search. A SIEM actively analyzes logs from multiple sources, correlates events across them, generates alerts for security incidents, and produces compliance reports. SIEM is the intelligence layer built on top of log collection. Most enterprise deployments use both: syslog servers for device log collection, SIEM for analysis.