Our users and readers probably noticed a few months back that we added the ingestion of SNMP Syslogs and Traps to our platform via NMS.
Today we are bringing new enhancements to that Syslog functionality. But before we dig into those, let's do a quick recap of what was already available.

Setting up Syslog on a Network Device

First order of business when you want to add Syslog observability to your Kentik setup is to deploy our Universal Agent and enable the syslog capability on it. Deploying Universal Agent is trivial and all that's needed is to enable the Syslog Server capability during the final steps of the deployment process, as pictured below:

For an already deployed agent, the capability can be installed/enabled on the fly as depicted below from the Settings > Universal Agent agent list.

Once this is done, all you need to do is configure your network devices to send Syslog records to this agent. If necessary, you can also configure the listening IP and ports on the syslog capability.
Provided your device is NMS enabled, the Kentik cluster will ingest Syslog records from the device via the Universal Agent's syslog capability.

How can I access Syslog data for analysis? (part 1)

All ingested syslog data is enriched with a sum of attributes and immediately stored in our universal telemetry datastore, making it ready for analysis.
Syslogs (as well as SNMP Traps) correspond to a new broad type of Telemetry available in our platform called Events. We intend to add additional event types in the near future, so stay tuned!

Once ingested, new Metrics and Dimensions choices (both Group By and Filter) will be available in Data Explorer, as depicted below - allowing for very granular event type queries.

Here's an example of a Data Explorer query displaying syslog volumes per device and per severity over time.

Additionally, the new Events View tab on the data table will appear for users to display a complete list (unaggregated) of all the Syslog messages captured in this time window for filter defined in the query.

Of course, all of these visualizations are available to a bunch of extra useful capabilities such as

• Saved Views
• Dashboards
• Filter Based Dimensions
• Generate One Chart per Series

So what's new with Syslog? (part 2)

As of today, we're adding a few niceties, this is where it all becomes interesting. The keen eye will have noticed that the Infrastructure > Devices inventory screen includes a new filter in the NMS Status section - this filter now allows users to narrow the device list down to those that we are seeing Syslog entries for.

...but the real deal is that starting today a new Syslogs tab appears on the Infrastructure > Device > device details screen: let's say you are doing your rounds on a device, eyeballing it's metrics in the overview tab - you see a spike on CPU on the overview spark line and want to check if error reported by syslog has happened that may explain it, here's what it looks like when you click on the Syslog tab. Now users can easily search for specific syslog entries on this device of any Severity within any Time Range.

What does the future hold?

As mentioned earlier, we are just getting started on Events. They will soon play an important role in our unified observability stack, being additionally available to our recently released AI Advisor: when clicking on the top right Ask button on a Device Details page to summon the agent, it will already have the recently Syslogs for the device as part of its context.

As a fast follow-up, we will be soon adding SNMP Traps as a similar additional tab in the Device Details screen.

Later this year, we will be opening up amazing possibilities to query together Traffic (Flow), NMS (SNMP/ST), Events (syslogs, traps & more) and Performance (Synthetics) together in a cohesive set of visualizations - so stay tuned as things are just about to become interesting!