syslog-receiver

$npx mdskill add automateyournetwork/netclaw/syslog-receiver

Receives and queries syslog messages from network devices via UDP.

  • Monitors real-time network events and historical logs for troubleshooting.
  • Uses UDP to listen for RFC 5424 and RFC 3164 formatted syslog messages.
  • Filters and aggregates logs by severity, facility, hostname, or content.
  • Provides query results and statistics through dedicated tools and APIs.

SKILL.md

.github/skills/syslog-receiverView on GitHub ↗
---
name: syslog-receiver
description: "Receive and query syslog messages from network devices via UDP."
version: 1.0.0
license: Apache-2.0
author: netclaw
tags: []
---

# Syslog Receiver Skill

Receive and query syslog messages from network devices via UDP.

## Skill ID

`syslog-receiver`

## Description

This skill enables NetClaw to receive syslog messages from network devices (routers, switches, firewalls) and query the collected data. It supports both RFC 5424 (modern) and RFC 3164 (BSD/Cisco) syslog formats.

## When to Use

- Monitoring network device events in real-time
- Investigating incidents by querying historical syslog data
- Aggregating logs from multiple network devices
- Filtering messages by severity, facility, hostname, or content
- Analyzing error patterns across the network

## Required MCP Server

`syslog-mcp`

## Available Tools

| Tool | Purpose |
|------|---------|
| `syslog_start_receiver` | Start listening for syslog messages |
| `syslog_stop_receiver` | Stop the receiver |
| `syslog_get_status` | Check receiver status and statistics |
| `syslog_query` | Search messages with filters |
| `syslog_get_message` | Get full details of a specific message |
| `syslog_get_severity_counts` | Get message counts by severity |

## Example Workflows

### Start Monitoring

```
1. Use syslog_start_receiver with port 10514
2. Configure network devices to send syslog to this port
3. Use syslog_get_status to verify messages are being received
```

### Investigate Errors

```
1. Use syslog_query with severity_max=3 to find ERROR and above
2. Filter by hostname or source_ip if investigating specific device
3. Use message_contains to search for specific keywords
4. Use syslog_get_message for full details of interesting entries
```

### Daily Summary

```
1. Use syslog_get_severity_counts to see distribution
2. Focus on CRITICAL, ERROR, WARNING counts
3. Query high-severity messages for details
```

## Sample Prompts

- "Start the syslog receiver on port 10514"
- "Show me all error messages from the last hour"
- "How many critical alerts have we received today?"
- "Find all syslog messages containing 'interface down'"
- "What's the syslog receiver status?"
- "Query syslog for messages from 192.168.1.1"

## Configuration

The syslog-mcp server is configured via environment variables:

- `SYSLOG_PORT`: UDP listening port (default: 514)
- `SYSLOG_BIND_ADDRESS`: Bind address (default: 0.0.0.0)
- `SYSLOG_RETENTION_HOURS`: Message retention (default: 24)
- `SYSLOG_RATE_LIMIT`: Max messages/second (default: 1000)
- `SYSLOG_DEDUP_WINDOW`: Dedup window in seconds (default: 5)

## Limitations

- In-memory storage only (data lost on restart)
- Single instance per port
- No persistent storage or export
- UDP only (no TCP syslog support)

## Related Skills

- `snmptrap-receiver` - SNMP trap collection
- `ipfix-receiver` - Flow data collection
- `gnmi-telemetry` - Streaming telemetry

More from automateyournetwork/netclaw

SkillDescription
aap-automationRed Hat Ansible Automation Platform — inventory management, job template execution, project SCM sync, ad-hoc commands, host management, Galaxy content discovery. Use when automating infrastructure with Ansible, running playbooks, managing inventories, or searching for Ansible collections and roles.
aap-edaEvent-Driven Ansible (EDA) — activation lifecycle, rulebook management, decision environments, event stream monitoring. Use when managing event-driven automation triggers, enabling/disabling activations, or reviewing EDA rulebooks.
aap-lintansible-lint playbook and role validation — syntax checking, best practice enforcement, project-wide analysis, rule filtering. Use when validating Ansible playbooks, checking code quality, or enforcing automation best practices before deployment.
aci-change-deploySafe ACI policy change deployment - ServiceNow CR lifecycle, pre/post-change fault baselines, APIC policy application, automatic rollback on fault delta, and GAIT audit trail. Use when deploying ACI policy changes, creating tenants or EPGs, pushing config to APIC, or running a change window with rollback protection.
aci-fabric-auditComprehensive Cisco ACI fabric health audit - node status, tenant/VRF/BD/EPG policy review, contract analysis, fault triage, and endpoint learning verification. Use when auditing ACI fabric health, checking for faults, reviewing tenant policies, or running pre/post-change baselines on APIC.
arista-cvpArista CloudVision Portal (CVP) automation via REST API — device inventory, events, connectivity monitoring, tag management (4 tools). Use when managing Arista devices, checking CloudVision events, monitoring network connectivity probes, or tagging devices in CVP.
aruba-cx-configView and manage Aruba CX switch configurations, perform ISSU upgrades, and firmware operations
aruba-cx-interfacesMonitor Aruba CX switch interface status, LLDP neighbors, and optical transceiver health
aruba-cx-switchingView and manage Aruba CX switch VLANs and MAC address tables for Layer 2 operations
aruba-cx-systemDiscover Aruba CX switch system information, firmware versions, and VSF topology