
Log Management for CompTIA Network+ N10-009

Log management involves collecting, storing, and analyzing log data from network devices, servers, and security systems. CompTIA Network+ N10-009 tests syslog, event log types, SIEM systems, and how logging supports security investigations and troubleshooting. Logs are the primary evidence for both network incidents and compliance audits.


Syslog

Syslog is the standard protocol for network device log collection. Devices (routers, switches, firewalls) send log messages to a central syslog server using UDP port 514 (TCP 514 for reliable delivery, or TCP 6514 for syslog over TLS). Log messages include: timestamp, hostname, facility (source category), severity level, and message text.

Syslog severity levels (0–7): 0=Emergency (system unusable), 1=Alert (immediate action needed), 2=Critical, 3=Error, 4=Warning, 5=Notice (significant but normal), 6=Informational, 7=Debug (very verbose). Mnemonic: 'Every Awful Crisis Eventually Worsens Nightly Internally Downward.' Lower number = higher severity. Configure devices to log at appropriate severity — avoid Debug in production (too much data).

Local logging: devices store logs in local memory/flash — lost on reboot. Remote syslog: sends logs to a dedicated syslog server for persistence and aggregation. Syslog servers: rsyslog, syslog-ng (Linux), Kiwi Syslog (Windows). Central logging enables correlation — seeing events from multiple devices in one place.

SIEM Systems

SIEM (Security Information and Event Management): collects logs from diverse sources (network devices, servers, endpoints, applications, cloud services), normalizes the data, and correlates events across sources to detect security incidents. SIEM provides: real-time alerting on security events, historical search for forensic investigation, compliance reporting, and dashboards.

SIEM examples: Splunk, IBM QRadar, Microsoft Sentinel (cloud), Elastic SIEM (open source). SIEM correlation: if a firewall blocks a connection AND the endpoint generates an AV alert within seconds from the same source, the SIEM correlates these into a single incident alert — pattern recognition across multiple log sources.
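To make the syslog format and the SIEM correlation rule above concrete, here is an added example (not part of the original page or any named product): it parses BSD-style syslog lines, decodes the PRI value into facility and severity, and applies one correlation rule that joins a firewall DENY and an AV alert from the same source address within a few seconds. The hostnames, addresses and message texts in SAMPLE are constructed for this example.

```python
import re
from datetime import datetime
# PRI = facility*8 + severity. Facilities 0-7 and local0 named; others get a numeric label.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 16: "local0"}
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
# BSD-style (RFC 3164) line: <PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE
LINE = re.compile(r"^<(\d{1,3})>(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
# Constructed sample lines: hostnames, addresses and messages are made up for this example.
SAMPLE = [
    "<132>Mar 14 10:15:01 fw01 DENY TCP src=10.1.1.5 dst=203.0.113.9 dport=445",
    "<14>Mar 14 10:15:02 srv02 sshd: accepted publickey for admin",
    "<34>Mar 14 10:15:03 pc-17 av: malware quarantined src=10.1.1.5",
    "<132>Mar 14 10:17:30 fw01 DENY UDP src=10.1.1.8 dst=198.51.100.2 dport=53",
]

def parse_syslog(line, year=2024):
    """Split one syslog line into facility, severity, timestamp, host and message text."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pri = int(m.group(1))
    if pri > 191:  # 23*8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    return {"facility": FACILITIES.get(pri // 8, f"facility{pri // 8}"),
            "severity": pri % 8, "severity_name": SEVERITIES[pri % 8],
            "timestamp": datetime.strptime(f"{year} {m.group(2)}", "%Y %b %d %H:%M:%S"),
            "host": m.group(3), "msg": m.group(4)}

def source_ip(event):
    m = re.search(r"\bsrc=(\d+\.\d+\.\d+\.\d+)", event["msg"])
    return m.group(1) if m else None

def correlate(events, window=5):
    """SIEM-style rule: firewall DENY + AV alert, same source IP, within `window` seconds."""
    blocks = [e for e in events if "DENY" in e["msg"]]
    alerts = [e for e in events if e["msg"].startswith("av:")]
    incidents = []
    for b in blocks:
        for a in alerts:
            gap = abs((a["timestamp"] - b["timestamp"]).total_seconds())
            if source_ip(b) and source_ip(b) == source_ip(a) and gap <= window:
                incidents.append({"src": source_ip(b), "firewall": b["host"],
                                  "endpoint": a["host"], "gap_seconds": gap})
    return incidents

def run_sample():
    events = [parse_syslog(line) for line in SAMPLE]
    return events, correlate(events)
```

The second firewall DENY (source 10.1.1.8) has no matching endpoint alert, so it stays an isolated log line rather than becoming an incident.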

Log Retention and Security

Log retention: how long logs are kept. Compliance regulations specify minimum retention — PCI DSS requires 12 months (3 months immediately accessible), HIPAA requires 6 years. Security investigations often need logs from weeks or months ago. Plan storage accordingly — high-volume devices can generate gigabytes of logs per day.

Log integrity: logs are only useful as evidence if they haven't been tampered with. Use write-once storage, WORM (Write Once Read Many) media, or cryptographic hashing to ensure log integrity. Centralized logging also removes attacker access to local logs — an attacker who compromises a device cannot easily delete centralized logs.
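The cryptographic-hashing approach mentioned above, as an added example that is not part of the original page: each stored line carries a SHA-256 digest over the previous digest plus the line, so editing, deleting or reordering an earlier entry invalidates every digest after it. The log lines are constructed for this example.

```python
import hashlib

SEED = b"\x00" * 32  # constant starting value for the first entry

# Constructed sample log lines for this example.
LOG = [
    "Mar 14 10:15:01 fw01 DENY TCP src=10.1.1.5 dst=203.0.113.9 dport=445",
    "Mar 14 10:15:03 pc-17 av: malware quarantined src=10.1.1.5",
    "Mar 14 10:16:40 srv02 sshd: accepted publickey for admin",
]

def chain(lines, seed=SEED):
    """Return (line, hex digest) pairs; each digest covers the previous digest and the line."""
    prev, out = seed, []
    for line in lines:
        digest = hashlib.sha256(prev + line.encode()).digest()
        out.append((line, digest.hex()))
        prev = digest
    return out

def verify(chained, seed=SEED):
    """Recompute the chain; return the index of the first bad entry, or -1 if all hold."""
    prev = seed
    for i, (line, stored) in enumerate(chained):
        digest = hashlib.sha256(prev + line.encode()).digest()
        if digest.hex() != stored:
            return i
        prev = digest
    return -1

def tamper_demo():
    """Show which manipulations the chain catches: an edited line and a deleted middle entry."""
    good = chain(LOG)
    edited = list(good)
    edited[0] = (good[0][0].replace("DENY", "ALLOW"), good[0][1])  # text changed, digest kept
    deleted = good[:1] + good[2:]                                   # middle entry removed
    return verify(good), verify(edited), verify(deleted)
```

Removing entries from the tail leaves the remaining chain self-consistent, which is why the latest digest (the chain head) is recorded somewhere the logging host cannot rewrite, such as the WORM store or the central syslog server.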

Key exam facts — Network+

  • Syslog uses UDP 514; levels 0–7 (0=Emergency, 7=Debug); lower = more severe
  • SIEM: aggregates logs from multiple sources, correlates events, detects incidents
  • Remote syslog prevents log loss on device reboot
  • PCI DSS: 12 months log retention; HIPAA: 6 years
  • Debug syslog level: very verbose — avoid on production (performance impact)
  • Log integrity: centralized storage prevents tampering; WORM media for compliance
  • Syslog facility codes classify log source (kernel, mail, security, etc.)

Common exam traps

Local device logging is sufficient for security investigations

Local logs are lost on reboot, have limited storage, and can be deleted by an attacker who compromises the device. Centralized syslog is essential for persistent, tamper-resistant logging.

Practice questions — Log Management

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. Which syslog severity level should be used to log messages that require immediate attention to prevent system failure?

A. Level 0 – Emergency
B. Level 1 – Alert
C. Level 4 – Warning
D. Level 7 – Debug

Explanation: Syslog Level 1 (Alert) means 'action must be taken immediately' — used for conditions that require immediate administrator attention to prevent failure. Level 0 (Emergency) means the system is completely unusable (the most severe). Level 4 (Warning) is for conditions that might cause problems. Level 7 (Debug) is extremely verbose diagnostic information.

Frequently asked questions — Log Management

What is the difference between SIEM and a syslog server?

A syslog server passively collects and stores log messages from network devices — it provides storage and basic search. A SIEM actively analyzes logs from multiple sources, correlates events across them, generates alerts for security incidents, and produces compliance reports. SIEM is the intelligence layer built on top of log collection. Most enterprise deployments use both: syslog servers for device log collection, SIEM for analysis.
