
Syslog & Log Management 5 PORTS FREE

Enterprise-grade log aggregation 45x cheaper than Splunk with CEF export & threat correlation

Overview

DNS Science provides enterprise-grade syslog and log management at a fraction of the cost of traditional SIEM platforms. Our platform offers automatic IOC correlation, CEF export for Splunk, threat intelligence integration, and intelligent storage tiering to minimize costs while maximizing security insights.

🚀 Why DNS Science Log Management?
  • 45x Cheaper than Splunk Cloud ($0.10/GB vs $4.50/GB)
  • 5 Free Syslog Ports with 1GB storage each (5GB total)
  • Automatic IOC Correlation against 2M+ threat indicators
  • CEF Format Export for 30-40% faster Splunk ingestion
  • Smart Storage Tiering reduces long-term costs by 82%

Pricing & Plans

🆓 Free Tier

$0
  • 5 syslog ports
  • 1GB per port (5GB total)
  • 30-day retention
  • UDP/TCP/TLS support
  • CEF export included
  • IOC correlation

💼 Professional

$29/mo
  • 20 syslog ports
  • 50GB total storage
  • 90-day retention
  • All Free tier features
  • SIEM integrations
  • Email alerts

🏢 Enterprise

$99/mo
  • 100 syslog ports
  • 250GB total storage
  • 1-year retention
  • All Pro features
  • Custom integrations
  • Priority support

⭐ Enterprise Plus

$299/mo
  • Unlimited ports
  • 1TB total storage
  • 2-year retention
  • All Enterprise features
  • Dedicated support
  • Custom SLA

Storage Add-Ons

Retention Period | Price per GB/month | Use Case
0-30 days (Hot) | $0.10/GB | Active investigation, real-time analytics
31-90 days (Warm) | $0.05/GB | Recent incident review, compliance
91-365 days (Cool) | $0.02/GB | Quarterly audits, trend analysis
1+ years (Archive) | $0.01/GB | Long-term compliance, legal holds
💡 Smart Storage Tiering: Logs automatically move to cheaper storage tiers as they age, reducing costs by up to 82% while keeping recent data instantly searchable.

Getting Started

1. Create Your First Syslog Port

All accounts include 5 free syslog ports with 1GB storage each.

POST /api/v2/syslog/ports/create
curl -X POST "https://www.dnsscience.io/api/v2/syslog/ports/create" \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "port_name": "firewall-logs",
    "protocol": "tcp",
    "tls_enabled": true,
    "storage_limit_gb": 1,
    "retention_days": 30
  }'

Response

{
  "port_id": 12345,
  "port_number": 51400,
  "port_name": "firewall-logs",
  "protocol": "tcp",
  "tls_enabled": true,
  "storage_limit_gb": 1.0,
  "retention_days": 30,
  "endpoint": "syslog.dnsscience.io:51400",
  "status": "active"
}

2. Configure Your Systems

Point your devices/applications to send logs to the assigned port.

rsyslog Configuration

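# /etc/rsyslog.d/50-dnsscience.conf
# Use only ONE of the two options below. With both active, every message is
# forwarded twice and the plain-TCP action inherits the TLS driver settings.

# Option 1: plain TCP (no encryption), commented out by default
# *.* @@syslog.dnsscience.io:51400

# Option 2: TCP with TLS (recommended)
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-bundle.crt
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
# x509/name checks the server certificate against the permitted peer name
# (assumes the certificate is issued for the endpoint hostname)
$ActionSendStreamDriverPermittedPeer syslog.dnsscience.io
*.* @@syslog.dnsscience.io:51400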

syslog-ng Configuration

# /etc/syslog-ng/conf.d/dnsscience.conf

destination d_dnsscience {
    network("syslog.dnsscience.io"
        port(51400)
        transport("tls")
        tls(
            ca-dir("/etc/ssl/certs")
            peer-verify(required-trusted)
        )
    );
};

log {
    source(s_src);
    destination(d_dnsscience);
};

Python Logging

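import logging
import logging.handlers
import socket

# Create syslog handler.
# SysLogHandler has no TLS support: this sends plaintext TCP, so use it with a
# port created without tls_enabled, or log to a local rsyslog/syslog-ng
# instance that forwards over TLS.
handler = logging.handlers.SysLogHandler(
    address=('syslog.dnsscience.io', 51400),
    socktype=socket.SOCK_STREAM  # TCP
)

# Set format (CEF recommended)
formatter = logging.Formatter(
    'CEF:0|MyApp|AppName|1.0|%(name)s|%(levelname)s|%(message)s'
)
handler.setFormatter(formatter)

# Add to logger
logger = logging.getLogger()
logger.addHandler(handler)
logger.setLevel(logging.INFO)

# Log events
# Fields passed via extra= are attached to the record but only appear in the
# output if the format string references them (e.g. %(user)s).
logger.info("Application started", extra={'user': 'admin'})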
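
The static format string above leaves the logger name, level and message in the CEF Signature ID, Name and Severity slots and escapes nothing, so a pipe or newline in a logged value can split or forge a record. The formatter below is an added example (not DNS Science code) that emits a well-formed header and escapes every field; the level-to-severity mapping and the "cef" extra key are assumptions of this example.

```python
import logging

# Python level -> CEF severity (0-10); this mapping is an assumption of the example.
_SEVERITY = {logging.DEBUG: 1, logging.INFO: 3, logging.WARNING: 6,
             logging.ERROR: 8, logging.CRITICAL: 10}


def _esc_header(value):
    # Header fields: escape backslash and pipe, fold CR/LF so a record stays one line.
    text = str(value).replace("\\", "\\\\").replace("|", "\\|")
    return text.replace("\r", " ").replace("\n", " ")


def _esc_ext(value):
    # Extension values: escape backslash and '=', encode CR/LF as literal \r and \n.
    text = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return text.replace("\r", "\\r").replace("\n", "\\n")


class CEFFormatter(logging.Formatter):
    """Render each LogRecord as one CEF:0 line with escaped fields."""

    def __init__(self, vendor, product, version):
        super().__init__()
        self.prefix = "CEF:0|" + "|".join(map(_esc_header, (vendor, product, version)))

    def format(self, record):
        # Name is the constant message template; logged arguments stay in the msg extension.
        header = "|".join([self.prefix, _esc_header(record.name),
                           _esc_header(record.msg),
                           str(_SEVERITY.get(record.levelno, 5))])
        # Extra extension fields arrive via extra={"cef": {...}} (example convention).
        ext = dict(getattr(record, "cef", {}))
        ext["msg"] = record.getMessage()
        return header + "|" + " ".join(
            f"{key}={_esc_ext(val)}" for key, val in ext.items())


def demo_line():
    # Constructed record: the argument smuggles a newline and a forged CEF event.
    record = logging.LogRecord(
        "auth", logging.WARNING, "demo.py", 0, "login failed for %s",
        ("bob\nCEF:0|x|x|1|0|forged|0|suser=admin",), None)
    record.cef = {"src": "192.0.2.10", "suser": "bob"}
    return CEFFormatter("MyApp", "AppName", "1.0").format(record)


if __name__ == "__main__":
    print(demo_line())
```

Attach it with handler.setFormatter(CEFFormatter("MyApp", "AppName", "1.0")) in place of the static formatter.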

CEF Format Export

Common Event Format (CEF) provides 30-40% faster ingestion in Splunk and better field extraction.

Enable CEF Export

POST /api/v2/syslog/export/splunk
{
  "syslog_port_id": 12345,
  "connector_type": "splunk_hec",
  "format": "cef",
  "config": {
    "hec_url": "https://splunk.example.com:8088",
    "hec_token": "your-hec-token",
    "index": "main",
    "sourcetype": "dnsscience:cef"
  }
}

CEF Event Example

CEF:0|DNS Science|DNS Security Platform|2.0|DNS-001|High-Risk Domain Query|8|
src=192.168.1.100 spt=54321 dst=8.8.8.8 dpt=53 dvchost=ns1.dnsscience.io
request=malware.evil.com qtype=A reason=IOC Match cn1=85 cn1Label=ThreatScore
cs1=C2 Server cs1Label=ThreatType cs2=known-bad-domains cs2Label=IOCSource
🎯 CEF Benefits:
  • Native field extraction in Splunk/ArcSight
  • 30-40% reduction in parsing overhead
  • Faster search performance
  • Better event correlation
  • Industry-standard format
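
Values in the event above contain spaces ("reason=IOC Match", "cs1=C2 Server"), so splitting the extension on whitespace misparses it. This added example (not part of the DNS Science platform) parses a CEF record on key boundaries, honours backslash escapes and folds cn1/cn1Label style pairs; the page's event is embedded joined into one line, and the function names are this example's own.

```python
import re

# One header field: any run of non-pipe characters or backslash escapes, then '|'.
_FIELD = re.compile(r"((?:[^\\|]|\\.)*)\|")
# An extension key sits at the start or after a space and is followed by '='.
_EXT_KEY = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_.\-\[\]]+)=")
_HEADER = ("version", "vendor", "product", "device_version",
           "signature_id", "name", "severity")


def _unescape(text):
    # \| \= \\ become the bare character; \n and \r become line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), text)


def parse_cef(line):
    """Return (header, extension) dicts for one CEF record."""
    pos = line.find("CEF:") + 4      # tolerate a leading syslog prefix
    if pos < 4:
        raise ValueError("no CEF marker")
    header = {}
    for name in _HEADER:             # exactly seven pipe-terminated fields
        match = _FIELD.match(line, pos)
        if match is None:
            raise ValueError("truncated CEF header")
        header[name] = _unescape(match.group(1))
        pos = match.end()
    # A value runs up to the next " key=" boundary, not the next space.
    raw = line[pos:].strip()
    keys = list(_EXT_KEY.finditer(raw))
    ext = {}
    for i, key in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(raw)
        ext[key.group(1)] = _unescape(raw[key.end():end].strip())
    # Fold cn1/cn1Label style pairs into {label: value}.
    for label_key in [k for k in ext if k.endswith("Label") and k[:-5] in ext]:
        value = ext.pop(label_key[:-5])
        ext[ext.pop(label_key)] = value
    return header, ext


# The "CEF Event Example" from this page, joined into the single line CEF requires.
PAGE_EVENT = (
    "CEF:0|DNS Science|DNS Security Platform|2.0|DNS-001|High-Risk Domain Query|8|"
    "src=192.168.1.100 spt=54321 dst=8.8.8.8 dpt=53 dvchost=ns1.dnsscience.io "
    "request=malware.evil.com qtype=A reason=IOC Match cn1=85 cn1Label=ThreatScore "
    "cs1=C2 Server cs1Label=ThreatType cs2=known-bad-domains cs2Label=IOCSource"
)
```

Calling parse_cef(PAGE_EVENT) returns the seven header fields and an extension dict in which "reason" is "IOC Match" and "ThreatScore" is "85".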

IOC Correlation

All logs are automatically correlated against 2M+ threat indicators including domains, IPs, hashes, and URLs.

View IOC Matches

GET /api/v2/syslog/ioc/matches?port_id={port_id}&hours={hours}
curl "https://www.dnsscience.io/api/v2/syslog/ioc/matches?port_id=12345&hours=24" \
  -H "X-API-Key: YOUR_API_KEY"

Response

{
  "port_id": 12345,
  "time_range": "24 hours",
  "total_matches": 42,
  "matches": [
    {
      "matched_at": "2025-11-24T10:30:00Z",
      "indicator": "malicious-domain.com",
      "ioc_type": "domain",
      "confidence": 95,
      "severity": "high",
      "threat_type": "C2 Server",
      "source": "AlienVault OTX",
      "log_entry": "DNS query for malicious-domain.com from 192.168.1.50",
      "action_taken": "alerted"
    }
  ]
}

SIEM Integrations

Splunk HEC

{
  "connector_type": "splunk_hec",
  "format": "cef",
  "config": {
    "hec_url": "https://splunk.company.com:8088",
    "hec_token": "YOUR-HEC-TOKEN",
    "index": "security",
    "sourcetype": "dnsscience:cef",
    "verify_ssl": true
  }
}

Elasticsearch

{
  "connector_type": "elasticsearch",
  "format": "json",
  "config": {
    "hosts": ["https://elastic.company.com:9200"],
    "index": "logs-dnsscience",
    "api_key": "YOUR-API-KEY"
  }
}

AWS S3

{
  "connector_type": "s3",
  "format": "json",
  "config": {
    "bucket": "company-security-logs",
    "prefix": "dnsscience/",
    "region": "us-east-1",
    "compression": "gzip"
  }
}

Port Management API

List All Ports

GET /api/v2/syslog/ports

Get Port Details

GET /api/v2/syslog/ports/{port_id}

Update Port Configuration

POST /api/v2/syslog/ports/{port_id}/update

View Port Usage

GET /api/v2/syslog/ports/{port_id}/usage
{
  "port_id": 12345,
  "storage_used_gb": 0.847,
  "storage_limit_gb": 1.0,
  "usage_percentage": 84.7,
  "logs_received_24h": 145820,
  "bytes_received_24h": 89234567,
  "oldest_log": "2025-10-25T00:00:00Z",
  "newest_log": "2025-11-24T14:30:00Z"
}

Delete Port

DELETE /api/v2/syslog/ports/{port_id}
⚠️ Warning: Deleting a port will permanently remove all associated logs. This action cannot be undone.

Storage & Retention

Automatic Tiering

Logs are automatically moved to cost-effective storage tiers based on age:

Age | Storage Tier | Cost | Search Speed
0-30 days | Hot (S3 Standard) | $0.023/GB | Instant
31-90 days | Warm (Glacier Instant) | $0.004/GB | Instant
91-365 days | Cool (Glacier Flexible) | $0.0036/GB | 3-5 hours
1+ years | Archive (Deep Archive) | $0.00099/GB | 12-48 hours
💰 Cost Savings: Automatic tiering reduces storage costs by up to 82% compared to keeping all logs in hot storage, while maintaining full searchability for recent data.

Security & Compliance

Encryption

Compliance

Monitoring & Alerts

Configure Alerts

POST /api/v2/syslog/alerts/create
{
  "port_id": 12345,
  "alert_name": "Storage Threshold Alert",
  "alert_type": "storage_threshold",
  "threshold": 80,
  "notification_channels": ["email", "slack"],
  "email": "admin@company.com",
  "slack_webhook": "https://hooks.slack.com/..."
}

Alert Types

Best Practices

1. Use TLS Encryption

Always enable TLS for syslog connections to protect sensitive log data in transit.

2. Structured Logging

Use CEF or JSON format for better parsing and field extraction.

3. Tag Your Ports

Use descriptive names like "firewall-logs", "app-logs", "security-events" for easy identification.

4. Monitor Storage Usage

Set up alerts at 80% storage threshold to avoid log loss.

5. Leverage IOC Correlation

Regularly review IOC matches to identify potential threats in your environment.

Support

Need help? Contact our support team:

🚀 Ready to get started?
Create your free account and get 5 syslog ports with 1GB storage each (5GB total) - no credit card required!