Friday, 13 June 2025

🚀 Building a High-Performance Python Syslog Server with Daily Log Rotation and Emergency Telegram Alerts

In this post, we’ll walk through building a high-performance, multi-threaded syslog server in Python that:

  • Listens on multiple UDP ports (like 514 and 1514)

  • Stores logs in daily-rotated SQLite databases

  • Detects critical syslog messages and sends real-time Telegram alerts

  • Buffers tens of thousands of queued messages so traffic bursts are absorbed without data loss

This system is ideal for network engineers and sysadmins managing OLTs, routers, or any syslog-capable devices.

🔧 What It Does

  • Accepts syslog messages over UDP

  • Stores them in a SQLite DB (separate file per day)

  • Creates per-device tables (based on source IP)

  • Triggers alerts for keywords like pon deregister, reset, rogue, etc.

  • Sends alerts to a Telegram group/bot

  • Uses Python’s threading and queue for concurrency and performance


🧠 Tech Stack

  • Python 3

  • socket for UDP communication

  • sqlite3 for local, fast storage

  • requests for Telegram alerts

  • threading and queue for parallel log handling


📦 Code Features

1. UDP Listener

Each port (514, 1514) runs in its own thread, decoding incoming messages and forwarding them into log_queue.

2. Queue-Based Log Writing

Log entries are pushed into log_queue (max 50,000). A separate log_writer thread reads from this queue and writes to SQLite in batches of 100 entries to optimize performance.

3. Daily Database Rotation

The log writer checks the current date before each write and creates a new DB file per day (syslog_YYYYMMDD.db).

When the date changes, the current DB connection is closed and a new one is opened automatically. No external scheduler or cron job is required.

4. Per-IP Table Creation

Logs are grouped into tables named after the device IP and the date (for example logs_192_168_1_1_20250613):

This avoids one massive flat table and speeds up filtering by device.
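Sections 2 to 4 above (queue-based batch writing, daily rotation, per-IP tables) fit together in a small amount of code. The following is an added example written for this post, not the author's server: it implements a log_writer thread that drains a bounded queue in batches of 100, opens syslog_YYYYMMDD.db for the current day, rotates when the date changes, and creates one logs_<ip>_<date> table per source address. The clock is injectable so the rotation can be exercised without waiting for midnight; the sample entries, the demo() helper and the table schema (ts, message) are assumptions of this example.

```python
import queue
import re
import sqlite3
import tempfile
import threading
import time
from datetime import date
from pathlib import Path

BATCH_SIZE = 100     # flush to SQLite every 100 entries, as in the post
QUEUE_MAX = 50_000   # bounded queue: a burst is buffered, never allowed to exhaust memory


def db_path(base_dir: Path, day: date) -> Path:
    """One database file per day: syslog_YYYYMMDD.db."""
    return base_dir / f"syslog_{day:%Y%m%d}.db"


def table_name(src_ip: str, day: date) -> str:
    """Per-device table: logs_<ip with dots replaced>_<YYYYMMDD>."""
    # The name is derived from a sender-controlled value, so only address
    # characters are accepted; anything else is rejected before it reaches SQL.
    if not re.fullmatch(r"[0-9A-Fa-f.:]+", src_ip):
        raise ValueError(f"refusing to build a table name from {src_ip!r}")
    return f"logs_{src_ip.replace('.', '_').replace(':', '_')}_{day:%Y%m%d}"


class LogWriter(threading.Thread):
    """Drains log_queue in batches and rotates the DB file when the date changes."""

    def __init__(self, log_queue, base_dir, today=date.today):
        super().__init__(daemon=True)
        self.q = log_queue
        self.base_dir = Path(base_dir)
        self.today = today            # injectable clock so rotation is testable
        self.conn, self.day, self.tables = None, None, set()
        self.stop_event = threading.Event()
        self.written = 0

    def _rotate_if_needed(self):
        now = self.today()
        if self.conn is not None and now == self.day:
            return
        if self.conn is not None:
            self.conn.close()         # yesterday's file is finished
        # check_same_thread=False only disables sqlite3's ownership check; the
        # connection is still used exclusively from this thread.
        self.conn = sqlite3.connect(db_path(self.base_dir, now), check_same_thread=False)
        self.conn.execute("PRAGMA journal_mode=WAL")   # this is what creates the -wal/-shm files
        self.day, self.tables = now, set()

    def _table_for(self, src_ip):
        name = table_name(src_ip, self.day)
        if name not in self.tables:
            self.conn.execute(f'CREATE TABLE IF NOT EXISTS "{name}" (ts TEXT, message TEXT)')
            self.tables.add(name)
        return name

    def _flush(self, batch):
        self._rotate_if_needed()
        for src_ip, ts, msg in batch:
            self.conn.execute(f'INSERT INTO "{self._table_for(src_ip)}" VALUES (?, ?)', (ts, msg))
        self.conn.commit()            # one transaction per batch, not per message
        self.written += len(batch)

    def run(self):
        batch = []
        while not (self.stop_event.is_set() and self.q.empty()):
            try:
                batch.append(self.q.get(timeout=0.2))
            except queue.Empty:
                pass
            if batch and (len(batch) >= BATCH_SIZE or self.q.empty()):
                self._flush(batch)
                batch = []
        if batch:
            self._flush(batch)
        if self.conn is not None:
            self.conn.close()


def demo(base_dir=None):
    """Feed constructed entries through the writer across a simulated date change."""
    base_dir = Path(base_dir or tempfile.mkdtemp(prefix="syslog_demo_"))
    clock = {"day": date(2025, 6, 13)}
    q = queue.Queue(maxsize=QUEUE_MAX)
    writer = LogWriter(q, base_dir, today=lambda: clock["day"])
    writer.start()
    day_one = [  # constructed sample entries: (source ip, timestamp, message)
        ("192.168.1.1", "2025-06-13T10:00:01", "ONU 1/2/3 pon deregister"),
        ("192.168.1.1", "2025-06-13T10:00:02", "ONU 1/2/3 pon register"),
        ("10.0.0.5", "2025-06-13T10:00:03", "interface gpon 1/4 link up"),
    ]
    for entry in day_one:
        q.put(entry)
    deadline = time.monotonic() + 5
    while writer.written < len(day_one) and time.monotonic() < deadline:
        time.sleep(0.05)
    clock["day"] = date(2025, 6, 14)           # midnight passes
    q.put(("192.168.1.1", "2025-06-14T00:00:05", "ONU 1/2/3 pon deregister"))
    writer.stop_event.set()
    writer.join(timeout=5)
    result = {}
    for path in sorted(base_dir.glob("syslog_*.db")):
        conn = sqlite3.connect(path)
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        result[path.name] = {t: conn.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                             for t in tables}
        conn.close()
    return result
```

Running demo() produces two files, syslog_20250613.db with two device tables and syslog_20250614.db with one, which is exactly the rotation the post describes. The table name is built from the packet's source address, so it is validated with a strict character class before being interpolated into the CREATE TABLE statement; message text and timestamps go through bound parameters and are never interpolated.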

5. Real-time Telegram Alerts

When critical patterns are detected in the message content, an alert is pushed to alert_queue, which a separate thread delivers to Telegram with the requests library:


🛡️ Keywords Triggering Alerts

These common OLT/network events are monitored:

  • "pon deregister"

  • "olt power up", "olt power down"

  • "reset", "reboot", "rogue"

  • "mac flapp", "loopback"

  • "device port updown" and others

You can customize or expand this list easily in the code.
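The alert path (section 5 and the keyword list above) is shown here as an added example, not the author's code: a case-insensitive keyword matcher over the post's list, an inspect() hook the listener can call per message without blocking, a sender for the Telegram Bot API sendMessage method built on requests.post, and an alert thread that rate-limits repeats of the same event from the same device so a flapping port cannot flood the group. The cooldown, the placeholder token and chat id, the fake transport used in demo() and the constructed syslog lines are all assumptions of this example; the Bot API URL form https://api.telegram.org/bot<TOKEN>/sendMessage is the real one.

```python
import queue
import threading
import time

# Keywords from the post; comparison is case-insensitive substring matching.
ALERT_KEYWORDS = (
    "pon deregister", "olt power up", "olt power down", "reset", "reboot",
    "rogue", "mac flapp", "loopback", "device port updown",
)


def matched_keywords(message: str) -> list:
    """Return every keyword found in the message. Substring matching is coarse
    ('reset' also fires on 'preset'), so tune the list for your devices."""
    lowered = message.lower()
    return [k for k in ALERT_KEYWORDS if k in lowered]


def inspect(src_ip, message, alert_queue):
    """Called by the UDP listener per message; queues an alert without blocking it."""
    hits = matched_keywords(message)
    if hits:
        try:
            alert_queue.put_nowait((src_ip, message, hits))
        except queue.Full:
            pass   # alerting is best effort; the log writer still stores the message
    return hits


def telegram_sender(token, chat_id, post=None):
    """Build a send(text) callable for the Bot API sendMessage method."""
    if post is None:
        import requests            # imported lazily so the module loads without it
        post = requests.post
    url = f"https://api.telegram.org/bot{token}/sendMessage"   # keep this URL out of logs

    def send(text):
        resp = post(url, json={"chat_id": chat_id, "text": text[:4000]}, timeout=10)
        return resp.status_code == 200
    return send


class AlertSender(threading.Thread):
    """Drains alert_queue and suppresses repeats per (device, keyword) inside a cooldown."""

    def __init__(self, alert_queue, send, cooldown=60.0, clock=time.monotonic):
        super().__init__(daemon=True)
        self.q, self.send, self.cooldown, self.clock = alert_queue, send, cooldown, clock
        self.stop_event = threading.Event()
        self.last_sent = {}
        self.sent = self.suppressed = 0

    def run(self):
        while not (self.stop_event.is_set() and self.q.empty()):
            try:
                src_ip, message, hits = self.q.get(timeout=0.2)
            except queue.Empty:
                continue
            key, now = (src_ip, hits[0]), self.clock()
            if now - self.last_sent.get(key, float("-inf")) < self.cooldown:
                self.suppressed += 1        # same device + event inside the cooldown window
                continue
            self.last_sent[key] = now
            try:
                self.send(f"[{src_ip}] {', '.join(hits)}: {message}")
                self.sent += 1
            except Exception as exc:          # a network failure must not kill the thread
                print(f"alert delivery failed: {exc}")


def demo():
    """Run constructed syslog lines through detection and a fake Telegram transport."""
    delivered = []

    class FakeResponse:
        status_code = 200

    def fake_post(url, json, timeout):        # records what would have been sent
        delivered.append(json["text"])
        return FakeResponse()

    send = telegram_sender("<BOT_TOKEN>", "<CHAT_ID>", post=fake_post)   # placeholders
    alert_queue = queue.Queue(maxsize=1000)
    sender = AlertSender(alert_queue, send, clock=lambda: 1000.0)   # frozen clock
    sender.start()
    samples = [  # constructed (source ip, message) pairs
        ("10.0.0.5", "<3>Jun 13 10:01:02 OLT-1 ONU 1/2/3 pon deregister"),
        ("10.0.0.5", "<6>Jun 13 10:01:03 OLT-1 interface gpon 1/2 link up"),
        ("10.0.0.5", "<3>Jun 13 10:01:04 OLT-1 ONU 1/2/3 pon deregister"),
        ("10.0.0.5", "<2>Jun 13 10:01:05 OLT-1 rogue ONU detected on gpon 1/4"),
        ("10.0.0.6", "<4>Jun 13 10:01:06 SW-2 mac flapping on port 7"),
    ]
    for src_ip, msg in samples:
        inspect(src_ip, msg, alert_queue)
    sender.stop_event.set()
    sender.join(timeout=5)
    return delivered, sender.suppressed
```

In demo() the second "pon deregister" from 10.0.0.5 arrives inside the cooldown and is counted as suppressed rather than sent, while the rogue ONU event and the MAC flap from another device go through; three alert texts reach the fake transport. In production, drop the post argument so requests.post is used, and load the bot token from the environment or a config file rather than the source.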


🧪 Performance Tips

  • Use Queue(maxsize=50000) to buffer bursts of traffic

  • Process logs in batches to reduce DB writes

  • A 16 MB SO_RCVBUF on each listening socket keeps the kernel from dropping UDP packets during bursts

  • Use check_same_thread=False when opening the SQLite connection; this only disables sqlite3's thread-ownership check, so keep each connection in use by one thread at a time

  • Separate alert and log writers prevent blocking


📂 Files Created

  • syslog_YYYYMMDD.db, one file per day

  • Inside each DB: tables like logs_192_168_1_1_20250613

SQLite also creates temporary -wal and -shm files for performance, which is expected behavior.


🚀 Running the Server

Download

Download the server file and run it; no further setup is needed.

It starts:

  • UDP listeners on 514, 1514

  • Log writer and alert threads

  • Waits for Ctrl+C to shut down gracefully
