Port reference

Port 514 (UDP) – Syslog

Syslog — the classic UDP transport for system and device log messages.

Tags: UDP · well-known port · commonly attacked

Default state

Open on syslog collectors and SIEM ingest points. Devices send to it; it should be reachable only from trusted log sources.

Common attacks

  • Spoofed log messages forging or muddying the audit trail
  • Log injection to corrupt or evade SIEM parsing and alerts
  • Flooding the collector to drop or hide real events (DoS)
  • Cleartext interception of sensitive data in log lines

Hardening

  • Move to syslog over TLS (RFC 5425) on TCP 6514 instead of UDP 514, with client certificates so the collector can authenticate each sending device
  • Restrict UDP 514 to known log-source IPs with firewall rules
  • Validate and sanitize incoming messages before SIEM ingest
  • Rate-limit and monitor collector load to resist flooding
  • Segment logging traffic onto a trusted management network

nmap snippet

nmap -sU -p514 --script syslog-info <target>

Replace <target> with the host or range you're authorized to scan. A UDP syslog collector normally sends nothing back, so nmap will usually report 514/udp as open|filtered rather than open; an ICMP port-unreachable is the only signal that it is closed.

What runs on port 514?

Port 514 is the classic transport for syslog, the standard protocol devices and servers use to ship log messages to a central collector or SIEM. Routers, firewalls, Linux hosts, and appliances forward events here so they can be stored, correlated, and alerted on. Traditional syslog runs over UDP 514 as plain, fire-and-forget text: a datagram carrying a <PRI> value (facility and severity), a timestamp, the sender's claimed hostname, and the message. Plain TCP 514 is also widely used for syslog (RFC 6587), and the legacy rsh/rshd service historically used TCP 514 as well.

Why it matters for security

Logs are the evidence base for detection and forensics, so their integrity is itself a security control. UDP syslog provides none of that: messages are unauthenticated, unencrypted, and easily spoofed, and the hostname field inside each message is whatever the sender chose to write. An attacker on the path can forge entries to hide an intrusion, inject fabricated events to misdirect analysts, or flood the collector so genuine events are dropped. Sensitive data in log lines (usernames, internal addresses, occasionally secrets that should never have been logged) is also exposed to anyone sniffing the cleartext.

How it's attacked

Because UDP source addresses are trivial to spoof and syslog carries no authentication, an attacker sends forged log messages that pollute or rewrite the audit trail, claiming any hostname they like. Log injection crafts message content, typically embedded CR/LF or other control characters, that a line-oriented sink stores as a second, forged record or that breaks SIEM parsing and triggers false alerts. Flooding the collector from one or many sources causes it to drop events, masking real activity in a denial of service. On the wire, cleartext messages are intercepted for reconnaissance.
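The collector-side checks that the attack list above and the hardening checklist call for (validate and sanitize before ingest, rate-limit per source), run over a handful of constructed UDP datagrams. This is an added example written for this page, not code from rsyslog, syslog-ng or any SIEM; the source allow-list, hostnames and log lines are invented for the illustration.

```python
"""Collector-side checks for plain UDP syslog (RFC 3164 / RFC 5424 style messages).

Added example for this port reference page; not code from rsyslog, syslog-ng or
any SIEM. It runs over constructed datagrams (source IP, payload) and flags the
problems the text describes: an origin that does not match the sender, control
characters that would split or corrupt a record, a malformed priority, and a
source that floods the collector.
"""
import re
from collections import defaultdict, deque

# Assumed allow-list: which hostname is expected from which source IP.
# In production this comes from inventory or the same data as the firewall rules.
KNOWN_SOURCES = {
    "10.0.0.5": "fw-edge-01",
    "10.0.0.6": "core-sw-01",
}

PRI_RE = re.compile(rb"^<(\d{1,3})>")
# Every C0 control character except TAB, plus DEL. CR/LF are the injection vector
# on any line-oriented sink; the rest break parsers and terminal display.
CONTROL_RE = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")


def parse_pri(payload: bytes):
    """Return (facility, severity) from the leading <PRI>, or None if malformed."""
    m = PRI_RE.match(payload)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:            # 24 facilities x 8 severities -> 0..191
        return None
    return pri // 8, pri % 8


def extract_hostname(payload: bytes):
    """Hostname claimed in the message: RFC 5424 '<PRI>1 TIMESTAMP HOST ...' or
    RFC 3164 '<PRI>Mmm dd hh:mm:ss HOST ...'. The field is attacker-controlled."""
    fields = PRI_RE.sub(b"", payload, count=1).split()
    if len(fields) >= 3 and fields[0] == b"1":
        return fields[2].decode("ascii", "replace")
    if len(fields) >= 4:
        return fields[3].decode("ascii", "replace")
    return None


def sanitize(payload: bytes) -> bytes:
    """Escape control characters so one datagram can never become two records."""
    return CONTROL_RE.sub(lambda m: b"\\x%02x" % m.group(0)[0], payload)


class RateLimiter:
    """Sliding-window cap per source IP, so one flooding host cannot crowd out the rest."""

    def __init__(self, max_per_window: int, window_s: float):
        self.max, self.window = max_per_window, window_s
        self.events = defaultdict(deque)

    def allow(self, src_ip: str, now: float) -> bool:
        q = self.events[src_ip]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max:
            return False
        q.append(now)
        return True


def check_datagram(src_ip: str, payload: bytes, limiter: RateLimiter, now: float) -> dict:
    """Classify one datagram; 'findings' is empty for a message worth ingesting as-is."""
    findings = []
    if not limiter.allow(src_ip, now):
        findings.append("rate-limited")
    if src_ip not in KNOWN_SOURCES:
        findings.append("unknown-source")
    pri = parse_pri(payload)
    if pri is None:
        findings.append("bad-pri")
    host = extract_hostname(payload)
    expected = KNOWN_SOURCES.get(src_ip)
    if expected and host and host != expected:
        findings.append("hostname-mismatch")   # claims to be a device it did not come from
    if CONTROL_RE.search(payload):
        findings.append("control-chars")
    return {"src": src_ip, "pri": pri, "host": host,
            "findings": findings, "clean": sanitize(payload)}


# Constructed sample traffic (not captured from a real network).
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", b"<34>1 2024-05-01T12:00:00Z fw-edge-01 sshd - - - Accepted publickey for ops from 10.0.0.20"),
    # Known source (the switch) claiming to be the firewall.
    ("10.0.0.6", b"<34>1 2024-05-01T12:00:01Z fw-edge-01 sshd - - - Failed password for root from 203.0.113.9"),
    # Unknown source: nothing on the allow-list, so nothing to trust.
    ("192.0.2.99", b"<34>1 2024-05-01T12:00:02Z fw-edge-01 sshd - - - Accepted password for root"),
    # CRLF injection: on a line-based sink the tail would appear as a second, forged record.
    ("10.0.0.6", b"<13>May  1 12:00:03 core-sw-01 login: user=alice\r\n<13>May  1 12:00:03 core-sw-01 login: user=admin ok"),
    # Out-of-range PRI from the right host: malformed, do not guess a facility.
    ("10.0.0.6", b"<999>May  1 12:00:04 core-sw-01 kernel: link up"),
]


def run(datagrams=SAMPLE_DATAGRAMS, max_per_window=100, window_s=1.0):
    limiter = RateLimiter(max_per_window, window_s)
    results, now = [], 1000.0
    for src, payload in datagrams:
        results.append(check_datagram(src, payload, limiter, now))
        now += 0.01
    return results


def simulate_flood(src_ip="10.0.0.5", count=50, max_per_window=20, window_s=1.0):
    """How many datagrams one source gets through when it sends `count` in a single window."""
    limiter = RateLimiter(max_per_window, window_s)
    return sum(limiter.allow(src_ip, 500.0 + i * 0.001) for i in range(count))


if __name__ == "__main__":
    for r in run():
        print(r["src"], r["host"], r["pri"], r["findings"])
    print("flood: accepted", simulate_flood(), "of 50")
```

The hostname check is deliberately a mismatch detector, not a trust decision: the claimed hostname is part of the untrusted payload, so the only thing a UDP collector can anchor on is the source address, and even that is spoofable. That is why the checks are a stopgap for UDP 514 rather than a substitute for TLS with client certificates.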

Hardening checklist

Replace plain UDP syslog with syslog over TLS (RFC 5425) on TCP 6514, which adds authentication, integrity, and encryption on the wire; issue client certificates so the collector accepts only known devices. TLS authenticates the device, not the content, so a compromised sender can still emit false entries: keep collector-side validation even after the move. Where UDP 514 must remain, restrict it to known log-source IPs with firewall rules, validate and sanitize messages before SIEM ingest, and rate-limit the collector per source to resist flooding. Keep logging on a trusted management segment. The nmap snippet above probes for a syslog listener on a host you are authorized to test; because a UDP collector sends no reply, expect open|filtered rather than a definite open.
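The TLS transport the checklist recommends, with both sides of the exchange: a sender that verifies the collector and presents its own certificate, a collector that refuses any peer without a certificate from the shared CA, and the RFC 5425 octet-counting framing that keeps an injected newline inside the record it was sent in. This is an added example for this page, not code from rsyslog, syslog-ng or any other project; certificate paths, hostnames and addresses are assumptions, and the framing functions are the part that runs offline.

```python
"""Syslog over TLS (RFC 5425) with octet-counting framing, sender and collector side.

Added example for this port reference page; not code from rsyslog, syslog-ng or
any other project. Certificate paths, host names and addresses are assumptions.
The framing functions run offline; the TLS functions need a CA and per-host
certificates and are shown so both sides of the exchange are visible.
"""
import socket
import ssl


def frame(msg: bytes) -> bytes:
    """RFC 5425 framing: MSG-LEN SP SYSLOG-MSG. The length is a byte count, so a
    message containing CR/LF cannot be split into two records by the receiver."""
    return b"%d %s" % (len(msg), msg)


def unframe(buf: bytes):
    """Pull every complete frame out of buf. Returns (messages, unconsumed_bytes)."""
    msgs = []
    while True:
        sp = buf.find(b" ", 0, 11)           # header is at most 10 digits
        if sp == -1:
            if len(buf) > 10:
                raise ValueError("bad frame header")
            break                             # wait for more bytes
        head = buf[:sp]
        if not head.isdigit():
            raise ValueError("bad frame header")
        end = sp + 1 + int(head)
        if len(buf) < end:
            break                             # partial message, keep buffering
        msgs.append(buf[sp + 1:end])
        buf = buf[end:]
    return msgs, buf


def client_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Sender: verifies the collector against our CA and presents its own cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # check_hostname + CERT_REQUIRED by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def server_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Collector: presents its cert and refuses any sender without a cert from our CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    ctx.load_verify_locations(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send_messages(collector: str, msgs, ctx: ssl.SSLContext, port: int = 6514) -> None:
    """Sender side: one TLS connection, all messages octet-counted."""
    with socket.create_connection((collector, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=collector) as tls:
            tls.sendall(b"".join(frame(m) for m in msgs))


def serve_once(ctx: ssl.SSLContext, handle, bind: str = "0.0.0.0", port: int = 6514) -> None:
    """Collector side: accept one sender, reassemble frames, hand each message to handle()."""
    with socket.create_server((bind, port)) as srv:
        conn, addr = srv.accept()
        with ctx.wrap_socket(conn, server_side=True) as tls:
            peer = tls.getpeercert()          # authenticated identity of the sending device
            buf = b""
            while chunk := tls.recv(4096):
                buf += chunk
                msgs, buf = unframe(buf)
                for m in msgs:
                    handle(addr[0], peer.get("subject"), m)


# Constructed sample: the second message carries an injected newline and a fake record.
SAMPLE_MSGS = [
    b"<34>1 2024-05-01T12:00:00Z fw-edge-01 sshd - - - Accepted publickey for ops",
    b"<13>1 2024-05-01T12:00:01Z app-01 web - - - path=/login\n"
    b"<34>1 2024-05-01T12:00:01Z fw-edge-01 sshd - - - Accepted password for root",
]


def framing_demo(msgs=SAMPLE_MSGS, split_at=-5):
    """Frame msgs, deliver the stream in two chunks as TCP might, and reassemble."""
    stream = b"".join(frame(m) for m in msgs)
    first, rest = unframe(stream[:split_at])
    second, leftover = unframe(rest + stream[split_at:])
    return first + second, leftover


if __name__ == "__main__":
    got, leftover = framing_demo()
    print(len(got), "messages, leftover", leftover)
    for m in got:
        print(repr(m))
```

On a real deployment the sender would call something like send_messages("collector.example.com", SAMPLE_MSGS, client_context("ca.pem", "fw-edge-01.pem", "fw-edge-01.key")) and the collector serve_once(server_context("ca.pem", "collector.pem", "collector.key"), handle) with a handle() that records the peer certificate subject next to each message; those file names and hostnames are placeholders. Note that the injected newline in the second sample message still arrives as a single record because the frame carries its byte length, which is the property a newline-delimited stream lacks.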

Frequently asked questions

Is syslog on UDP 514 secure?
No. Classic syslog over UDP 514 has no authentication, integrity, or encryption, so messages can be spoofed, altered, or read in transit. Use syslog over TLS (TCP 6514) instead.
Why does log spoofing matter?
Forged log entries can hide an intrusion, frame innocent activity, or trigger false alerts — undermining the audit trail investigators rely on after an incident.