Syslog
Synopsis
Creates a Syslog server that accepts log messages over UDP or TCP connections. Supports both plain and TLS-encrypted connections, with configurable framing and buffering options.
Schema
- id: <numeric>
name: <string>
description: <string>
type: syslog
tags: <string[]>
pipelines: <pipeline[]>
status: <boolean>
properties:
protocol: <string>
address: <string>
port: <numeric>
framing: <string>
line_delimiter: <string>
max_connections: <numeric>
timeout: <numeric>
tls:
status: <boolean>
cert_name: <string>
key_name: <string>
reuse: <boolean>
workers: <numeric>
buffer_size: <numeric>
max_message_size: <numeric>
flush_interval: <numeric>
batch_size: <numeric>
queue:
interval: <numeric>
forwarding:
- address: <string>
port: <numeric>
type: <string>
Configuration
The following are the minimum requirements to define the device.
Device
| Field | Required | Default | Description |
|---|---|---|---|
id | Y | Unique identifier | |
name | Y | Device name | |
description | N | - | Optional description |
type | Y | Must be syslog | |
tags | N | - | Optional tags |
pipelines | N | - | Optional pre-processor pipelines |
status | N | true | Enable/disable the device |
Protocol
| Field | Required | Default | Description |
|---|---|---|---|
protocol | N | "udp" | Transport protocol (udp or tcp) |
address | N | "0.0.0.0" | Listen address |
port | Y | Listen port |
TCP
The following are only applicable when protocol is set to tcp.
| Field | Required | Default | Description |
|---|---|---|---|
framing | N | "delimiter" | Framing mode for TCP (delimiter or octet) |
line_delimiter | N | "\\n" | Line separator for TCP delimiter framing |
TLS
The following are only applicable when protocol is set to tcp.
| Field | Required | Default | Description |
|---|---|---|---|
tls.status | N | false | Enable TLS encryption |
tls.cert_name | Y | TLS certificate file path (required if TLS enabled) | |
tls.key_name | Y | TLS private key file path (required if TLS enabled) |
The TLS certificate and key files must be placed in the service root directory.
Advanced Configuration
To enhance performance and achieve better data handling, the following settings are used.
Performance Tuning
| Field | Required | Default | Description |
|---|---|---|---|
reuse | N | true | Enable socket address reuse |
workers | N | <dynamic> | Number of worker processes when reuse enabled |
max_connections | N | 10000 | Maximum concurrent TCP connections |
max_message_size | N | 20971520 | Maximum message size in bytes (20MB) |
timeout | N | 300 | Connection timeout in seconds |
buffer_size | N | 9000 | Network read buffer size in bytes |
Message Buffering
| Field | Required | Default | Description |
|---|---|---|---|
flush_interval | N | 1 | Message flush interval in seconds |
batch_size | N | 1000 | Number of messages to batch before flushing |
queue.interval | N | 1 | Queue processing interval in seconds |
Message Forwarding
| Field | Required | Default | Description |
|---|---|---|---|
forwarding[].address | Y | Forward destination address | |
forwarding[].port | N | 514 | Forward destination port |
forwarding[].type | N | "udp" | Forward protocol (udp or tcp) |
Examples
The following are commonly used configuration types.
Basic
A basic configuration can be created easily using "udp" for protocol and "0.0.0.0" for address.
Creating a simple UDP syslog server... | |
Checkpoint
The basic UDP Server can be configured to use a checkpoint pre-processing pipeline. This is a pre-processing pipeline that extracts Checkpoint firewall logs from syslog messages:
Creating a simple UDP syslog server with checkpoint... | |
If the device is a Checkpoint firewall, this pipeline will parse the logs and extract relevant fields for further processing. Otherwise, the pipeline will have no effect on the incoming messages.
High-Volume
Performance of a UDP server can be enhanced Volumes using multiple workers, a larger buffer size, a larger batch size, and adjusted flush intervals.
Optimizing for high message volumes... | |
The worker count will be automatically capped at the maximum number of physical cores available on the system.
Framing
For a TCP server with custom message framing, use a custom frame delimiter, connection limits, and an idle timeout:
TCP server with custom message framing... | |
When using TCP with delimiter framing, ensure the line_delimiter matches the client side.
Security
Security can be enhanced using TLS encryption, multiple forward destinations, and mixed protocols:
Securing the server forwarding the messages... | |
Forwarding
For message forwarding use network devices with single syslog output. This can also be implemented on legacy systems that need multiple destinations. The messages can be fanned out to different analysis tools.
Forwarding acts as a message replicator, sending exact copies of incoming messages to all configured destinations unmodified. This is particularly useful for network devices that can only send syslog data to a single destination.
The messages are forwarded exactly as received to the UDP server on port 514, and the TCP server on ports 1514 and 6514.
Forwarding incoming messages to multiple destinations... | |
When using TCP forwarding, ensure the destination servers can handle the connection load as each connection is persistent.