The tcp(), tcp6(), udp(), udp6() drivers can receive messages from the network using the TCP and UDP networking protocols. The tcp6() and udp6() drivers use the IPv6 network protocol, while tcp() and udp() use IPv4.
UDP is a simple datagram-oriented protocol, which provides "best effort service" to transfer messages between hosts. It may lose messages, and no attempt is made at the protocol level to retransmit such lost messages. The BSD-syslog protocol traditionally uses UDP.
TCP provides connection-oriented service: the path of the messages is flow-controlled, each message is acknowledged along this path, and lost packets are retransmitted. Generally it is safer to use TCP, because lost connections can be detected, and no messages get lost, assuming that the TCP connection does not break. When a TCP connection is broken, the 'in-transit' messages that were sent by syslog-ng but not yet received on the other side are lost. (These messages are still sitting in the socket buffer of the sending host, and syslog-ng has no information about their fate.)
The tcp() and udp() drivers do not have any required parameters. By default they bind to the 0.0.0.0:514 address, which means that syslog-ng will listen on all available interfaces, port 514. To limit accepted connections to only one interface, use the localip() parameter as described below.
For the list of available optional parameters, see Section 8.1.7, “tcp(), tcp6(), udp() and udp6()”.
Declaration:

    tcp([options]);
    udp([options]);

Note: The TCP port 514 is reserved for use with rshell, so select a different port if syslog-ng and rshell are used at the same time.
If you specify a multicast bind address to udp() and udp6(), syslog-ng will automatically join the necessary multicast group. TCP does not support multicasting.
The syslog-ng Premium Edition application supports TLS (Transport Layer Security, also known as SSL) for the tcp() and tcp6() drivers. See the TLS-specific options below and Section 3.13, “Encrypting log messages with TLS” for details. For the list of available optional parameters, see Section 8.1.5, “sun-streams() driver”.
Example 3.14. Using the udp() and tcp() drivers

A simple udp() source with default settings.

    source s_udp { udp(); };

A TCP source listening on the localhost interface, with a limited number of connections allowed.

    source s_tcp { tcp(ip(127.0.0.1) port(1999) max-connections(10)); };

A TCP source listening on a TLS-encrypted channel.

    source s_tcp { tcp(ip(127.0.0.1) port(1999)
        tls(peer-verify('required-trusted')
            key_file('/opt/syslog-ng/etc/syslog-ng/syslog-ng.key')
            cert_file('/opt/syslog-ng/etc/syslog-ng/syslog-ng.crt')));
    };

A TCP source listening for messages using the IETF-syslog message format. Note that for transferring IETF-syslog messages, generally you are recommended to use the

    source s_tcp_syslog { tcp(ip(127.0.0.1) port(1999) flags(syslog-protocol) ); };

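The defaults described above (listening on all interfaces, port 514, no TLS unless tls() is given, TCP port 514 shared with rshell) can be checked mechanically across a configuration. The following Python script is an added example, not part of the syslog-ng documentation or code; its function names, finding labels and the s_tls and s_default source names are assumptions, and it uses a simple bracket matcher instead of syslog-ng's own parser.

```python
import re

SOURCE = re.compile(r"\bsource\s+([\w.-]+)\s*\{")   # source <name> {
DRIVER = re.compile(r"\b(tcp6?|udp6?)\s*\(")        # tcp( tcp6( udp( udp6(

def balanced(text, start, open_ch, close_ch):
    """Index just past the bracket that closes the one opened before `start`."""
    depth, i = 1, start
    while i < len(text) and depth:
        depth += (text[i] == open_ch) - (text[i] == close_ch)
        i += 1
    return i

def network_sources(config):
    """Yield (source name, driver, option text) for network drivers in source blocks."""
    config = re.sub(r"#.*", "", config)  # drop comments
    for s in SOURCE.finditer(config):
        body = config[s.end():balanced(config, s.end(), "{", "}") - 1]
        for d in DRIVER.finditer(body):
            end = balanced(body, d.end(), "(", ")") - 1
            yield s.group(1), d.group(1), body[d.end():end]

def audit(config):
    """Return (source name, finding label) pairs in file order."""
    findings = []
    for name, driver, opts in network_sources(config):
        names = set(re.findall(r"([\w-]+)\s*\(", opts))  # option names used
        port = re.search(r"\bport\s*\(\s*(\d+)\s*\)", opts)
        port = int(port.group(1)) if port else 514  # default port per the page
        if not names & {"ip", "localip"}:
            findings.append((name, "all-interfaces"))  # no bind address given
        if driver.startswith("tcp"):
            if "tls" not in names:
                findings.append((name, "no-tls"))  # plaintext log transport
            if port == 514:
                findings.append((name, "tcp-port-514"))  # reserved for rshell
        else:
            findings.append((name, "udp-best-effort"))  # messages may be lost
    return findings

# Constructed sample: the page's example sources plus a bare tcp() source.
SAMPLE = """
source s_udp { udp(); };
source s_tcp { tcp(ip(127.0.0.1) port(1999) max-connections(10)); };
source s_tls { tcp(ip(127.0.0.1) port(1999) tls(peer-verify('required-trusted')
    key_file('/opt/syslog-ng/etc/syslog-ng/syslog-ng.key')
    cert_file('/opt/syslog-ng/etc/syslog-ng/syslog-ng.crt'))); };
source s_default { tcp(); };
"""
```

Calling `audit(SAMPLE)` reports nothing for s_tls and all three TCP findings for s_default; tcp() and udp() calls inside destination blocks are ignored because only source blocks are scanned.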
© 2007-2010 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com