6.14. syslog: Collecting messages using the IETF syslog protocol (syslog() driver)

The syslog() driver can receive messages from the network using the standard IETF-syslog protocol (as described in RFC5424-26). UDP, TCP, and TLS-encrypted TCP can all be used to transport the messages.

Note

The syslog() driver can also receive BSD-syslog-formatted messages (described in RFC 3164, see Section 2.8.1, BSD-syslog or legacy-syslog messages) if they are sent using the IETF-syslog protocol.

In syslog-ng OSE versions 3.1 and earlier, the syslog() driver could handle only messages in the IETF-syslog (RFC 5424-26) format.

For the list of available optional parameters, see Section 6.14.1, syslog() source options.

Declaration: 

syslog(ip() port() transport() options());
Example 6.32. Using the syslog() driver

TCP source listening on the localhost on port 1999.

source s_syslog { syslog(ip(127.0.0.1) port(1999) transport("tcp")); };

UDP source with defaults.

source s_udp { syslog( transport("udp")); };

Encrypted source where the client is also authenticated. For details on the encryption settings, see Section 10.4, TLS options.

source s_syslog_tls{ syslog(
    ip(10.100.20.40)
    transport("tls")
    tls(
    peer-verify(required-trusted)
    ca-dir('/opt/syslog-ng/etc/syslog-ng/keys/ca.d/')
    key-file('/opt/syslog-ng/etc/syslog-ng/keys/server_privatekey.pem')
    cert-file('/opt/syslog-ng/etc/syslog-ng/keys/server_certificate.pem')
    )
    );};
Warning

When receiving messages using the UDP protocol, increase the size of the UDP receive buffer on the receiver host (that is, the syslog-ng OSE server or relay receiving the messages). Note that on certain platforms, for example, on Red Hat Enterprise Linux 5, even low message load (~200 messages per second) can result in message loss, unless the so-rcvbuf() option of the source is increased. In such cases, you will need to increase the net.core.rmem_max parameter of the host (for example, to 1024000), but do not modify net.core.rmem_default parameter.

As a general rule, increase the so-rcvbuf() so that the buffer size in kilobytes is higher than the rate of incoming messages per second. For example, to receive 2000 messages per second, set the so-rcvbuf() at least to 2 097 152 bytes.