The syslog() driver can receive messages from the network using the standard IETF-syslog protocol (as described in RFC-5424, RFC-5425 and RFC-5426). UDP, TCP, and TLS-encrypted TCP can all be used to transport the messages.

NOTE: The syslog() driver can also receive BSD-syslog-formatted messages (described in RFC-3164, see BSD-syslog or legacy-syslog messages) if they are sent using the IETF-syslog protocol.

In syslog-ng OSE versions 3.1 and earlier, the syslog() driver could handle only messages in the IETF-syslog (RFC-5424) format.

For the list of available optional parameters, see syslog() source options.

Declaration

syslog(ip() port() transport() options());

Example: Using the syslog() driver

TCP source listening on the localhost on port 1999.

source s_syslog { syslog(ip(127.0.0.1) port(1999) transport("tcp")); };

UDP source with defaults.

source s_udp { syslog( transport("udp")); };

Encrypted source where the client is also authenticated. For details on the encryption settings, see TLS options.

source s_syslog_tls{ 
    syslog(
        ip(10.100.20.40)
        transport("tls")
        tls(
            peer-verify(required-trusted)
            ca-dir('/opt/syslog-ng/etc/syslog-ng/keys/ca.d/')
            key-file('/opt/syslog-ng/etc/syslog-ng/keys/server_privatekey.pem')
            cert-file('/opt/syslog-ng/etc/syslog-ng/keys/server_certificate.pem')
        )
    );
};

CAUTION: When receiving messages using the UDP protocol, increase the size of the UDP receive buffer on the receiver host (that is, the syslog-ng OSE server or relay receiving the messages).

Note that on certain platforms, for example, on Red Hat Enterprise Linux 5, even low message load (~200 messages per second) can result in message loss, unless the so-rcvbuf() option of the source is increased. In such cases, you will need to increase the net.core.rmem_max parameter of the host (for example, to 1024000), but do not modify the net.core.rmem_default parameter.

As a general rule, increase the so-rcvbuf() so that the buffer size in kilobytes is higher than the rate of incoming messages per second.
For example, to receive 2000 messages per second, set so-rcvbuf() to at least 2 097 152 bytes.
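
The sizing rule above as a shell check, added here as an example and not part of the syslog-ng documentation: it derives a so-rcvbuf() value from an expected message rate and reports whether net.core.rmem_max has to be raised first. The function names, the power-of-two rounding, and the sample limit of 212992 bytes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the syslog-ng documentation): size so-rcvbuf() for a
# UDP syslog() source and check that the kernel limit will not silently cap it.

# Smallest power-of-two buffer, in bytes, whose size in KiB exceeds the
# expected message rate (assumption: power-of-two rounding, which reproduces
# the page's 2000 msg/s -> 2097152 bytes figure).
min_rcvbuf() {
    rate=$1
    kib=1
    while [ "$kib" -le "$rate" ]; do
        kib=$((kib * 2))
    done
    echo $((kib * 1024))
}

# Compare the wanted buffer with net.core.rmem_max. On Linux an ordinary
# SO_RCVBUF request above rmem_max is silently reduced to rmem_max.
# $2 is the current limit; it defaults to the live value from /proc.
check_rmem_max() {
    want=$1
    cur=${2:-$(cat /proc/sys/net/core/rmem_max 2>/dev/null || echo 0)}
    if [ "$cur" -ge "$want" ]; then
        echo ok
    else
        echo raise
    fi
}

# Print the settings for a given rate (messages per second).
plan() {
    rate=$1
    want=$(min_rcvbuf "$rate")
    status=$(check_rmem_max "$want" "$2")
    if [ "$status" = raise ]; then
        echo "sysctl -w net.core.rmem_max=$want   # current limit is too low"
    fi
    echo "source s_udp { syslog(transport(\"udp\") so-rcvbuf($want)); };"
}

# Constructed sample: 2000 msg/s on a host whose limit is 212992 bytes.
plan 2000 212992
```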
