syslog: Collecting messages using the IETF syslog protocol (syslog() driver)
The syslog() driver can receive messages from the network using the standard IETF-syslog protocol (as described in RFC-5424, RFC-5425 and RFC-5426). UDP, TCP, and TLS-encrypted TCP can all be used to transport the messages.
NOTE: The syslog() driver can also receive BSD-syslog-formatted messages (described in RFC-3164, see BSD-syslog or legacy-syslog messages) if they are sent using the IETF-syslog protocol.
In syslog-ng OSE versions 3.1 and earlier, the syslog() driver could handle only messages in the IETF-syslog (RFC-5424) format.
For the list of available optional parameters, see syslog() source options.
Declaration
syslog(ip() port() transport() options());
Example: Using the syslog() driver
TCP source listening on the localhost on port 1999.
source s_syslog { syslog(ip(127.0.0.1) port(1999) transport("tcp")); };
UDP source with defaults.
source s_udp { syslog(transport("udp")); };
Encrypted source where the client is also authenticated. For details on the encryption settings, see TLS options.
source s_syslog_tls {
    syslog(
        ip(10.100.20.40)
        transport("tls")
        tls(
            peer-verify(required-trusted)
            ca-dir('/opt/syslog-ng/etc/syslog-ng/keys/ca.d/')
            key-file('/opt/syslog-ng/etc/syslog-ng/keys/server_privatekey.pem')
            cert-file('/opt/syslog-ng/etc/syslog-ng/keys/server_certificate.pem')
        )
    );
};
CAUTION: When receiving messages using the UDP protocol, increase the size of the UDP receive buffer on the receiver host (that is, the syslog-ng OSE server or relay receiving the messages). Note that on certain platforms, for example, on Red Hat Enterprise Linux 5, even low message load (~200 messages per second) can result in message loss, unless the so-rcvbuf() option of the source is increased. In such cases, you will need to increase the net.core.rmem_max parameter of the host (for example, to 1024000), but do not modify the net.core.rmem_default parameter.
As a general rule, increase so-rcvbuf() so that the buffer size in kilobytes is higher than the rate of incoming messages per second.
For example, to receive 2000 messages per second, set so-rcvbuf() to at least 2 097 152 bytes.
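The sizing rule above can be checked before deployment. The following is an added example, not part of the syslog-ng documentation: it tests a planned so-rcvbuf() value against the expected message rate and against net.core.rmem_max, which on Linux is the ceiling for a socket's requested receive buffer. The function names are hypothetical, and the source name s_udp is reused from the example earlier on this page.

```shell
#!/bin/sh
# Added example (not from the syslog-ng documentation).
# Function names are hypothetical; so-rcvbuf() and net.core.rmem_max
# are the option and kernel parameter named in the CAUTION above.

# Smallest whole-kilobyte buffer whose size in KB is strictly higher
# than the expected rate. $1 = expected messages per second.
min_rcvbuf_bytes() {
    echo $(( ($1 + 1) * 1024 ))
}

# check_rcvbuf RATE SO_RCVBUF_BYTES RMEM_MAX_BYTES
# Prints one of: too-small | raise-rmem-max | ok
check_rcvbuf() {
    rate=$1; rcvbuf=$2; rmem_max=$3
    if [ $(( rcvbuf / 1024 )) -le "$rate" ]; then
        echo "too-small"        # violates the KB > messages/second rule
    elif [ "$rcvbuf" -gt "$rmem_max" ]; then
        echo "raise-rmem-max"   # the kernel would cap the request
    else
        echo "ok"
    fi
}

# Read the current kernel ceiling on the receiver host (Linux).
host_rmem_max() {
    sysctl -n net.core.rmem_max
}

# Print a UDP source stanza carrying the chosen buffer size.
emit_source() {
    printf 'source s_udp { syslog(transport("udp") so-rcvbuf(%s)); };\n' "$1"
}

# Usage: ./rcvbuf-check.sh RATE SO_RCVBUF_BYTES
if [ "$#" -ge 2 ]; then
    verdict=$(check_rcvbuf "$1" "$2" "$(host_rmem_max)")
    echo "so-rcvbuf($2) at $1 msg/s: $verdict"
    if [ "$verdict" = "ok" ]; then
        emit_source "$2"
    fi
fi
```

A "raise-rmem-max" verdict means net.core.rmem_max has to be increased on the receiver before the so-rcvbuf() value can take full effect; net.core.rmem_default stays untouched, as the caution above states.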