Version: v1.6.0

Syslog Server

This module allows the Security Engine to expose a syslog server, and ingest logs directly from another syslog server (or any software that knows how to forward logs with syslog).

Only UDP is supported.

Syslog messages must conform either to RFC3164 or RFC5424, and can be up to 2048 bytes long by default (this value is configurable).

Configuration example

A basic configuration is as follows:

source: syslog
listen_addr: 127.0.0.1
listen_port: 4242
labels:
 type: syslog

Parameters

`listen_addr`

Address on which the syslog will listen. Defaults to 127.0.0.1.

`listen_port`

UDP port used by the syslog server. Defaults to 514.

`max_message_len`

Maximum length of a syslog message (including priority and facility). Defaults to 2048.

`source`

Must be syslog.

DSN and command-line

This module does not support command-line acquisition.

warning

This syslog datasource is currently intended for small setups, and is at risk of losing messages over a few hundreds events/second. To process significant amounts of logs, rely on dedicated syslog server such as rsyslog, with this server writting logs to files that Security Engine will read from. This page will be updated with further improvements of this data source.

Configuration example​

Parameters​

listen_addr​

listen_port​

max_message_len​

source​

DSN and command-line​