Syslog Forwarding
Logentries supports both TCP and UDP syslog forwarding. See below for details on configuring the different versions of syslog with Logentries.
Syslog uses a TCP/UDP connection for log forwarding. In order to securely identify your log entries, Logentries provides two identification methods:
- Token-based input (recommended) allows you to append a unique identifier (token) to each log entry. Syslog then sends logs to api.logentries.com on a common port number 10000 (20000 for SSL/TLS encryption). The token identifies all your log entries. It requires support for templates in your syslog implementation.
- Plain TCP input registers your IP address and port number to identify your logs and is supported by most syslog implementations. The disadvantage of this approach is that it locks you to a single IP address, which can be inconvenient for systems behind dynamic NAT.
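An rsyslog configuration for the token-based input described above, as an added example that is not taken from the Logentries page; the token value is a placeholder and the CA bundle path is an assumption about your distribution:

```conf
# Added example (not Logentries' own configuration): rsyslog legacy-syntax
# setup for token-based forwarding. Replace the token placeholder with your
# own token; the CA file path below is an assumption and may differ per distro.

# Template that prefixes every line with the token, so Logentries attributes
# the entry to your log by token rather than by your source IP address.
$template LogentriesFormat,"<YOUR-LOGENTRIES-TOKEN> %HOSTNAME% %syslogtag%%msg%\n"

# Option A: plain TCP (@@ = TCP, @ = UDP) to the common port 10000.
# Commented out here because option B is active; enable only one of them.
#*.* @@api.logentries.com:10000;LogentriesFormat

# Option B: TLS on port 20000 using the gtls stream driver (needs the
# rsyslog-gnutls package). The peer name is checked against the certificate.
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer api.logentries.com
*.* @@api.logentries.com:20000;LogentriesFormat
```

Restart rsyslog after saving the file; the configuration is only read at daemon start.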
Syslog Version
Determine which variant of syslog you run with the following command:
ps aux | grep syslog
The most commonly used syslog implementations in modern Linux systems are rsyslog and syslog-ng.
Syslog Troubleshooting
The most common pitfall during syslog configuration is not restarting the daemon after the configuration change. If you have restarted the syslog daemon without any error being reported, check that the logs are actually sent to Logentries. You can do that simply using the tcpdump command. Run as root (sudo):
tcpdump -s 1514 -X dst api.logentries.com
This command will print in an (almost) human-readable format all packets sent to api.logentries.com. If there are no packets displayed, then something is wrong with the syslog configuration. If you don't have tcpdump installed, please install the package of the same name.
