Sending via traditional syslog

This article describes how to send log data to a Devo relay using syslog. Earlier versions of the standard protocol, and Mac OS X implementations, support only UDP for transport, while later versions also support TCP. Because UDP lacks congestion control mechanisms, we recommend enabling TCP for all syslog transmissions to prevent possible data loss during transmission.

Configuration

To send all of the system's log data over UDP, open the /etc/syslog.conf file and add the following line to the end of the file. In the example below, replace DEVO-RELAY and PORT with the server name and port of the Devo relay. To view a list of active relays, go to Administration → Relays in the Devo web application.

*.*	@DEVO-RELAY:PORT

If the syslog version supports TCP, then open the /etc/syslog.conf file and add the following line to the end of the file.

*.*	@@DEVO-RELAY:PORT

Now restart the syslog service:

/etc/init.d/syslog restart

Use the logger command to send test messages. 

$ logger "Hello from an unsecure and simple log source1"
$ logger "Hello from an unsecure and simple log source2"
$ logger "Hello from an unsecure and simple log source3"
$ logger "Hello from an unsecure and simple log source4"
$ logger "Hello from an unsecure and simple log source5"

In the Devo web application, go to Data Search, locate the box.unix table and make sure that the logger messages appear in the table.

If the system has SELinux enabled in enforcing mode (run the getenforce command to check the status), it may be necessary to add exceptions to the SELinux policy. See SELinux policy for more information.
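
To confirm which transport each forwarding rule actually uses, the script below lists every remote-forwarding line in a syslog.conf-style file and counts the ones still on UDP. It is an added example, not part of the Devo documentation. The function names, the host relay.example and port 5140 are constructed for illustration, and it assumes the single-@ (UDP) and double-@ (TCP) syntax shown above, with 514 as the port when none is given.

```shell
#!/bin/sh
# Added example: audit forwarding rules in a syslog.conf-style file.

# Write a constructed sample configuration to the given path.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real configuration
*.info;mail.none	/var/log/messages
*.*	@relay.example:5140
auth.*	@@relay.example:5140
kern.*	@loghost
EOF
}

# Print one line per forwarding rule: "<udp|tcp> <selector> <host> <port>"
list_forwarders() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    # Drop comment and blank lines, then split selector and action.
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$1" |
    while read -r selector action rest; do
        case $action in
            @@*) proto=tcp; target=${action#@@} ;;
            @*)  proto=udp; target=${action#@} ;;
            *)   continue ;;   # local file, pipe, user: not forwarded
        esac
        host=${target%%:*}
        case $target in
            *:*) port=${target##*:} ;;
            *)   port=514 ;;   # default syslog port when none is given
        esac
        printf '%s %s %s %s\n' "$proto" "$selector" "$host" "$port"
    done
}

# Print the number of forwarding rules that still use UDP.
udp_forwarder_count() {
    out=$(list_forwarders "$1") || return
    printf '%s\n' "$out" | awk '$1 == "udp" { n++ } END { print n + 0 }'
}

# Demo on the constructed sample.
tmp=$(mktemp) && write_sample_conf "$tmp" && list_forwarders "$tmp"
echo "UDP rules: $(udp_forwarder_count "$tmp")"
rm -f "$tmp"
```

Run it against a copy of /etc/syslog.conf after editing; a non-zero UDP count means some rules still use the transport this article recommends replacing with TCP.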

Limitations of syslog

  • Syslog does not support the labeling of the log events sent to Devo. Therefore, to label the log events, forward them to a port on the relay with rules designed to correctly tag the events.
  • On some systems (e.g. Mac OS X), syslog only supports sending via UDP.
  • It does not natively support secure sending via SSL/TLS.
