Collect logs from Syslog and send them anywhere

A simple guide to collect logs from Syslog and send them anywhere in just a few minutes.
type: tutorial | domain: sources | source: syslog

Logs are an essential part of observing any service; without them you are flying blind. But collecting and analyzing them can be a real challenge -- especially at scale. Not only do you need to solve the basic task of collecting your logs, but you must do it in a reliable, performant, and robust manner. Nothing is more frustrating than having your logs pipeline fall on its face during an outage, or even worse, disrupt more important services!

Fear not! In this guide we'll show you how to collect logs from Syslog, send them anywhere, and build a logs pipeline that will be the backbone of your observability strategy.

Background

What is Syslog?

Syslog stands for System Logging Protocol and is a standard protocol used to send system log or event messages to a specific server, called a syslog server. It is primarily used to collect various device logs from several different machines in a central location for monitoring and review.

Strategy

How This Guide Works

We'll be using Vector to accomplish this task. Vector is a popular open-source utility for building observability pipelines. It's written in Rust, making it lightweight, ultra-fast and highly reliable. And we'll be deploying Vector as a service.

The service deployment strategy treats Vector like a separate service. It is designed to receive data from an upstream source and fan-out to one or more destinations. For this guide, Vector will receive data from Syslog via Vector's syslog source. The following diagram demonstrates how it works.

[Diagram: Vector service deployment strategy]
1. Vector receives data from Syslog
Vector will accept log data over the Syslog protocol via TCP, UDP, or Unix sockets.
2. Vector processes data
Vector parses, transforms, and enriches data.
3. Vector fans-out data
Vector receives data from another upstream Vector instance.

What We'll Accomplish

To be clear, here's everything we'll accomplish in this short guide:

  • Accept log data over the Syslog protocol via TCP, UDP, or Unix sockets.
    • Automatically parse Syslog 3164 and 5424 formats.
  • Send your logs to one or more destinations
  • All in just a few minutes!

Tutorial

  1. Install Vector

    curl --proto '=https' --tlsv1.2 -sSf https://sh.vector.dev | sh

    Or choose your preferred method.

  2. Configure Vector

    Where do you want to send your data? This guide uses the console sink, so the parsed events are printed to your terminal as JSON.

    cat <<-VECTORCFG > vector.toml
    [sources.in]
    type = "syslog"          # required
    mode = "tcp"             # required: "tcp", "udp", or "unix"
    address = "0.0.0.0:514"  # required when mode = "tcp" or "udp"; 0.0.0.0 listens on every interface, and port 514 needs root or CAP_NET_BIND_SERVICE
    # path = "/path/to/socket"  # used instead of address when mode = "unix"
    [sinks.out]
    # Encoding
    encoding.codec = "json"  # required
    # General
    inputs = ["in"]          # required
    type = "console"         # required
    VECTORCFG
  3. Start Vector

    vector --config vector.toml

    That's it! Simple and to the point. Hit ctrl+c to exit.
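    To check that the listener configured above actually receives and parses both formats the source supports (RFC 3164 and RFC 5424), here is an added example that is not part of this guide or of Vector itself. It builds one message in each format, shows the fields a syslog receiver extracts from them (a simplified model of what Vector's syslog source emits, not Vector's parser), and delivers them over TCP to the assumed address 127.0.0.1:514.

```python
import re
import socket
from datetime import datetime, timezone

# Facility and severity tables shared by RFC 3164 and RFC 5424 (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def pri(facility: str, severity: str) -> int:
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def rfc5424(facility, severity, host, app, msg, ts=None):
    """Build an RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    ts = (ts or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri(facility, severity)}>1 {ts} {host} {app} - - - {msg}"

def rfc3164(facility, severity, host, app, msg, ts=None):
    """Build an RFC 3164 (BSD) line: <PRI>TIMESTAMP HOST TAG: MSG."""
    ts = (ts or datetime.now(timezone.utc)).strftime("%b %d %H:%M:%S")
    return f"<{pri(facility, severity)}>{ts} {host} {app}: {msg}"

# Simplified patterns: structured data is skipped, and multi-line messages are not modelled.
RE_5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) \S+ \S+ (?:-|(?:\[[^\]]*\])+) (.*)$")
RE_3164 = re.compile(r"^<(\d{1,3})>(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\[ ]+)(?:\[\d+\])?: (.*)$")

def parse(line: str):
    """Return the fields a receiver extracts from one line, or None if it is not valid syslog."""
    m = RE_5424.match(line) or RE_3164.match(line)
    if not m:
        return None
    p, ts, host, app, msg = m.groups()
    p = int(p)
    if p > 191:  # highest legal PRI is local7/debug = 23 * 8 + 7
        return None
    return {"facility": FACILITIES[p // 8], "severity": SEVERITIES[p % 8],
            "hostname": host, "appname": app, "timestamp": ts, "message": msg}

def send_tcp(lines, host="127.0.0.1", port=514):
    """Deliver newline-framed messages to a TCP syslog listener (assumed: the Vector source above)."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall("".join(line + "\n" for line in lines).encode())

if __name__ == "__main__":
    samples = [rfc5424("auth", "crit", "mymachine", "su", "'su root' failed for lonvick"),
               rfc3164("local4", "notice", "host1", "sshd", "Accepted publickey for alice")]
    for line in samples:
        print(parse(line))  # the fields the receiver should report for each constructed sample
    send_tcp(samples)
```

    Compare the dictionaries printed locally with the JSON events Vector writes to the console; a mismatch in facility or severity usually means the sender is encoding PRI incorrectly.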

Next Steps

Vector is a powerful utility and we're just scratching the surface in this guide. Here are a few pages we recommend that demonstrate the power and flexibility of Vector:

Vector GitHub repo
Vector is free and open-source!
Vector getting started series
Go from zero to production in under 10 minutes!
Vector documentation
Thoughtful, detailed docs that respect your time.