Device Integration

Configure syslog forwarding from network devices, servers, and applications to Edge Delta.

  9 minute read  

This page provides configuration examples for setting up syslog forwarding from various sources to Edge Delta.

Configuring Syslog Sources

Rsyslog Configuration

Configure rsyslog to forward logs to Edge Delta:

# /etc/rsyslog.conf or /etc/rsyslog.d/edge-delta.conf

# Forward all logs to Edge Delta via UDP
*.* @<edge-delta-host>:5514

# Forward only critical logs via TCP for guaranteed delivery
*.crit @@<edge-delta-host>:6514

# Forward specific facilities
auth,authpriv.* @<edge-delta-host>:5514
kern.* @<edge-delta-host>:5514
mail.err @@<edge-delta-host>:6514

# Forward with custom template (RFC 5424)
$ActionForwardDefaultTemplate RSYSLOG_SyslogProtocol23Format
*.* @<edge-delta-host>:5514

This rsyslog configuration demonstrates different forwarding patterns for various use cases. The single @ symbol indicates UDP transport while double @@ specifies TCP. The selector syntax (facility.priority) controls which messages are forwarded—for example, *.crit sends all critical-level messages, while auth,authpriv.* sends all authentication-related logs regardless of severity. The last section enables RFC 5424 formatting using rsyslog’s built-in template for modern syslog protocol compliance.

After configuration, restart rsyslog:

sudo systemctl restart rsyslog

Syslog-ng Configuration

Configure syslog-ng to forward to Edge Delta:

# /etc/syslog-ng/syslog-ng.conf

destination d_edge_delta {
    network("<edge-delta-host>" port(5514) transport("udp"));
};

# For TCP with RFC 5424
destination d_edge_delta_tcp {
    syslog("<edge-delta-host>"
           port(6514)
           transport("tcp")
           flags(syslog-protocol));
};

log {
    source(s_src);
    destination(d_edge_delta);
};

This syslog-ng configuration creates two destination definitions for Edge Delta. The first uses the network() driver for simple UDP forwarding, while the second uses the syslog() driver with the syslog-protocol flag to enable RFC 5424 formatting over TCP. The log statement connects your existing log source (s_src) to the Edge Delta destination. You can modify the log statement to include filters or use the TCP destination instead by changing d_edge_delta to d_edge_delta_tcp.

Network Device Configuration

Cisco IOS

Configure Cisco IOS devices to forward syslog messages to Edge Delta. The logging trap command sets the minimum severity level (informational captures levels 0-6), while logging origin-id hostname ensures each message includes the device hostname for identification.

logging host <edge-delta-host> transport udp port 5514
logging trap informational
logging origin-id hostname

Juniper Junos

Configure Juniper devices to send syslog messages to Edge Delta. The first command specifies the destination host and port, the second sets the minimum severity level (any info captures all facilities at info level and above), and facility-override remaps all messages to the local0 facility for consistent processing.

set system syslog host <edge-delta-host> port 5514
set system syslog host <edge-delta-host> any info
set system syslog host <edge-delta-host> facility-override local0

FortiGate Firewall

FortiGate firewalls require RFC 6587 Octet Counting when using reliable (TCP) mode. This configuration demonstrates how to receive FortiGate logs with proper framing support.

Edge Delta Configuration:

nodes:
  - name: fortigate_syslog
    type: syslog_input
    protocol: rfc5424
    transport_protocol: tcp
    port: 514
    enable_octet_counting: true
    max_log_size: 10MiB
    location: America/New_York

FortiGate CLI Configuration:

config log syslogd setting
    set status enable
    set server "<edge-delta-host>"
    set port 514
    set mode reliable
    set facility local7
    set format rfc5424
end

The mode reliable setting triggers TCP with RFC 6587 Octet Counting. FortiGate logs include rich structured data that Edge Delta automatically parses into the structured_data field for easy downstream filtering and analysis.

Palo Alto Networks Firewall

Palo Alto Networks firewalls can send logs in both BSD (RFC 3164) and structured (RFC 5424) formats. For modern deployments, RFC 5424 is recommended.

Edge Delta Configuration:

nodes:
  - name: palo_alto_syslog
    type: syslog_input
    protocol: rfc5424
    transport_protocol: tcp
    port: 514
    max_log_size: 5MiB
    location: UTC

Palo Alto CLI Configuration:

configure
set shared log-settings syslog EdgeDelta-Server
  server EdgeDelta-Server transport TCP
  server EdgeDelta-Server server <edge-delta-host>
  server EdgeDelta-Server port 514
  server EdgeDelta-Server format IETF
  server EdgeDelta-Server facility LOG_USER
commit

The format IETF setting enables RFC 5424 structured syslog. Palo Alto logs contain detailed threat intelligence, user information, and application data in the structured data field.

Cisco ASA Firewall

Cisco ASA firewalls use traditional BSD syslog format (RFC 3164). Configure for UDP to match Cisco’s default behavior, or use TCP for guaranteed delivery of security events.

Edge Delta Configuration (UDP):

nodes:
  - name: cisco_asa_syslog
    type: syslog_input
    protocol: rfc3164
    transport_protocol: udp
    port: 514
    udp_async:
      readers: 4
      processors_count: 4
      max_queue_length: 1000
    location: America/Los_Angeles

Edge Delta Configuration (TCP for critical logs):

nodes:
  - name: cisco_asa_syslog_tcp
    type: syslog_input
    protocol: rfc3164
    transport_protocol: tcp
    port: 1514
    max_log_size: 2MiB
    location: America/Los_Angeles

Cisco ASA CLI Configuration:

logging enable
logging timestamp
logging trap informational
logging host inside <edge-delta-host> udp/514

# For TCP (use different port to avoid conflicts)
logging host inside <edge-delta-host> tcp/1514

F5 BIG-IP

F5 BIG-IP supports both RFC 3164 and RFC 5424 formats.

Edge Delta Configuration:

nodes:
  - name: f5_syslog
    type: syslog_input
    protocol: rfc5424
    transport_protocol: tcp
    port: 514
    max_log_size: 5MiB
    location: UTC

F5 TMSH Configuration:

# Create remote syslog destination
tmsh create sys syslog remote-servers add { EdgeDelta { host <edge-delta-host> remote-port 514 } }

# Configure what to log
tmsh modify sys syslog include "
destination remote_servers {
    EdgeDelta { }
}
"

Linux IPTables

Enable iptables logging and forward the resulting kernel messages to Edge Delta. The LOG target writes packet information to the kernel log with a custom prefix for easy identification. The --log-level 4 corresponds to the warning severity. After enabling iptables logging, configure rsyslog to forward these kernel warnings using the configuration shown in the rsyslog section above.

# Forward iptables logs
iptables -A INPUT -j LOG --log-prefix "iptables: " --log-level 4
# Configure rsyslog to forward kern.warning to Edge Delta

Application Integration

Python Application

Python’s built-in logging framework provides native syslog integration through the SysLogHandler class, allowing applications to send structured logs directly to Edge Delta without requiring system-level syslog configuration. This approach gives developers fine-grained control over which application events are forwarded and how they’re formatted.

import logging
import logging.handlers

# Configure syslog handler
handler = logging.handlers.SysLogHandler(
    address=('<edge-delta-host>', 5514),
    facility=logging.handlers.SysLogHandler.LOG_USER,
    socktype=socket.SOCK_DGRAM  # UDP
)

# Set format for RFC 5424
formatter = logging.Formatter('%(message)s')
handler.setFormatter(formatter)

# Add to logger
logger = logging.getLogger()
logger.addHandler(handler)
logger.setLevel(logging.INFO)

# Use in application
logger.info("Application started successfully")
logger.error("Database connection failed")

This configuration creates a syslog handler that sends messages over UDP to port 5514 using the USER facility. The formatter is kept minimal to allow the message content to be properly formatted according to syslog standards. Once configured, all log statements at INFO level and above will be automatically forwarded to Edge Delta, where they’ll be parsed and enriched with the appropriate syslog fields including timestamp, hostname, and severity based on the log level used.

Java Application (Log4j2)

Log4j2 provides enterprise-grade logging capabilities for Java applications with built-in syslog support. The Syslog appender can be configured declaratively through XML configuration files, enabling centralized log management without modifying application code. This approach is particularly valuable in microservices architectures where consistent logging across services is critical.

<!-- log4j2.xml -->
<Configuration>
  <Appenders>
    <Syslog name="EdgeDelta"
            format="RFC5424"
            host="<edge-delta-host>"
            port="5514"
            protocol="UDP"
            appName="MyApp"
            facility="USER"
            includeMDC="true">
      <PatternLayout pattern="%m"/>
    </Syslog>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="EdgeDelta"/>
    </Root>
  </Loggers>
</Configuration>

This Log4j2 configuration creates a Syslog appender that formats messages according to RFC 5424 standards and sends them via UDP to Edge Delta. The includeMDC="true" setting ensures that any Mapped Diagnostic Context (MDC) data, such as request IDs or user identifiers, is included as structured data in the syslog message. The PatternLayout is kept simple to prevent double-formatting, allowing Log4j2’s syslog appender to properly structure the message with all required syslog fields.

Docker Container Logging

Docker’s logging driver architecture allows containers to send their stdout and stderr streams directly to syslog destinations without requiring any changes to the containerized application. This container-level approach ensures that all output from the application, including startup messages and uncaught exceptions, is captured and forwarded to Edge Delta.

# Configure Docker to send container logs via syslog
docker run --log-driver=syslog \
  --log-opt syslog-address=udp://<edge-delta-host>:5514 \
  --log-opt syslog-format=rfc5424 \
  --log-opt tag="{{.Name}}/{{.ID}}" \
  myapp:latest

The Docker syslog driver configuration uses RFC 5424 format for structured logging and includes container metadata through the tag template. The {{.Name}}/{{.ID}} tag format provides both the container name and a unique identifier in each log message, making it easy to correlate logs across container restarts or scaling events. This approach works seamlessly with container orchestrators like Docker Swarm or standalone Docker hosts, though Kubernetes users typically rely on the Edge Delta DaemonSet for log collection instead.

Testing Syslog Configuration

After configuring your systems, you can test the connection using these methods:

Using Logger Command

# Send test message from Linux/Unix systems
logger -n <edge-delta-host> -P 5514 -p user.info "Test message from $(hostname)"

# Test with different priorities
logger -n <edge-delta-host> -P 5514 -p user.error "Test error message"
logger -n <edge-delta-host> -P 5514 -p user.crit "Test critical message"

Using Netcat for Manual Testing

# Send RFC 5424 formatted test message via UDP
echo '<14>1 2025-09-04T12:00:00Z test-host app - - - Test connection' | nc -u -w1 <edge-delta-host> 5514

# Test TCP connection
echo '<14>1 2025-09-04T12:00:00Z test-host app - - - TCP test' | nc -w1 <edge-delta-host> 6514

Testing RFC 6587 Octet Counting

Test octet counting framing required by FortiGate:

# Manually construct octet-counted message
# Format: <byte-count><space><message>
# Message: <34>1 2025-10-06T12:00:00Z test app - - - Octet test

# Calculate length (52 bytes in this example)
MSG='<34>1 2025-10-06T12:00:00Z test app - - - Octet test'
LENGTH=${#MSG}
echo "${LENGTH} ${MSG}" | nc <edge-delta-host> 514

# Test with longer message
MSG='<34>1 2025-10-06T12:00:00Z hostname myapp 123 ID47 - This is a longer test message for octet counting validation'
LENGTH=${#MSG}
echo "${LENGTH} ${MSG}" | nc <edge-delta-host> 514

Testing RFC 5424 Structured Data

Test structured data parsing with realistic examples:

# FortiGate-style structured data
echo '<34>1 2025-10-06T12:00:00Z firewall01 fortios 5678 ID47 [fortigate@32473 vd="root" logid="0000000013" type="traffic" subtype="forward"] Traffic allowed' | nc <edge-delta-host> 514

# Cisco-style structured data
echo '<134>1 2025-10-06T12:00:00Z switch01 ios 1234 LINK-3-UPDOWN [cisco@9 interface="GigabitEthernet1/0/1" state="up"] Interface state changed' | nc <edge-delta-host> 514

# Multiple structured data elements
echo '<34>1 2025-10-06T12:00:00Z app01 myapp 999 MSG123 [origin@123 ip="10.0.0.5"][meta@123 user="john" session="abc"] User login successful' | nc <edge-delta-host> 514

Testing Multiline Logs

Test multiline log handling (TCP only):

# Java stack trace simulation
cat <<'EOF' | nc <edge-delta-host> 514
<134>Oct 6 12:00:00 appserver java: Exception in thread "main"
<134>Oct 6 12:00:00 appserver java:     at com.example.Main.main(Main.java:15)
<134>Oct 6 12:00:00 appserver java: Caused by: java.lang.NullPointerException
<134>Oct 6 12:00:00 appserver java:     at com.example.Helper.process(Helper.java:42)
EOF

Note: With proper multiline.line_start_pattern configuration, these should be assembled into a single log entry.

High-Volume Load Testing

Test async UDP performance with high message rates:

# Install hping3 for high-rate UDP testing
sudo apt-get install hping3  # Debian/Ubuntu
sudo yum install hping3       # RHEL/CentOS

# Generate high-rate UDP syslog traffic
# Adjust loop count and sleep interval for desired message rate
for i in {1..10000}; do
  echo "<134>Oct 6 12:00:00 test syslog: Load test message $i" | nc -u -w0 <edge-delta-host> 514 &
  if [ $((i % 100)) -eq 0 ]; then sleep 0.1; fi
done

# Monitor for dropped packets
watch -n 1 'netstat -su | grep "packet receive errors"'

Performance Benchmark Script

Create a simple benchmark to measure throughput:

#!/bin/bash
# syslog-benchmark.sh

HOST="<edge-delta-host>"
PORT=514
MESSAGES=10000

echo "Sending $MESSAGES messages to $HOST:$PORT"
START=$(date +%s.%N)

for i in $(seq 1 $MESSAGES); do
  echo "<134>Oct 6 12:00:00 benchmark test: Message $i" | nc -u -w0 $HOST $PORT 2>/dev/null
done

END=$(date +%s.%N)
ELAPSED=$(echo "$END - $START" | bc)
RATE=$(echo "scale=2; $MESSAGES / $ELAPSED" | bc)

echo "Sent $MESSAGES messages in $ELAPSED seconds"
echo "Average rate: $RATE messages/second"

Run the benchmark:

chmod +x syslog-benchmark.sh
./syslog-benchmark.sh

Verify Receipt

Check Edge Delta Live Capture or logs to confirm messages are being received and processed correctly. For structured data tests, verify that the structured_data field is properly populated with the key-value pairs.