Syslog

The Syslog connector can receive all kinds of syslog messages. You can configure it to receive data on specific ports, but it doesn’t apply classification and enrichment to the messages (apart from standard syslog parsing).

Add new syslog connector

To create a new syslog connector, complete the following steps:

  1. Select Connectors > Create new rule. (Alternatively, you can select Add Connector > Create a connector rule on the Connectors page of an AxoRouter host.)

    Connector rules list

  2. Select Syslog.

  3. Select the template to use one of the standard syslog ports and networking protocols, for example, UDP 514 for the RFC3164 syslog protocol.

    To configure a different port, or to specify the protocol elements manually, select Custom.

    Syslog connector template

  4. Configure the connector rule.

    1. Enter a name for the connector rule into the Rule Name field.

    2. (Optional) Add labels to the connector rule. You will be able to use these labels in Flow Processing steps, for example, in the Query field of Select Messages steps.

    3. Set the Router Selector for the connector rule. The selector determines which AxoRouter instances will have a connector based on this connector rule.

      Router selectors

      • If you leave the Router Selector field empty, the rule will match every AxoRouter instance.
      • To select only a specific AxoRouter instance, set the name field with the name of the instance as selector.
      • If you set multiple fields in the selector, the connector rule will apply only to AxoRouter instances that match all elements of the selector. (There in an AND relationship between the fields.)

    4. (Optional) Enter a Suffix for the connector rule. This suffix will be used in the name of the connector instances created on the AxoRouter hosts. For example, if the name of a matching AxoRouter instance is “my-axorouter”, and the suffix of the rule is “otlp-rule”, the connector created for the AxoRouter will be named “my-axorouter-otlp-rule”.

      If the Suffix field is empty, the name of the connector rule is used instead.

    5. (Optional) Enter a description for the rule.

  5. Select the protocol to use for receiving syslog data: TCP, UDP, or TLS.

    Syslog connector settings

    When using TLS, set the paths for the certificates and keys used for the TLS-encrypted communication with the clients.

    You can use absolute paths (for example, /etc/axorouter/user-config/tls-key.pem). The key and the certificate must be in PEM format. You must manually copy these files to their place on the AxoRouter host, currently you can’t distribute them from Axoflow Console. The recommended path for certificates is anywhere under /etc/axorouter/user-config/. (If you need to use a different path, you have to append an option like -v /your/path:/your/path to the AXOROUTER_PODMAN_ARGS variable of /etc/axorouter/container.env.)

    • CA certificate path: The CA certificate that AxoRouter uses to authenticate the clients.
    • Server certificate path: The certificate that AxoRouter shows to the clients.
    • Server private key path: The private key of the server certificate.

  6. (Optional) If explicitly needed for your use case, you can configure *Framing manually. Otherwise, leave it on Auto. Enable framing (On) if the payload contains the length of the message as specified in RFC6587 3.4.1. Disable (Off) for non-transparent-framing RFC6587 3.4.2.

  7. Set the Port of the connector. The port number must be unique on the AxoRouter host. Axoflow Console will not provision a connector to an AxoRouter if it would cause a port collision, but other software on the given host may already be using the chosen port number (for example, an SSH server on TCP port 22). In this case, AxoRouter won’t be able to reload the configuration and it will indicate an error.

  8. (Optional) If you’re expecting high-volume UDP traffic on your AxoRouter instances that will have this connector, enable UDP loadbalancing by entering the number of UDP sockets to use. The maximum recommended value is the number of cores available in the AxoRouter host.

    UDP loadbalancing in AxoRouter is based on eBPF. Note that if you enable loadbalancing, messages of the same high-traffic source may be processed out of order. For details on how eBPF loadbalancing works, see the Scaling syslog to 1M EPS with eBPF blog post.

  9. (Optional) If needed for your environment, set protocol-specific connector options as needed.

    You can also modify the product and vendor labels of the connector. In that case, Axoflow will treat the incoming messages as it was received and classified as data from the specified product. This is useful if you want to send data from a specific product to a dedicated port.

    These labels and other parameters of the connector will be available under the meta.connector key as metadata for the messages received via the connector, and can be used in routing decisions and processing steps. You can check the metadata of the messages using log tapping.

    Connectors of the host

  10. Select Create.

    Axoflow automatically creates connectors on the AxoRouter hosts that match the Router Selector.

    Make sure to enable the ports you’ve configured in the connector on the firewall of the AxoRouter host, and on other firewalls between the AxoRouter host and your data sources.

Protocol-specific connector options

  • Encoding: The character set of the messages, for example, UTF-8.
  • Maximum connections: The maximum number of simultaneous connections the connector can receive.
  • Socket buffer size: The size of the socket buffer (in bytes).

TCP options

  • TCP Keepalive Time Interval: The interval (number of seconds) between subsequential keepalive probes, regardless of the traffic exchanged in the connection.
  • TCP Keepalive Probes: The number of unacknowledged probes to send before considering the connection dead.
  • TCP Keepalive Time: The interval (in seconds) between the last data packet sent and the first keepalive probe.

TLS options

For TLS, you can use the TCP-specific options, and also the following:

  • Require MTLS: If enabled, the clients sending data to the connector must have a TLS certificate, otherwise AxoRouter will reject the connection.
  • Verify client certificate: If enabled, AxoRouter verifies certificate of the client, and rejects connections with invalid certificates.

Labels

The AxoRouter syslog connector adds the following meta labels:

label value
connector.type syslog
connector.name The Name of the connector
connector.port The port number where the connector receives data