# syslog: Collect messages using the IETF-syslog protocol The `syslog()` driver can receive messages from the network using the standard IETF-syslog protocol (as described in RFC5424-26). UDP, TCP, and TLS-encrypted TCP can all be used to transport the messages. Note The `syslog()` driver can also receive BSD-syslog-formatted messages (described in RFC 3164, see [BSD-syslog or legacy-syslog messages](../../docs/axosyslog-core/chapter-concepts/concepts-message-structure/concepts-message-bsdsyslog/index.md)) if they are sent using the IETF-syslog protocol. In AxoSyslog versions 3.1 and earlier, the `syslog()` driver could handle only messages in the IETF-syslog (RFC 5424-26) format. Starting with version 4.10, AxoSyslog can automatically detect RFC6587-style octet-count based framing. For details, see the [transport option](../../docs/axosyslog-core/chapter-sources/source-syslog/reference-source-syslog-chapter/index.md#transport). For the list of available optional parameters, see [syslog() source options](../../docs/axosyslog-core/chapter-sources/source-syslog/reference-source-syslog-chapter/index.md). ## Declaration: ``` syslog(ip() port() transport() options()); ``` ## Example: Using the syslog() driver TCP source listening on the localhost on port 1999. ``` source s_syslog { syslog(ip(127.0.0.1) port(1999) transport("tcp")); }; ``` UDP source with defaults. ``` source s_udp { syslog( transport("udp")); }; ``` Encrypted source where the client is also authenticated. For details on the encryption settings, see [TLS options](../../docs/axosyslog-core/chapter-encrypted-transport-tls/tlsoptions/index.md). ``` source s_syslog_tls{ syslog( ip(10.100.20.40) transport("tls") tls( peer-verify(required-trusted) ca-dir('/opt/syslog-ng/etc/syslog-ng/keys/ca.d/') key-file('/opt/syslog-ng/etc/syslog-ng/keys/server_privatekey.pem') cert-file('/opt/syslog-ng/etc/syslog-ng/keys/server_certificate.pem') ) ); }; ``` Warning When receiving messages using the UDP protocol, increase the size of the UDP receive buffer on the receiver host (that is, the AxoSyslog server or relay receiving the messages). Note that on certain platforms, for example, on Red Hat Enterprise Linux 5, even low message load (~200 messages per second) can result in message loss, unless the `so-rcvbuf()` option of the source is increased. In this cases, you will need to increase the `net.core.rmem_max` parameter of the host (for example, to `1024000`), but do not modify `net.core.rmem_default` parameter. As a general rule, increase the `so-rcvbuf()` so that the buffer size in kilobytes is higher than the rate of incoming messages per second. For example, to receive 2000 messages per second, set the `so-rcvbuf()` at least to `2 097 152` bytes. * * * [syslog() source options](../../docs/axosyslog-core/chapter-sources/source-syslog/reference-source-syslog-chapter/index.md) Last modified February 15, 2025: [Documents transport(auto) (102680e)]()