Logentries supports both TCP and UDP syslog forwarding. See below for details on configuring the different versions of syslog with Logentries.
Syslog uses a TCP/UDP connection for log forwarding. In order to securely identify your log entries, Logentries provides two identification methods:
- Token-based input (recommended) allows you to append a unique identifier (token) to each log entry. Syslog then sends logs to api.logentries.com on a common port number (port 20000 when SSL/TLS encryption is used). The token identifies all your log entries. It requires support for templates in your syslog implementation.
- Plain TCP input registers your IP address and port number to identify your logs and is supported by most syslog implementations. The disadvantage of this approach is that it ties you to a single IP address, which can be inconvenient for systems behind dynamic NAT.
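The token-based method described above depends on a template that prefixes each message with the token. As an added example (not configuration from the Logentries page), the following rsyslog legacy-syntax fragment does this over TLS to api.logentries.com:20000; it assumes rsyslog with the gtls driver available, a system CA bundle at /etc/ssl/certs/ca-certificates.crt, and uses a placeholder token.

```conf
# Added example, not from the Logentries page. Assumes rsyslog with the
# gtls netstream driver and a CA bundle at the path below.

# Encrypt the forwarding stream and verify the server certificate, so the
# token and the log contents are never sent in cleartext or to an
# impersonated endpoint.
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer api.logentries.com

# Template that prepends the token (placeholder value) to every entry.
$template LogentriesFormat,"YOUR-TOKEN-PLACEHOLDER %HOSTNAME% %syslogtag%%msg%\n"

# Forward all facilities and priorities over TCP (@@) using that template.
*.* @@api.logentries.com:20000;LogentriesFormat
```

Restart rsyslog after saving the file; the configuration is not picked up until the daemon is restarted.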
Determine which variant of syslog you run with the following command:
ps aux|grep syslog
The most common pitfall during syslog configuration is not restarting the daemon after a configuration change.
If you have restarted the syslog daemon without any error being reported, check that the logs are actually being sent to Logentries. You can do that with the tcpdump command, run as root (sudo):
tcpdump -s 1514 -X dst api.logentries.com
This command prints, in an (almost) human-readable format, all packets sent to api.logentries.com. If no packets are displayed, something is wrong with the syslog configuration. Note that when SSL/TLS is used (port 20000) only the packet headers are readable; the payload shown by -X is encrypted. If you don't have tcpdump installed, install the package of the same name.