Logentries supports both TCP and UDP syslog forwarding. See below for details on configuring the different versions of syslog with Logentries.
- Token-based input (recommended) allows you to append a unique identifier (token) to each log entry. Syslog then sends logs to api.logentries.com on a common port number (port 20000 for SSL/TLS encryption). The token identifies all your log entries. This method requires support for templates in your syslog implementation.
- Plain TCP input registers your IP address and port number to identify your logs and is supported by most syslog implementations. The disadvantage of this approach is that it locks you to a single IP address, which can be inconvenient for systems behind dynamic NAT.
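Token-based forwarding over TLS, as an added rsyslog configuration example that is not part of the Logentries documentation: the template prepends the token to every line and the action forwards to api.logentries.com on port 20000 with the server certificate verified. The token value and the CA file path are placeholders, and rsyslog's gtls netstream driver (rsyslog-gnutls package) is assumed to be installed.

```conf
# Added example: rsyslog legacy-syntax configuration for Logentries token-based input over TLS.
# Assumptions: rsyslog with the gtls netstream driver (rsyslog-gnutls), a CA bundle at the
# placeholder path below that can verify the api.logentries.com certificate, and a token
# obtained from Logentries (LOGENTRIES_TOKEN_PLACEHOLDER below is not a real token).

# Verify the server certificate before any log data leaves the host, so neither the token
# nor the log contents are sent to an impostor or over an unverified channel.
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/logentries-ca.pem
$DefaultNetstreamDriver gtls

# Mode 1 = require TLS for the action below; authenticate the peer by certificate name.
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer api.logentries.com

# Template that prepends the token to each message. %syslogtag% already ends with its
# separator, so no extra space is placed between tag and message.
$template LogentriesFormat,"LOGENTRIES_TOKEN_PLACEHOLDER %HOSTNAME% %syslogtag%%msg%\n"

# Forward everything over TCP (@@ = TCP) to the TLS port, formatted with the template.
*.* @@api.logentries.com:20000;LogentriesFormat

# Restart rsyslog after saving this file, then confirm traffic with the tcpdump check
# described in the troubleshooting section.
```

Because the session is encrypted, tcpdump will show packets to port 20000 but not the token or message text inside them.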
Syslog Version

Determine which variant of syslog you run with the following command:

ps aux|grep syslog

The most commonly used syslog implementations in modern Linux systems are rsyslog and syslog-ng.
Syslog Troubleshooting

The most common pitfall during syslog configuration is forgetting to restart the daemon after the configuration change. If you have restarted the syslog daemon without any error being reported, check that the logs are actually sent to Logentries. You can do that simply using the tcpdump command. Run as root (sudo):

tcpdump -s 1514 -X dst api.logentries.com

This command prints, in an (almost) human-readable format, all packets sent to api.logentries.com. If no packets are displayed, something is wrong with the syslog configuration. Note that when forwarding over SSL/TLS (port 20000), the payload shown by -X is encrypted, so the presence of packets, not their contents, is what confirms forwarding. If you don't have tcpdump installed, install the package of the same name.