Syslog Integration
Native syslog receiver for RFC 3164 and RFC 5424 log formats over TCP and UDP. Parse structured fields, apply AI anomaly detection, and correlate syslog events with metrics and traces.
How It Works
Point Syslog to TigerOps
Configure your syslog daemon (rsyslog, syslog-ng, or journald) to forward to the TigerOps syslog endpoint. The endpoint supports TCP port 514, UDP port 514, and TLS TCP port 6514.
Select RFC Format
TigerOps auto-detects RFC 3164 (BSD syslog) and RFC 5424 (IETF syslog) framing. Structured data elements in RFC 5424 are extracted as searchable fields automatically.
Enrich with Parsing Rules
Add grok or regex parsing rules for your application message payloads within the syslog MSG field. TigerOps extracts fields like request_id, user_id, and status_code for fast filtering.
Set Severity-Based Alerts
Configure alert policies by facility, severity, or parsed field values. TigerOps can page on-call when the error rate spikes, using AI baseline thresholds rather than static counts.
What You Get Out of the Box
RFC 3164 & RFC 5424 Parsing
Full compliance with both syslog RFCs. TigerOps parses priority (facility + severity), timestamp, hostname, app-name, procid, msgid, and structured-data elements natively.
TCP, UDP, and TLS Transport
Accept syslog over UDP (port 514), TCP with octet-counting framing (port 514), and TLS-encrypted TCP (port 6514). Mutual TLS client certificate auth is also supported.
Structured Data Element Extraction
RFC 5424 SD-ELEMENT key-value pairs are automatically extracted as indexed fields. Query [timeQuality tzKnown="1"] or custom SD-IDs directly without grok parsing.
Facility and Severity Filtering
Filter and route log streams by syslog facility (kern, mail, daemon, auth) and severity (emerg, alert, crit, err, warning, notice, info, debug) in real time.
AI Anomaly Detection on Error Rates
TigerOps learns per-host and per-application error message rates. Alerts fire when error rates deviate from learned baselines — catching subtle issues that threshold rules miss.
Cross-Signal Correlation
Correlate syslog error bursts with host CPU spikes, disk I/O saturation, or application trace error rates. TigerOps links log events to metric anomalies automatically.
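To make the parsing and framing described above concrete, here is an added Python example (not TigerOps code) that splits an octet-counted TCP stream, decodes the priority into facility and severity, and extracts SD-ELEMENT parameters, including escaped characters. The function names, the sample message, the EXAMPLE-KEY token, and reading the 1 MB limit as 2**20 bytes are assumptions made for illustration.

```python
import re

# Conventional names for RFC 5424 facility codes 0-23 and severity codes 0-7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_FRAME = 1024 * 1024  # assumption: the 1 MB octet-counted limit, read as 2**20 bytes
NAME, VALUE = r'[^ =\]"]+', r'"(?:\\.|[^"\\\]])*"'  # SD-NAME and a quoted PARAM-VALUE
HEADER = re.compile(r"<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ")
ELEMENT = re.compile(rf"\[({NAME})((?: {NAME}={VALUE})*)\]")
PARAM = re.compile(rf" ({NAME})=({VALUE})")
UNESCAPE = re.compile(r'\\(["\\\]])')  # only \" \\ and \] are escapes in a PARAM-VALUE

def split_frames(buf):
    """Split an octet-counted stream ('LEN SP MSG') into (complete messages, leftover bytes)."""
    frames = []
    while buf:
        head, sep, rest = buf.partition(b" ")
        if not head.isdigit() or len(head) > 7 or int(head) > MAX_FRAME:
            raise ValueError("invalid octet count")  # reject before buffering a body
        if not sep or len(rest) < int(head):
            break  # incomplete frame: keep the bytes until more arrive
        frames.append(rest[:int(head)])
        buf = rest[int(head):]
    return frames, buf

def parse_rfc5424(raw):
    """Decode one RFC 5424 message into header fields, facility/severity and SD-ELEMENTs."""
    text = raw.decode("utf-8", "replace")
    m = HEADER.match(text)
    if not m or (pri := int(m.group(1))) > 191:  # 191 = facility 23, severity 7
        raise ValueError("not a valid RFC 5424 header")
    rec = dict(zip(("timestamp", "hostname", "app_name", "procid", "msgid"), m.groups()[1:]),
               facility=FACILITIES[pri >> 3], severity=SEVERITIES[pri & 7], sd={})
    rest = text[m.end():]
    while (e := ELEMENT.match(rest)):  # one iteration per [SD-ID name="value" ...]
        params = PARAM.findall(e.group(2))
        rec["sd"][e.group(1)] = {k: UNESCAPE.sub(r"\1", v[1:-1]) for k, v in params}
        rest = rest[e.end():]
    if not rec["sd"]:
        if not rest.startswith("-"):
            raise ValueError("malformed STRUCTURED-DATA")
        rest = rest[1:]  # "-" is the NILVALUE: no structured data present
    rec["msg"] = rest[1:] if rest.startswith(" ") else rest
    return rec

# Constructed sample message (not captured traffic); EXAMPLE-KEY is a placeholder token.
SAMPLE = b'<11>1 2024-05-01T12:00:00Z web01 nginx 4242 - [auth@123456 token="EXAMPLE-KEY"][timeQuality tzKnown="1"] upstream timed out'
if __name__ == "__main__":
    print(parse_rfc5424(split_frames(b"%d " % len(SAMPLE) + SAMPLE)[0][0]))
```

The length check runs before any message body is buffered, so a sender cannot make the receiver allocate for an arbitrarily large declared frame.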
rsyslog Forwarding to TigerOps
Forward syslog messages over TLS TCP from rsyslog to TigerOps.
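    # Forward all syslog to TigerOps via TLS TCP (RFC 5424)
    # rsyslog 8.x and later

    # omfwd is built into rsyslog and needs no module() load. TLS is provided by
    # the gtls netstream driver (packaged separately, e.g. as rsyslog-gnutls).
    # CA used to verify the server certificate. The path below is a placeholder:
    # point it at the TigerOps CA certificate.
    global(DefaultNetstreamDriverCAFile="/path/to/tigerops-ca.pem")

    # RFC 5424 format with API key authentication via SD-ELEMENT (structured data).
    # A template must be defined before the action that references it.
    # rsyslog does not expand ${TIGEROPS_API_KEY} in a template string: substitute
    # the real key when this file is deployed, and restrict read access to the file.
    template(name="TigerOpsFormat" type="string"
        string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% [auth@123456 token=\"${TIGEROPS_API_KEY}\"] %MSG%\n"
    )

    # TLS forwarding to TigerOps syslog endpoint
    action(
        type="omfwd"
        Target="ingest.atatus.net"
        Port="6514"
        Protocol="tcp"
        TCP_Framing="octet-counted"
        # Send every message in the RFC 5424 template defined above
        template="TigerOpsFormat"
        # TLS settings: mode 1 = TLS only; x509/name checks the server certificate
        # against the CA and requires its name to match the permitted peer
        StreamDriver="gtls"
        StreamDriverMode="1"
        StreamDriverAuthMode="x509/name"
        StreamDriverPermittedPeers="ingest.atatus.net"
        # Queue for reliability (disk-assisted, survives restarts)
        queue.type="linkedList"
        queue.size="10000"
        queue.discardMark="9750"
        queue.highWaterMark="8000"
        queue.filename="tigerops-fwd"
        queue.saveOnShutdown="on"
        # Retry indefinitely while the endpoint is unreachable
        action.resumeRetryCount="-1"
    )

Common Questions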
Does TigerOps support both RFC 3164 and RFC 5424 simultaneously?
Yes. TigerOps auto-detects the syslog format per message. You can mix RFC 3164 and RFC 5424 sources on the same endpoint, and TigerOps normalizes both into a unified log schema for consistent querying.
Is UDP syslog reliable enough for production log collection?
UDP is fire-and-forget and can lose messages under network congestion. For production workloads, we recommend TCP with octet-counting framing. TigerOps supports both — use UDP for high-volume, low-criticality sources and TCP for application error logs.
How do I secure syslog transport to TigerOps?
Use TLS TCP (port 6514) with the TigerOps CA certificate. Optionally enable mutual TLS with a client certificate issued by your internal PKI. API key authentication is also supported via the SD-ELEMENT auth@tigerops token field.
Can TigerOps parse custom application log formats inside the MSG field?
Yes. Define grok, regex, or JSON parsing rules in TigerOps that apply to the syslog MSG field. Extracted fields become indexed and searchable alongside the native syslog header fields.
What is the maximum syslog message size TigerOps accepts?
RFC 5424 specifies a minimum of 480 bytes; TigerOps accepts messages up to 64 KB. For TCP transport with octet-counting framing, message sizes up to 1 MB are supported for applications that embed structured JSON payloads in syslog.
Give Your Syslog Streams Structured Search and AI Alerting
Native RFC 3164 and RFC 5424 ingestion. No agents required — just point your syslog daemon at TigerOps.