Syslog/TLS forwarding

Use this path when you already have rsyslog or similar syslog-based infrastructure and want to forward into logging24 without switching to the native Linux binary or the l24 CLI.

When to use this

  • You already operate centralized syslog forwarding.
  • You need infrastructure-level forwarding from appliances or existing rsyslog estates.
  • You want to keep syslog/TLS as the transport layer.

Overview

The syslog receiver expects a stable external identifier inside the forwarded message format. That identifier is then associated with a logging24 write-token configuration in the web UI.

1. Generate an identifier

Generate a unique identifier in the expected d.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx shape:

# 16 random bytes -> 32 hex digits, grouped 8-4-4-4-12 and prefixed with "d."
od -vAn -N16 -tx1 < /dev/urandom | \
awk '{ gsub (" ", "", $0); print }' | \
cut -c 1-8,9-12,13-16,17-20,21-32 --output-delimiter "-" | \
awk '$0="d."$0'

2. Create the matching write token

  1. Create a write token in the logging24 web UI.
  2. Select the external-ID mode used for syslog-style forwarding.
  3. Enter the generated identifier as the external identifier.
  4. Set prefixes for later search scoping.

3. Configure rsyslog

Create a dedicated rsyslog config such as /etc/rsyslog.d/99-l24.conf:

template(name="l24Stream0" type="string"
  string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% d.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx %APP-NAME% %PROCID% %MSGID% - %msg%\n")

*.* action(
  type="omfwd"
  protocol="tcp"
  tcp_framing="octet-counted"
  StreamDriver="gtls"
  StreamDriverMode="1"
  StreamDriverAuthMode="anon"
  target="ingest.logging24.com"
  port="9100"
  template="l24Stream0"
)

Replace the sample identifier with the one you generated.

4. Restart rsyslog

systemctl restart rsyslogd

The unit is named rsyslog on some distributions; use that name if rsyslogd is not found.

Config details

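  • tcp_framing="octet-counted": Uses octet-counted framing rather than legacy line-based syslog framing.
  • StreamDriver="gtls": Enables TLS transport.
  • StreamDriverMode="1": Puts rsyslog into TLS client mode for this action.
  • StreamDriverAuthMode="anon" (the omfwd parameter that sets the TLS authentication mode): Uses anonymous TLS auth in this receiver model. The connection is encrypted, but rsyslog does not verify the receiver's certificate.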
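
Added example (not logging24's own code): a Python sketch of what the template and octet-counted framing put on the wire inside the TLS session, with a parser that recovers the identifier from the HOSTNAME position and rejects a placeholder that was never replaced. The sample identifier, timestamp, function names and the "-" MSGID are constructed for illustration.

```python
import re

# Identifier shape from step 1: "d." plus 8-4-4-4-12 lowercase hex digits.
ID_RE = re.compile(r"d\.[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")
SAMPLE_ID = "d.0123abcd-4567-89ab-cdef-0123456789ab"  # constructed, not a real token


def render(ident, app, procid, msg, pri=14, ts="2024-01-01T00:00:00+00:00"):
    """Render one line as the l24Stream0 template would (MSGID assumed "-")."""
    return f"<{pri}>1 {ts} {ident} {app} {procid} - - {msg}\n".encode("utf-8")


def frame(payload):
    """Octet-counted framing: decimal length in bytes, one space, the message."""
    return str(len(payload)).encode("ascii") + b" " + payload


def parse_stream(data):
    """Split a framed byte stream and return (identifier, message) pairs."""
    out, pos = [], 0
    while pos < len(data):
        sp = data.index(b" ", pos)
        length = int(data[pos:sp])  # counts bytes, so multi-byte UTF-8 is safe
        payload = data[sp + 1 : sp + 1 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        pos = sp + 1 + length
        # Header order: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
        fields = payload.decode("utf-8").rstrip("\n").split(" ", 7)
        if len(fields) < 8:
            raise ValueError("incomplete header")
        ident = fields[2]  # the template places the identifier in HOSTNAME
        if not ID_RE.fullmatch(ident):
            raise ValueError(f"identifier has the wrong shape: {ident!r}")
        out.append((ident, fields[7]))
    return out


if __name__ == "__main__":
    stream = frame(render(SAMPLE_ID, "sshd", "812", "login failed für root"))
    stream += frame(render(SAMPLE_ID, "app", "7", "line one\nline two"))
    for ident, msg in parse_stream(stream):
        print(ident, repr(msg))
```

Because the length prefix delimits each record, a message containing a newline arrives as one event instead of being split, which is what line-based framing would do.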

Troubleshooting

  • Verify the generated identifier exactly matches the external identifier configured in logging24.
  • Check rsyslog status with systemctl status rsyslog or systemctl status rsyslogd, depending on your distribution.
  • Inspect rsyslog logs with journalctl -u rsyslog -f.
  • Check network reachability to ingest.logging24.com:9100.
