HAProxy config tutorials

Syslog forwarding

Available since

  • HAProxy 2.3
  • HAProxy Enterprise 2.3r1
  • HAProxy ALOHA 13.0

Forwarding vs load balancing

This page describes how to forward Syslog messages to a single, remote server. If instead you would like to load balance messages to multiple servers, see Syslog.

The load balancer can receive Syslog log messages, buffering them in memory for short-term storage, before forwarding them to a remote log server. It thereby acts as a collection point for logs originating on the network until it relays them to a destination log server. This allows you to scale out your logging infrastructure, rather than having all devices send logs directly to the log server.

Receive, buffer, and forward Syslog messages Jump to heading

You can receive incoming Syslog messages over UDP, TCP, or both by adding a log-forward section to your configuration. The dgram-bind directive is used for receiving UDP log messages, and the bind directive is used for receiving TCP log messages.

haproxy
log-forward syslog
# Listen on UDP port 514 for incoming UDP log messages
dgram-bind 0.0.0.0:514
# Listen on TCP port 514 for incoming TCP log messages
bind 0.0.0.0:514
haproxy
log-forward syslog
# Listen on UDP port 514 for incoming UDP log messages
dgram-bind 0.0.0.0:514
# Listen on TCP port 514 for incoming TCP log messages
bind 0.0.0.0:514

You have the option to forward Syslog messages over UDP or TCP; we don’t recommend implementing both options at the same time because you will forward duplicate log messages.

Forward logs with the UDP protocol Jump to heading

Add the log directive to forward Syslog messages over UDP. Replace <your_syslog_server_ip_address> with your Syslog server’s IP address.

haproxy
log-forward syslog
# Listen on UDP port 514 for incoming UDP messages
dgram-bind 0.0.0.0:514
# Listen on TCP port 514 for incoming TCP messages
bind 0.0.0.0:514
# Forward outgoing messages with UDP
log <your_server_ip_address>:514 local0
haproxy
log-forward syslog
# Listen on UDP port 514 for incoming UDP messages
dgram-bind 0.0.0.0:514
# Listen on TCP port 514 for incoming TCP messages
bind 0.0.0.0:514
# Forward outgoing messages with UDP
log <your_server_ip_address>:514 local0

Forward logs with the TCP protocol Jump to heading

  1. In the log-forward section, add the log directive to place logs into a ring buffer.

    haproxy
    log-forward syslog
    # Listen on TCP port 514
    bind 0.0.0.0:514
    # Listen on UDP port 514
    dgram-bind 0.0.0.0:514
    log ring@logbuffer local0
    haproxy
    log-forward syslog
    # Listen on TCP port 514
    bind 0.0.0.0:514
    # Listen on UDP port 514
    dgram-bind 0.0.0.0:514
    log ring@logbuffer local0
  2. Add a ring section to buffer messages until they can be sent to the remote Syslog server. It’s best to add only one server to a ring section. You can create multiple ring sections with one server each. Replace <your_syslog_server_ip_address> with your Syslog server’s IP address.

    haproxy
    log-forward syslog
    # Listen on TCP port 514
    bind 0.0.0.0:514
    # Listen on UDP port 514
    dgram-bind 0.0.0.0:514
    log ring@logbuffer local0
    ring logbuffer
    description "buffer for logs"
    format rfc5424
    maxlen 1500
    size 65536
    timeout connect 10s
    timeout server 20s
    # Sends outgoing messages via TCP
    server logserver <your_syslog_server_ip_address>:514
    haproxy
    log-forward syslog
    # Listen on TCP port 514
    bind 0.0.0.0:514
    # Listen on UDP port 514
    dgram-bind 0.0.0.0:514
    log ring@logbuffer local0
    ring logbuffer
    description "buffer for logs"
    format rfc5424
    maxlen 1500
    size 65536
    timeout connect 10s
    timeout server 20s
    # Sends outgoing messages via TCP
    server logserver <your_syslog_server_ip_address>:514

Standardize the Syslog protocol Jump to heading

In the log-forward section, you can translate incoming messages to a standardized Syslog protocol, such as the RFC 5424 format, regardless of the Syslog format in which they were received. Add the format argument to the log directive:

haproxy
log-forward syslog
# Listen on TCP port 514
bind 0.0.0.0:514
# Listen on UDP port 514
dgram-bind 0.0.0.0:514
log ring@logbuffer format rfc5424 local0
haproxy
log-forward syslog
# Listen on TCP port 514
bind 0.0.0.0:514
# Listen on UDP port 514
dgram-bind 0.0.0.0:514
log ring@logbuffer format rfc5424 local0

Forward HAProxy logs Jump to heading

In addition to forwarding Syslog log messages from other network devices, you can also use a ring section to forward HAProxy logs over TCP. Otherwise, HAProxy sends its logs over UDP via the log directive in the global section.

Below is the traditional way to send HAProxy logs to a remote Syslog server over UDP:

haproxy
global
log 192.168.1.100 local0
defaults
log global
haproxy
global
log 192.168.1.100 local0
defaults
log global

Replace <your_syslog_server_ip_address> with your Syslog server’s IP address and send them over TCP instead:

haproxy
global
log ring@logbuffer local0
defaults
log global
ring logbuffer
description "buffer for logs"
format rfc5424
maxlen 1500
size 65536
timeout connect 10s
timeout server 20s
# Sends outgoing messages via TCP
server logserver <your_syslog_server_ip_address>:514
haproxy
global
log ring@logbuffer local0
defaults
log global
ring logbuffer
description "buffer for logs"
format rfc5424
maxlen 1500
size 65536
timeout connect 10s
timeout server 20s
# Sends outgoing messages via TCP
server logserver <your_syslog_server_ip_address>:514

See also Jump to heading

Do you have any suggestions on how we can improve the content of this page?