HAProxy config tutorials

Syslog forwarding

On this page

Available since

  • HAProxy 2.3
  • HAProxy Enterprise 2.3r1
  • HAProxy ALOHA 13.0

Forwarding vs load balancing

This page describes how to forward Syslog messages to a single, remote server. If instead you would like to load balance messages to multiple servers, see Syslog.

The load balancer can receive Syslog log messages, buffering them in memory for short-term storage, before forwarding them to a remote log server. It thereby acts as a collection point for logs originating on the network until it relays them to a destination log server. This allows you to scale out your logging infrastructure, rather than having all devices send logs directly to the log server.

Receive, buffer, and forward Syslog messages Jump to heading

You can recieve incoming Syslog messages over UDP, TCP, or both by adding a log-forward section to your configuration. The dgram-bind directive is used for recieving UDP log messages, and the bind directive is used for recieving TCP log messages.

haproxy
log-forward syslog
  # Listen on UDP port 514 for incoming UDP log messages
  dgram-bind 0.0.0.0:514
  # Listen on TCP port 514 for incoming TCP log messages
  bind 0.0.0.0:514
haproxy
log-forward syslog
  # Listen on UDP port 514 for incoming UDP log messages
  dgram-bind 0.0.0.0:514
  # Listen on TCP port 514 for incoming TCP log messages
  bind 0.0.0.0:514

You have the option to forward Syslog messages over UDP or TCP; we don’t recommend implementing both options at the same time because you will forward duplicate log messages.

Forward logs with the UDP protocol Jump to heading

Add the log directive to forward Syslog messages over UDP. Replace <your_syslog_server_ip_address> with your Syslog server’s IP address.

haproxy
log-forward syslog
  # Listen on UDP port 514 for incoming UDP messages
  dgram-bind 0.0.0.0:514
  # Listen on TCP port 514 for incoming TCP messages
  bind 0.0.0.0:514
  # Forward outgoing messages with UDP
  log <your_server_ip_address>:514 local0
haproxy
log-forward syslog
  # Listen on UDP port 514 for incoming UDP messages
  dgram-bind 0.0.0.0:514
  # Listen on TCP port 514 for incoming TCP messages
  bind 0.0.0.0:514
  # Forward outgoing messages with UDP
  log <your_server_ip_address>:514 local0

Forward logs with the TCP protocol Jump to heading

  1. In the log-forward section, add the log directive to place logs into a ring buffer.

    haproxy
    log-forward syslog
      # Listen on TCP port 514
      bind 0.0.0.0:514
      
      # Listen on UDP port 514
      dgram-bind 0.0.0.0:514
      
      log ring@logbuffer local0
    haproxy
    log-forward syslog
      # Listen on TCP port 514
      bind 0.0.0.0:514
      
      # Listen on UDP port 514
      dgram-bind 0.0.0.0:514
      
      log ring@logbuffer local0

  2. Add a ring section to buffer messages until they can be sent to the remote Syslog server. It’s best to add only one server to a ring section. You can create multiple ring sections with one server each. Replace <your_syslog_server_ip_address> with your Syslog server’s IP address.

    haproxy
    log-forward syslog
      # Listen on TCP port 514
      bind 0.0.0.0:514
      
      # Listen on UDP port 514
      dgram-bind 0.0.0.0:514
      
      log ring@logbuffer local0
    ring logbuffer
      description "buffer for logs"
      format rfc5424
      maxlen 1500
      size 65536
      timeout connect 10s
      timeout server 20s
      
      # Sends outgoing messages via TCP
      server logserver <your_syslog_server_ip_address>:514
    haproxy
    log-forward syslog
      # Listen on TCP port 514
      bind 0.0.0.0:514
      
      # Listen on UDP port 514
      dgram-bind 0.0.0.0:514
      
      log ring@logbuffer local0
    ring logbuffer
      description "buffer for logs"
      format rfc5424
      maxlen 1500
      size 65536
      timeout connect 10s
      timeout server 20s
      
      # Sends outgoing messages via TCP
      server logserver <your_syslog_server_ip_address>:514

Standardize the Syslog protocol Jump to heading

In the log-forward section, you can translate incoming messages to a standardized Syslog protocol, such as the RFC 5424 format, regardless of the Syslog format in which they were received. Add the format argument to the log directive:

haproxy
log-forward syslog
  # Listen on TCP port 514
  bind 0.0.0.0:514
  
  # Listen on UDP port 514
  dgram-bind 0.0.0.0:514
  
  log ring@logbuffer format rfc5424 local0
haproxy
log-forward syslog
  # Listen on TCP port 514
  bind 0.0.0.0:514
  
  # Listen on UDP port 514
  dgram-bind 0.0.0.0:514
  
  log ring@logbuffer format rfc5424 local0

Forward HAProxy logs Jump to heading

In addition to forwarding Syslog log messages from other network devices, you can also use a ring section to forward HAProxy logs over TCP. Otherwise, HAProxy sends its logs over UDP via the log directive in the global section.

Below is the traditional way to send HAProxy logs to a remote Syslog server over UDP:

haproxy
global
  log 192.168.1.100 local0
defaults
  log global
haproxy
global
  log 192.168.1.100 local0
defaults
  log global

Replace <your_syslog_server_ip_address> with your Syslog server’s IP address and send them over TCP instead:

haproxy
global
  log ring@logbuffer local0
defaults
  log global
ring logbuffer
  description "buffer for logs"
  format rfc5424
  maxlen 1500
  size 65536
  timeout connect 10s
  timeout server 20s
     
  # Sends outgoing messages via TCP
  server logserver <your_syslog_server_ip_address>:514
haproxy
global
  log ring@logbuffer local0
defaults
  log global
ring logbuffer
  description "buffer for logs"
  format rfc5424
  maxlen 1500
  size 65536
  timeout connect 10s
  timeout server 20s
     
  # Sends outgoing messages via TCP
  server logserver <your_syslog_server_ip_address>:514

See also Jump to heading

Do you have any suggestions on how we can improve the content of this page?

Previous page Server-side encryption Next page Traffic policing
© 2024 HAProxy Technologies, LLC. All Rights Reserved
Manage Cookie Preferences