Syslog — Forward MideyeServer Logs to Syslog Servers

MideyeServer can forward log events to syslog servers for centralized log collection, correlation with other system logs, and integration with SIEM (Security Information and Event Management) platforms.


Quickstart — send logs to syslog in 2 minutes

Getting syslog forwarding to work requires two pieces in logback.xml. This is the most common source of confusion — adding only one of the two will not work:

  1. The appender — defines where and how to send logs (server address, port, format)
  2. A logger reference — tells Logback to actually use the appender for matching log events

Think of it like a mailbox and a mail carrier: the appender is the mailbox (it knows the destination), but without the logger reference nothing will ever put mail into it.

Copy both blocks into your logback.xml, adjust syslogHost, save, and logs will start flowing within 60 seconds (Logback auto-reloads the file):

logback.xml — add both blocks
<!-- 1) APPENDER — defines the syslog destination -->
<appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
  <syslogHost>syslog.example.com</syslogHost> <!-- ← change this -->
  <facility>LOCAL0</facility>
  <port>514</port>
  <suffixPattern>mideyeserver %d{ISO8601,UTC} %p [%t] %c{0} - %m%n</suffixPattern>
</appender>

<!-- 2) LOGGER REFERENCE — connects the appender to the log stream -->
<root level="WARN">
  <appender-ref ref="SYSLOG" />
</root>

For the full configuration file path on your platform, see Overview.


This page covers three approaches, from simplest to most robust:

| Method | Transport | Reliability | Complexity | Best for |
| --- | --- | --- | --- | --- |
| Logback SyslogAppender | UDP only | Standard | Low | Simple local syslog |
| rsyslog imfile | TCP, TLS, RELP | High | Medium | Production deployments |
| syslog-ng file source | TCP, TLS | High | Medium | Existing syslog-ng setups |

MideyeServer’s logback.xml includes a commented-out SyslogAppender configuration. This is the simplest option for local or UDP-based syslog forwarding.

  • UDP only — no TCP or TLS support
  • No buffering — logs may be lost during restarts or network issues
  • Fire-and-forget — no delivery confirmation
  1. Edit logback.xml

    Location: See Overview for platform-specific paths.

  2. Uncomment the SYSLOG appender

    Find this section near the end of the file and remove the comment markers:

    logback.xml
    <appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
      <syslogHost>localhost</syslogHost>
      <facility>LOCAL0</facility>
      <port>514</port>
      <suffixPattern>java %d{ISO8601,UTC} %p %t %c %M - %m%n</suffixPattern>
    </appender>

  3. Customize settings

    | Parameter | Description | Default | Recommendation |
    | --- | --- | --- | --- |
    | syslogHost | Hostname or IP of syslog server | localhost | Use remote server IP for centralized logging |
    | port | UDP port | 514 | Standard syslog port (may require firewall rules) |
    | facility | Syslog facility code | LOCAL0 | Use LOCAL0 to LOCAL7 for application logs |
    | suffixPattern | Log message format | ISO8601 timestamp + log details | Customize to match your syslog parser |

    Example for remote server:

    logback.xml
    <appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
      <syslogHost>syslog.example.com</syslogHost>
      <facility>LOCAL6</facility>
      <port>514</port>
      <suffixPattern>mideyeserver %d{ISO8601,UTC} %p [%t] %c{0} - %m%n</suffixPattern>
    </appender>

  4. Attach appender to root logger

    Uncomment and customize the root logger configuration for syslog:

    logback.xml
    <!-- Send WARN and higher to syslog -->
    <root level="WARN">
      <appender-ref ref="SYSLOG" />
    </root>

    Or attach to a specific logger for selective forwarding:

    logback.xml
    <!-- Send only MideyeServer errors to syslog -->
    <logger name="com.mideye.mideyeserver" level="ERROR" additivity="false">
      <appender-ref ref="SYSLOG"/>
    </logger>

  5. Save and verify

    Changes take effect automatically within 60 seconds. Check your syslog server to confirm messages are arriving.

| Facility | Numeric Code | Typical Use |
| --- | --- | --- |
| USER | 1 | User-level messages (default) |
| LOCAL0 | 16 | Local use 0 (custom applications) |
| LOCAL1 | 17 | Local use 1 |
| LOCAL2 | 18 | Local use 2 |
| LOCAL3 | 19 | Local use 3 |
| LOCAL4 | 20 | Local use 4 |
| LOCAL5 | 21 | Local use 5 |
| LOCAL6 | 22 | Local use 6 |
| LOCAL7 | 23 | Local use 7 |
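
What a collector receives from the SyslogAppender configured above, shown as an added example (not MideyeServer or Logback code): a Python parser for the quickstart suffixPattern that decodes the PRI value into the facility and severity codes listed on this page. It assumes the header Logback's SyslogAppender prepends (`<PRI>`, a `MMM dd HH:mm:ss` timestamp and the sender's hostname); the sample lines and their host, thread and logger names are constructed.

```python
import re

# Facility and severity codes from the tables on this page.
FACILITIES = {1: "USER", **{16 + i: f"LOCAL{i}" for i in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed header (<PRI>, "MMM dd HH:mm:ss", host) followed by the suffixPattern
#   mideyeserver %d{ISO8601,UTC} %p [%t] %c{0} - %m%n
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) mideyeserver "
    r"(?P<utc>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) \[(?P<thread>[^\]]*)\] "
    r"(?P<logger>\S+) - (?P<message>.*)$",
    re.DOTALL,
)

def decode_pri(pri):
    """Split a syslog PRI value (facility * 8 + severity) into names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]

def parse_line(line, expected_facility="LOCAL0"):
    """Return the parsed fields, or None on a pattern or facility mismatch."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None  # suffixPattern and parser disagree, or a foreign sender
    facility, severity = decode_pri(int(m["pri"]))
    if facility != expected_facility:
        return None  # arrived on a facility the appender is not configured for
    event = m.groupdict()
    event.update(facility=facility, severity=severity)
    return event

# Constructed sample datagrams (host, thread, logger and text are made up).
SAMPLES = [
    "<132>Mar  4 10:15:02 mideye01 mideyeserver 2024-03-04 10:15:02,123 "
    "WARN [worker-3] AuthHandler - Authentication failed for user alice\n",
    "<131>Mar  4 10:15:09 mideye01 mideyeserver 2024-03-04 10:15:09,877 "
    "ERROR [worker-1] DbPool - Connection lost\n",
    "<14>Mar  4 10:15:10 mideye01 cron[411]: unrelated message\n",
]

if __name__ == "__main__":
    print(*map(parse_line, SAMPLES), sep="\n")
```

A line that returns None is the signal to compare the collector's parsing rule with the suffixPattern and facility actually set in logback.xml.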

The imfile module allows rsyslog to tail log files and forward them to remote syslog servers with TCP, TLS, and reliable message queuing.

  • rsyslog installed on the MideyeServer host (typically included in Linux distributions)
  • rsyslog with imfile module (standard in rsyslog 8.0+)
  1. Create rsyslog configuration file

    Terminal window
    sudo nano /etc/rsyslog.d/30-mideyeserver.conf
  2. Add imfile configuration

    /etc/rsyslog.d/30-mideyeserver.conf
    # Load imfile module (if not already loaded)
    module(load="imfile" PollingInterval="10")

    # MideyeServer main log
    input(type="imfile"
          File="/opt/mideyeserver6/log/mideyeserver.log"
          Tag="mideyeserver"
          Severity="info"
          Facility="local6"
          reopenOnTruncate="on")

    # MideyeServer error log
    input(type="imfile"
          File="/opt/mideyeserver6/log/mideyeserver.error"
          Tag="mideyeserver-error"
          Severity="error"
          Facility="local6"
          reopenOnTruncate="on")

    # Forward to remote syslog server (TCP)
    if $syslogtag contains 'mideyeserver' then @@syslog.example.com:514

  3. Choose forwarding protocol

    | Protocol | Syntax | Description |
    | --- | --- | --- |
    | UDP | @server:514 | Fire-and-forget, fast, may lose messages |
    | TCP | @@server:514 | Reliable, confirms delivery |
    | TCP with TLS | @@server:6514 | Encrypted, requires TLS setup |
    | RELP | :omrelp:server:2514 | Reliable Event Logging Protocol |

    Example: TCP forwarding

    if $syslogtag contains 'mideyeserver' then @@syslog.example.com:514

    Example: TLS forwarding

    # TLS configuration (add before the forwarding rule)
    $DefaultNetstreamDriver gtls
    $DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-bundle.crt
    $ActionSendStreamDriverMode 1
    $ActionSendStreamDriverAuthMode x509/name
    $ActionSendStreamDriverPermittedPeer syslog.example.com
    # Forward over TLS
    if $syslogtag contains 'mideyeserver' then @@syslog.example.com:6514
  4. Test configuration syntax

    Terminal window
    sudo rsyslogd -N1

    Look for errors related to your configuration file.

  5. Restart rsyslog

    Terminal window
    sudo systemctl restart rsyslog
    sudo systemctl status rsyslog
  6. Verify forwarding

    Check your remote syslog server to confirm MideyeServer logs are arriving with the mideyeserver tag.

Advanced: local filtering before forwarding

Filter log events before sending to reduce network traffic:

/etc/rsyslog.d/30-mideyeserver.conf
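# Option A: forward only ERROR and WARN messages (severity 4 and more severe).
# imfile stamps every line with the Severity set on its input, so with the
# inputs above this matches only the mideyeserver-error input (Severity="error").
if $syslogtag contains 'mideyeserver' and ($syslogseverity <= 4) then @@syslog.example.com:514

# Option B: forward INFO and higher (severity 6 and more severe).
# Use one option, not both, or matching messages are forwarded twice.
if $syslogtag contains 'mideyeserver' and ($syslogseverity <= 6) then @@syslog.example.com:514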

Syslog severity mapping:

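| Priority | Severity | Numeric |
| --- | --- | --- |
| Emergency | emerg | 0 |
| Alert | alert | 1 |
| Critical | crit | 2 |
| Error | err | 3 |
| Warning | warning | 4 |
| Notice | notice | 5 |
| Informational | info | 6 |
| Debug | debug | 7 |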

Advanced: queue configuration for reliability

Add message queuing to handle network outages:

/etc/rsyslog.d/30-mideyeserver.conf
# Create a disk-assisted queue for reliable forwarding
$ActionQueueType LinkedList
$ActionQueueFileName mideyeserver_queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueTimeoutEnqueue 0
$ActionResumeRetryCount -1
# Forward with queue
if $syslogtag contains 'mideyeserver' then @@syslog.example.com:514

If you use syslog-ng instead of rsyslog, configure a file source to tail MideyeServer logs.

  1. Create syslog-ng configuration file

    Terminal window
    sudo nano /etc/syslog-ng/conf.d/mideyeserver.conf
  2. Add file source and destination

    /etc/syslog-ng/conf.d/mideyeserver.conf
    # Source: tail MideyeServer log files
    source s_mideyeserver {
      file("/opt/mideyeserver6/log/mideyeserver.log"
           follow-freq(1)
           flags(no-parse)
           program-override("mideyeserver"));
    };

    source s_mideyeserver_error {
      file("/opt/mideyeserver6/log/mideyeserver.error"
           follow-freq(1)
           flags(no-parse)
           program-override("mideyeserver-error"));
    };

    # Destination: remote syslog server (TCP)
    destination d_remote_syslog {
      syslog("syslog.example.com"
             transport("tcp")
             port(514));
    };

    # Log path: connect source to destination
    log {
      source(s_mideyeserver);
      source(s_mideyeserver_error);
      destination(d_remote_syslog);
    };

  3. TCP with TLS

    /etc/syslog-ng/conf.d/mideyeserver.conf
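    # Use this destination and log path in place of the plain-TCP ones from
    # step 2; keeping both sends every message twice, once unencrypted.
    destination d_remote_syslog_tls {
      syslog("syslog.example.com"
             transport("tls")
             port(6514)
             tls(ca-dir("/etc/ssl/certs")
                 peer-verify(required-trusted)));
    };

    log {
      source(s_mideyeserver);
      source(s_mideyeserver_error);   # include the error log, as in step 2
      destination(d_remote_syslog_tls);
    };
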
  4. Test and restart

    Terminal window
    # Test configuration
    sudo syslog-ng -s
    # Restart syslog-ng
    sudo systemctl restart syslog-ng
    sudo systemctl status syslog-ng

  1. Generate a test log message

    Use the Log Configuration page to temporarily lower the log level to INFO or DEBUG, or trigger an event (e.g., failed authentication attempt).

  2. Check local syslog

    Terminal window
    sudo tail -f /var/log/syslog | grep mideyeserver
  1. Watch incoming logs

    Terminal window
    sudo tail -f /var/log/syslog | grep mideyeserver
  2. Check for network connectivity

    Terminal window
    # Test UDP syslog port
    nc -vu syslog.example.com 514
    # Test TCP syslog port
    nc -v syslog.example.com 514

Check network connectivity:

Terminal window
ping syslog.example.com
telnet syslog.example.com 514

Check firewall rules:

Terminal window
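# Allow UDP/TCP 514. firewall-cmd --add-port opens incoming ports in the
# active zone, so run this on the syslog server that receives the logs.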
sudo firewall-cmd --add-port=514/udp --permanent
sudo firewall-cmd --add-port=514/tcp --permanent
sudo firewall-cmd --reload

Check rsyslog/syslog-ng status:

Terminal window
sudo systemctl status rsyslog
sudo journalctl -u rsyslog -n 50

Enable debug logging in rsyslog:

/etc/rsyslog.d/30-mideyeserver.conf
$DebugLevel 2
$DebugFile /var/log/rsyslog-debug.log

Check for XML syntax errors:

Terminal window
# Look for Logback errors in STDOUT
sudo journalctl -u mideyeserver6 | grep -i logback

Verify syslog host is reachable:

Terminal window
nc -u syslog.example.com 514 <<< "test message"

Check local syslog for clues:

Terminal window
sudo tail -f /var/log/syslog

Verify module is available:

Terminal window
rsyslogd -v | grep imfile

Load module explicitly in rsyslog.conf:

/etc/rsyslog.conf
module(load="imfile")