Syslog is a protocol standard that describes how log messages should be formatted and transmitted. Devices and applications can send data about status, events and diagnostics to a central server, a.k.a. Syslog server, where a listener process gathers the data sent over UDP or TCP. Syslog messages have built-in severity levels that range from an emergency to debugging purposes, providing valuable insights for network monitoring and alerting.

Telegraf Input Plugin: Syslog

Telegraf is the collection module of InfluxData’s TICK Stack time series platform (see diagram below) with its own project Telegraf in the open source community. One of the main use-cases for adopting a times series platform is network monitoring, often to deploy a centralized network monitoring platform. Gathering the data of interest is a key part of any monitoring solution. This can be done in multiple ways.

In order to facilitate the process, Telegraf was designed as a lightweight, plugin-driven collection that can run on your hosts, collecting data about your systems and applications, or it can operate remotely, scraping data via endpoints exposed by your applications.

See below TICK Stack architecture:

the architecture of the TICK Stack, including Telegraf, InfluxDB, Chronograf, and Kapacitor

Telegraf can be deployed as a syslog collector with the Telegraf Syslog plugin. Syslog messages are sent from the monitored device to the IP address of the collector. Syslog data rapidly grows in volume, therefore being able to query and analyze it in real-time and scale is fundamental. This can be done using InfluxData's TICK Stack — Telegraf, InfluxDB, Chronograf and Kapacitor.

Telegraf Syslog Plugin configuration

InfluxData supports Syslog monitoring via Telegraf Syslog Input Plugin, which allows Telegraf to ingest logs using the Syslog protocol. The Syslog Input Plugin listens for syslog messages transmitted over UDP or TCP. Syslog messages should be formatted according to RFC 5424. The IP address of the destination syslog collector must be configured on the device itself, via command-line or a conf file. Once the devices are configured, all syslog data will be sent to Telegraf. Telegraf converts the syslog messages to line protocol to be written to InfluxDB, from which data can be filtered in real-time for warnings, detecting emerging issues and rising severity before its created a disruption or impact on user.

Using Syslog with Telegraf and Chronograf

When using Syslog and Telegraf, the latter is responsible for accepting messages in syslog format and converting them to line protocol to be written to InfluxDB. It inserts all syslog messages into a measurement called syslog which is what Chronograf looks for when it is populating the log viewer with data. Since the Syslog protocol is well-defined, we know that we’ll always have certain fields and tags present in the data, which is how Chronograf knows how to format everything. The viewer has drop-down menus at the upper right for selecting the InfluxDB instance and database to use.

For more information, please check out the documentation.

Project URL   Documentation

Additional resources:

Scroll to Top