Syslog
Send syslog logs to Seq by installing Seq.Input.Syslog under Settings > Apps in Seq (Windows), or by deploying datalust/seq-input-syslog container alongside your datalust/seq container (Docker/Linux).
Ingest syslog RFC 5424 and RFC 3164 messages via UDP into Seq.
The app is packaged both as a plug-in Seq App for all platforms, and as a standalone Docker container that forwards events to Seq via its HTTP API.
Syslog is not enabled out-of-the-box, and must be enabled one of two ways:
- On Windows, the Seq.Input.Syslog app can be installed and configured
- On Docker/Linux, the
datalust/seq-input-syslogcontainer can be deployed alongside Seq
Enabling Syslog on Windows
On Windows, the Syslog input is installed into Seq as a Seq App.
Syslog input installed through Settings > Apps
1. Install the app package
In Settings > Apps, choose Install from NuGet. The app package id is Seq.Input.Syslog.
2. Start an instance of the app
From the apps screen, choose Add Instance and give the new syslog input a name.
The default settings will cause the syslog input to listen on localhost port 514. Choose a different port if required.
Select Save Changes to start the input.
3. Configure Windows Firewall
Ensure UDP port 514 (or the selected port, if you specified a different one), is allowed through Windows Firewall.
4. Log some events!
That's all there is to it. Events ingested through the input will appear in the Events stream. If the input doesn't work, check for diagnostic events raised by the input app (there is some status information shown under the app instance name).
Events ingested into Seq via the syslog input app will be shown in the Ingestion view.
Enabling syslog in Docker
For Docker, the app is deployed as a Docker container that is expected to run alongside the Seq container. The datalust/seq-input-syslog container accepts syslog messages (via UDP on port 514 by default), and forwards them to the Seq ingestion endpoint specified in the SEQ_ADDRESS environment variable.
To run the container:
$ docker run \
--rm \
-it \
-p 514:514/udp \
-e SEQ_ADDRESS=https://seq.example.com:5341 \
datalust/seq-input-syslog
The container is published on Docker Hub as datalust/seq-input-syslog.
Container configuration
A seq-input-syslog container can be configured using the following environment variables:
| Variable | Description | Default |
|---|---|---|
SEQ_ADDRESS | The address of the Seq server to forward events to | http://localhost:5341 |
SEQ_API_KEY | The API key to use | - |
SYSLOG_ADDRESS | The address to bind the syslog server to | udp://0.0.0.0:514 |
SYSLOG_ENABLE_DIAGNOSTICS | Whether to enable diagnostic logs and metrics (accepts True or False) | False |
Quick local setup with docker-compose
docker-composeThe following is an example docker-compose file that can be used to manage a local Seq container alongside seq-input-syslog in your development environment to collect log events from other containers:
version: '3'
services:
seq-input-syslog:
image: datalust/seq-input-syslog:latest
depends_on:
- seq
ports:
- "514:514/udp"
environment:
SEQ_ADDRESS: "http://seq:5341"
restart: unless-stopped
seq:
image: datalust/seq:latest
ports:
- "5341:80"
environment:
ACCEPT_EULA: Y
restart: unless-stopped
volumes:
- ./seq-data:/data
The service can be started using docker-compose up.
To collect logs from Docker's logging infrastructure, see Collecting Docker container logs.
Updated over 4 years ago