Using Collectors

Collectors establish collection points for data to be sent to.

Types of Collectors

There are two types of collectors:

  • The SaaS instance has a cloud collector.
  • A virtual collector extends the collection points to local environments.

The next pages will address how to install the collectors. Usually, collectors are used to move local syslog audit data into the Fluency system. When sending syslog, the collector acts as the terminating point.

About Syslog

Syslog is a standard protocol used for sending and receiving log messages in a network. It's commonly used in Unix-like operating systems, network devices, and applications to collect and centralize logs for monitoring, troubleshooting, and analysis.

In essence, syslog works by allowing various devices and applications to send log messages to a centralized syslog server or a syslog collector. These messages typically contain information about events, errors, warnings, or other significant occurrences within the system or application.

Syslog messages usually consist of a timestamp, the hostname or IP address of the sending device, a facility code indicating the type of program or service that generated the message, a severity level indicating the importance of the message, and the actual log message itself.
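The fields listed above, extracted from a raw message, as an added example that is not part of the original documentation or Fluency's own code. It assumes the classic BSD (RFC 3164) layout `<PRI>timestamp host message`, where the priority value is facility × 8 + severity; the facility names are the common Unix ones and the sample messages are constructed.

```python
import re

# Index = numeric code carried in the priority value (common Unix names).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host message   (assumed BSD / RFC 3164 layout)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)

def parse_syslog(raw: bytes) -> dict:
    """Split one received message into its fields; never raise on bad input."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    m = LINE_RE.match(text)
    if not m or int(m["pri"]) > 191:  # 23 * 8 + 7 is the largest valid priority
        # Keep unparseable input so it can be reviewed instead of silently lost.
        return {"valid": False, "message": text}
    facility, severity = divmod(int(m["pri"]), 8)
    return {
        "valid": True,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": m["ts"],
        "host": m["host"],
        "message": m["msg"],
    }

# Constructed sample messages: two well-formed, two malformed.
SAMPLES = [
    b"<38>Oct 11 22:14:15 fw01 sshd[4721]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2",
    b"<13>Feb  5 17:32:18 10.0.0.99 myapp: service restarted",
    b"<999>Oct 11 22:14:15 fw01 bogus priority",
    b"no priority header at all",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_syslog(sample))
```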

Syslog servers can store these messages locally or forward them to other systems or services for further processing, analysis, or archival. Syslog provides a standardized way for different components of a system to communicate their status and activities, which is invaluable for system administrators and IT professionals in managing and troubleshooting complex networks and systems.

  • UDP/514: This is the traditional default port for syslog communication. Syslog messages are typically transmitted over UDP (User Datagram Protocol) on port 514. It's widely supported and used in many syslog implementations. However, being a well-known port, it can be a target for attacks or misuse if not properly secured.
  • TCP/6514: Similar to UDP/6514, TCP port 6514 is used for secure syslog communication over TLS or SSL encryption. It provides a more secure way to transmit syslog messages over TCP connections, protecting them from eavesdropping and tampering. TCP also offers benefits such as reliable delivery and ordering of syslog messages. When sending data over the internet, this is the preferred syslog option.
  • TCP/514: This is less common but still a valid option for syslog communication. While UDP is the traditional choice, TCP offers benefits such as reliable delivery and ordering of syslog messages. However, TCP port 514 is not as widely used as UDP 514.

In summary, UDP port 514 is the standard port for syslog communication, while UDP port 6514 is used for secure syslog transmissions over encrypted connections. UDP/6514 is the preferred option. UDP/514 is for legacy systems that do not have the 6514 option. In these cases, use a local collector to avoid sending sensitive data over the internet in the clear.