How do I forward syslog to a remote server with rsyslog?

Add a selector line to a file in /etc/rsyslog.d/, for example '*.info @10.0.0.10:514' to send everything at info and above to that host over UDP. Use a single @ for UDP and double @@ for TCP, then restart with 'sudo systemctl restart rsyslog'. The generator above writes this for you from your host, port, facility, and severity.

What is the difference between @ and @@ in rsyslog?

In the classic rsyslog selector syntax, a single @ before the target means send over UDP, and a double @@ means send over TCP. TCP is more reliable because it retransmits lost packets; UDP is lighter and is the historical default. Both typically use port 514.

How does syslog-ng forwarding differ from rsyslog?

syslog-ng uses an explicit object model instead of selector lines. You define a source, optional filters for facility and level, a network destination, and a log statement that wires them together. It is more verbose but easier to read once a config grows. The generator emits a complete source/filter/destination/log block.

How do I configure a Cisco device to send syslog?

In configuration mode, set 'logging host ' for the collector, 'logging trap ' for the minimum severity (using Cisco's keyword such as 'informational'), and optionally 'logging facility '. Add 'service timestamps log datetime msec' so messages carry precise times, then 'write memory' to save.

Should I use UDP or TCP for syslog?

Use TCP when you cannot afford to lose messages — audit and security logs especially — because it retransmits dropped packets and signals when the collector is unreachable. UDP is fine for high-volume, lower-stakes operational logging where the occasional lost line is acceptable and you want minimal overhead.

config generator

Syslog config generator

Pick a platform, point it at your collector, and choose which facility and severity to ship. The generator writes a complete, commented forwarding configuration for rsyslog, syslog-ng, or Cisco IOS that you can paste straight in.

Collector host / IPPort

Transport

FacilityMin. severity

rsyslog configuration

# /etc/rsyslog.d/60-forward.conf
# Forward *.info and higher to 10.0.0.10:514 over UDP.
# Reload after editing:  sudo systemctl restart rsyslog

# selector            target
*.info              @10.0.0.10:514

# Notes:
#   "@"  selects UDP (@ = UDP, @@ = TCP).
#   "*" is the facility ("*" = all facilities).
#   "info" matches that severity and every more-severe level.
#   Add  $ActionResumeRetryCount -1  above the rule to queue when the
#   collector is unreachable instead of dropping messages.

Guide

Forwarding syslog, three ways

Getting logs off a machine and onto a central collector is the same idea everywhere — choose what to send and where to send it — but the syntax differs by platform. The generator above covers the three you are most likely to meet. The notes below explain what each generated config is doing so you can adapt it with confidence.

rsyslog

rsyslog, the default on most modern Linux distributions, uses a compact selector syntax: a facility.severity pattern followed by a destination. Forwarding to a remote host looks like this:

*.info @10.0.0.10:514

The *.info selects every facility at severity info and above. The @ means UDP; double it to @@ for TCP. Drop the file in /etc/rsyslog.d/ with a numeric prefix like 60-forward.conf so it loads in order, then restart the service. For reliability you can raise the action resume retry count so messages queue when the collector is briefly unreachable instead of being dropped.

syslog-ng

syslog-ng takes a more explicit, object-oriented approach. Rather than one terse line, you declare named building blocks and then connect them in a log statement:

source — where messages come from, e.g. system() and internal().
filter — optional tests such as level(info..emerg) or facility(auth).
destination — a network() block with the host, transport, and port.
log — the statement that ties a source, any filters, and a destination together.

It is more typing than rsyslog for a single rule, but the structure pays off as routing grows, because each piece is named and reusable. Reload with syslog-ng-ctl reload after editing.

Cisco IOS

Network gear configures logging with a handful of logging commands entered in configuration mode. The essentials the generator emits are:

logging host <ip> — the collector to send to, optionally with a transport and port.
logging trap <level> — the minimum severity, using Cisco’s own keyword set (emergencies, alerts, critical, errors, warnings, notifications, informational, debugging).
logging facility <facility> — the facility tag to stamp on messages, often a local slot.
service timestamps log datetime msec — so each message carries a precise, millisecond timestamp.

Finish with end and write memory to persist the configuration across reboots. Cisco severity keywords line up exactly with the standard 0–7 scale — see the PRI calculator for the mapping.

Ports and transport

The traditional syslog port is 514 for both UDP and plain TCP; syslog over TLS conventionally uses 6514. UDP is the historical default and is fine for high-volume operational logs where losing the occasional packet does not matter. For anything you must not lose — audit trails, security events — prefer TCP so the transport retransmits dropped packets and tells you when the far end is down. Whichever you choose, make sure the path and any firewalls permit that port, and that the receiver is actually listening on it.

Once messages are flowing, the syslog parser is handy for confirming the collector is receiving well-formed lines, and the JSON and CEF converter helps when the next hop is a SIEM rather than a plain file.

Frequently asked questions

How do I forward syslog to a remote server with rsyslog?: Add a selector line to a file in /etc/rsyslog.d/, for example '*.info @10.0.0.10:514' to send everything at info and above to that host over UDP. Use a single @ for UDP and double @@ for TCP, then restart with 'sudo systemctl restart rsyslog'. The generator above writes this for you from your host, port, facility, and severity.
What is the difference between @ and @@ in rsyslog?: In the classic rsyslog selector syntax, a single @ before the target means send over UDP, and a double @@ means send over TCP. TCP is more reliable because it retransmits lost packets; UDP is lighter and is the historical default. Both typically use port 514.
How does syslog-ng forwarding differ from rsyslog?: syslog-ng uses an explicit object model instead of selector lines. You define a source, optional filters for facility and level, a network destination, and a log statement that wires them together. It is more verbose but easier to read once a config grows. The generator emits a complete source/filter/destination/log block.
How do I configure a Cisco device to send syslog?: In configuration mode, set 'logging host <ip>' for the collector, 'logging trap <level>' for the minimum severity (using Cisco's keyword such as 'informational'), and optionally 'logging facility <facility>'. Add 'service timestamps log datetime msec' so messages carry precise times, then 'write memory' to save.
Should I use UDP or TCP for syslog?: Use TCP when you cannot afford to lose messages — audit and security logs especially — because it retransmits dropped packets and signals when the collector is unreachable. UDP is fine for high-volume, lower-stakes operational logging where the occasional lost line is acceptable and you want minimal overhead.

More syslog tools

<msg>Syslog Parser & ViewerPaste a raw syslog line and see every field broken out and colour-coded — works with RFC 5424 and RFC 3164.<14>1RFC 5424 Format Reference & BuilderA field-by-field guide to the RFC 5424 message format with an interactive builder that emits a compliant line.<pri>Syslog PRI, Facility & Severity CalculatorConvert between PRI values and facility/severity both ways. Includes the full facility and severity tables.{ }Syslog to JSON & CEF ConverterTurn a raw syslog message into clean JSON or a best-effort CEF line for your SIEM — entirely in the browser.