Log streaming: Syslog
Last updated 2021-06-09
Fastly's Real-Time Log Streaming feature can send log files to syslog-based logging software. Syslog is a widely used standard for message logging.
Fastly does not provide direct support for third-party services. See Fastly's Terms of Service for more information.
Adding syslog as a logging endpoint
Follow these instructions to add syslog as a logging endpoint:
- Review the information in our Setting Up Remote Log Streaming guide.
Click the Syslog Create endpoint button. The Create a Syslog endpoint page appears.
- Fill out the Create a Syslog endpoint fields as follows:
- In the Name field, enter a human-readable name for the endpoint.
- In the Placement area, select where the logging call should be placed in the generated VCL. Valid values are Format Version Default, waf_debug (waf_debug_log), and None. See our guide on changing log placement for more information.
- In the Log format field, optionally enter an Apache-style string or VCL variables to use for log formatting. Our discussion of format strings provides more information.
- In the Syslog address field, enter the domain name or IP address and port to which logs should be sent. Be sure this port can receive incoming TCP traffic from Fastly. See the firewall considerations section for more information.
- In the Token field, optionally enter a string prefix (line prefix) to send in front of each log line.
- From the TLS menu, select No to disable encryption for the syslog endpoint, or Yes to enable it. When you select Yes, additional TLS fields appear.
- In the TLS hostname field, optionally enter a hostname to verify the server's certificate. This should be one of the Subject Alternative Name (SAN) fields for the certificate. Common Names (CN) are not supported. This field only appears when you select Yes from the Use TLS menu.
- In the TLS CA certificate field, optionally copy and paste the certification authority (CA) certificate used to verify that the origin server's certificate is valid. The certificate you upload must be in PEM format. Consider uploading the certificate if it's not signed by a well-known certification authority. This value is not required if your TLS certificate is signed by a well-known authority. This field only appears when you select Yes from the Use TLS menu.
- In the TLS client certificate field, optionally copy and paste the TLS client certificate used to authenticate to the origin server. The TLS client certificate you upload must be in PEM format and must be accompanied by a client certificate. A TLS client certificate allows your server to authenticate that Fastly is performing the connection. This field only appears when you select Yes from the Use TLS menu.
- In the TLS client key field, optionally copy and paste the TLS client key used to authenticate to the backend server. The TLS client key you upload must be in PEM format and must be accompanied by a TLS client certificate. A TLS client key allows your server to authenticate that Fastly is performing the connection. This field only appears when you select Yes from the Use TLS menu.
Click the Advanced options link of the Create a Syslog endpoint page and decide which of the optional fields to change, if any.
- Fill out the Advanced options of the Create a Syslog endpoint page as follows:
- In the Select a log line format area, select the log line format for your log messages. Our guide on changing log line formats provides more information.
- Click the Create button to create the new logging endpoint.
- Click the Activate button to deploy your configuration changes.
Adding separators or static strings
To insert a separator or other arbitrary string into the syslog endpoint format:
- Create a new header with the following fields:
- From the Type menu, select Request, and from the Action menu, select Set.
- In the Destination field, enter any suitable header name (for example,
- In the Source field, enter any special character or string you want (for example,
- Reference the new header variable in the log format box for your specific provider (for example,
Syslog facility and severity
The syslog output includes the following facility and severity values:
1 2 facility: local0 severity: info
Syslog has limited security features. For this reason, it's best to create a firewall for your syslog server and only accept TCP traffic on your configured port from our address blocks. Our list of address blocks is dynamic, so we recommend programmatically obtaining the list from our JSON feed whenever possible.