Getting started
Domains & Origins

Domains & Origins
Request settings
Cache settings
Custom VCL
Image optimization

Access Control Lists
Monitoring and testing
Securing communications
Security measures
Web Application Firewall

Logging endpoints
Non-Fastly services

Streaming logs
Debugging techniques
Common errors

Account info
Account management
User access and control


    Log streaming: Syslog

      Last updated May 31, 2019

    Fastly's Real-Time Log Streaming feature can send log files to syslog-based logging software. Syslog is a widely used standard for message logging.

    Adding syslog as a logging endpoint

    Follow these instructions to add syslog as a logging endpoint:

    1. Review the information in our Setting Up Remote Log Streaming guide.
    2. Click the syslog icon. The Create a Syslog endpoint page appears.

      the create a Syslog endpoint page

    3. Fill out the Create a Syslog endpoint fields as follows:
      • In the Name field, type a human-readable name for the endpoint.
      • In the Log format field, optionally type an Apache-style string or VCL variables to use for log formatting. The Apache Common Log format string appears in this field by default. See our guidance on format strings for more information.
      • In the Syslog address field, type the domain name or IP address and port to which logs should be sent. Be sure this port can receive incoming TCP traffic from Fastly. See the firewall considerations section for more information.
      • In the Token field, optionally type a string prefix (line prefix) to send in front of each log line.
      • From the TLS menu, select No to disable encryption for the syslog endpoint, or Yes to enable it. When you select Yes, the TLS Hostname and TLS CA Certificate fields both appear.
      • In the TLS Hostname field, optionally type the hostname used to verify the syslog server's certificate. This can be either the Common Name (CN) or Subject Alternate Name (SAN). This field only appears when you select Yes from the Use TLS menu.
      • In the TLS CA certificate field, optionally copy and paste the certification authority (CA) certificate used to verify that the origin server's certificate is valid. The certificate you upload must be in PEM format. Consider uploading the certificate if it's not signed by a well-known certification authority. This value is not required if your TLS certificate is signed by a well-known authority. This field only appears when you select Yes from the Use TLS menu.
    4. Click the Advanced options link of the Create a Syslog endpoint page and decide which of the optional fields to change, if any.

      the advanced options on the create a new Syslog endpoint page

    5. Fill out the Advanced options of the Create a Syslog endpoint page as follows:
      • In the Select a log line format area, select the log line format for your log messages. Our guide on changing log line formats provides more information.
      • In the Placement area, select where the logging call should be placed in the generated VCL. Valid values are Format Version Default, None, and waf_debug (waf_debug_log). Selecting None creates a logging object that can only be used in custom VCL. See our guide on WAF logging for more information about waf_debug_log.
    6. Click the Create button to create the new logging endpoint.
    7. Click the Activate button to deploy your configuration changes.

    Adding separators or static strings

    To insert a separator or other arbitrary string into the syslog endpoint format:

    1. Create a new header with the following fields:
      • From the Type menu, select Request, and from the Action menu, select Set.
      • In the Destination field, type any suitable header name (for example, http.X-Separator).
      • In the Source field, type any special character or string you want (for example, "|" ).
    2. Reference the new header variable in the log format box for your specific provider (for example, req.http.X-Separator).

    Syslog facility and severity

    The syslog output includes the following facility and severity values:

    facility: local0
    severity: info

    Firewall considerations

    Syslog has limited security features. For this reason, it's best to create a firewall for your syslog server and only accept TCP traffic on your configured port from our address blocks. Our list of address blocks is dynamic, so we recommend programmatically obtaining the list from our JSON feed whenever possible.

    Back to Top