Configure Your Own Syslog Server
Rsyslog is a rocket-fast system for log processing and is commonly used for any kind of system logging. We use an Ubuntu Server 20.04 LTS distribution to show you how to configure your own syslog server to receive your CDN logs in real time.
Syslog server installation
Update the packages list and install the latest version of rsyslog.
apt update
apt install rsyslog
Syslog server configuration
Configure rsyslog to receive UDP logs and define a filter where you want to store the logs.
Open the rsyslog.conf file and add the following lines.
vi /etc/rsyslog.conf
# provides UDP syslog reception
module(load="imudp")
Create and open your custom config file.
vi /etc/rsyslog.d/00-custom.conf
# Templates
template(name="ReceiveFormat" type="string" string="%msg:39:$%\n")

# UDP ruleset mapping
input(type="imudp" port="514" ruleset="customRuleset")

# Custom ruleset
ruleset(name="customRuleset") {
    if ($msg contains '366c3df6-93dd-4ec0-a218-aec9d191c59e') then {
        /var/log/cdn.log;ReceiveFormat
        stop
    }
}
Replace 366c3df6-93dd-4ec0-a218-aec9d191c59e with your own custom token. The token must be between 8 and 45 characters long. Use the following regular expression with regex101 to validate the token value you define:
^[a-zA-Z0-9\-]*$
You may use the letters a-z and A-Z, the numbers 0-9, and - when creating your token.
Restart the rsyslog process.
systemctl restart rsyslog
Configure Log Forwarding in the KeyCDN dashboard with your syslog server details.
Verify if you are receiving the logs (log forwarding starts within 5 minutes).
tail -f /var/log/cdn.log
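The token rules above, as an added shell example that is not part of the original guide: the regular expression on its own also accepts an empty or over-long string, so the 8 to 45 character limit is checked separately, and the custom config is checked for the sample token printed on this page. All function names are illustrative assumptions.

```shell
#!/bin/sh
# Added example; function names are illustrative, not rsyslog or KeyCDN tooling.
SAMPLE_TOKEN='366c3df6-93dd-4ec0-a218-aec9d191c59e'   # sample value from this page

# Return 0 only for 8-45 characters drawn from a-z, A-Z, 0-9 and '-'.
# The regex ^[a-zA-Z0-9\-]*$ alone also matches "" and strings of any length,
# so the length limits are enforced as a separate check.
validate_token() (
    LC_ALL=C; export LC_ALL          # byte-wise ranges, no locale surprises
    tok=$1
    [ "${#tok}" -ge 8 ] && [ "${#tok}" -le 45 ] || return 1
    case $tok in
        *[!a-zA-Z0-9-]*) return 1 ;;
    esac
    return 0
)

# Print a random 36-character token built from /dev/urandom.
new_token() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9' | cut -c1-36
}

# Print the token used in a "$msg contains '<token>'" filter of a config file.
config_token() {
    sed -n "s/.*\$msg contains '\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Return 0 if the config's token is well-formed and is not the sample value;
# 1 if it is missing or malformed, 2 if the sample token is still in place.
audit_config() {
    tok=$(config_token "$1")
    validate_token "$tok" || { echo "token missing or malformed" >&2; return 1; }
    [ "$tok" != "$SAMPLE_TOKEN" ] || { echo "sample token still in use" >&2; return 2; }
}
```

Run audit_config /etc/rsyslog.d/00-custom.conf before restarting rsyslog; a non-zero status means the token should be replaced, for example with the output of new_token.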
Troubleshooting commands
systemctl status rsyslog
Verify that rsyslog is running.
netstat -na | grep ":<defined port>"
Is rsyslog listening on the right port?
# netstat -na | grep :514
udp 0 0 0.0.0.0:514 0.0.0.0:*
tcpdump port <defined port>
Are you receiving any packet on the defined port?
# tcpdump port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:20:53.066938 IP keycdn-syslog.37960 > your-server.syslog: [|syslog]
^C
1 packet captured
1 packet received by filter
0 packets dropped by kernel
tail -f /path/to/your/logfile
Check if you get new log entries.
# tail -f /var/log/cdn.log
1421338853.058|defr|115.81.56.12|200|439|1|6976|zonename-hexid.kxcdn.com|HIT|"HEAD /lorem.jpg HTTP/1.1"|[15/Jan/2015:17:20:53 +0100]|"-"|"curl/7.30.0"|http|CH|Switzerland|Winterthur|25|47.5000|8.7251|"AS6830 Liberty Global Operations B.V."
^C