Syslog Forwarding
Configure LinuxGuard to forward security signals as syslog messages to a SIEM or log aggregator.
Prerequisites
Access to the LinuxGuard console with administrator role
A syslog receiver accessible from the LinuxGuard backend (host, port, and protocol confirmed)
Configure a Syslog Destination
In the LinuxGuard console, navigate to Settings > Integrations > Syslog.
Select Add Destination.
Enter the Host of your syslog receiver.
Enter the Port (default: 514).
Select the Protocol: udp (default), tcp, or tls.
Select the Format: rfc5424 (default, recommended) or rfc3164.
Set the Facility (default: 1, user-level).
Select Save.
Protocol Options
UDP (Default)
UDP is the default protocol and is suitable for high-volume environments where occasional message loss is acceptable. It operates without connection state. Syslog over UDP is fire-and-forget — delivery failures are not retried.
TCP
TCP provides ordered delivery with connection state and is suitable when message loss is not acceptable. LinuxGuard makes a single write attempt per delivery over a TCP connection; there is no retry on failure.
TLS
TLS encrypts the syslog stream. When TLS is selected, you can configure the following certificate fields:
ca_cert: Path to the CA certificate file used for server certificate verification (recommended for self-signed or internal CA certificates)
client_cert: Path to the client certificate file (required for mTLS)
client_key: Path to the client private key file (required for mTLS)
skip_verify: Set to true to disable server certificate verification (not recommended for production)
Mutual TLS (mTLS)
To require mutual authentication, provide both client_cert and client_key in addition to ca_cert. The syslog server will verify the client certificate during the TLS handshake.
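The destination settings and certificate fields above translate directly into a client-side TLS configuration. The following is an added example, not LinuxGuard's own code: it validates a destination the way the console steps and the TLS section imply (port range, allowed protocol and format values, the 0-23 facility range from RFC 5424, client_cert and client_key only ever set together, certificate fields only meaningful for tls) and builds the ssl.SSLContext the fields describe. The SyslogDestination dataclass and the function names are assumptions made for illustration.

```python
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional

# Allowed values for the console settings described on this page.
PROTOCOLS = ("udp", "tcp", "tls")
FORMATS = ("rfc5424", "rfc3164")


@dataclass
class SyslogDestination:
    """Assumed in-memory form of one syslog destination (hypothetical, for illustration)."""
    host: str
    port: int = 514
    protocol: str = "udp"
    format: str = "rfc5424"
    facility: int = 1                  # 1 = user-level, the page's default
    ca_cert: Optional[str] = None      # path to the CA bundle used to verify the receiver
    client_cert: Optional[str] = None  # path to the client certificate (mTLS)
    client_key: Optional[str] = None   # path to the client private key (mTLS)
    skip_verify: bool = False          # disables server certificate verification


def validate_destination(dest: SyslogDestination) -> Dict[str, List[str]]:
    """Return {"errors": [...], "warnings": [...]}; any error means the destination must not be saved."""
    errors: List[str] = []
    warnings: List[str] = []
    if not dest.host:
        errors.append("host is required")
    if not 1 <= dest.port <= 65535:
        errors.append(f"port {dest.port} is outside 1-65535")
    if dest.protocol not in PROTOCOLS:
        errors.append(f"protocol must be one of {PROTOCOLS}")
    if dest.format not in FORMATS:
        errors.append(f"format must be one of {FORMATS}")
    if not 0 <= dest.facility <= 23:   # RFC 5424 defines facility codes 0-23
        errors.append(f"facility {dest.facility} is outside 0-23")
    # Certificate fields only apply to tls; their presence on udp/tcp usually
    # means the operator believes the stream is protected when it is not.
    if dest.protocol != "tls" and any(
            (dest.ca_cert, dest.client_cert, dest.client_key, dest.skip_verify)):
        errors.append("certificate fields are only honoured when protocol is tls")
    # mTLS needs both halves of the client identity.
    if bool(dest.client_cert) != bool(dest.client_key):
        errors.append("client_cert and client_key must be set together for mTLS")
    if dest.protocol == "tls" and dest.skip_verify:
        warnings.append("skip_verify disables server certificate verification; prefer ca_cert")
    if dest.protocol == "tls" and not dest.ca_cert and not dest.skip_verify:
        warnings.append("no ca_cert given; the receiver certificate must chain to the system trust store")
    return {"errors": errors, "warnings": warnings}


def build_tls_context(dest: SyslogDestination) -> ssl.SSLContext:
    """Translate the certificate fields into the client-side ssl.SSLContext they imply."""
    # cafile=None falls back to the system trust store; a path pins trust to that CA.
    ctx = ssl.create_default_context(cafile=dest.ca_cert)
    if dest.client_cert and dest.client_key:
        # mTLS: present our certificate so the receiver can verify it in the handshake.
        ctx.load_cert_chain(certfile=dest.client_cert, keyfile=dest.client_key)
    if dest.skip_verify:
        # The stream stays encrypted but the peer is no longer authenticated,
        # so an on-path host could impersonate the receiver and read every signal.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_server(ctx: ssl.SSLContext) -> bool:
    """True when the context will reject a receiver whose certificate does not verify."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    # Constructed sample: a TLS destination with verification switched off.
    dest = SyslogDestination(host="siem.example.internal", port=6514,
                             protocol="tls", skip_verify=True)
    print(validate_destination(dest))
    print("verifies receiver:", verifies_server(build_tls_context(dest)))
```

The validator treats skip_verify as a warning rather than an error so that a lab setup can still be saved, but verifies_server() makes the consequence visible: a context built with skip_verify=True reports False, and any monitoring of the forwarder's configuration can key off that rather than off the raw flag.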
RFC Format Options
RFC 5424 (Default, Recommended)
RFC 5424 is the default format and is recommended for SIEM integration. It supports structured data elements that carry LinuxGuard-specific fields, enabling precise SIEM parser rules without relying on free-text message parsing.
RFC 5424 Structured Data
Every RFC 5424 message produced by LinuxGuard includes four structured data elements (SD-IDs) that carry identity, signal, tenant, and MITRE ATT&CK information. Fields are only included when the corresponding data is non-empty.
SD-ID                 Fields                          Description
identity@linuxguard   name, type, risk                Identity associated with the signal
signal@linuxguard     type, severity, category, id    Signal classification data
tenant@linuxguard     id                              Tenant identifier
mitre@linuxguard      technique_id                    MITRE ATT&CK technique mapping (when available)
Example RFC 5424 message
Note: the priority value <19> = facility 1 (user-level) × 8 + syslog severity 3 (high) = 19.
RFC 3164 (Legacy)
RFC 3164 is the older BSD syslog format and is supported for compatibility with legacy receivers.
Important: RFC 3164 enforces a 1024-byte message limit. LinuxGuard truncates message content at this limit and appends "...". Use RFC 5424 if full signal descriptions are required.
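To show how the two formats differ on the wire, here is an added example that is not LinuxGuard's own code. It renders a signal as an RFC 5424 message carrying the four SD-IDs listed above (dropping any parameter whose value is empty, and escaping the characters RFC 5424 reserves inside a parameter value), computes PRI as facility × 8 + syslog severity using the table in the Severity Mapping section, and renders the same signal as RFC 3164 with the 1024-byte limit applied and "..." appended. The Signal dataclass, the SAMPLE_SIGNAL values, the hostname and app-name, and the choice to apply the 1024-byte limit to the whole packet are assumptions; the page does not specify them.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# LinuxGuard severity (1-5) -> syslog severity, from the Severity Mapping section.
SEVERITY_MAP = {5: 2, 4: 3, 3: 4, 2: 6, 1: 6}
RFC3164_LIMIT = 1024                      # bytes; applied to the whole packet (assumed)
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()


@dataclass
class Signal:
    """Hypothetical in-memory signal; field names mirror the SD-PARAMs on this page."""
    severity: int                      # LinuxGuard scale 1-5
    signal_type: str
    category: str
    signal_id: str
    message: str
    identity: Dict[str, str] = field(default_factory=dict)   # name, type, risk
    tenant_id: str = ""
    technique_id: str = ""             # MITRE ATT&CK technique; empty when unmapped


# Constructed sample input (not a real LinuxGuard signal).
SAMPLE_TS = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_SIGNAL = Signal(
    severity=4, signal_type="process", category="execution", signal_id="sig-0001",
    message="Suspicious shell spawned by backup service",
    identity={"name": "svc-backup", "type": "service", "risk": "medium"},
    tenant_id="t-42", technique_id="T1059")


def pri(facility: int, lg_severity: int) -> int:
    """PRI = facility * 8 + syslog severity (RFC 5424 6.2.1); facility 1 with high (4) gives 11."""
    return facility * 8 + SEVERITY_MAP[lg_severity]


def decode_pri(value: int) -> Tuple[int, int]:
    """Inverse of pri(): split a PRI into (facility, syslog severity); 19 -> (2, 3)."""
    return divmod(value, 8)


def _sd_escape(value: str) -> str:
    # RFC 5424 6.3.3: '"', '\' and ']' inside a PARAM-VALUE must be backslash-escaped;
    # otherwise a field copied from untrusted input could terminate the element early.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def _sd_element(sd_id: str, params: Dict[str, str]) -> str:
    """Render one SD-ELEMENT, dropping empty params; an element left with none is omitted."""
    kept = {k: v for k, v in params.items() if v}
    if not kept:
        return ""
    body = " ".join(f'{k}="{_sd_escape(v)}"' for k, v in kept.items())
    return f"[{sd_id} {body}]"


def format_rfc5424(sig: Signal, facility: int = 1, hostname: str = "linuxguard",
                   ts: Optional[datetime] = None) -> str:
    ts = ts or datetime.now(timezone.utc)
    elements = [
        _sd_element("identity@linuxguard",
                    {k: sig.identity.get(k, "") for k in ("name", "type", "risk")}),
        _sd_element("signal@linuxguard",
                    {"type": sig.signal_type, "severity": str(sig.severity),
                     "category": sig.category, "id": sig.signal_id}),
        _sd_element("tenant@linuxguard", {"id": sig.tenant_id}),
        _sd_element("mitre@linuxguard", {"technique_id": sig.technique_id}),
    ]
    structured = "".join(elements) or "-"            # NILVALUE when nothing survives
    stamp = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # HEADER is PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD, then MSG.
    return f"<{pri(facility, sig.severity)}>1 {stamp} {hostname} linuxguard - - {structured} {sig.message}"


def format_rfc3164(sig: Signal, facility: int = 1, hostname: str = "linuxguard",
                   ts: Optional[datetime] = None) -> str:
    ts = ts or datetime.now(timezone.utc)
    stamp = f"{MONTHS[ts.month - 1]} {ts.day:2d} {ts.strftime('%H:%M:%S')}"  # BSD "Mmm dd hh:mm:ss"
    text = f"<{pri(facility, sig.severity)}>{stamp} {hostname} linuxguard: {sig.message}"
    raw = text.encode("utf-8")
    if len(raw) <= RFC3164_LIMIT:
        return text
    # Cut at the byte limit (leaving room for the marker), then discard any partial
    # trailing UTF-8 sequence so the marker never lands inside a character.
    kept = raw[: RFC3164_LIMIT - 3].decode("utf-8", errors="ignore")
    return kept + "..."


if __name__ == "__main__":
    print(format_rfc5424(SAMPLE_SIGNAL, ts=SAMPLE_TS))
    print(format_rfc3164(SAMPLE_SIGNAL, ts=SAMPLE_TS))
```

decode_pri() is the check a SIEM parser rule needs when a PRI does not look right: dividing by 8 recovers the facility and the remainder the syslog severity, which can then be compared against the mapping table. The RFC 3164 path truncates on bytes, not characters, because the 1024-byte limit is a byte limit and a naive character slice can overshoot it for non-ASCII descriptions.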
Severity Mapping
LinuxGuard maps its 1–5 signal severity scale to syslog severity levels as follows:
LinuxGuard severity   Syslog severity   Syslog name
critical (5)          2                 Critical
high (4)              3                 Error
medium (3)            4                 Warning
low (2)               6                 Informational
info (1)              6                 Informational
Note: Syslog severities 0 (Emergency) and 1 (Alert) are reserved and not used by LinuxGuard.
Related: Alerting & SIEM Integration | Configure Notification Rules | Webhook Integration | Splunk HEC Integration