# Syslog Forwarding

Configure LinuxGuard to forward security signals as syslog messages to a SIEM or log aggregator.

## Prerequisites

* Access to the LinuxGuard console with administrator role
* A syslog receiver accessible from the LinuxGuard backend (host, port, and protocol confirmed)

## Configure a Syslog Destination

1. In the LinuxGuard console, navigate to **Settings** > **Integrations** > **Syslog**.
2. Select **Add Destination**.
3. Enter the **Host** of your syslog receiver.
4. Enter the **Port** (default: `514`).
5. Select the **Protocol**: `udp` (default), `tcp`, or `tls`.
6. Select the **Format**: `rfc5424` (default, recommended) or `rfc3164`.
7. Set the **Facility** (default: `1` — user-level).
8. Select **Save**.

## Protocol Options

### UDP (Default)

UDP is the default protocol and is suitable for high-volume environments where occasional message loss is acceptable. It operates without connection state. Syslog over UDP is fire-and-forget — delivery failures are not retried.

### TCP

TCP provides ordered delivery with connection state and is suitable when message loss is not acceptable. LinuxGuard makes a single write attempt per delivery over a TCP connection; there is no retry on failure.

### TLS

TLS encrypts the syslog stream. When TLS is selected, you can configure the following certificate fields:

| Field         | Description                                                                                                      |
| ------------- | ---------------------------------------------------------------------------------------------------------------- |
| `ca_cert`     | Path to the CA certificate file for server certificate verification (recommended for self-signed or internal CA) |
| `client_cert` | Path to the client certificate file (required for mTLS)                                                          |
| `client_key`  | Path to the client private key file (required for mTLS)                                                          |
| `skip_verify` | Set to `true` to disable server certificate verification (not recommended for production)                        |

#### Mutual TLS (mTLS)

To require mutual authentication, provide both `client_cert` and `client_key` in addition to `ca_cert`. The syslog server will verify the client certificate during the TLS handshake.
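The destination settings above (protocol, format, facility, and the four TLS fields) are entered through the console, so there is no configuration file to show. As an added example that is not LinuxGuard code, the block below models three constructed destinations with those field names as dictionary keys, lints them the way a reviewer would (cleartext protocol, UDP loss, RFC 3164 truncation, `skip_verify`, a half-configured mTLS pair), and shows what `ca_cert`, `client_cert`, `client_key` and `skip_verify` mean in terms of Python's `ssl` module. The lower-case key names, the host, port and file paths are assumptions; the mapping onto `ssl.SSLContext` is an illustration of the fields' semantics, not LinuxGuard's implementation.

```python
import ssl
from typing import Any, Dict, List, Optional

# Constructed destination records. Keys mirror the console fields on this page;
# the lower-case key names, host, port and paths are assumptions for the example.
UDP_LEGACY: Dict[str, Any] = {
    "host": "siem.example.internal", "port": 514, "protocol": "udp",
    "format": "rfc3164", "facility": 1,
}
TLS_UNVERIFIED: Dict[str, Any] = {
    "host": "siem.example.internal", "port": 6514, "protocol": "tls",
    "format": "rfc5424", "facility": 1, "skip_verify": True,
    "client_cert": "/etc/linuxguard/syslog-client.pem",   # client_key left out on purpose
}
TLS_MTLS: Dict[str, Any] = {
    "host": "siem.example.internal", "port": 6514, "protocol": "tls",
    "format": "rfc5424", "facility": 1, "skip_verify": False,
    "ca_cert": "/etc/linuxguard/syslog-ca.pem",
    "client_cert": "/etc/linuxguard/syslog-client.pem",
    "client_key": "/etc/linuxguard/syslog-client.key",
}


def validate_destination(cfg: Dict[str, Any]) -> List[str]:
    """Findings a reviewer would raise about a destination; an empty list means nothing to flag."""
    findings: List[str] = []
    proto = cfg.get("protocol", "udp")
    fmt = cfg.get("format", "rfc5424")
    if proto not in ("udp", "tcp", "tls"):
        findings.append(f"unknown protocol {proto!r}")
    elif proto != "tls":
        findings.append("not tls: identities, hostnames and commands cross the network in cleartext")
    if proto == "udp":
        findings.append("udp: dropped datagrams are never retried, so gaps in the SIEM are silent")
    if fmt == "rfc3164":
        findings.append("rfc3164: content over 1024 bytes is truncated; structured data needs rfc5424")
    elif fmt != "rfc5424":
        findings.append(f"unknown format {fmt!r}")
    if proto == "tls":
        if cfg.get("skip_verify"):
            findings.append("skip_verify: the receiver's certificate is never checked")
        if bool(cfg.get("client_cert")) != bool(cfg.get("client_key")):
            findings.append("mTLS needs both client_cert and client_key")
    if not 1 <= int(cfg.get("port", 514)) <= 65535:
        findings.append("port out of range")
    if not 0 <= int(cfg.get("facility", 1)) <= 23:
        findings.append("facility must be 0-23 (PRI = facility * 8 + severity)")
    return findings


def build_tls_context(ca_cert: Optional[str] = None, client_cert: Optional[str] = None,
                      client_key: Optional[str] = None, skip_verify: bool = False) -> ssl.SSLContext:
    """Assumed mapping of the four TLS fields onto Python's ssl module (not LinuxGuard's code):
    ca_cert pins the trust anchor, client_cert/client_key enable mTLS, and skip_verify
    removes server authentication entirely."""
    if bool(client_cert) != bool(client_key):
        raise ValueError("mTLS needs both client_cert and client_key")
    # cafile=None falls back to the platform's default trust store.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_cert)
    if skip_verify:
        # check_hostname must be cleared before verify_mode can drop to CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # any certificate presented by anyone is accepted
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def tls_posture(ctx: ssl.SSLContext) -> Dict[str, Any]:
    """Summarise the effective server-verification settings of a context."""
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


if __name__ == "__main__":
    for name, cfg in (("udp/rfc3164", UDP_LEGACY), ("tls+skip_verify", TLS_UNVERIFIED),
                      ("tls+mtls", TLS_MTLS)):
        print(name, validate_destination(cfg) or ["ok"])
    print("default:", tls_posture(build_tls_context()))
    print("skip_verify:", tls_posture(build_tls_context(skip_verify=True)))
```

Running the module prints three findings for the UDP/RFC 3164 destination, two for the TLS destination with `skip_verify` and a dangling `client_cert`, and `ok` for the mTLS destination. The two `tls_posture` lines make the `skip_verify` caveat concrete: the context stops checking both the certificate chain and the hostname, so an on-path host with any certificate can terminate the stream.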

## RFC Format Options

### RFC 5424 (Default, Recommended)

RFC 5424 is the default format and is recommended for SIEM integration. It supports structured data elements that carry LinuxGuard-specific fields, enabling precise SIEM parser rules without relying on free-text message parsing.

## RFC 5424 Structured Data

Every RFC 5424 message produced by LinuxGuard includes four structured data elements (SD-IDs) that carry identity, signal, tenant, and MITRE ATT&CK information. Fields are only included when the corresponding data is non-empty.

| SD-ID                 | Fields                               | Description                                      |
| --------------------- | ------------------------------------ | ------------------------------------------------ |
| `identity@linuxguard` | `name`, `type`, `risk`               | Identity associated with the signal              |
| `signal@linuxguard`   | `type`, `severity`, `category`, `id` | Signal classification data                       |
| `tenant@linuxguard`   | `id`                                 | Tenant identifier                                |
| `mitre@linuxguard`    | `technique_id`                       | MITRE ATT&CK technique mapping (when available)  |

**Example RFC 5424 message**

```
<19>1 2026-03-02T14:32:01.123456Z linuxguard linuxguard 12345 - [identity@linuxguard name="jsmith" type="user" risk="high"][signal@linuxguard type="sudo_command_executed" severity="4" category="privilege_escalation" id="sig_abc123"][tenant@linuxguard id="tenant_xyz"][mitre@linuxguard technique_id="T1548.003"] Sudo command executed by jsmith on web-01
```

> **Note**: Priority value `<19>` = facility 1 (user-level) × 8 + syslog severity 3 (high) = 19.

### RFC 3164 (Legacy)

RFC 3164 is the older BSD syslog format and is supported for compatibility with legacy receivers.

> **Important**: RFC 3164 enforces a 1024-byte message limit. LinuxGuard truncates message content at this limit and appends `...`. Use RFC 5424 if full signal descriptions are required.

## Severity Mapping

LinuxGuard maps its 1–5 signal severity scale to syslog severity levels as follows:

| LinuxGuard Severity | Syslog Severity | Syslog Level Name |
| ------------------- | --------------- | ----------------- |
| critical (5)        | 2               | Critical          |
| high (4)            | 3               | Error             |
| medium (3)          | 4               | Warning           |
| low (2)             | 6               | Informational     |
| info (1)            | 6               | Informational     |

> **Note**: Syslog severities 0 (Emergency) and 1 (Alert) are reserved and not used by LinuxGuard.

***

**Related**: [Alerting & SIEM Integration](/explanation/explanation/alerting.md) | [Configure Notification Rules](/how-to-guides/how-to/configure-notification-rules.md) | [Webhook Integration](/how-to-guides/how-to/configure-notification-rules/webhook-integration.md) | [Splunk HEC Integration](/how-to-guides/how-to/configure-notification-rules/splunk-hec-integration.md)
