Syslog
Overview
What is its Purpose?
Transfers Apinizer logs to a central syslog collector with low latency via Connection.
Provides flexible log transport compatible with different organization standards through TCP/UDP, TLS, and message format options.
Provides common naming and versioning while maintaining Development/Test/Production separation through environment-based configuration.
Logs transmitted in UDP mode have no delivery guarantee; prefer TCP + SSL/TLS for critical flows.
Working Principle
When a Syslog connection is requested from within an Integration Flow or Connector, the system reads the configured connection parameters.
In TCP mode, a persistent socket is opened for each environment; log messages are queued asynchronously and sent in order. When the queue is full, new messages are routed to the failover connector. Automatic reconnection is applied when the active connection closes or a write timeout occurs; stateless sending is performed in UDP mode.
If TLS is used, certificate-based Authentication is applied; otherwise, syslog server's IP-based security policies come into play.
Log messages in RFC 3164/5424/5425 format, hostname, and facility/severity fields are transmitted over selected protocol.
After operation completes, TCP connection returns to pool; UDP packets require no additional management as they are stateless.
In case of connection error, timeout, or authentication error, details are shown in deployment-result dialog; error metrics are propagated via Apinizer Event Manager.
Use Cases
Real-time transfer of API Gateway logs to SIEM or SOC platforms
Notification of security events (e.g., WS-Security, Authentication errors) to central alarm system
Providing single log flow for log correlation between operating systems, firewall, and Apinizer services
Validating new rule/transformation developments in test environment without affecting syslog infrastructure in prod environment
Technical Features and Capabilities
Basic Features
TCP/UDP: Selection can be made between low-latency UDP or reliable TCP modes via EnumSyslogProtocolType.
RFC 3164, RFC 5424, or RFC 5425 formats; compatible log template is created with hostname, facility, and severity fields.
Routing to different syslog endpoints is performed by selecting target Environment for each Connection via environmentId list.
Ability to define separate connection parameters for each environment (Development, Test, Production).
Activating or deactivating the Connection (enable/disable toggle). In passive state, connection cannot be used but its configuration is preserved.
Advanced Features
IDeploymentResult outputs are shown to user after save and test, real status of log flow is monitored instantly.
Admin users can move connection from project context to global area, thus facilitating reuse.
Can be transferred to other environments by packaging JSON + metadata with ExportFile structure.
Ability to validate connection parameters before saving with "Test Connection" button.
Export connection configuration as ZIP file. Import to different environments (Development, Test, Production). Version control and backup capability.
Monitoring connection health, pool status, and performance metrics.
Connection Parameters
Required Parameters
Parameter: Name
Example Value: Production_Syslog
Connection name (must be unique). Cannot start with space, special characters should not be used.
Parameter: Environment
Example Value: prod-env-id
Identity of published environment where logs will be targeted. Environment list comes via Environment Service, cannot be tested if selection is not made.
Parameter: Syslog Protocol Type
Example Value: TCP
TCP or UDP selection via EnumSyslogProtocolType. When TCP is selected, timeout and SSL settings become mandatory.
Parameter: Syslog Server Hostname
Example Value: syslog.corp.local
Syslog server name or IP where logs will be sent. FQDN recommended, DNS resolution is performed by gateway.
Parameter: Syslog Port
Example Value: 514
Syslog listening port. 514 for UDP, 6514 for TLS can be commonly used.
Parameter: Syslog Message Format
Example Value: RFC_3164
Message body template (RFC 3164/5424/5425). Should be selected according to SIEM expectations.
Parameter: Syslog App Name
Example Value: ApinizerGateway
Application name that will appear in messages. Recommended not to exceed 48 characters.
Parameter: Syslog Facility
Example Value: AUDIT
Log classification value. Limited to EnumSyslogFacility values.
Parameter: Syslog Severity
Example Value: INFORMATIONAL
Log importance level. Selected from EnumSyslogSeverity list.
Parameter: Syslog Timeout (TCP)
Example Value: 5000
Wait time in milliseconds for TCP handshake + ACK. Not shown in UDP mode, mandatory in TCP mode.
Optional Parameters
Parameter: Description
Default Value: -
Recommended Value: Specify usage purpose and target syslog cluster
Description about the connection
Parameter: Syslog Message Hostname
Default Value: gateway01
Recommended Value: Use different hostname for each environment to facilitate correlation
Overrides HOSTNAME field in log.
Parameter: Syslog SSL Enabled
Default Value: false
Recommended Value: true in Production, self-signed if needed in Test/Dev
Provides TLS encapsulation over TCP.
Parameter: Deploy To Worker
Default Value: true
Recommended Value: Leave true if network isolation exists
Whether connection will be deployed to worker nodes.
Timeout and Connection Pool Parameters
Description: syslogTimeout value in TCP mode
Default: 5000
Min: 1000 | Max: 60000
Unit: milliseconds
Description: General request wait time for Integration step (gateway setting)
Default: 15000
Min: 5000 | Max: 60000
Unit: milliseconds
Description: Maximum TCP sockets in Syslog connection pool
Default: 1
Min: 1 | Max: 5
Unit: count
Description: Delay recommendation between consecutive packets in UDP mode
Default: 0
Min: 0 | Max: 100
Unit: milliseconds
Description: Maximum number of log messages in the TCP async send queue. When the queue is full, new messages are routed to the failover connector.
Default: 10000
Min: 100 | Max: 1000000
Unit: messages
Description: If writing a message to the syslog server takes longer than this duration, the connection is forcibly closed and re-established.
Default: 5
Min: 1 | Max: 60
Unit: seconds
Use Cases
Situation: SOC platform accepts logs with TCP + TLS
Solution: Protocol: TCP, SSL Enabled: true, Port: 6514
Expected Behavior: Logs transmitted securely over TLS, facility/severity fields fall to SIEM rules
Situation: Fast UDP required for correlation with firewall logs
Solution: Protocol: UDP, Port: 514, Message Format: RFC_3164
Expected Behavior: Log flow performed with low latency, packet loss is tolerant
Situation: Detailed debug log requested in test environment
Solution: Severity: DEBUG, Facility: LOCAL0, Message Hostname: test-gw
Expected Behavior: Test syslog server receives detailed debug events
Situation: Audit teams request audit trail
Solution: Facility: AUDIT, Severity: NOTICE, App Name: ComplianceGW
Expected Behavior: Separated log flow provided for audit reports
Situation: Multiple projects will use same global syslog
Solution: Move to Global, Environment ID: admin project, Name prefix: Global_
Expected Behavior: Single connection shared across all projects, changes managed centrally
Situation: Production logs will be copied to secondary data center (optional)
Solution: Export ZIP, Import to different environment, Port/Hostname updated to DR address
Expected Behavior: DR syslog server starts receiving logs in same format
Connection Configuration
In this step, you can create a new connection or configure existing connection parameters to set connection rules. Defined parameters directly affect how the connection works and become available for use in Integration Flow or Connector steps.
Creating New Syslog Connection
- Go to Connection → Syslog Connection section from left menu.
- Click [+ Create] button at top right.
Enable Status (Active Status): Set active/passive status with toggle. New connections are active by default.
Name Required:
- Example:
Production_Syslog - Enter unique name, cannot start with space.
- System automatically checks. Green checkmark: available. Red X: existing name.
Description:
- Example: "Gateway prod log flow"
- Max. 1000 characters.
- Describe the purpose of the Connection.
In the action button area at the top of the page, you can use the [<> Variable] button to select dynamic values, and with global variables, you can manage connection parameters with variable-based values instead of fixed values. For detailed information, review the Dynamic Variables page.
- Select environment from dropdown menu: Development, Test, or Production.
- Different connection parameters can be defined for each environment.
- Select TCP or UDP from Syslog Protocol Type field.
- Enter Syslog Server Hostname and Syslog Port values.
- Incorrect port leads to log loss; verify network firewall openings.
- Select Syslog Message Format (RFC 3164/5424/5425).
- Fill Syslog Message Hostname, Syslog App Name, Facility, and Severity fields according to your log policy.
- When TCP is selected, Syslog Timeout value is entered in milliseconds (default 5000).
- Timeout field is hidden in UDP mode; consider UDP Burst Interval recommendations for high traffic.
- Enable TLS tunneling by setting Syslog SSL Enabled option to true in TCP mode.
- Match certificate chain with syslog server; assign from certificate store if mutual TLS is required.
- Click [Test Connection] button.
- Test whether connection parameters are correct.
- Success: Green confirmation message, Failed: Error details shown.
- Click [Save and Deploy] button at top right.
Checklist: Unique name. Required fields filled. Test connection successful (recommended)
Result:
- Connection is added to list.
- Becomes available in Integration Flow and Connector steps.
- Becomes active according to environment.
Connection created successfully! You can now use it in Integration Flow and Connector steps.
Deleting Connection
Select Delete from ⋮ menu at end of row or click [Delete] button on connection detail page
Check Before Deleting: May be used in Integration Flow or Connector steps. If necessary, assign an alternative connection. Back up with Export before deleting
Use Disable option instead of deleting. Connection becomes passive but is not deleted. Can be reactivated when needed
Exporting/Importing Connection
In this step, you can export existing connections for backup, moving to different environments, or sharing purposes, or import a previously exported connection again. This operation is used to maintain data integrity in version control, transitions between test and production environments, or inter-team sharing processes.
Export
Select ⋮ → Export from action menu. ZIP file is automatically downloaded.
Click [Export] button on connection detail page. ZIP file is downloaded.
Format: Date-connection-ConnectionName-export.zip
Example: 13 Nov 2025-connection-Production_Syslog-export.zip
- Connection JSON file
- Metadata information
- Dependency information (e.g., certificates, key store)
- Backup
- Moving between environments (Test → Prod)
- Versioning
- Team or project-based sharing
Import
- Click [Import Syslog Connection] button on main list.
- Select downloaded ZIP file.
- System checks: Is format valid? Is there name conflict? Are dependencies present?
- Then click [Import] button.
Scenario 1: Name Conflict → Overwrite old connection or create with new name.
Scenario 2: Missing Dependencies → Create missing certificates or key stores first or exclude during import.
Connection Usage Areas
In this step, you can use the Syslog Connection connection you created in different components of the system. Connections are used by being selected in Integration Flow, Connector steps, or Scheduled Jobs.
Steps:
- Create the connection.
- Validate connection with Test Connection.
- Save and activate with Save and Deploy.
- Ensure connection is in Enabled state.
- Connection is selected in steps with syslog output such as "Send Message", "Notify".
- Can also be used for custom log sending in API Gateway policies.
- Connection selection is made from Connection field in configuration screen.
- Jobs that collect logs at certain intervals or perform health checks send notifications via syslog connection.
- If environment is changed in job update, connection is automatically adjusted.
- Connection correctness can be checked independently from Integration Flow with Connection Test feature.
- This test is critical in debugging process.
Best Practices
Do's and Best Practices
Bad: Using default RFC 3164 in all environments.
Good: Selecting format according to SIEM requirements.
Best: Versioning and documenting environment-based different formats with Export/Import.
Bad: Sending all logs with same severity.
Good: Separating warning and error logs into different severities.
Best: Documenting facility/severity matrix according to incident classification.
Bad: Leaving default hostname value.
Good: Using environment-based hostname.
Best: Naming in EnvironmentCode-gatewayId format and mapping with CMDB.
Bad: Space-containing and ambiguous expressions in Name field.
Good: Using environment prefix (Test_Syslog).
Best: Making {Environment}_{Purpose}_{Region} template mandatory.
Bad: Using same connection parameters in all environments.
Good: Creating separate connection for each environment.
Best: Managing all environments in single connection using Environment option, only changing environment during transitions between environments.
Bad: Saving and deploying connection without testing.
Good: Validating with Test Connection before saving.
Best: Testing after every parameter change, performing full integration test in test environment before going to production.
Security Best Practices
Make syslog server accessible only from relevant gateway subnets. Restrict UDP/TCP 514/6514 ports in firewall.
If using TLS, renew certificate chain regularly; use self-signed certificates only in Development environment.
Protect integrity by using TLS + message signature mechanism in RFC 5425 format for critical logs.
Store sensitive information such as username and password using environment variable or secret manager. Do not hardcode credentials in code or configuration files. Update passwords periodically
Always enable SSL/TLS in production environment. Use self-signed certificates only in development environment. Track certificate expiration dates and renew on time
Allow only authorized users to change connection configuration. Store connection change logs. Apply change approval process for critical connections
Don'ts
Why avoid: UDP does not provide delivery guarantee, packet loss cannot be controlled.
Alternative: Use TCP + SSL/TLS mode.
Why avoid: SIEM rules are not triggered, alerts are missed.
Alternative: Validate facility/severity map with operations team.
Why avoid: Source cannot be distinguished on SIEM side.
Alternative: Use hostname containing environment + region + node identity.
Why avoid: Test data may be written to production system, real users may be affected, security risk occurs.
Alternative: Create separate connection for each environment, use environment parameter, separate connection names by adding prefix according to environment (Test_, Prod_).
Why avoid: Connection constantly times out in network delays, Integration steps fail.
Alternative: Adjust timeout values according to real usage scenarios, measure network latency and set timeouts accordingly.
Why avoid: New connection opens on every request, performance decreases, resource consumption increases, target system load increases.
Alternative: Enable connection pool, adjust pool size according to traffic volume, set up pool monitoring.
Performance Tips
Recommendation: Apply rate limiting on gateway side in UDP mode, add Burst Interval if needed.
Impact: Target syslog server buffer overflow is prevented.
Recommendation: Keep timeout values in 5-10 sec range, verify automatic reconnect behavior during network interruptions.
Impact: Log delivery continuity is maintained.
Recommendation: Use RFC 5424 only if mandatory, otherwise reduce message size with RFC 3164.
Impact: Bandwidth and storage costs decrease.
Recommendation: Set pool size according to peak traffic (recommended: concurrent request count × 1.5), set idle connection timeouts, perform pool health check.
Impact: Connection opening cost decreases by 80%, response times decrease, resource usage is optimized.
Recommendation: Measure real network latency, adjust timeout values accordingly, avoid very low or very high timeouts.
Impact: Unnecessary waits are prevented, fast fail-over is provided, user experience improves.
Recommendation: Monitor connection pool usage, track timeout rates, perform connection health check, set up alerting.
Impact: Problems are proactively detected, performance bottlenecks are identified early, downtime decreases.
Troubleshooting
TLS Handshake Failed
Wrong port (514 instead of 6514), certificate chain missing, or syslog server may not be expecting TLS.
Validate port and protocol match.
Update certificate stores.
Open TLS listener on syslog side.
UDP Logs Missing
Network packet loss, firewall throttling, or excessive burst rate may exist.
Measure loss by performing packet capture.
Add burst interval.
Switch to TCP mode if needed.
Connection Timeout
Network delay, target system responding slowly, or timeout value may be too low.
Check network connectivity.
Check target system health.
Increase timeout values.
Review connection logs.
Authentication Failed
Wrong username/password, expired credentials, or permission problem may exist.
Verify credentials.
Check that user is active on target system.
Check that necessary permissions are granted.
Check SSL/TLS certificates.
Pool Exhausted
Pool size may be too low, connection leak may exist, or traffic may be too high.
Increase pool size.
Check that connections are properly closed.
Set idle connection timeouts.
Monitor connection usage metrics.
Connection Test Successful But Integration Flow Errors
Different connection may be selected in Integration/Connector step, step may be misconfigured, or Flow/Job may not be redeployed.
Check that connection's enable toggle is active.
Verify that correct connection is selected in Integration Flow.
Redeploy connection.
Redeploy Integration Flow or Job.
Check Gateway logs.
Frequently Asked Questions (FAQ)
Can Syslog connection send to multiple syslog servers at once?
No, each connection targets a single destination; duplicate connection or use load balancer for multiple targets.
Do I need to create new connection when switching from UDP to TCP?
You can update protocol on same connection but it's recommended to back up with export before change.
Is additional configuration required to select RFC 5425?
Yes, a syslog server listening TLS and Syslog SSL Enabled value being true is required.
Which component does timeout value affect?
Only affects TCP handshake and ACK wait time; Integration request is additionally limited by Request Timeout.
Can I share connection in different projects?
Admin users can move connection to global area with Move to Global action; can be used in other projects.
Can I use the same connection in multiple Integration Flows?
Yes, the same connection can be used in multiple Integration Flow or Connector steps. This provides centralized management and guarantees configuration consistency. However, changes made to the connection will affect all usage locations, so care should be taken.
Is using connection pool mandatory?
Connection pool usage is not mandatory but strongly recommended in high-traffic systems. Reusing existing connections instead of opening new connection on every request significantly increases performance.
Should I create different connections for Test and Production?
Yes, it is recommended to create separate connection for each environment. Alternatively, you can manage all environments in a single connection using environment parameter. This approach provides easier management and less error risk.
Test Connection is successful but not working in Integration Flow, why?
Several reasons may exist:
- Connection enable toggle may be passive
- Different connection may be selected in Integration step
- Connection may not be deployed
- Integration Flow may not be redeployed yet