Find answers, guides, and tutorials to supercharge your content delivery.

Configure your own Syslog Server

Updated on October 4, 2018

Rsyslog is a rocket-fast system for log processing and is commonly used for any kind of system logging. For more informations about rsyslog, visit We use a Ubuntu server 14.04 LTS distribution to show you how to configure your own syslog server to receive your CDN logs in real time.

Syslog Server Installation

Update the packages list and install the latest version of rsyslog.

  1. apt-get update
  2. apt-get install rsyslog

Syslog Server Configuration

Configure rsyslog to receive UDP logs and define a filter where you want to store the logs.

  1. Open the rsyslog conf file and add the following lines

    vi /etc/rsyslog.conf
    # provides UDP syslog reception
  2. Create and open your custom config file.

    vi /etc/rsyslog.d/00-custom.conf
    # Templates
    template(name="ReceiveFormat" type="string" string="%msg:39:$%\n")
    # UDP ruleset mapping
    input(type="imudp" port="514" ruleset="customRuleset")
    # Custom ruleset
    ruleset(name="customRuleset") {
        if ($msg contains '366c3df6-93dd-4ec0-a218-aec9d191c59e') then {

    Replace 366c3df6-93dd-4ec0-a218-aec9d191c59e with your own custom token. Your token values must be separated by four dashes “-” and must not exceed 45 characters. A few other valid token examples include:


    Use the following regex expression with regex101 to validate the token value you define:


    You may use any letters from a-z and numbers from 0-9 when creating your token.

  3. Restart the rsyslog process

    service rsyslog restart
  4. Configure your syslog server within the KeyCDN Dashboard: Account Settings -> General -> Real-time Log Forwarding (syslog)

    The log forwarding starts within 5 minutes after you save the configuration.

  5. Verify if you are receiving the logs

    tail -f /var/log/cdn.log

Troubleshooting Commands

  • service rsyslog status Verify that rsyslog is running.

    # service rsyslog status
    rsyslog start/running, process 26527
  • netstat -na | grep ":<defined port>" Is rsyslog listening on the right port?

    # netstat -na | grep :514
    udp        0      0   *
  • tcpdump port <defined port> Are you receiving any packet on the defined port?

    # tcpdump port 514
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    11:20:53.066938 IP keycdn-syslog.37960 > your-server.syslog: [|syslog]
    1 packet captured
    1 packet received by filter
    0 packets dropped by kernel
  • tail -f /path/to/your/logfile Check if you get new log entries.

    # tail -f /var/log/cdn.log
    1421338853.058|defr||200|439|1|6976||HIT|"HEAD /lorem.jpg HTTP/1.1"|[15/Jan/2015:17:20:53 +0100]|"-"|"curl/7.30.0"|http|CH|Switzerland|Winterthur|25|47.5000|8.7251|"AS6830 Liberty Global Operations B.V."^C

Supercharge your content delivery 🚀

Try KeyCDN with a free 30 day trial, no credit card required.

Get started