Collect logs from servers, routers, and firewalls using standard syslog. Tell supports both TCP (reliable delivery) and UDP (high-volume, best-effort) with RFC 3164 (BSD) and RFC 5424 (IETF) formats.

TCP

For reliable log delivery with connection-based framing. Messages are newline-delimited.
[sources.syslog_tcp]
port = 514
Syslog has no authentication: any client that can reach the port can send logs. Restrict access at the network level (firewall rules, private subnets).

Binding to port 514 requires root. Use a higher port (e.g., 50514) and redirect with iptables, or run Tell with CAP_NET_BIND_SERVICE.
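The following is an added example, not part of Tell or its documentation: a small test sender for checking a TCP source from an allowed host. It builds RFC 5424 and RFC 3164 messages and frames them with the newline delimiter described above. The function names, the sample field values, and the decision to count the delimiter toward the 8192-byte limit are assumptions.

```python
import socket
from datetime import datetime, timezone

MAX_MESSAGE_SIZE = 8192  # max_message_size from the config reference on this page
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def pri(facility: int, severity: int) -> int:
    """PRI used by both RFC 3164 and RFC 5424: facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23, severity 0-7")
    return facility * 8 + severity

def rfc5424(facility, severity, host, app, msg, ts=None):
    ts = (ts or datetime.now(timezone.utc)).astimezone(timezone.utc)
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"  # millisecond precision
    # VERSION is 1; PROCID, MSGID and STRUCTURED-DATA are the NILVALUE "-"
    return f"<{pri(facility, severity)}>1 {stamp} {host} {app} - - - {msg}"

def rfc3164(facility, severity, host, tag, msg, ts=None):
    ts = ts or datetime.now()
    # BSD timestamp "Mmm dd hh:mm:ss": no year, day padded with a space
    stamp = f"{MONTHS[ts.month - 1]} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{stamp} {host} {tag}: {msg}"

def frame(message: str) -> bytes:
    """Newline-delimited frame for the TCP source."""
    # An embedded LF would end the frame early and the remainder would be read
    # as a separate message, so escape LF (and CR) before adding the delimiter.
    data = message.replace("\r", "\\r").replace("\n", "\\n").encode("utf-8")
    # Assumption: the page does not say whether the limit counts the
    # delimiter, so count it and stay under the limit either way.
    if len(data) + 1 > MAX_MESSAGE_SIZE:
        raise ValueError(f"frame is {len(data) + 1} bytes, limit {MAX_MESSAGE_SIZE}")
    return data + b"\n"

def send_tcp(host: str, port: int, messages) -> int:
    """Send framed messages over one TCP connection; returns the count sent."""
    frames = [frame(m) for m in messages]  # validate everything before connecting
    with socket.create_connection((host, port), timeout=5) as conn:
        for f in frames:
            conn.sendall(f)
    return len(frames)

if __name__ == "__main__":
    # Constructed sample; the field values are made up for illustration.
    print(frame(rfc5424(4, 5, "fw01", "sshd", "line one\nline two")))
```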

UDP

For high-volume log ingestion where best-effort delivery is acceptable. Multiple workers share the same port using kernel-level load balancing.
[sources.syslog_udp]
port = 514
When the pipeline is busy, packets are dropped rather than queued — consistent with UDP semantics. If you’re seeing drops under load, increase the worker count:
[sources.syslog_udp]
port = 514
num_workers = 8

When to use TCP vs UDP

TCP when you need every message delivered — audit logs, security events, compliance data. UDP when volume matters more than completeness — application logs, metrics, high-traffic syslog servers. You can run both at once on different ports to handle both cases.

Advanced

TCP config reference

[sources.syslog_tcp]
port = 514
address = "::"              # Bind address
max_message_size = 8192     # Max syslog message (8 KB)
connection_timeout = "30s"  # Idle connection timeout
no_delay = true             # TCP_NODELAY
flush_interval = "100ms"    # Batch flush interval
batch_size = 500            # Messages per batch
max_connections = 10000     # Connection limit

UDP config reference

[sources.syslog_udp]
port = 514
address = "::"              # Bind address
num_workers = 4             # Parallel UDP workers
max_message_size = 8192     # Max syslog message (8 KB)
flush_interval = "50ms"     # Faster flush for UDP bursts
batch_size = 500            # Messages per batch