Documentation Index
Fetch the complete documentation index at: https://docs.tell.rs/llms.txt
Use this file to discover all available pages before exploring further.
Collect logs from servers, routers, and firewalls using standard syslog. Tell supports both TCP (reliable delivery) and UDP (high-volume, best-effort) with RFC 3164 (BSD) and RFC 5424 (IETF) formats.
TCP
For reliable log delivery with connection-based framing. Messages are newline-delimited.
[sources.syslog_tcp]
port = 514
CAP_NET_BIND_SERVICE.
UDP
For high-volume log ingestion where best-effort delivery is acceptable. Multiple workers share the same port using kernel-level load balancing.
[sources.syslog_udp]
port = 514
[sources.syslog_udp]
port = 514
num_workers = 8
When to use TCP vs UDP
TCP when you need every message delivered — audit logs, security events, compliance data.
UDP when volume matters more than completeness — application logs, metrics, high-traffic syslog servers.
You can run both at once on different ports to handle both cases.
Advanced
TCP config reference
[sources.syslog_tcp]
port = 514
address = "::" # Bind address
max_message_size = 8192 # Max syslog message (8 KB)
connection_timeout = "30s" # Idle connection timeout
no_delay = true # TCP_NODELAY
flush_interval = "100ms" # Batch flush interval
batch_size = 500 # Messages per batch
max_connections = 10000 # Connection limit
UDP config reference
[sources.syslog_udp]
port = 514
address = "::" # Bind address
num_workers = 4 # Parallel UDP workers
max_message_size = 8192 # Max syslog message (8 KB)
flush_interval = "50ms" # Faster flush for UDP bursts
batch_size = 500 # Messages per batch
