search

Integrating port 514 data sources

Some legacy systems (certain network appliances, older firmware, or embedded electronics) can only send syslog to destination port 514 and cannot be reconfigured to use an alternative port. Our Forwarder preserves compatibility by redirecting everything received on port 514 to port 10514 internally. This allows a single, consistent processing pipeline and simplifies security hardening and monitoring.

High-Level Behavior

  • Inbound (from customer data sources)

    • The Forwarder accepts logs on multiple listener ports.

    • For legacy sources fixed to 514 (UDP/TCP), the Forwarder locally redirects traffic from 514 → 10514.

    • For modern sources, we recommend sending directly to 10514 (preferably TCP/TLS).

  • Processing

    • All messages—whether they arrived on 10514 natively or were redirected from 514—are processed by the same 10514 linked Transformation Pipeline (parsing, normalization, enrichment, etc).

What Partners Must Configure

If your device can choose the destination port

  • Point it to the Forwarder’s IP on port 10514.

  • Prefer TCP (or TCP+TLS if available) over UDP for reliability.

If your device can only send to port 514

  • Point it to the Forwarder’s IP on port 514 (UDP or TCP as supported by the device).

  • No extra action is required on your side to target 10514; the Forwarder will automatically redirect 514 → 10514 internally.

  • In the platform/UI, when creating the integration, select listener port 10514 (this is the canonical listener the Forwarder uses after redirection).

circle-info

Why 10514? It is a widely used alternative syslog port that avoids privileged-port constraints and aligns with common deployments for TCP/TLS syslog while keeping a single inspection pipeline.

Supported Protocols

  • UDP/514 → internally redirected to 10514/UDP

  • TCP/514 → internally redirected to 10514/TCP

  • TCP/10514 (recommended)

  • TCP+TLS/10514 (if enabled in your deployment)

Inbound rules (to Forwarder)

  • Allow from your source IP ranges to port 10514 (preferred) and port 514 (for legacy devices).

Quick Validation (optional)

  • UDP test (example): logger -n <FORWARDER_IP> -P 514 -d "test over UDP/514 (redirects to 10514)"

  • TCP test (example): nc -v <FORWARDER_IP> 514 then send a line like <134>TEST TCP/514 redirect

circle-info

Verify the message appears in the collector console associated with 10514 integration.

Troubleshooting

  • No logs received from a legacy device

    • Confirm network path to 514 on the Forwarder.

    • Check device supports the selected protocol (UDP vs TCP).

  • Intermittent loss with UDP sources

    • Prefer TCP/TLS if the device supports it.

    • Check intermediate network devices for rate-limits or ACLs.

Example in the platform

To configure port 514, go to the Integrations > Data Sources section of the main menu, as shown in the image.

New data source integration configuration panel
New data source integration configuration panel

Step by step instructions:

1

Click + New Integration

2

Set Protocol as TCP

3

Set Port as 10514

4

Configure the rest of the parameters as desired

5

Click + Add Integration at the bottom to save the changes

circle-info

From now on, logs sent to port 514 of the local Forwarder deployed in the customer premises will be integrated into the platform, as it's reaching port 10514

PreviousRemoveNextCloud data sources

Last updated