---
title: Syslog Destinations
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Observability Pipelines > Destinations > Syslog Destinations
---

# Syslog Destinations

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). ().
{% /alert %}

{% /callout %}
Available for:
{% icon name="icon-logs" /%}
 Logs 
Use Observability Pipelines' syslog destinations to send logs to rsyslog or syslog-ng.

## Setup{% #setup %}

Set up the rsyslog or syslog-ng destination and its environment variables when you [set up a pipeline](https://app.datadoghq.com/observability-pipelines). The information below is configured in the pipelines UI.

### Set up the destination{% #set-up-the-destination %}

{% alert level="danger" %}
The rsyslog and syslog-ng destinations support the [RFC5424](https://datatracker.ietf.org/doc/html/rfc5424) format.
{% /alert %}

The rsyslog and syslog-ng destinations match these log fields to the following Syslog fields:

| Log Event        | SYSLOG FIELD | Default                          |
| ---------------- | ------------ | -------------------------------- |
| log["message"]   | MESSAGE      | `NIL`                            |
| log["procid"]    | PROCID       | The running Worker's process ID. |
| log["appname"]   | APP-NAME     | `observability_pipelines`        |
| log["facility"]  | FACILITY     | `8 (log_user)`                   |
| log["msgid"]     | MSGID        | `NIL`                            |
| log["severity"]  | SEVERITY     | `info`                           |
| log["host"]      | HOSTNAME     | `NIL`                            |
| log["timestamp"] | TIMESTAMP    | Current UTC time.                |

{% alert level="danger" %}
Only enter the identifiers for the syslog endpoint URL and, if applicable, the key pass. Do not enter the actual values.
{% /alert %}

To set up the syslog destination in the UI:

- Enter the identifier for your endpoint URL. If you leave it blank, the default is used.

#### Optional settings{% #optional-settings %}

##### Enable TLS{% #enable-tls %}

Toggle the switch to enable TLS. If you enable TLS, the following certificate and key files are required:

- Enter the identifier for your syslog key pass. If you leave it blank, the default is used.
- `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) root file in DER or PEM (X.509).
- `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.

##### Wait time for TCP keepalive probes{% #wait-time-for-tcp-keepalive-probes %}

Enter the number of seconds to wait before sending TCP keepalive probes on an idle connection.

##### Buffering{% #buffering %}

Toggle the switch to enable **Buffering Options**. Enable a configurable buffer on your destination to ensure intermittent latency or an outage at the destination doesn't create immediate backpressure, and allow events to continue to be ingested from your source. Disk buffers can also increase pipeline durability by writing data to disk, ensuring buffered data persists through a Worker restart. See [Destination buffers](https://docs.datadoghq.com/observability_pipelines/scaling_and_performance/buffering_and_backpressure/#destination-buffers) for more information.

- If left unconfigured, your destination uses a memory buffer with a capacity of 500 events.
- To configure a buffer on your destination:
  1. Select the buffer type you want to set (**Memory** or **Disk**).
  1. Enter the buffer size and select the unit.
     1. Maximum memory buffer size is 128 GB.
     1. Maximum disk buffer size is 500 GB.
  1. In the **Behavior on full buffer** dropdown menu, select whether you want to **block** events or **drop new events** when the buffer is full.

### Set secrets{% #set-secrets %}

These are the defaults used for secret identifiers and environment variables.

**Note**: If you enter secret identifiers and then choose to use environment variables, the environment variable is the identifier entered and prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for a password identifier, the environment variable for that password is `DD_OP_PASSWORD_1`.

{% tab title="Secrets Management" %}

- rsyslog or syslog-ng endpoint URL identifier:
  - References the address and port to which Observability Pipelines Worker sends logs. For example, `127.0.0.1:9997`.
  - The default identifier is `DESTINATION_SYSLOG_ENDPOINT_URL`.
- rsyslog or syslog-ng TLS passphrase identifier (when TLS is enabled):
  - The default identifier is `DESTINATION_SYSLOG_KEY_PASS`.

{% /tab %}

{% tab title="Environment Variables" %}

- The rsyslog or syslog-ng endpoint URL. For example, `127.0.0.1:9997`.
  - The Observability Pipelines Worker sends logs to this address and port.
  - The default environment variable is `DD_OP_DESTINATION_SYSLOG_ENDPOINT_URL`.
- The ryslog or syslog-ng TLS passphrase (when enabled):
  - The default environment variable is `DD_OP_DESTINATION_SYSLOG_KEY_PASS`.

{% /tab %}

### How the destination works{% #how-the-destination-works %}

#### Event batching{% #event-batching %}

The rsyslog and syslog-ng destinations do not batch events.