Secure60 Syslog Balancer

Overview

The Secure60 Syslog Balancer accepts syslog traffic and distributes each message across multiple backend collectors to prevent hotspots and stuck streams. It supports:

UDP syslog on port 515 (default)
TLS/TCP syslog on port 6515 (default)
Optional plain TCP on port 516
Deterministic per-message distribution using a hash-based selector
Durable queuing with backpressure (prevents data loss on backend outages)

No application changes are required on senders; point existing syslog clients at the balancer.

Key Features

Per-message load distribution that avoids TCP stream stickiness
Default listeners: UDP 515 and TLS/TCP 6515 (self-signed cert included; bring your own certs optional)
Optional plain TCP 516
Deterministic routing with consistent keys (hostname/appname/fromhost-ip) or per-message entropy (message content)
Backpressure: when backends are slow/unavailable, the balancer queues and slows intake rather than dropping
Simple, environment-variable configuration

How It Works

Incoming messages are parsed and a backend index is computed using a hash function.
By default, routing uses a hash of the message content with time entropy, distributing messages across all configured backends.
For stable affinity, set the hash key to a property (e.g., hostname) so messages from the same source map to the same backend.
Messages are forwarded to backend collectors over TCP by default; UDP backends are also supported.

Deployment

Docker

docker run -d --rm --name s60-syslog-balancer \
  -p 515:515/udp -p 6515:6515/tcp \
  -e BACKENDS="collector1:514,collector2:514" \
  secure60/s60-syslog-balancer:1.06

Docker Compose (example lab)

services:
  s60-lb:
    image: secure60/s60-syslog-balancer:1.06
    container_name: s60-syslog-balancer
    environment:
      BACKENDS: "be1:5514,be2:5514"
      ENABLE_UDP: "true"
      LISTEN_UDP_PORT: "515"
      ENABLE_TCP: "false"
      ENABLE_TCP_TLS: "true"
      LISTEN_TCP_TLS_PORT: "6515"
      # Hash-based routing (default):
      LB_POLICY: "hash"
      LB_HASH_KEY: "msg"
    ports:
      - "515:515/udp"
      - "6515:6515/tcp"
    depends_on: [be1, be2]

Configuration

Environment Variables

Variable	Description	Default
`ENABLE_UDP`	Enable UDP listener	`true`
`LISTEN_UDP_PORT`	UDP listen port	`515`
`ENABLE_TCP`	Enable plain TCP listener	`false`
`LISTEN_TCP_PORT`	Plain TCP listen port	`516`
`ENABLE_TCP_TLS`	Enable TLS/TCP listener	`true`
`LISTEN_TCP_TLS_PORT`	TLS/TCP listen port	`6515`
`BACKENDS`	Comma-separated `host[:port]` backends	required
`BACKEND_PORT`	Default backend port if omitted	`514`
`BACKEND_PROTOCOL`	Backend protocol `tcp` or `udp`	`tcp`
`LB_POLICY`	`hash` (default) or `random`	`hash`
`LB_HASH_KEY`	`msg`, `hostname`, `appname`, `fromhost-ip`	`msg`
`TLS_SERVER_CERT`	Path to listener public cert	`/etc/rsyslog.d/certs/server.crt`
`TLS_SERVER_KEY`	Path to listener private key	`/etc/rsyslog.d/certs/server.key`
`TLS_SERVER_CA`	Optional CA for client cert validation	empty
`TLS_REQUIRE_CLIENT_CERT`	Require client certificates (mTLS)	`false`
`WORK_DIRECTORY`	Queue/working directory	`/var/spool/rsyslog`
`MAINQ_MAX_DISK_GB`	Max disk for main queue	`10`
`ACTIONQ_MAX_DISK_GB`	Max disk per backend queue	`5`
`ACTION_QUEUE_SIZE`	Action queue in-memory size	`20000`
`QUEUE_HIGHWATERMARK`	High watermark before throttling	`16000`
`QUEUE_LOWWATERMARK`	Low watermark to resume	`4000`

TLS

A self-signed certificate is included by default for the TLS/TCP listener.
Bring your own certificate by mounting it and setting TLS_SERVER_CERT and TLS_SERVER_KEY.
For mTLS, set TLS_SERVER_CA and TLS_REQUIRE_CLIENT_CERT=true.

Best Practices

Use TLS/TCP (6515) for reliable delivery; enable UDP only when needed for legacy devices.
Start with LB_POLICY=hash and LB_HASH_KEY=hostname if you want stable backend affinity per sender.
Tune queue disk limits to your retention objectives during backend outages.
Set BACKEND_PROTOCOL=tcp to maintain reliability end-to-end.

Troubleshooting

No traffic on one backend: verify the hash key. msg with time entropy balances broadly; hostname pins per host.
TLS connection issues: confirm mounted cert/key paths and that clients trust the presented certificate (or disable validation on client for lab tests).
Backpressure: if senders block on TLS/TCP, review queue watermarks and disk limits.

Support

For assistance with the Secure60 Syslog Balancer, contact the integrations team at integrations@secure60.io.