User Guide
TLS & HTTPS¶
LuceDev Syslog supports encrypted syslog transport on TCP port 6514 and HTTPS for the web dashboard on an independent port. Both share a single certificate management UI in Settings → Server.
TLS syslog (TCP 6514)¶
TLS syslog (RFC 5425) encrypts log messages in transit between your devices and the server.
Enable it¶
- Go to Settings → Server → TLS Syslog
- Toggle TLS enabled
- Provide a certificate and private key (see below)
- Save changes
- Restart the service when prompted
Certificate options¶
You have three ways to give the server a certificate and key:
- Generate a self-signed certificate — click Generate Self-Signed Certificate in the TLS Syslog section. The server creates a 2048-bit RSA cert valid for 365 days with the hostname,
localhost, and127.0.0.1in the Subject Alternative Names. Files are written tocerts/server.crtandcerts/server.keyand selected automatically. - Paste PEM content — paste the certificate and key directly into the form. The server writes them to
certs/server.crtandcerts/server.key. - Reference an existing file — point the cert and key fields at file paths already on disk (absolute or relative to the install directory).
The private key is automatically chmod 600 after upload on Linux.
Configure your devices¶
| Setting | Value |
|---|---|
| Protocol | TCP + TLS |
| Port | 6514 |
| Server | <your-server-ip> |
Most network devices (Cisco, pfSense, Fortinet, Palo Alto) accept self-signed certificates for syslog. If your device requires a trusted CA chain, use a certificate issued by your internal PKI or Let's Encrypt.
HTTPS dashboard¶
Serve the web dashboard over HTTPS for encrypted browser access.
Independent port¶
HTTP and HTTPS run on independent ports:
- HTTP runs on
flask_port(default5000) — always runs, no exception - HTTPS runs on
flask_https_port(default5001) — runs only when enabled and certs are valid
This means HTTPS is purely additive. If you mis-configure a certificate, HTTP keeps serving the dashboard so you can never lock yourself out.
Enable HTTPS¶
- Go to Settings → Server → HTTPS (Web Dashboard)
- Toggle HTTPS enabled
- Provide a certificate and private key
- Save changes
- Restart the service when prompted
After restart, the dashboard is reachable at both:
http://<server-ip>:5000(HTTP)https://<server-ip>:5001(HTTPS)
Certificate options for HTTPS¶
The same three options as TLS syslog, plus one more:
- Generate self-signed — same flow as TLS syslog, but writes to
certs/web.crtandcerts/web.key - Paste PEM content — writes to
certs/web.crtandcerts/web.key - Reference an existing file — point at any path on disk
- Use Syslog Cert — point HTTPS at the same cert/key files already configured for TLS syslog. Useful when one certificate covers both purposes.
Browser warnings on self-signed certs¶
Browsers will show a security warning for self-signed certificates — the connection is still encrypted; the warning is about trust, not security. For production, use a certificate from your internal CA or Let's Encrypt.
Generating a certificate outside the product¶
If you prefer the command line — or need to issue from your own CA — use OpenSSL:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem \
-days 365 -nodes -subj "/CN=syslog.yourdomain.com"
Then copy the files into the server's certs/ directory and reference them by path in Settings → Server.
Removing a certificate¶
Click Delete next to the configured cert/key in Settings → Server. The file is removed from disk and the setting is cleared. The corresponding listener (TLS syslog or HTTPS) will stop on next restart.
Audit trail¶
Every certificate upload, generation, and deletion is recorded in the audit trail with the file path and the user who performed it.