Frequently Asked Questions
Quick answers to the questions we get most often. If yours isn't here, check Troubleshooting or get in touch.
General
What is LuceDev Syslog?
A lightweight syslog collector for Windows and Linux. It receives RFC 3164/5424 messages from network devices over UDP and TLS, stores them in a tuned SQLite database, and serves a real-time web dashboard with role-based access, audit trails, and automatic log archival. Single binary, single process, no external dependencies.
What devices can send logs to it?
Anything that speaks standard syslog over UDP or TLS-TCP — firewalls (pfSense, Fortinet, Palo Alto, Cisco), switches, routers, Linux servers, ESXi hosts, network printers, IoT devices. Windows servers need a syslog forwarder agent like NXLog or Snare since Windows doesn't speak syslog natively.
Is there a Linux version?
Yes — native support for Ubuntu 22.04 and 24.04 (x86_64). Download the .tar.gz from lucedev.com/products/lucedev-syslog and run sudo bash install.sh.
What versions of Windows are supported?
Windows 10, Windows 11, Windows Server 2019, 2022, and 2025. All 64-bit. No .NET runtime needs to be installed separately.
Does it support syslog over plain TCP (no TLS)?
No. The supported transports are UDP/514 and TLS/6514. If you need TCP transport, enable TLS.
Licensing
How does the trial work?
Every install gets a 7-day trial with full access to all features. No credit card. The trial start date is anchored in the Windows Registry (or license_state.json on Linux) so it survives reinstall.
What happens when the trial ends?
- Syslog ingestion stops — incoming messages are dropped at the receiver.
- The dashboard blocks navigation to everything except the License page and Settings, so you can always enter a key.
- Your existing data is not deleted. Activate a key and ingestion resumes immediately.
How much does a license cost?
$299 per year, per server. Includes all features and updates. Purchase at lucedev.com/products/lucedev-syslog.
Can I use one license on multiple servers?
No — each key is bound to one server. Contact LuceDev for volume pricing if you need several.
What happens if my license server access is blocked?
The server enters a grace state for 7 days. Dashboard and ingestion continue. After 7 days without a successful re-check, the state moves to expired and ingestion stops. See Licensing for the full lifecycle.
Data and storage
Where is my data stored?
Everything is local. No data leaves the server except for daily update checks and weekly license re-validation against lucedev.com.
Windows:
- Database: C:\Program Files\LuceDev Syslog\data\syslog.db
- Archives: C:\Program Files\LuceDev Syslog\archives\
- Certs: C:\Program Files\LuceDev Syslog\certs\
Linux:
- Database: /var/lib/lucedev-syslog/data/syslog.db
- Archives: /var/lib/lucedev-syslog/archives/
- Certs: /var/lib/lucedev-syslog/certs/
- Logs: /var/log/lucedev-syslog/
How much disk space do I need?
Roughly 50 MB per 100,000 logs in the live database. Compressed archives are ~5% of that. See System Requirements for fuller estimates.
Can I back up the database while the service is running?
Yes. SQLite handles concurrent reads safely. For a clean snapshot use:
That's the SQLite-recommended way; it's safe under WAL mode without stopping the service.
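One way to take such a snapshot, shown as an added example rather than the product's own command: Python's `sqlite3.Connection.backup()` drives SQLite's online backup API and copies only committed data. The database built in `demo()` and its `logs` schema are constructed stand-ins, not the product's real schema.

```python
import os
import sqlite3
import tempfile


def snapshot(live_db, dest):
    """Copy live_db to dest through SQLite's online backup API."""
    src = sqlite3.connect(live_db)
    dst = sqlite3.connect(dest)
    try:
        # pages=-1 copies the whole database in one step under a single read
        # transaction; in WAL mode that read does not block the writer.
        src.backup(dst, pages=-1)
    finally:
        dst.close()
        src.close()


def verify(path):
    """Return (integrity_check result, row count) for a snapshot file."""
    con = sqlite3.connect(path)
    try:
        ok = con.execute("PRAGMA integrity_check").fetchone()[0]
        rows = con.execute("SELECT COUNT(*) FROM logs").fetchone()[0]
    finally:
        con.close()
    return ok, rows


def demo():
    """Snapshot a constructed WAL database while a writer has an open transaction."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "syslog.db")  # constructed stand-in for the live DB
        writer = sqlite3.connect(live)
        writer.execute("PRAGMA journal_mode=WAL")
        # Hypothetical schema, for illustration only
        writer.execute("CREATE TABLE logs (id INTEGER PRIMARY KEY, message TEXT)")
        writer.executemany("INSERT INTO logs (message) VALUES (?)",
                           [("link up",), ("login ok",), ("link down",)])
        writer.commit()
        # This insert stays uncommitted while the snapshot runs
        writer.execute("INSERT INTO logs (message) VALUES ('in flight')")
        dest = os.path.join(tmp, "snapshot.db")
        snapshot(live, dest)
        result = verify(dest)
        writer.commit()
        writer.close()
        return result


if __name__ == "__main__":
    print(demo())
```

In practice `live_db` would be the syslog.db path listed under "Where is my data stored?" and `dest` a location outside the data directory; running `verify` on the copy confirms it opens cleanly before you rely on it.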
Can I import old syslog data from another tool?
There's no built-in import. You can shape your data into the same gzipped CSV format used by archives (id, timestamp, host, severity, facility, message) and drop it into the archives/ directory — the dashboard will list it as a downloadable archive. There's no automatic re-ingest path back into the live database today.
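A sketch of that conversion, as an added example that is not the product's own tooling: it parses RFC 3164 lines exported from another tool and writes a gzipped CSV in the column order given above. The header row, the timestamp format, numeric severity/facility values and the supplied year are assumptions, and the sample lines are constructed.

```python
import csv
import gzip
import io
import re
from datetime import datetime

COLUMNS = ["id", "timestamp", "host", "severity", "facility", "message"]
RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def to_row(row_id, line, year):
    """Parse one RFC 3164 line into the archive column order, or None if malformed."""
    m = RFC3164.match(line)
    if not m or int(m.group(1)) > 191:       # valid PRI values are 0..191
        return None
    pri = int(m.group(1))
    try:                                     # RFC 3164 carries no year, so one is supplied
        ts = datetime.strptime(f"{year} {m.group(2)}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    # PRI = facility * 8 + severity
    return [row_id, ts.isoformat(sep=" "), m.group(3), pri & 7, pri >> 3, m.group(4)]

def build_archive(lines, year):
    """Return (gzipped CSV bytes, number of lines skipped as unparseable)."""
    buf = io.StringIO()
    out = csv.writer(buf)                    # quotes commas and quotes inside messages
    out.writerow(COLUMNS)                    # header row is an assumption
    skipped, next_id = 0, 1
    for line in lines:
        row = to_row(next_id, line.rstrip("\n"), year)
        if row is None:
            skipped += 1
            continue
        out.writerow(row)
        next_id += 1
    return gzip.compress(buf.getvalue().encode("utf-8")), skipped

def read_archive(data):
    """Decode a gzipped CSV archive back into rows, to check the result."""
    return list(csv.reader(io.StringIO(gzip.decompress(data).decode("utf-8"))))

SAMPLE = [  # constructed input
    "<134>Oct 11 22:14:15 fw01 filterlog: block,in,em0",
    '<38>Oct  1 03:02:01 sw-core sshd[411]: Failed password for "admin"',
    "not a syslog line",
]

if __name__ == "__main__":
    data, skipped = build_archive(SAMPLE, 2024)
    print(read_archive(data), skipped)
```

Compare the header, timestamp format and severity encoding against an archive the product itself wrote before dropping converted files into archives/.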
Security
Is data encrypted?
- In transit: Yes, when using TLS syslog (6514) and the HTTPS dashboard (5001).
- At rest: The SQLite database is stored unencrypted on disk. Use BitLocker (Windows) or LUKS (Linux) for full-disk encryption if you need at-rest protection.
Who can access the dashboard?
Only authenticated users. The dashboard uses Flask-Login with bcrypt-hashed passwords. Access is gated by role — see User Management.
Is there an audit trail?
Yes. Every login, setting change, user action, certificate change, license event, export, and service restart is recorded with timestamp, user, and IP. Audit events are never archived — they stay in the live database indefinitely. Admins and auditors can view the trail at /audit.
What outbound network connections does the server make?
Only three things:
- Daily update check to lucedev.com/api/version/syslog
- Weekly license re-validation to lucedev.com/api/validate
- Notification email to your configured SMTP relay
No telemetry, no analytics, no third-party CDNs.
Operations
How do I check service status on Linux?
How do I check service status on Windows?
Or use the Services GUI (services.msc) — look for LuceDev Syslog.
Can I run it on the same host as another web server?
Yes, as long as ports don't conflict. Move the dashboard off 5000 to something like 8080 in Settings → Server if you already have a web server on 5000.
Does it have a JSON API?
Yes — see the JSON API reference. It uses the same session cookie as the dashboard.
How do I forward Windows Event Logs?
Windows doesn't speak syslog natively. Use a syslog agent — NXLog Community Edition is free and well-supported, or Snare for enterprise.