
sloggo

Open source MIT TypeScript

About sloggo

Minimal RFC 5424 syslog collector and viewer based on DuckDB. Runs as a single, resource-friendly process.

Platforms

Web Self-hosted Docker

Languages

TypeScript


Sloggo


Introduction

Sloggo is a lightweight log collection and exploration tool. It ingests logs over TCP and UDP using the RFC 5424 Syslog protocol, stores them in DuckDB, and presents them in a clean, modern web UI.

Designed for small to medium-sized setups where you want real-time logs without spinning up the JVM or a full Kubernetes cluster to ingest 10 daily lines of logs.

It runs in a single process with minimal resource usage, quick configuration via environment variables, and is less than 10 MiB in compressed size.

[!WARNING] Sloggo is currently an alpha release; do not use it for anything serious. It also doesn't offer any security layer by default, so only use it in a private network or behind a secure reverse proxy.

Sloggo is made by Phare, a small bootstrapped company building shockingly good uptime monitoring, alerts, incidents, analytics, and status pages, with free Open source grants.

Getting Started

  1. Start the container with docker or podman:

    docker run --name sloggo \
       -p 5514:5514/udp -p 6514:6514 -p 8080:8080 \
       -e SLOGGO_LISTENERS=tcp,udp \
       -e SLOGGO_UDP_PORT=5514 \
       -e SLOGGO_TCP_PORT=6514 \
       -e SLOGGO_API_PORT=8080 \
       -v ./data:/app/.duckdb \
       ghcr.io/phare/sloggo:latest
  2. Send some logs:

    echo "<34>1 2025-08-04T12:00:00Z myhost sloggo - - - Hello, Sloggo" | nc localhost 6514
  3. Access the application:

Testing

To run the backend tests:

make test

Environment Variables

The following environment variables can be used to configure the application:

  • SLOGGO_LISTENERS: Comma-separated list of listeners to enable (default: tcp,udp).
  • SLOGGO_UDP_PORT: Port for the UDP Syslog listener (default: 5514).
  • SLOGGO_TCP_PORT: Port for the TCP Syslog listener (default: 6514).
  • SLOGGO_API_PORT: Port for the API (default: 8080).
  • SLOGGO_LOG_RETENTION_MINUTES: Duration in minutes to keep logs before deletion (default: 43200 - 30 days).
  • SLOGGO_LOG_FORMAT: Log parsing format (default: auto). Supported values:
    • auto: Try RFC 5424 first, then fall back to RFC 3164.
    • RFC5424: Only parse messages as RFC 5424.
    • RFC3164: Only parse messages as RFC 3164.
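The fallback order described for SLOGGO_LOG_FORMAT can be illustrated with a small classifier. This is an added example, not Sloggo's own parser: the regular expressions are simplified, and the names Classify, Parsed and build are hypothetical. It also decodes PRI into facility and severity and rejects out-of-range values, which matters because the listeners accept input from any sender that can reach them.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Simplified header patterns (assumption: enough to tell the formats apart).
var (
	// RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
	rfc5424 = regexp.MustCompile(`^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) `)
	// RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME ...
	rfc3164 = regexp.MustCompile(`^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) `)
)

type Parsed struct {
	Format, Host       string
	Facility, Severity int
}

// Classify: "auto" tries RFC 5424 first, then RFC 3164; other modes allow one format.
func Classify(line, mode string) (Parsed, error) {
	if m := rfc5424.FindStringSubmatch(line); m != nil && mode != "RFC3164" {
		return build("RFC5424", m[1], m[3])
	}
	if m := rfc3164.FindStringSubmatch(line); m != nil && mode != "RFC5424" {
		return build("RFC3164", m[1], m[3])
	}
	return Parsed{}, fmt.Errorf("line matches no header allowed by mode %q", mode)
}

// build decodes PRI = facility*8 + severity; the maximum is 23*8+7 = 191.
func build(format, pri, host string) (Parsed, error) {
	n, err := strconv.Atoi(pri)
	if err != nil || n > 191 {
		return Parsed{}, fmt.Errorf("PRI %q out of range 0..191", pri)
	}
	return Parsed{Format: format, Host: host, Facility: n / 8, Severity: n % 8}, nil
}

func main() {
	samples := []string{ // first line is from Getting Started; the rest are constructed
		"<34>1 2025-08-04T12:00:00Z myhost sloggo - - - Hello, Sloggo",
		"<13>Aug  4 12:00:00 myhost su: session opened",
		"<999>1 2025-08-04T12:00:00Z myhost sloggo - - - bad PRI",
	}
	for _, s := range samples {
		fmt.Println(Classify(s, "auto"))
	}
}
```
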

What Sloggo is

  • RFC 5424 log ingestion over TCP and UDP
  • Fast search, filtering, and tailing
  • Up to 1 million logs per second ingestion rate
  • Lightweight and resource-efficient single process with zero config
  • Clean UI built with data-table-filters

What Sloggo is not

  • A replacement for full-fledged log management systems like ELK, Loki, or Datadog
  • A high availability or redundancy solution
  • A logging solution for critical or sensitive data
  • A tool for long-term log storage or analysis
  • A production-ready solution (yet)

Why Sloggo?

Slug + log + Go.

🐌🤷 Some slugs and snails shoot love darts made of calcium into each other before mating.

Credits

Contributing

Contributions are welcome! Please fork the repository and submit a pull request with your changes.

License

This project is licensed under the MIT License. See the LICENSE file for details.