
Device Syslog

Device syslog lets a customer's phones ship their debug logs to the shared collector for triage. It is a super-admin-only debug feature, opt-in per account: nothing is ingested until the account is allowlisted, and the collector accepts traffic only from the source addresses you list.

The Device Syslog card lives on the account's detail page, under the Devices tab (next to Device overrides). It is hidden from platform admins and account admins.

Allowing ingestion

  1. Open the account's detail page and find the Device Syslog card.
  2. Toggle Allow syslog ingestion on. While off, all device syslog from this account is dropped regardless of source.
  3. Add the customer's public egress IP address(es) under Allowed source IPs. Phones sit behind NAT, so this is the public IP or CIDR the customer's network exits through — not the phone's LAN IP. IPv4/IPv6 addresses and CIDR ranges are both accepted.

Allowing ingestion with an empty source-IP list is a valid intermediate state: the account is opted in but the collector accepts nothing yet (deny-all) until you add a source address.
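The accept/drop behaviour described in this section can be modelled as follows. This is an added illustration, not the collector's own code: the function names, the list of LAN-side ranges, and the sample addresses (documentation ranges) are assumptions. It also flags entries that fall in LAN-side space, the mistake step 3 warns about.

```python
import ipaddress

# Ranges that cannot be a customer's public egress address (assumed list:
# RFC 1918, CGNAT, loopback, link-local, IPv6 ULA).
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def parse_allowlist(entries):
    """Return (networks, warnings) for the Allowed source IPs entries."""
    networks, warnings = [], []
    for raw in entries:
        try:
            # strict=False accepts bare addresses and CIDRs with host bits set
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            warnings.append(f"{raw}: not an IP address or CIDR range")
            continue
        if any(net.version == lan.version and net.overlaps(lan) for lan in LAN_RANGES):
            warnings.append(f"{raw}: covers LAN-side space; list the public egress IP or CIDR")
        networks.append(net)
    return networks, warnings


def accepts(allow_ingestion, networks, source_ip):
    """Toggle off drops everything, an empty list is deny-all,
    otherwise the source address must fall inside a listed range."""
    if not allow_ingestion:
        return False
    addr = ipaddress.ip_address(source_ip)
    # An IPv4 address is never "in" an IPv6 network and vice versa
    return any(addr in net for net in networks)


if __name__ == "__main__":
    # Constructed sample entries (documentation address ranges, not real customers)
    nets, warns = parse_allowlist(["203.0.113.10", "2001:db8:1::/48", "192.168.1.50"])
    for w in warns:
        print("warning:", w)
    for src in ("203.0.113.10", "2001:db8:1::5", "198.51.100.7"):
        print(src, "accepted" if accepts(True, nets, src) else "dropped")
```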

Choosing the transport

The Transport selector controls how phones ship syslog to the collector:

  • UDP (cleartext) — the default. Universally supported across the fleet, but the phone-to-collector hop is unencrypted.
  • TLS (encrypted) — encrypts the phone-to-collector hop and authenticates the collector to the phone. Use this when the customer requires the syslog hop to be confidential.

UDP is the default when no transport has ever been selected, so existing accounts are unaffected until you explicitly switch them.

Before switching an account to TLS

  • The device firmware must support TLS syslog. Not every model/firmware does — confirm for the specific fleet before flipping the account. Devices that cannot do TLS should stay on UDP.
  • The collector's TLS listener must be live. TLS uses a separate listener port from UDP (dev 28512, prod 28513, parallel to the UDP 28510/28511 pair). If you point a phone at TLS before that listener is serving, the phone's syslog simply will not land. Verify the listener is up before switching any account.

When you select TLS, provisioning automatically points the account's phones at the TLS port and sets the vendor-specific TLS syslog parameter — you do not set a port by hand.

Certificate

TLS is terminated at the load balancer using the managed *.dialstack.ai wildcard certificate, which already covers the collector's hostname. The certificate is renewed automatically and no certificate material lives on the collector host — there is nothing to rotate or install when switching an account to TLS.

Verifying

After an allowlisted device on TLS provisions and ships logs, its lines land in the log store with a populated source IP and the correctly resolved account — the same attribution UDP already provides. If lines arrive with an unknown account or empty source, re-check the source-IP allowlist and confirm that the device actually re-fetched its config after the transport change.