dalgibbard/sloggo

 
 

Sloggo

Minimal syslog collector and viewer based on DuckDB. Runs as a single, resource-friendly process.


Introduction

Sloggo is a lightweight log collection and exploration tool. It ingests logs over TCP and UDP using syslog, stores them in DuckDB, and presents them in a clean, modern web UI.

It supports RFC 5424, RFC 3164, and a few real-world RFC 3164 variations often seen from network gear. It can also optionally parse syslog-wrapped CEF payloads, but CEF support is disabled by default and must be enabled explicitly.

Designed for small to medium-sized setups where you want real-time logs without spinning up the JVM or a full Kubernetes cluster to ingest 10 daily lines of logs.

It runs in a single process with minimal resource usage, quick configuration via environment variables, and is less than 10 MiB in compressed size.

Warning

Sloggo is currently in alpha release; do not use it for anything serious. It also doesn’t offer any security layer by default, so only use it in a private network or behind a secure reverse proxy.

Sloggo is made by Phare, a small bootstrapped company building shockingly good uptime monitoring, alerts, incidents, analytics, and status pages, with free Open source grants.

Getting Started

  1. Start the container with docker or podman:

    docker run --name sloggo \
       -p 5514:5514/udp -p 6514:6514 -p 8080:8080 \
       -e SLOGGO_LISTENERS=tcp,udp \
       -e SLOGGO_UDP_PORT=5514 \
       -e SLOGGO_TCP_PORT=6514 \
       -e SLOGGO_API_PORT=8080 \
       -e SLOGGO_ENABLE_CEF=false \
       -v ./data:/app/.duckdb \
       ghcr.io/phare/sloggo:latest
  2. Send some logs

    echo "<34>1 2025-08-04T12:00:00Z myhost sloggo - - - Hello, Sloggo" | nc localhost 6514
  3. Access the application:

Testing

To run the backend tests:

    make test

Debug Image

To run a debug-oriented image with the Go backend and the Next.js development frontend in the same container:

    docker build --target debug-runtime -t sloggo-debug .
    docker run --rm \
      -p 5515:5515 -p 5514:5514/udp -p 6514:6514 \
      -e SLOGGO_LISTENERS=tcp,udp \
      -e SLOGGO_UDP_PORT=5514 \
      -e SLOGGO_TCP_PORT=6514 \
      -e SLOGGO_API_PORT=5515 \
      -e SLOGGO_ENABLE_CEF=false \
      -v ./data:/app/.duckdb \
      sloggo-debug

This target is intended for test/debug deployments. The frontend runs on SLOGGO_API_PORT and proxies /api/* to the Go backend inside the same container. The syslog listeners remain available on 5514/udp and 6514/tcp.

If needed, set SLOGGO_FRONTEND_PORT to split the frontend onto a different container port, or NEXT_PUBLIC_API_BASE_URL to bypass the built-in API proxy and send frontend requests somewhere else.

Environment Variables

The following environment variables can be used to configure the application:

  • SLOGGO_LISTENERS: Comma-separated list of listeners to enable (default: tcp,udp).
  • SLOGGO_UDP_PORT: Port for the UDP Syslog listener (default: 5514).
  • SLOGGO_TCP_PORT: Port for the TCP Syslog listener (default: 6514).
  • SLOGGO_API_PORT: Port for the API (default: 8080).
  • SLOGGO_LOG_RETENTION_MINUTES: Duration in minutes to keep logs before deletion (default: 43200 - 30 days).
  • SLOGGO_DEBUG: Enable debug logging (default: false).
  • SLOGGO_ENABLE_CEF: Enable syslog-wrapped CEF parsing and CEF-specific UI fields (default: false).
  • SLOGGO_LOG_FORMAT: Log parsing format (default: auto). Supported values:
    • auto: Try RFC 5424 first, then fall back to RFC 3164.
    • RFC5424: Only parse messages as RFC 5424.
    • RFC3164: Only parse messages as RFC 3164.
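The `auto` order described above (RFC 5424 first, then RFC 3164) can be sketched as follows. This is an added example, not Sloggo's own parser: `Header`, `ParseHeader` and both regular expressions are hypothetical and simplified, and they cover neither the vendor-specific RFC 3164 variants nor CEF. It also rejects out-of-range PRI values, since the listeners accept input from any sender that can reach them.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Header is the part of a syslog line needed to route and filter it (hypothetical type).
type Header struct {
	Format             string // "RFC5424" or "RFC3164"
	Facility, Severity int
	Host               string
}

// RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME ... (timestamp is ISO 8601 or "-").
var re5424 = regexp.MustCompile(`^<(\d{1,3})>[1-9]\d? (-|\d{4}-\d{2}-\d{2}T\S+) (\S+) `)

// RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME ... (no version field, BSD timestamp).
var re3164 = regexp.MustCompile(`^<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (\S+) `)

// ParseHeader tries RFC 5424 first and falls back to RFC 3164, as "auto" is described.
func ParseHeader(line string) (Header, error) {
	format, host := "RFC5424", ""
	m := re5424.FindStringSubmatch(line)
	if m != nil {
		host = m[3]
	} else if m = re3164.FindStringSubmatch(line); m != nil {
		format, host = "RFC3164", m[2]
	} else {
		return Header{}, fmt.Errorf("not RFC 5424 or RFC 3164: %q", line)
	}
	pri, _ := strconv.Atoi(m[1]) // the regex guarantees 1 to 3 digits
	if pri > 191 {               // 23 facilities * 8 + severity 7 is the largest valid PRI
		return Header{}, fmt.Errorf("PRI %d out of range", pri)
	}
	return Header{format, pri / 8, pri % 8, host}, nil
}

func main() {
	// Constructed sample lines; the first is the test message from Getting Started.
	for _, l := range []string{
		"<34>1 2025-08-04T12:00:00Z myhost sloggo - - - Hello, Sloggo",
		"<13>Aug  4 12:00:00 router1 sshd[411]: constructed sample",
		"<999>1 2025-08-04T12:00:00Z myhost sloggo - - - bad PRI",
	} {
		fmt.Println(ParseHeader(l))
	}
}
```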

Features

  • RFC 5424 and RFC 3164 ingestion over TCP and UDP
  • Best-effort handling for some broken-but-common RFC 3164 variants from network devices
  • Optional syslog-wrapped CEF parsing with fixed-field and extension filtering when enabled
  • Automatic extraction of top-level scalar fields from JSON message bodies for filtering in the UI
  • Fast filtering, exclusion queries, live tailing, and timeline view
  • Resizable, reorderable, hideable table columns with optional wrapped cell text
  • Lightweight single-process deployment backed by DuckDB

What Sloggo is

  • RFC 5424 and RFC 3164 log ingestion over TCP and UDP
  • Fast search, filtering, exclusion, and tailing
  • Up to 1 million logs per second ingestion rate
  • Lightweight and resource-efficient single process with zero config
  • Clean UI built with data-table-filters

What Sloggo is not

  • A replacement for full-fledged log management systems like ELK, Loki, or Datadog
  • A high availability or redundancy solution
  • A logging solution for critical or sensitive data
  • A tool for long-term log storage or analysis
  • A production-ready solution (yet)

Why Sloggo?

Slug + log + Go.

🐌🤷 Some slugs and snails shoot love darts made of calcium into each other before mating.

Credits

Contributing

Contributions are welcome! Please fork the repository and submit a pull request with your changes.

License

This project is licensed under the MIT License. See the LICENSE file for details.

About

Minimal RFC 5424 syslog collector and viewer based on DuckDB. Runs as a single, resource-friendly process.

Languages

  • TypeScript 64.5%
  • Go 32.1%
  • JavaScript 2.0%
  • Makefile 0.5%
  • CSS 0.4%
  • Dockerfile 0.4%
  • Shell 0.1%