The server can write log messages using the syslog protocol for both access and error logs.
This allows messages to be aggregated at the system level and potentially forwarded to a centralized system. The messages are written to syslog as they are generated, so attackers do not have a chance to alter these log messages.
If you want to use syslog-based logging, configure the server to log to a syslog server running on the local server over the loopback interface. The local syslog server can then forward the messages to a remote server over a secure connection.
Logging over TCP is supported for improved reliability.
UDP-based communication is in the clear, so a network observer can see all of the log messages. You should only use UDP-based syslog to log to a local syslog server and have it forward messages to a remote server in a secure manner. TLS encryption is optionally supported for TCP-based communication, and with it enabled you can safely configure the server to log directly to a remote syslog server.
UDP does not provide any feedback about whether messages are successfully delivered, but TCP does provide this feedback. When using TCP-based logging, you can optionally specify information about multiple syslog servers. If the primary syslog server becomes unavailable, the logger can fail over to an alternative syslog server.
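The following Python example, added here and not taken from the server's own code, shows the TCP behavior described above: a connection or send failure is reported to the sender, which then fails over to the next syslog server in the list, optionally over TLS. The function names, host name, application name and facility are assumptions made for the example, as is the choice of RFC 5424 messages with RFC 6587 octet-counting framing.

```python
import socket
import ssl
from datetime import datetime, timezone


def format_rfc5424(msg, app="directory-server", facility=16, severity=6,
                   host="ds1.example.com"):
    """Build an RFC 5424 syslog line. app, host and facility are constructed samples."""
    pri = facility * 8 + severity  # local0.info -> 134
    ts = datetime.now(timezone.utc).isoformat(timespec="milliseconds")
    return f"<{pri}>1 {ts} {host} {app} - - - {msg}".encode("utf-8")


def send_with_failover(payload, servers, tls_context=None, timeout=3.0):
    """Try each (host, port) in order and return the one that accepted the message.

    TCP connect and send errors surface as OSError. That is the delivery
    feedback UDP lacks, and it is what lets the sender move to the next server.
    Pass tls_context=ssl.create_default_context() for a remote collector;
    leave it as None only for a collector on the loopback interface.
    """
    # RFC 6587 octet counting: "<length> <message>" so frames survive TCP streaming.
    frame = str(len(payload)).encode("ascii") + b" " + payload
    errors = []
    for host, port in servers:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                if tls_context is not None:
                    # server_hostname makes the client verify the collector's certificate name.
                    with tls_context.wrap_socket(sock, server_hostname=host) as tls:
                        tls.sendall(frame)
                else:
                    sock.sendall(frame)
            return (host, port)
        except OSError as exc:  # refused, timed out, or TLS failure (ssl.SSLError is an OSError)
            errors.append(f"{host}:{port}: {exc}")
    raise ConnectionError("no syslog server reachable: " + "; ".join(errors))
```

A successful return means the TCP stack accepted the data for that connection; it does not prove the collector has stored the message.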
Access and error log messages can be logged as JSON objects or in the legacy space-delimited text format.
In addition to access and error logging over syslog, loggers that can write JSON-formatted audit and HTTP operation log messages are also provided.