diff --git a/config/ns-clm.conf b/config/ns-clm.conf
new file mode 100644
index 000000000..73be8abb8
--- /dev/null
+++ b/config/ns-clm.conf
@@ -0,0 +1 @@
+CONFIG_PACKAGE_ns-clm=y
diff --git a/packages/ns-clm/Makefile b/packages/ns-clm/Makefile
new file mode 100644
index 000000000..1a75b5367
--- /dev/null
+++ b/packages/ns-clm/Makefile
@@ -0,0 +1,59 @@
+#
+# Copyright (C) 2026 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-only
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=ns-clm
+PKG_VERSION:=0.0.1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/ns-clm-$(PKG_VERSION)
+
+PKG_MAINTAINER:=Nethesis <nethesis@nethesis.it>
+PKG_LICENSE:=GPL-3.0-only
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/ns-clm
+	SECTION:=base
+	CATEGORY:=NethSecurity
+	TITLE:=Cloud Log Manager forwarder
+	URL:=https://github.com/NethServer/nethsecurity/
+	DEPENDS:=+python3-urllib
+	PKGARCH:=all
+endef
+
+define Package/ns-clm/description
+	Forward syslog messages to the Nethesis Cloud Log Manager service
+endef
+
+define Package/ns-clm/conffiles
+/etc/config/ns-clm
+endef
+
+# this is required, otherwise compile will fail
+define Build/Compile
+endef
+
+define Package/ns-clm/prerm
+#!/bin/sh
+if [ -z "$${IPKG_INSTROOT}" ]; then
+  /etc/init.d/ns-clm stop 2>/dev/null
+  /etc/init.d/ns-clm disable 2>/dev/null
+fi
+exit 0
+endef
+
+define Package/ns-clm/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_BIN) ./files/ns-clm-forwarder $(1)/usr/sbin/
+	$(INSTALL_BIN) ./files/ns-clm.init $(1)/etc/init.d/ns-clm
+	$(INSTALL_CONF) ./files/config $(1)/etc/config/ns-clm
+endef
+
+$(eval $(call BuildPackage,ns-clm))
diff --git a/packages/ns-clm/README.md b/packages/ns-clm/README.md
new file mode 100644
index 000000000..56e821e74
--- /dev/null
+++ b/packages/ns-clm/README.md
@@ -0,0 +1,54 @@
+# ns-clm
+
+Cloud Log Manager (CLM) forwarder for NethSecurity. Reads syslog messages from `/var/log/messages` and forwards them to the Nethesis CLM service.
+
+## Requirements
+
+- A CLM UUID provided manually by the user
+
+## Configuration
+
+UCI configuration is stored in `/etc/config/ns-clm`:
+
+| Option | Default | Description |
+|--------|---------|-------------|
+| `enabled` | `0` | Enable/disable the forwarder |
+| `uuid` | (empty) | Required CLM UUID used for registration and log forwarding |
+| `address` | `https://nar.nethesis.it` | CLM server address |
+| `tenant` | (empty) | CLM tenant identifier |
+| `debug` | `0` | Enable debug output to stderr |
+
+The forwarder will not start until `uuid` is configured.
+
+Example setup:
+
+```bash
+uci set ns-clm.config.uuid="L$(uuidgen)"
+uci set ns-clm.config.tenant='12345'
+uci set ns-clm.config.enabled='1'
+uci commit ns-clm
+reload_config
+```
+
+## Service management
+
+Only if the package is installed via opkg, the service must be enabled and started via the init script. If the packages is already part of the base image, the forwarder is automatically enabled and started on first boot, so no manual action is required.
+
+```bash
+# Enable and start
+/etc/init.d/ns-clm enable && /etc/init.d/ns-clm start
+
+# Stop and disable
+/etc/init.d/ns-clm stop && /etc/init.d/ns-clm disable
+```
+
+## How it works
+
+1. On startup the daemon registers the appliance against the CLM `/adm/api/noauth_lmcheck/` endpoint using the configured UUID, tenant, hostname, and MAC address
+2. It sends a startup event to the CLM syslog endpoint
+3. It tails `/var/log/messages`, tracking its position via an offset file
+4. New syslog lines are parsed and batched
+5. Batches are sent as JSON to the CLM endpoint via HTTP POST
+6. Log rotation is detected automatically (file shrinks → offset resets)
+7. The daemon polls every 10 seconds for new lines
+8. On shutdown (SIGTERM), the current offset is persisted for resume
diff --git a/packages/ns-clm/files/config b/packages/ns-clm/files/config
new file mode 100644
index 000000000..0bfd0812e
--- /dev/null
+++ b/packages/ns-clm/files/config
@@ -0,0 +1,6 @@
+config main 'config'
+    option enabled '0'
+    option uuid ''
+    option address 'https://nar.nethesis.it'
+    option tenant ''
+    option debug '0'
diff --git a/packages/ns-clm/files/ns-clm-forwarder b/packages/ns-clm/files/ns-clm-forwarder
new file mode 100644
index 000000000..65ea955de
--- /dev/null
+++ b/packages/ns-clm/files/ns-clm-forwarder
@@ -0,0 +1,308 @@
+#!/usr/bin/env python3
+
+#
+# Copyright (C) 2026 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-only
+#
+
+import json
+import os
+import platform
+import re
+import signal
+import sys
+import time
+import urllib.parse
+import urllib.request
+import urllib.error
+from datetime import datetime
+
+#-------------------------------- CONFIG --------------------------------#
+
+MESSAGES_FILE = "/var/log/messages"
+OFFSET_FILE = "/var/run/ns-clm/last_offset"
+BATCH_SIZE_THRESHOLD = 16384  # 16 KB
+POLL_INTERVAL = 10  # seconds
+AGENT_VERSION = "1"
+
+try:
+    UUID = os.environ["CLM_UUID"]
+    HOSTNAME = os.environ.get("CLM_HOSTNAME", "nethsecurity")
+    ADDRESS = os.environ.get("CLM_ADDRESS", "https://nar.nethesis.it")
+    TENANT = os.environ.get("CLM_TENANT", "")
+    MACADDR = os.environ.get("CLM_MACADDR", "00:00:00:00:00:00")
+    DEBUG = os.environ.get("CLM_DEBUG", "0") == "1"
+except Exception as exc:
+    print(f"Error reading configuration: {exc}", file=sys.stderr)
+    sys.exit(1)
+
+#------------------------------- GLOBALS --------------------------------#
+
+running = True
+
+#--------------------------------- CODE ---------------------------------#
+
+# Syslog severity name to numeric mapping
+SEVERITY_NAMES = {
+    "emerg": 0,
+    "alert": 1,
+    "crit": 2,
+    "err": 3,
+    "warning": 4,
+    "notice": 5,
+    "info": 6,
+    "debug": 7,
+}
+
+# Numeric severity to CLM LOGTYPE mapping (same as reference)
+SEVERITY_LOGTYPE = {
+    0: "Emergency",
+    1: "Warning",
+    2: "Error",
+    3: "Error",
+    4: "Warning",
+    5: "Information",
+    6: "Information",
+    7: "Debug",
+}
+
+# Regex for standard syslog format: "Mon DD HH:MM:SS hostname facility.severity program[pid]: message"
+# Also handles format without facility.severity prefix
+SYSLOG_RE = re.compile(
+    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
+    r"(?P<hostname>\S+)\s+"
+    r"(?:(?P<facility>\w+)\.(?P<severity>\w+)\s+)?"
+    r"(?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?:\s+"
+    r"(?P<message>.*)$"
+)
+
+
+def signal_handler(signum, frame):
+    global running
+    running = False
+
+
+def dbg(msg: str):
+    if DEBUG:
+        print(f"[DEBUG] {msg}", file=sys.stderr)
+
+
+def post_form(path: str, payload: dict[str, str], timeout: int = 30) -> str:
+    """POST form data and return the response body as text."""
+    data = urllib.parse.urlencode(payload).encode("utf-8")
+    req = urllib.request.Request(
+        ADDRESS + path,
+        data=data,
+        method="POST",
+    )
+    with urllib.request.urlopen(req, timeout=timeout) as resp:
+        return resp.read().decode("utf-8", errors="replace").strip()
+
+
+def register_host():
+    """Register the local appliance against the CLM endpoint."""
+    dbg(f"Registering host {HOSTNAME} with UUID {UUID} to tenant '{TENANT}' with MAC {MACADDR}")
+    response = post_form(
+        "/adm/api/noauth_lmcheck/",
+        {
+            "LMCHECK": "1",
+            "GUID": UUID,
+            "SITE": TENANT,
+            "MACHINE": HOSTNAME,
+            "MACADDR": MACADDR,
+        },
+    )
+
+    if response == "OK":
+        dbg("Registration accepted by CLM")
+        return
+
+    if response == "KO":
+        raise RuntimeError("This server is not authorized")
+
+    if response == "NOLICENSEAVAIBLE":
+        raise RuntimeError(f"No license available for tenant '{TENANT}'")
+
+    raise RuntimeError(f"Unexpected registration response: {response}")
+
+
+def send_start_event():
+    """Send the lmagent-style startup notification."""
+    log_entry = {
+        "UUID": UUID,
+        "PC": HOSTNAME,
+        "DTA": datetime.now().strftime("%Y-%m-%d"),
+        "TIME": datetime.now().strftime("%H:%M:%S"),
+        "MSG": f"Start Version {AGENT_VERSION} {platform.system()}",
+        "AGENT_VERSION": AGENT_VERSION,
+        "SOURCE": "ns-clm-forwarder",
+        "LOGTYPE": "info",
+        "SITE": TENANT,
+    }
+    dbg("Sending startup event to CLM")
+    send_logs_list([log_entry])
+
+
+def send_logs_list(logs_list: list):
+    """Send log batch to CLM server with retries."""
+    dbg(f"Sending batch of {len(logs_list)} log entries to {ADDRESS}")
+    data = json.dumps(logs_list).encode("utf-8")
+    req = urllib.request.Request(
+        ADDRESS + "/adm/syslog/noauth_put_json/",
+        data=data,
+        method="POST",
+    )
+    for attempt in range(3):
+        try:
+            with urllib.request.urlopen(req, timeout=30) as resp:
+                dbg(f"Batch sent successfully (HTTP {resp.status})")
+                return
+        except Exception as exc:
+            if attempt < 2:
+                time.sleep(0.5 * (2 ** attempt))
+            else:
+                print(f"Error sending logs: {exc}", file=sys.stderr)
+
+
+def read_offset() -> int:
+    """Read the last known file offset."""
+    try:
+        if os.path.exists(OFFSET_FILE) and os.path.getsize(OFFSET_FILE) > 0:
+            with open(OFFSET_FILE, "r") as f:
+                return int(f.read().strip())
+    except (ValueError, OSError):
+        pass
+    return 0
+
+
+def write_offset(offset: int):
+    """Persist the current file offset."""
+    try:
+        with open(OFFSET_FILE, "w") as f:
+            f.write(str(offset))
+    except OSError as exc:
+        print(f"Error writing offset file: {exc}", file=sys.stderr)
+
+
+def parse_syslog_line(line: str) -> dict | None:
+    """Parse a syslog line and return a CLM-formatted dict, or None if filtered out."""
+    m = SYSLOG_RE.match(line)
+    if not m:
+        return None
+
+    severity_name = (m.group("severity") or "info").lower()
+    severity_num = SEVERITY_NAMES.get(severity_name, 6)
+
+    # Build date from syslog timestamp (syslog doesn't include year, use current)
+    month_str = m.group("month")
+    day_str = m.group("day")
+    time_str = m.group("time")
+    now = datetime.now()
+    try:
+        log_date = datetime.strptime(f"{now.year} {month_str} {day_str}", "%Y %b %d")
+        # Handle December→January year boundary
+        if log_date.month > now.month:
+            log_date = log_date.replace(year=now.year - 1)
+        date_str = log_date.strftime("%Y%m%d")
+    except ValueError:
+        date_str = now.strftime("%Y%m%d")
+
+    program = m.group("program").strip()
+    message = m.group("message")
+    pid = m.group("pid")
+    hostname = m.group("hostname")
+
+    source_display = f"{program}[{pid}]" if pid else program
+    msg_display = f"[{hostname}:{source_display}]: {message}"
+
+    return {
+        "UUID": UUID,
+        "PC": HOSTNAME,
+        "DTA": date_str,
+        "TIME": time_str,
+        "MSG": msg_display,
+        "SOURCE": program,
+        "LOGTYPE": SEVERITY_LOGTYPE.get(severity_num, "Information"),
+        "SITE": TENANT,
+    }
+
+
+def tail_messages():
+    """Main loop: tail /var/log/messages and forward new lines to CLM."""
+    offset = read_offset()
+    dbg(f"Starting at offset {offset}")
+
+    while running:
+        try:
+            # Check if file exists
+            if not os.path.exists(MESSAGES_FILE):
+                time.sleep(POLL_INTERVAL)
+                continue
+
+            file_size = os.path.getsize(MESSAGES_FILE)
+
+            # Detect log rotation: file is smaller than our offset
+            if file_size < offset:
+                dbg(f"Log rotation detected (file_size={file_size} < offset={offset}), resetting offset")
+                offset = 0
+
+            # No new data
+            if file_size == offset:
+                time.sleep(POLL_INTERVAL)
+                continue
+
+            dbg(f"Reading from offset {offset} to {file_size} ({file_size - offset} bytes)")
+            logs_list = []
+            batch_bytes = 0
+
+            with open(MESSAGES_FILE, "r", errors="replace") as f:
+                f.seek(offset)
+                for line in f:
+                    line = line.rstrip("\n")
+                    if not line:
+                        continue
+
+                    log_entry = parse_syslog_line(line)
+                    if log_entry:
+                        logs_list.append(log_entry)
+                        batch_bytes += len(json.dumps(log_entry))
+                    else:
+                        dbg(f"Line filtered/skipped: {line[:80]}")
+
+                    # Flush batch when threshold reached
+                    if batch_bytes >= BATCH_SIZE_THRESHOLD:
+                        dbg(f"Batch threshold reached ({batch_bytes} bytes), flushing")
+                        send_logs_list(logs_list)
+                        logs_list.clear()
+                        batch_bytes = 0
+
+                new_offset = f.tell()
+
+            # Send remaining logs
+            if len(logs_list) > 0:
+                send_logs_list(logs_list)
+                logs_list.clear()
+
+            offset = new_offset
+            dbg(f"Persisting offset {offset}")
+            write_offset(offset)
+
+        except Exception as exc:
+            print(f"Error during loop: {exc}", file=sys.stderr)
+
+        time.sleep(POLL_INTERVAL)
+
+    # Graceful shutdown: persist offset
+    write_offset(offset)
+
+
+if __name__ == "__main__":
+    signal.signal(signal.SIGTERM, signal_handler)
+    signal.signal(signal.SIGINT, signal_handler)
+    try:
+        register_host()
+        send_start_event()
+    except Exception as exc:
+        print(f"Startup failed: {exc}", file=sys.stderr)
+        sys.exit(1)
+    tail_messages()
diff --git a/packages/ns-clm/files/ns-clm.init b/packages/ns-clm/files/ns-clm.init
new file mode 100644
index 000000000..b215c0563
--- /dev/null
+++ b/packages/ns-clm/files/ns-clm.init
@@ -0,0 +1,54 @@
+#!/bin/sh /etc/rc.common
+
+#
+# Copyright (C) 2026 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-only
+#
+
+START=90
+
+USE_PROCD=1
+
+start_service() {
+    config_load ns-clm
+    local enabled uuid address tenant debug macaddr
+    config_get enabled config enabled '0'
+    config_get uuid config uuid ''
+    config_get address config address 'https://nar.nethesis.it'
+    config_get tenant config tenant ''
+    config_get debug config debug '0'
+
+    [ "$enabled" = "1" ] || return 0
+    [ -n "$uuid" ] || return 1
+
+    local hostname
+    hostname=$(cat /proc/sys/kernel/hostname)
+
+    macaddr=$(ip link show | awk '/link\/ether/ { print $2; exit }')
+    [ -n "$macaddr" ] || macaddr='00:00:00:00:00:00'
+
+    mkdir -p /var/run/ns-clm
+
+    procd_open_instance
+    procd_set_param stdout 1
+    procd_set_param stderr 1
+    procd_set_param env \
+        CLM_UUID="$uuid" \
+        CLM_HOSTNAME="$hostname" \
+        CLM_ADDRESS="$address" \
+        CLM_TENANT="$tenant" \
+        CLM_MACADDR="$macaddr" \
+        CLM_DEBUG="$debug"
+    procd_set_param command /usr/sbin/ns-clm-forwarder
+    procd_set_param respawn 3600 60 0
+    procd_close_instance
+}
+
+service_triggers() {
+    procd_add_reload_trigger "ns-clm"
+}
+
+reload_service() {
+    stop
+    start
+}