Config: Transport Section

Some Fluentd input, output, and filter plugins, that use server/http_server plugin helper, also support the <transport> section to specify how to handle the connections.

Transport Section Overview

The transport section must be under <match>, <source>, and <filter> sections. It specifies the transport protocol, version, and certificates.

# tcp
<transport tcp>
</transport>

# udp
<transport udp>
</transport>

# tls
<transport tls>
  cert_path /path/to/fluentd.crt
  private_key_path /path/to/fluentd.key
  private_key_passphrase YOUR_PASSPHRASE
  # ...
</transport>

Parameters

Protocol

The protocol is specified as the argument of <transport> section.

• [enum: tcp/udp/tls]

  • Default: tcp

General Setting

linger_timeout

The timeout (seconds) to set SO_LINGER.

The default value 0 is to send RST rather than FIN to avoid lots of connections sitting in TIME_WAIT on closing.

You can set positive value to send FIN on closing.

receive_buffer_size

The max size of socket receive buffer for TCP/UDP. This is used in SO_RCVBUF socket option.

TLS Setting

• version: [enum: TLS1_1/TLS1_2/TLS1_3]

  • Default: TLSv1_2

• min_version: [enum: TLS1_1/TLS1_2/TLS1_3]

  • Default: nil

  • Specifies the lower bound of the supported SSL/TLS protocol.

• max_version: [enum: TLS1_1/TLS1_2/TLS1_3]

  • Default: nil

  • Specifies the upper bound of the supported SSL/TLS protocol.

• ciphers [string]

  • Default: "ALL:!aNULL:!eNULL:!SSLv2"

  • OpenSSL 1.0.0 or higher default.

• insecure [bool]

  • Default: false (uses secure connection with tls)

• ensure_fips: [bool]

  • Default: false

  • Version: 1.18.0

  • Specifies whether it must use FIPS mode with OpenSSL. If true, Fluentd will check FIPS mode is supported in your environment, if not, just aborts. If false, it does nothing and don't care FIPS mode with OpenSSL.

If you want to accept multiple TLS protocols, use min_version/max_version instead of version. To support the old style, fluentd accepts TLS1_1 and TLSv1_1 values.

NOTE: TLS1_3 is available when your system supports TLS 1.3.

Signed Public CA Parameters

For <transport tls>:

• ca_path: [string]

  • Default: nil

  • Specifies the path of CA certificate file

• cert_path: [string]

  • Default: nil

  • Specifies the path of Certificate file

• private_key_path: [string]

  • Default: nil

  • Specifies the path of Private Key file

• private_key_passphrase: [string]

  • Default: nil

  • Specifies the public CA private key passphrase

• client_cert_auth: [bool]

  • Default: false

  • If true, Fluentd will check all the incoming HTTPS requests for a

    client certificate signed by the trusted CA. The requests that don't

    supply a valid client certificate will fail.

• cert_verifier: [string]

  • Default: nil

  • Specifies the code path for cert verification. See also [server

    article](/developer/api-plugin-helper-server.md#cert_verifier-example).

Generated and Signed by Private CA Parameters

For <transport tls>:

• ca_cert_path: [string]

  • Default: nil

  • Specifies the private CA cert path

• ca_private_key_path: [string]

  • Default: nil

  • Specifies the private CA private key path

• ca_private_key_passphrase: [string]

  • Default: nil

  • Specifies the private CA private key passphrase

Generated and Signed by Private CA Certs or Self-signed Parameters

For <transport tls>:

• generate_private_key_length: [integer]

  • Default: 2048

• generate_cert_country: [string]

  • Default: US

• generate_cert_state: [string]

  • Default: CA

• generate_cert_locality: [string]

  • Default: Mountain View

• generate_cert_common_name: [string]

  • Default: nil

• generate_cert_expiration: [integer]

  • Default: (60 * 60 * 24 = 86400) * 365 * 10 = 10 years

Cert Digest Algorithm Parameter

For <transport tls>:

• generate_cert_digest: [enum: sha1/sha256/sha384/sha512]

  • Default: sha256

If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is an open-source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.