Config: Transport Section
Some Fluentd input, output, and filter plugins that use the server/http_server plugin helper also support the <transport> section, which specifies how connections are handled.
Transport Section Overview
The transport section must be placed under a <match>, <source>, or <filter> section. It specifies the transport protocol, version, and certificates.
# tcp
<transport tcp>
</transport>
# udp
<transport udp>
</transport>
# tls
<transport tls>
cert_path /path/to/fluentd.crt
private_key_path /path/to/fluentd.key
private_key_passphrase YOUR_PASSPHRASE
# ...
</transport>
Parameters
Protocol
The protocol is specified as the argument of the <transport> section.
<transport PROTOCOL>
</transport>
[enum: tcp/udp/tls] Default: tcp
General Setting
linger_timeout
Type: integer
Default: 0
Available transport types: tcp, tls
Version: 1.14.6
The timeout (in seconds) to set for SO_LINGER.
The default value 0 sends RST rather than FIN on close, which avoids leaving many connections in TIME_WAIT.
Set a positive value to send FIN on close.
<transport tcp>
linger_timeout 1
</transport>
receive_buffer_size
Type: integer
Default: nil
Available transport types: tcp, udp, tls
Version: 1.18.0
The maximum size of the socket receive buffer for TCP/UDP. It is applied through the SO_RCVBUF socket option.
<transport udp>
receive_buffer_size 4194304
</transport>
TLS Setting
version: [enum: TLS1_1/TLS1_2/TLS1_3] Default: TLSv1_2
min_version: [enum: TLS1_1/TLS1_2/TLS1_3] Default: nil. Specifies the lower bound of the supported SSL/TLS protocol.
max_version: [enum: TLS1_1/TLS1_2/TLS1_3] Default: nil. Specifies the upper bound of the supported SSL/TLS protocol.
ciphers: [string] Default: "ALL:!aNULL:!eNULL:!SSLv2" (OpenSSL 1.0.0 or higher default).
insecure: [bool] Default: false (uses secure connection with tls)
ensure_fips: [bool] Default: false. Version: 1.18.0. Specifies whether Fluentd must use FIPS mode with OpenSSL. If true, Fluentd checks that FIPS mode is supported in your environment and aborts if it is not. If false, Fluentd does nothing and ignores FIPS mode with OpenSSL.
If you want to accept multiple TLS protocols, use min_version/max_version instead of version. To support the old style, Fluentd accepts both TLS1_1 and TLSv1_1 values.
NOTE: TLS1_3 is available when your system supports TLS 1.3.
Signed Public CA Parameters
For <transport tls>:
ca_path: [string] Default: nil. Specifies the path of CA certificate file
cert_path: [string] Default: nil. Specifies the path of Certificate file
private_key_path: [string] Default: nil. Specifies the path of Private Key file
private_key_passphrase: [string] Default: nil. Specifies the public CA private key passphrase
client_cert_auth: [bool] Default: false. If true, Fluentd will check all the incoming HTTPS requests for a client certificate signed by the trusted CA. The requests that don't supply a valid client certificate will fail.
cert_verifier: [string] Default: nil. Specifies the code path for cert verification. See also [server article](/developer/api-plugin-helper-server.md#cert_verifier-example).
Generated and Signed by Private CA Parameters
For <transport tls>:
ca_cert_path: [string] Default: nil. Specifies the private CA cert path
ca_private_key_path: [string] Default: nil. Specifies the private CA private key path
ca_private_key_passphrase: [string] Default: nil. Specifies the private CA private key passphrase
Generated and Signed by Private CA Certs or Self-signed Parameters
For <transport tls>:
generate_private_key_length: [integer] Default: 2048
generate_cert_country: [string] Default: US
generate_cert_state: [string] Default: CA
generate_cert_locality: [string] Default: Mountain View
generate_cert_common_name: [string] Default: nil
generate_cert_expiration: [integer] Default: (60 * 60 * 24 = 86400) * 365 * 10 = 10 years
Cert Digest Algorithm Parameter
For <transport tls>:
generate_cert_digest: [enum: sha1/sha256/sha384/sha512] Default: sha256
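An added example, not part of the Fluentd documentation or code base: a small Ruby linter that extracts every <transport> section from a configuration and flags values of the parameters above that weaken the connection (no TLS, insecure true, TLS 1.1, a sha1 digest, a generated key under 2048 bits, no client certificate check). The rule set, the function names and the sample configuration are assumptions constructed for this example.

```ruby
# Constructed sample config for this added example (not from a real deployment).
SAMPLE_CONF = <<~CONF
  <source>
    @type forward
    <transport tls>
      version TLS1_1
      insecure true
      generate_cert_digest sha1
      generate_private_key_length 1024
    </transport>
  </source>
  <source>
    @type http
    <transport tls>
      min_version TLS1_2
      ca_path /path/to/ca.crt
      cert_path /path/to/fluentd.crt
      private_key_path /path/to/fluentd.key
      client_cert_auth true
    </transport>
  </source>
CONF

# Returns one {protocol:, params:} hash per <transport PROTOCOL> section.
def transport_sections(conf)
  conf.scan(%r{<transport[ \t]*(\w*)>(.*?)</transport>}m).map do |proto, body|
    lines = body.lines.map(&:strip).reject { |l| l.empty? || l.start_with?("#") }
    params = lines.to_h { |l| k, v = l.split(/\s+/, 2); [k, v.to_s] }
    { protocol: proto.empty? ? "tcp" : proto, params: params } # tcp is the documented default
  end
end

# Returns finding strings for one section; the rules are this example's assumptions.
def audit_transport(section)
  proto, params = section.values_at(:protocol, :params)
  return ["#{proto} transport is not encrypted"] unless proto == "tls"
  findings = []
  findings << "insecure is true" if params["insecure"] == "true"
  %w[version min_version max_version].each do |k|
    findings << "#{k} permits TLS 1.1" if params[k].to_s.match?(/\ATLSv?1_1\z/)
  end
  findings << "generate_cert_digest is sha1" if params["generate_cert_digest"] == "sha1"
  findings << "generated key is shorter than 2048 bits" if params.fetch("generate_private_key_length", 2048).to_i < 2048
  findings << "client_cert_auth is not enabled" unless params["client_cert_auth"] == "true"
  findings
end

def audit_config(conf)
  transport_sections(conf).map { |s| audit_transport(s) }
end
```

`audit_config(SAMPLE_CONF)` returns one list of findings per <transport> section, in file order; an empty list means none of these rules matched.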
If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is an open-source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.