Fluentd
Search…
Config: Transport Section
Some Fluentd input, output, and filter plugins, that use server/http_server plugin helper, also support the <transport> section to specify how to handle the connections.

Transport Section Overview

The transport section must be under <match>, <source>, and <filter> sections. It specifies the transport protocol, version, and certificates.
# tcp
<transport tcp>
</transport>
# udp
<transport udp>
</transport>
# tls
<transport tls>
cert_path /path/to/fluentd.crt
private_key_path /path/to/fluentd.key
private_key_passphrase YOUR_PASSPHRASE
# ...
</transport>

Parameters

  • protocol [enum: tcp/udp/tls]
    • Default: tcp

TLS Setting

  • version: [enum: TLS1_1/TLS1_2/TLS1_3]
    • Default: TLSv1_2
  • min_version: [enum: TLS1_1/TLS1_2/TLS1_3]
    • Default: nil
    • Specifies the lower bound of the supported SSL/TLS protocol.
  • max_version: [enum: TLS1_1/TLS1_2/TLS1_3]
    • Default: nil
    • Specifies the upper bound of the supported SSL/TLS protocol.
  • ciphers [string]
    • Default: "ALL:!aNULL:!eNULL:!SSLv2"
    • OpenSSL 1.0.0 or higher default.
  • insecure [bool]
    • Default: false (uses secure connection with tls)
If you want to accept multiple TLS protocols, use min_version/max_version instead of version. To support the old style, fluentd accepts TLS1_1 and TLSv1_1 values.
NOTE: TLS1_3 is available when your system supports TLS 1.3.

Signed Public CA Parameters

For <transport tls>:
  • ca_path: [string]
    • Default: nil
    • Specifies the path of CA certificate file
  • cert_path: [string]
    • Default: nil
    • Specifies the path of Certificate file
  • private_key_path: [string]
    • Default: nil
    • Specifies the path of Private Key file
  • private_key_passphrase: [string]
    • Default: nil
    • Specifies the public CA private key passphrase
  • client_cert_auth: [bool]
    • Default: false
    • If true, Fluentd will check all the incoming HTTPS requests for a
      client certificate signed by the trusted CA. The requests that don't
      supply a valid client certificate will fail.
  • cert_verifier: [string]
    • Default: nil
    • Specifies the code path for cert verification. See also [server
      article](/developer/api-plugin-helper-server.md#cert_verifier-example).

Generated and Signed by Private CA Parameters

For <transport tls>:
  • ca_cert_path: [string]
    • Default: nil
    • Specifies the private CA cert path
  • ca_private_key_path: [string]
    • Default: nil
    • Specifies the private CA private key path
  • ca_private_key_passphrase: [string]
    • Default: nil
    • Specifies the private CA private key passphrase

Generated and Signed by Private CA Certs or Self-signed Parameters

For <transport tls>:
  • generate_private_key_length: [integer]
    • Default: 2048
  • generate_cert_country: [string]
    • Default: US
  • generate_cert_state: [string]
    • Default: CA
  • generate_cert_locality: [string]
    • Default: Mountain View
  • generate_cert_common_name: [string]
    • Default: nil
  • generate_cert_expiration: [integer]
    • Default: (60 * 60 * 24 = 86400) * 365 * 10 = 10 years

Cert Digest Algorithm Parameter

For <transport tls>:
  • generate_cert_digest: [enum: sha1/sha256/sha384/sha512]
    • Default: sha256
If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is an open-source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.
Copy link
On this page
Transport Section Overview
Parameters
TLS Setting
Signed Public CA Parameters
Generated and Signed by Private CA Parameters
Generated and Signed by Private CA Certs or Self-signed Parameters
Cert Digest Algorithm Parameter