in_syslog Input plugin enables Fluentd to retrieve records via the syslog protocol on UDP or TCP.

syslog daemon to send messages to the socket. For example, if you're using rsyslogd, add the following lines to /etc/rsyslog.conf:

tag parameter (tag prefix), facility level, and priority. The record is parsed by the regexp here.

@type (required)
syslog.

tag (required)

port

bind

protocol_type
udp and tcp are supported.
<transport> instead.

<transport> Section
syslog transport.

message_length_limit
frame_type
traditional
octet_count

format
<parse> instead.

<parse> Directive
<parse> regexp should not consider the 'priority' prefix of the log. For example, if in_syslog receives the log below:

<parse>/@type parameter is missing, the log data is assumed to have the canonical syslog format. It is the same as the following configuration:

message_format
<parse> directive. The default is rfc3164.
rfc3164, rfc5424 and auto. If your syslog uses rfc5424, use rfc5424 instead. Here is an example message:
auto is useful when in_syslog receives both rfc3164 and rfc5424 messages per source. in_syslog detects the message format by using the message prefix and parses it.

with_priority
<parse> directive.
with_priority is true, then syslog messages are assumed to be prefixed with a priority tag like <3>. This option exists since some syslog daemons output logs without the priority tag preceding the message body.

emit_unmatched_lines
<parse> format is not matched for incoming logs.
{"unmatched_line" : "incoming line"} with ${tag parameter}.unmatched tag.

resolve_hostname
false when source_hostname_key is set.

send_keepalive_packet

source_hostname_key

source_address_key

severity_key
severity_key severity and got <6> started syslog message, severity field is info.

priority_key
severity_key instead.

facility_key
facility_key facility and got <6> started syslog message, facility field is kern.

@log_level
@log_level option allows the user to set different levels of logging for each plugin. The supported log levels are: fatal, error, warn, info, debug, and trace.

<transport tcp>, add to your syslog message. See also rfc6587.
frame_type octet_count in in_syslog configuration. See also frame_type parameter.

in_syslog supports TLS transport. Here is the configuration example with rsyslog:
in_syslog
rsyslog

time_format in <parse> may help.

syslog parser cannot parse your message. To resolve the problem, there are several approaches:
regex parser or write your parser
in_udp/in_tcp with other parsers