syslog
The
in_syslog Input plugin enables Fluentd to retrieve records via the syslog protocol on UDP or TCP.It is included in Fluentd's core.
<source>
@type syslog
port 5140
bind 0.0.0.0
tag system
</source>
This tells Fluentd to create a socket listening on port 5140. You need to set up your
syslog daemon to send messages to the socket. For example, if you're using rsyslogd, add the following lines to /etc/rsyslog.conf:# Send log messages to Fluentd
*.* @127.0.0.1:5140
The retrieved data is organized as follows. Fluentd's tag is generated by the
tag parameter (tag prefix), facility level, and priority. The record is parsed by the regexp here.tag = "#{@tag}.#{facility}.#{priority}"
time = 1353436518,
record = {
"host": "host",
"ident": "ident",
"pid": "12345",
"message": "text"
}
If you want to keep facility and priority in the record, set related parameters.
The value must be
syslog.type | default | version |
|---|---|---|
integer | 5140 | 0.14.0 |
The port to listen to.
type | default | version |
|---|---|---|
string | 0.0.0.0 (all addresses) | 0.14.0 |
The bind address to listen to.
type | default | available values | version |
|---|---|---|---|
enum | udp | udp/tcp | 0.14.0 |
The transport protocol used to receive logs.
udp and tcp are supported.This parameter is deprecated since v1.5. Use
<transport> instead.type | default | available values | version |
|---|---|---|---|
enum | udp | udp/tcp/tls | 1.5.0 |
The protocol of the
syslog transport.<source>
@type syslog
tag system
<transport tcp>
</transport>
# other parameters
</source>
See How to Enable TLS Encryption section for how to use and see Configuration Example for all supported parameters.
type | default | version |
|---|---|---|
size | 2048 | 0.14.2 |
The maximum length of a syslog message in bytes. If you send a larger message, change this parameter.
type | default | available values | version |
|---|---|---|---|
enum | traditional | traditional/octet_count | 1.3.0 |
Specifies the framing type in TCP protocol.
traditional
Messages are delimited by newline():
<6>Sep 10 00:00:00 localhost logger: hello!
octet_count
Message has the message size prefix to delimit:
43 <6>Sep 10 00:00:00 localhost logger: hello!
Deprecated parameter. Use
<parse> instead.The format of the log. This option is used to parse non-standard syslog formats using parser plugins.
<source>
@type syslog
tag system
<parse>
@type FORMAT_PARAMETER
</parse>
</source>
Your
<parse> regexp should not consider the 'priority' prefix of the log. For example, if in_syslog receives the log below:<1>Feb 20 00:00:00 192.168.0.1 fluentd[11111]: [error] hogehoge
Then, the format parser receives the following log:
Feb 20 00:00:00 192.168.0.1 fluentd[11111]: [error] hogehoge
If the
<parse>/@type parameter is missing, the log data is assumed to have the canonical syslog format. It is same with the following configuration:<parse>
@type syslog
with_priority true
</parse>
type | default | available values | version |
|---|---|---|---|
enum | rfc3164 | rfc3164/rfc5424/auto | 0.14.14 |
This parameter is used inside
<parse> directive. The default is rfc3164.<source>
@type syslog
tag system
<parse>
message_format rfc5424
</parse>
</source>
Specifies the protocol format. Supported values are
rfc3164, rfc5424 and auto. If your syslog uses rfc5424, use rfc5424 instead. Here is an example of message:# rfc3164
<6>Feb 28 12:00:00 192.168.0.1 fluentd[11111]: [error] Hello!
# rfc5424
<16>1 2017-02-28T12:00:00.009Z 192.168.0.1 fluentd - - - Hello!
auto is useful when in_syslog receives both rfc3164 and rfc5424 message per source. in_syslog detects message format by using message prefix and parses it.type | default | version |
|---|---|---|
bool | true | 0.14.0 |
This parameter is used inside
<parse> directive.<source>
@type syslog
tag system
<parse>
with_priority false
</parse>
</source>
If
with_priority is true, then syslog messages are assumed to be prefixed with a priority tag like <3>. This option exists since some syslog daemons output logs without the priority tag preceding the message body.type | default | version |
|---|---|---|
bool | false | 1.6.3 |
Emits unmatched lines when
<parse> format is not matched for incoming logs.Emitted record is
{"unmatched_line" : "incoming line"} with ${tag parameter}.unmatched tag.type | default | version |
|---|---|---|
bool | nil | 0.14.19 |
Tries to resolve hostname from IP addresses or not. Cannot set
false when source_hostname_key is set.type | default | version |
|---|---|---|
bool | false | 1.14.0 |
type | default | version |
|---|---|---|
string | nil (no assign) | 0.14.0 |
The field name of the client's hostname. If set, the client's hostname will be set to its key.
type | default | version |
|---|---|---|
string | nil (no assign) | 0.14.0 |
The field name of the client's address. If set, the client's address will be set to its key.
type | default | version |
|---|---|---|
string | nil (no assign) | 1.7.3 |
The field name of the severity. If set, the severity will be set to its key.
If you set
severity_key severity and got <6> started syslog message, severity field is info.type | default | version |
|---|---|---|
string | nil (no assign) | 0.14.10 |
This parameter is deprecated due to a misleading name. This sets severity, not priority.
This parameter will be removed in fluentd v2. Use
severity_key instead.type | default | version |
|---|---|---|
string | nil (no assign) | 0.14.10 |
The field name of the facility. If set, the facility will be set to its key.
If you set
facility_key facility and got <6> started syslog message, facility field is kern.The
@log_level option allows the user to set different levels of logging for each plugin. The supported log levels are: fatal, error, warn, info, debug, and trace.This plugin assumes for delimiter character between syslog messages in one TCP connection by default. If you use syslog library in your application with
<transport tcp>, add to your syslog message. See also rfc6587.If your syslog uses octet counting mode, set
frame_type octet_count in in_syslog configuration. See also frame_type parameter.Since v1.5.0,
in_syslog support TLS transport. Here is the configuration example with rsyslog:in_syslog
<source>
@type syslog
port 5140
bind 0.0.0.0
<transport tls>
ca_path /etc/pki/ca.pem
cert_path /etc/pki/cert.pem
private_key_path /etc/pki/key.pem
private_key_passphrase PASSPHRASE
</transport>
tag system
</source>
rsyslog
$DefaultNetstreamDriverCAFile /etc/pki/ca.pem
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon
*.* @@127.0.0.1:5140
If you use this plugin under the multi-process environment, the port will be shared.
<system>
workers 3
</system>
<source>
@type syslog
port 5140
</source>
With this configuration, 3 workers share 5140 port. No need of an additional port. The incoming data will be routed to the three (3) workers automatically.
First, check your message format follows RFC3164/RFC5424 or not. Some systems say RFC3164/RFC5424 but it sends non-RFC3164/RFC5424 message, e.g. invalid priority, different timestamp, lack/add fields.
If only timestamp is different, configure
time_format in <parse> may help.If other parts are different, the
syslog parser cannot parse your message. To resolve the problem, there are several approaches:- Use
regexparser or write your parser - Use
in_udp/in_tcpwith other parsers
If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is an open-source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.
Last modified 1yr ago