The in_syslog Input plugin enables Fluentd to retrieve records via the syslog protocol on UDP or TCP.

Example Configuration

in_syslog is included in Fluentd's core. No additional installation process is required.

<source>
  @type syslog
  port 5140
  bind 0.0.0.0
  tag system
</source>

This tells Fluentd to create a socket listening on port 5140. You need to set up your syslog daemon to send messages to the socket. For example, if you're using rsyslogd, add the following lines to /etc/rsyslog.conf.

# Send log messages to Fluentd
*.* @127.0.0.1:5140

Example Usage

The retrieved data is organized as follows. Fluentd's tag is generated by the tag parameter (tag prefix), facility level, and priority. The record is parsed by the regexp here.

tag = "#{@tag}.#{facility}.#{priority}"
time = 1353436518,
record = {
  "host": "host",
  "ident": "ident",
  "pid": "12345",
  "message": "text"
}

If you want to keep facility and priority in the record, set related parameters.

Plugin helpers

• ​parser​

• ​compat_parameters​

• ​server​

Parameters

​Common Parameters​

@type (required)

The value must be syslog.

tag (required)

The prefix of the tag. The tag itself is generated by the tag prefix, facility level, and priority.

port

The port to listen to.

bind

The bind address to listen to.

protocol_type

The transport protocol used to receive logs. "udp" and "tcp" are supported.

This parameter is deprecated since v1.5. Use <transport> instead.

<transport> section

The protocol of the syslog transport.

<source>
  @type syslog
  tag system
  <transport tcp>
  </transport>
  # other parameters
</source>

See "How to Enable TLS Encryption" section for how to use and see "Configuration example" in "Server Plugin Helper" article for supported parameters

message_length_limit

The max bytes of syslog message. If you send larger message, change this parameter.

frame_type

Specify framing type in TCP protocol.

• traditional

Messages are delimited by newline(\n)

<6>Sep 10 00:00:00 localhost logger: hello!\n

• octet_count

Message has message size prefix to delimite

43 <6>Sep 10 00:00:00 localhost logger: hello!

See also rfc6587.

format

Deprecated parameter. Use <parse> instead.

<parse> directive

The format of the log. This option is used to parse non-standard syslog formats using parser plugins.

<source>
  @type syslog
  tag system
  <parse>
    @type FORMAT_PARAMETER
  </parse>
</source>

Your <parse> regexp should not consider the 'priority' prefix of the log. For example, if in_syslog receives the log below:

 <1>Feb 20 00:00:00 192.168.0.1 fluentd[11111]: [error] hogehoge

then the format parser receives the following log:

 Feb 20 00:00:00 192.168.0.1 fluentd[11111]: [error] hogehoge

If the <parse>/@type parameter is missing, then the log data is assumed to have the canonical syslog format. It is same with following configuration:

<parse>
  @type syslog
  with_priority true
</parse>

message_format

This parameter is used inside <parse> directive. The default is rfc3164

<source>
  @type syslog
  tag system
  <parse>
    message_format rfc5424
  </parse>
</source>

Specify protocol format. Supported values are rfc3164, rfc5424 and auto. If your syslog uses rfc5424, use rfc5424 instead. Here is an example of message:

# rfc3164
<6>Feb 28 12:00:00 192.168.0.1 fluentd[11111]: [error] Hello!
# rfc5424
<16>1 2017-02-28T12:00:00.009Z 192.168.0.1 fluentd - - - Hello!

auto is useful when in_syslog receives both rfc3164 and rfc5424 message per source. in_syslog detects message format by using message prefix and parse it.

with_priority

This parameter is used inside <parse> directive.

<source>
  @type syslog
  tag system
  <parse>
    with_priority false
  </parse>
</source>

If with_priority is true, then syslog messages are assumed to be prefixed with a priority tag like <3>. This option exists since some syslog daemons output logs without the priority tag preceding the message body.

If you wish to parse syslog messages of arbitrary formats, in_tcp or in_udp are recommended.

emit_unmatched_lines

Emit unmatched lines when <parse> format is not matched for incoming logs.

Emitted record is {"unmatched_line" : "incoming line"} with ${tag parameter}.unmatched tag.

source_hostname_key

The field name of the client's hostname. If set the value, the client's hostname will be set to its key.

source_address_key

The field name of the client's address. If set the value, the client's address will be set to its key.

severity_key

The field name of the severity. If set the value, the severity will be set to its key.

If you set severity_key severity and got <6> started syslog message, severity field is info

priority_key

This parameter is deprecated due to misleading name. This sets severity, not priority value.

This parameter will be removed at fluentd v2. Use severity_key instead.

facility_key

The field name of the facility. If set the value, the facility will be set to its key.

If you set facility_key facility and got <6> started syslog message, facility field is kern.

@log_level option

The @log_level option allows the user to set different levels of logging for each plugin. The supported log levels are: fatal, error, warn, info, debug, and trace.

Please see the logging article for further details.

TCP protocol and message delimiter

This plugin assumes \n for delimiter character between syslog messages in one TCP connection by default. If you use syslog library in your application with <transport tcp>, add \n to your syslog message. See also rfc6587.

If your syslog uses octet counting mode, set frame_type octet_count in in_syslog configuration. See also frame_type parameter.

Tips

How to Enable TLS Encryption

Since v1.5.0, in_syslog support TLS tranport. Here is configuration example with rsyslog.

• in_syslog

<source>
  @type syslog
  port 5140
  bind 0.0.0.0
  <transport tls>
    ca_path /etc/pki/ca.pem
    cert_path /etc/pki/cert.pem
    private_key_path /etc/pki/key.pem
    private_key_passphrase PASSPHRASE
  </transport>
  tag system
</source>

• rsyslog

$DefaultNetstreamDriverCAFile /etc/pki/ca.pem
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon
*.* @@127.0.0.1:5140

Multi-process environment

If you use this plugin under multi-process environment, port will be shared.

<system>
  workers 3
</system>
​
<source>
  @type syslog
  port 5140
</source>

With this configuration, 3 workers share 5140 port. No need additional port. Incoming data will be routed to 3 workers automatically.

FAQ

Our system sends RFC3164/RFC5424 message but parse failure happens

First, check your message format follows RFC3164/RFC5424 or not. Some systems say RFC3164/RFC5424 but it sends non-RFC3164/RFC5424 message, e.g. invalid priority, different timestamp, lack/add fields.

If only timestamp is different, configure time_format in <parse> may help.

If other parts are different, syslog parser can't parse your message. To resolve the problem, there are several approaches:

• Use regex parser or write your parser

• Use in_udp/in_tcp with other parsers

Learn More

• ​Input Plugin Overview​

If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is a open source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.