Fluentd
Search…
1.0
Introduction
Overview
Installation
Configuration
Deployment
Container Deployment
Monitoring Fluentd
Input Plugins
Output Plugins
Filter Plugins
Parser Plugins
regexp
apache2
apache_error
nginx
syslog
ltsv
csv
tsv
json
msgpack
multiline
none
Formatter Plugins
Buffer Plugins
Storage Plugins
Service Discovery Plugins
Metrics Plugins
How-to Guides
Language Bindings
Plugin Development
Plugin Helper API
Troubleshooting Guide
Powered By GitBook
syslog
The syslog parser plugin parses syslog generated logs. This plugin supports two RFC formats, RFC-3164 and RFC-5424.

Parameters

time_format

type
default
version
string
%b %d %H:%M:%S
0.14.10
Specifies the time format for the event time. Default is "%b %d %H:%M:%S" for RFC-3164 protocol. If your log uses sub-second timestamp, change this parameter to "%b %d %H:%M:%S.%N".

rfc5424_time_format

type
default
version
string
%Y-%m-%dT%H:%M:%S.%L%z
0.14.14
Specifies the event time format for the RFC-5424 protocol.

message_format

type
default
available values
version
enum
rfc3164
rfc3164/rfc5424/auto
0.14.14
Specifies the protocol format. Supported values are rfc3164, rfc5424 and auto. Default is rfc3164. If your syslog uses rfc5424, use rfc5424 instead.
auto is useful when this parser receives both rfc3164 and rfc5424 message. syslog parser detects message format by using message prefix.

with_priority

type
default
version
bool
false
0.14.0
If the incoming logs have priority prefix e.g. <9>, set true. Default is false.
This parameter is used inside in_syslog plugin because the file logs via syslog do not have <9> like priority prefix.

parser_type

type
default
available values
version
enum
regexp
regexp/string
1.7.1(for rfc3164)/1.11.0(for rfc5424)
Specifies the internal parser type for rfc3164/rfc5424 format. Supported values are regexp and string. Both parsers generate the same record for the standard format.
If regexp does not work for your logs, consider string type instead.
We recommend using string parser because it is 2x faster than regexp. The default is regexp for existing users. Fluentd v2 will change the default to string parser.

support_colonless_ident

type
default
version
bool
true
1.7.1
This parameter is used when parser_type is string. If your message does not contain the ident field, set false to avoid ident mismatch.
1
# No ident field log
2
Feb 5 17:32:18 10.0.0.99 Use the BFG!
3
​
4
# generated record with true is wrong
5
{"host":"10.0.0.99","ident":"Use","message":"the BFG!"}
6
​
7
# generated record with false is correct
8
{"host":"10.0.0.99","message":"Use the BFG!"}
Copied!

Regexp Patterns

Show regexp patterns for parsing logs.

RFC-3164 Pattern

1
expression /^\<(?<pri>[0-9]+)\>(?<time>[^ ]* {1,2}[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[^ :\[]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$/
2
time_format "%b %d %H:%M:%S"
Copied!
pri, host, ident, pid and message are included in the event record. time is used for the event time.
pri value is converted to the integer type.
If with_priority is false, ^\<(?<pri>[0-9]+)\> is removed from the pattern.

RFC-5424 Pattern

1
expression /\A\<(?<pri>[0-9]{1,3})\>[1-9]\d{0,2} (?<time>[^ ]+) (?<host>[!-~]{1,255}) (?<ident>[!-~]{1,48}) (?<pid>[!-~]{1,128}) (?<msgid>[!-~]{1,32}) (?<extradata>(?:\-|(?:\[.*?(?<!\\)\])+))(?: (?<message>.+))?\z/
2
time_format "%Y-%m-%dT%H:%M:%S.%L%z"
Copied!
pri, host, ident, pid, msgid, extradata and message are included in the event record. time is used for the event time.
pri value is converted to the integer type.
If with_priority is false, \<(?<pri>[0-9]{1,3})\>[1-9]\d{0,2} is removed from the pattern.

Example

RFC-3164 Log

This incoming event:
1
<6>Feb 28 12:00:00 192.168.0.1 fluentd[11111]: [error] Syslog test
Copied!
is parsed as:
1
time:
2
1362020400 (Feb 28 12:00:00)
3
​
4
record:
5
{
6
"pri" : 6,
7
"host" : "192.168.0.1",
8
"ident" : "fluentd",
9
"pid" : "11111",
10
"message": "[error] Syslog test"
11
}
Copied!

RFC-5424 Log

This incoming event:
1
<16>1 2013-02-28T12:00:00.003Z 192.168.0.1 fluentd 11111 ID24224 [[email protected] iut="3" eventSource="Application" eventID="11211"] Hi, from Fluentd!
Copied!
is parsed as:
1
time:
2
1362052800 (2013-02-28T12:00:00.003Z)
3
​
4
record:
5
{
6
"pri" : 16,
7
"host" : "192.168.0.1",
8
"ident" : "fluentd",
9
"pid" : "11111",
10
"msgid" : "ID24224",
11
"extradata": "[[email protected] iut=\"3\" eventSource=\"Application\" eventID=\"11211\"]",
12
"message" : "Hi, from Fluentd!"
13
}
Copied!
If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is an open-source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.
Previous
nginx
Next
ltsv
Last modified 11mo ago
Copy link
Contents
Parameters
time_format
rfc5424_time_format
message_format
with_priority
parser_type
support_colonless_ident
Regexp Patterns
RFC-3164 Pattern
RFC-5424 Pattern
Example
RFC-3164 Log
RFC-5424 Log