Fluentd
Introduction
Overview
Installation
Configuration
Deployment
Input Plugins
Output Plugins
Filter Plugins
Parser Plugins
regexp
apache2
apache_error
nginx
syslog
ltsv
csv
tsv
json
multiline
none
Formatter Plugins
Buffer Plugins
Storage Plugins
How-to Guides
Language Bindings
Plugin Development
Plugin Helper API
Powered by GitBook

syslog

The syslog parser plugin parses syslog generated logs. This plugin supports two RFC formats, rfc3164 and rfc5424.

Parameters

See Parse section configurations​

time_format

type

default

version

string

%b %d %H:%M:%S

0.14.10

Specify time format for event time. Default is "%b %d %H:%M:%S" for rfc3164 protocol.

rfc5424_time_format

type

default

version

string

%Y-%m-%dT%H:%M:%S.%L%z

0.14.14

Specify time format for event time for rfc5424 protocol.

message_format

type

default

version

string

rfc3164

0.14.14

Specify protocol format. Supported values are rfc3164, rfc5424 and auto. Default is rfc3164. If your syslog uses rfc5424, use rfc5424 instead.

auto is useful when this parser receives both rfc3164 and rfc5424 message. syslog parser detects message format by using message prefix.

This parameter is used inside in_syslog plugin because the file logs via syslog don't have <9> like priority prefix.

with_priority

type

default

version

bool

false

0.14.0

If the incoming logs have priority prefix, e.g. <9>, set true. Default is false.

Regexp patterns

rfc3164 pattern

expression /^\<(?<pri>[0-9]+)\>(?<time>[^ ]* {1,2}[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[a-zA-Z0-9_\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$/
time_format "%b %d %H:%M:%S"

pri, host, ident, pid and message are included in the event record. time is used for the event time.

pri value is converted into integer type.

If with_priority is false, ^\<(?<pri>[0-9]+)\> is removed from the pattern.

rfc5424 pattern

expression /\A^\<(?<pri>[0-9]{1,3})\>[1-9]\d{0,2} (?<time>[^ ]+) (?<host>[^ ]+) (?<ident>[^ ]+) (?<pid>[-0-9]+) (?<msgid>[^ ]+) (?<extradata>(\[(.*)\]|[^ ])) (?<message>.+)$\z/
time_format "%Y-%m-%dT%H:%M:%S.%L%z"

pri, host, ident, pid, msgid, extradata and message are included in the event record. time is used for the event time.

pri value is converted into integer type.

Example

rfc3164 log

<6>Feb 28 12:00:00 192.168.0.1 fluentd[11111]: [error] Syslog test

This incoming event is parsed as:

time:
1362020400 (Feb 28 12:00:00)
​
record:
{
  "pri"    : 6,
  "host"   : "192.168.0.1",
  "ident"  : "fluentd",
  "pid"    : "11111",
  "message": "[error] Syslog test"
}

rfc5424 log

<16>1 2013-02-28T12:00:00.003Z 192.168.0.1 fluentd 11111 ID24224 [exampleSDID@20224 iut="3" eventSource="Application" eventID="11211"] Hi, from Fluentd!

This incoming event is parsed as:

time:
1362052800 (2013-02-28T12:00:00.003Z)
​
record:
{
  "pri"      : 16,
  "host"     : "192.168.0.1",
  "ident"    : "fluentd",
  "pid"      : "11111",
  "msgid"    : "ID24224",
  "extradata": "[exampleSDID@20224 iut=\"3\" eventSource=\"Application\" eventID=\"11211\"]",
  "message"  : "Hi, from Fluentd!"
}

If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is a open source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.

Previous
nginx
Next
ltsv
Last updated 3 days ago
Edit on GitHub
Contents
Parameters
time_format
rfc5424_time_format
message_format
with_priority
Regexp patterns
rfc3164 pattern
rfc5424 pattern
Example
rfc3164 log
rfc5424 log