The in_syslog Input plugin enables Fluentd to retrieve records via the syslog protocol on UDP or TCP.

Example Configuration

in_syslog is included in Fluentd's core. No additional installation process is required.

  @type syslog
  port 5140
  tag system

Please see the Config File article for the basic structure and syntax of the configuration file.

Example Usage

The retrieved data is organized as follows. Fluentd's tag is generated by the tag parameter (tag prefix), facility level, and priority. The record is parsed by the regexp here.

tag = "#{@tag}.#{facility}.#{priority}"

record = {
  "pri": "0",
  "time": 1353436518,
  "host": "host",
  "ident": "ident",
  "pid": "12345",
  "message": "text"


type (required)

The value must be syslog.

tag (required)

The prefix of the tag. The tag itself is generated by the tag prefix, facility level, and priority.


The port to listen to. Default Value = 5140


The bind address to listen to. Default Value = (all addresses)


The transport protocol used to receive logs. "udp" and "tcp" are supported. "udp" by default.


The max bytes of syslog message. Default is 2048. If you send larger message, change this parameter.


This parameter is available since v0.12.33.

Specify protocol format. Supported values are rfc3164, rfc5424 and auto. Default is rfc3164. If your syslog uses rfc5424, use rfc5424 instead. Here is an example of message:

# rfc3164
<6>Feb 28 12:00:00 fluentd[11111]: [error] Hello!
# rfc5424
<16>1 2017-02-28T12:00:00.009Z fluentd - - - Hello!

auto is useful when in_syslog receives both rfc3164 and rfc5424 message per source. in_syslog detects message format by using message prefix and parse it.


The format of the log. This option is used to parse non-standard syslog formats using parser plugins.

  @type syslog
  tag system

Your format regexp should not consider the 'priority' prefix of the log. For example, if in_syslog receives the log below:

 <1>Feb 20 00:00:00 fluentd[11111]: [error] hogehoge

then the format parser receives the following log:

 Feb 20 00:00:00 fluentd[11111]: [error] hogehoge

If the format parameter is missing, then the log data is assumed to have the canonical syslog format (see with_priority).


This option matters only when format is absent. If with_priority is true, then syslog messages are assumed to be prefixed with a priority tag like "\". This option exists since some syslog daemons output logs without the priority tag preceding the message body.

If you wish to parse syslog messages of arbitrary formats, in_tcp or in_udp are recommended.


If true, add source host to event record. The default is false. This is deprecated. Use source_hostname_key.


The field name of the client's hostname. If set the value, the client's hostname will be set to its key. The default is nil (no adding hostname).


The field name of the priority. If set the value, the priority will be set to its key. The default is nil (no adding priority).


The field name of the facility. If set the value, the facility will be set to its key. The default is nil (no adding facility).

log_level option

The log_level option allows the user to set different levels of logging for each plugin. The supported log levels are: fatal, error, warn, info, debug, and trace.

Please see the logging article for further details.

TCP protocol and message delimiter

This plugin assumes \n for delimiter character between syslog messages in one TCP connection. If you use syslog library in your application with protocol_type tcp, add \n to your syslog message. See also rfc6587.

If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is a open source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.

Last updated