Comment on page
syslog
The
in_syslog Input plugin enables Fluentd to retrieve records via the syslog protocol on UDP or TCP.in_syslog is included in Fluentd's core. No additional installation process is required.<source>
@type syslog
port 5140
bind 0.0.0.0
tag system
</source>
The retrieved data is organized as follows. Fluentd's tag is generated by the
tag parameter (tag prefix), facility level, and priority. The record is parsed by the regexp here.tag = "#{@tag}.#{facility}.#{priority}"
record = {
"pri": "0",
"time": 1353436518,
"host": "host",
"ident": "ident",
"pid": "12345",
"message": "text"
}
The value must be
syslog.The port to listen to. Default Value = 5140
The bind address to listen to. Default Value = 0.0.0.0 (all addresses)
The transport protocol used to receive logs. "udp" and "tcp" are supported. "udp" by default.
The max bytes of syslog message. Default is
2048. If you send larger message, change this parameter.This parameter is available since v0.12.33.
Specify protocol format. Supported values are
rfc3164, rfc5424 and auto. Default is rfc3164. If your syslog uses rfc5424, use rfc5424 instead. Here is an example of message:# rfc3164
<6>Feb 28 12:00:00 192.168.0.1 fluentd[11111]: [error] Hello!
# rfc5424
<16>1 2017-02-28T12:00:00.009Z 192.168.0.1 fluentd - - - Hello!
auto is useful when in_syslog receives both rfc3164 and rfc5424 message per source. in_syslog detects message format by using message prefix and parse it.The format of the log. This option is used to parse non-standard syslog formats using parser plugins.
<source>
@type syslog
tag system
format FORMAT_PARAMETER
</source>
Your
format regexp should not consider the 'priority' prefix of the log. For example, if in_syslog receives the log below: <1>Feb 20 00:00:00 192.168.0.1 fluentd[11111]: [error] hogehoge
then the format parser receives the following log:
Feb 20 00:00:00 192.168.0.1 fluentd[11111]: [error] hogehoge
If the
format parameter is missing, then the log data is assumed to have the canonical syslog format (see with_priority).This option matters only when
format is absent. If with_priority is true, then syslog messages are assumed to be prefixed with a priority tag like "\". This option exists since some syslog daemons output logs without the priority tag preceding the message body.If true, add source host to event record. The default is
false. This is deprecated. Use source_hostname_key.The field name of the client's hostname. If set the value, the client's hostname will be set to its key. The default is nil (no adding hostname).
The field name of the priority. If set the value, the priority will be set to its key. The default is nil (no adding priority).
The field name of the facility. If set the value, the facility will be set to its key. The default is nil (no adding facility).
The
log_level option allows the user to set different levels of logging for each plugin. The supported log levels are: fatal, error, warn, info, debug, and trace.This plugin assumes
\n for delimiter character between syslog messages in one TCP connection. If you use syslog library in your application with protocol_type tcp, add \n to your syslog message. See also rfc6587.If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is a open source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.
Last modified 3yr ago