# syslog

![](https://3804023877-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LR7OsqPORtP86IQxs6E%2F-LX0aKuKEQ8l83KlUg5z%2F-LWNPOan9s_faZVC4rLN%2Fsyslog.png?generation=1548362555327815\&alt=media)

The `in_syslog` Input plugin enables Fluentd to retrieve records via the syslog protocol on UDP or TCP.

## Example Configuration

`in_syslog` is included in Fluentd's core. No additional installation process is required.

```
<source>
  @type syslog
  port 5140
  bind 0.0.0.0
  tag system
</source>
```

Please see the [Config File](https://docs.fluentd.org/0.12/configuration/config-file) article for the basic structure and syntax of the configuration file.

### Example Usage

The retrieved data is organized as follows. Fluentd's tag is generated by the `tag` parameter (tag prefix), [facility level](http://en.wikipedia.org/wiki/Syslog#Facility_Levels), and [priority](http://en.wikipedia.org/wiki/Syslog#Severity_levels). The record is parsed by the regexp [here](https://github.com/fluent/fluentd/blob/master/lib/fluent/plugin/in_syslog.rb#L25).

```
tag = "#{@tag}.#{facility}.#{priority}"

record = {
  "pri": "0",
  "time": 1353436518,
  "host": "host",
  "ident": "ident",
  "pid": "12345",
  "message": "text"
}
```
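The tag suffix comes from the numeric priority prefix, not from the message text. The sketch below is an added example, not Fluentd's own code: it decodes the prefix into facility and priority and builds the tag and record as described above. The name tables are the conventional syslog names (assumed to match the plugin's), `RFC3164_BODY` is a simplified pattern written for this example, and `split_pri` and `to_event` are hypothetical helpers.

```ruby
# Conventional syslog names; assumed (not taken from the page) to match the plugin.
FACILITIES = %w[kern user mail daemon auth syslog lpr news uucp cron authpriv
                ftp ntp audit alert at local0 local1 local2 local3 local4
                local5 local6 local7].freeze
SEVERITIES = %w[emerg alert crit err warning notice info debug].freeze

# Simplified RFC 3164 body pattern for this example only (not Fluentd's regexp).
RFC3164_BODY = /\A(?<time>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?<host>\S+) (?<ident>[^\s\[:]+)(?:\[(?<pid>\d+)\])?: ?(?<message>.*)\z/m

# Splits "<PRI>rest" into [pri, rest]. Returns nil when the prefix is missing
# or out of range (valid PRI is 0..191: 24 facilities * 8 severities).
def split_pri(line)
  m = /\A<(\d{1,3})>(.*)\z/m.match(line)
  return nil unless m
  pri = m[1].to_i
  pri <= 191 ? [pri, m[2]] : nil
end

# Returns [tag, record], or nil for input without a usable priority prefix.
# The timestamp is kept as a string here; the plugin converts it to a time value.
def to_event(line, tag_prefix)
  pri, rest = split_pri(line.chomp)
  return nil unless pri
  facility = FACILITIES[pri >> 3]     # upper bits select the facility
  severity = SEVERITIES[pri & 0b111]  # low three bits select the priority
  record = { 'pri' => pri.to_s }
  if (m = RFC3164_BODY.match(rest))
    record.merge!(m.named_captures.compact)
  else
    record['message'] = rest          # e.g. an RFC 5424 line, left unparsed here
  end
  ["#{tag_prefix}.#{facility}.#{severity}", record]
end
```

Because the sender chooses the prefix, a line such as `<6>... [error] Hello!` is tagged `system.kern.info` regardless of the `[error]` text in the body, so routing rules keyed on the tag trust a sender-supplied value.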

## Parameters

### type (required)

The value must be `syslog`.

### tag (required)

The prefix of the tag. The tag itself is generated by the tag prefix, [facility level](http://en.wikipedia.org/wiki/Syslog#Facility_Levels), and [priority](http://en.wikipedia.org/wiki/Syslog#Severity_levels).

### port

The port to listen on. The default is `5140`.

### bind

The address to bind to. The default is `0.0.0.0` (all addresses).

### protocol\_type

The transport protocol used to receive logs. `udp` and `tcp` are supported. The default is `udp`.

### message\_length\_limit

The maximum size of a syslog message, in bytes. The default is `2048`. If you send larger messages, increase this value.

### message\_format

This parameter is available since v0.12.33.

Specifies the protocol format. Supported values are `rfc3164`, `rfc5424` and `auto`. The default is `rfc3164`. If your syslog uses `rfc5424`, use `rfc5424` instead. Here is an example message in each format:

```
# rfc3164
<6>Feb 28 12:00:00 192.168.0.1 fluentd[11111]: [error] Hello!
# rfc5424
<16>1 2017-02-28T12:00:00.009Z 192.168.0.1 fluentd - - - Hello!
```

`auto` is useful when `in_syslog` receives both `rfc3164` and `rfc5424` messages on the same source. `in_syslog` detects the message format from the message prefix and parses the message accordingly.

### format

The format of the log. This option is used to parse non-standard syslog formats using [parser plugins](https://docs.fluentd.org/0.12/parser).

```
<source>
  @type syslog
  tag system
  format FORMAT_PARAMETER
</source>
```

Your `format` regexp should not consider the 'priority' prefix of the log. For example, if in\_syslog receives the log below:

```
 <1>Feb 20 00:00:00 192.168.0.1 fluentd[11111]: [error] hogehoge
```

then the format parser receives the following log:

```
 Feb 20 00:00:00 192.168.0.1 fluentd[11111]: [error] hogehoge
```

If the `format` parameter is missing, then the log data is assumed to have the canonical syslog format (see with\_priority).

### with\_priority

This option matters only when `format` is absent. If `with_priority` is true, then syslog messages are assumed to be prefixed with a priority tag such as `<1>`. This option exists because some syslog daemons output logs without the priority tag preceding the message body.

If you wish to parse syslog messages of arbitrary formats, [in\_tcp](https://docs.fluentd.org/0.12/input/tcp) or [in\_udp](https://docs.fluentd.org/0.12/input/udp) are recommended.

### include\_source\_host

If true, adds the source host to the event record. The default is `false`. This parameter is deprecated. Use `source_hostname_key` instead.

### source\_hostname\_key

The field name for the client's hostname. If a value is set, the client's hostname is stored under that key. The default is nil (the hostname is not added).

### priority\_key

The field name for the priority. If a value is set, the priority is stored under that key. The default is nil (the priority is not added).

### facility\_key

The field name for the facility. If a value is set, the facility is stored under that key. The default is nil (the facility is not added).

#### log\_level option

The `log_level` option allows the user to set different levels of logging for each plugin. The supported log levels are: `fatal`, `error`, `warn`, `info`, `debug`, and `trace`.

Please see the [logging article](https://docs.fluentd.org/0.12/deployment/logging) for further details.

## TCP protocol and message delimiter

This plugin assumes `\n` as the delimiter character between syslog messages within one TCP connection. If your application uses a syslog library with `protocol_type tcp`, append `\n` to each syslog message. See also [rfc6587](https://tools.ietf.org/html/rfc6587#section-3.4.2).
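With newline framing, a line feed inside a message body is indistinguishable from a message boundary. The following added example (not part of Fluentd; `frame` and `drain` are hypothetical helpers, and `LIMIT` mirrors the `message_length_limit` default) shows a sender that escapes embedded line breaks before appending the delimiter, and a receiver-side view that splits buffered TCP data on `\n` while keeping an unterminated tail for the next read.

```ruby
# Mirrors the page's message_length_limit default. How the plugin treats
# oversized messages is not described on the page, so this is a sender-side check.
LIMIT = 2048

# Replacement table for characters that would break newline framing.
ESCAPES = { "\r" => '\r', "\n" => '\n' }.freeze

# Sender side: exactly one syslog message per line. Embedded CR/LF characters
# are replaced with their two-character escapes so the receiver sees one record.
def frame(msg)
  body = msg.gsub(/[\r\n]/, ESCAPES)
  raise ArgumentError, "message exceeds #{LIMIT} bytes" if body.bytesize > LIMIT
  body + "\n"
end

# Receiver-side view: split buffered TCP data into complete messages and
# return the unterminated remainder, which must wait for more data.
def drain(buffer)
  rest = buffer.dup
  messages = []
  while (idx = rest.index("\n"))
    messages << rest.slice!(0, idx + 1).chomp
  end
  [messages, rest]
end

# Constructed sample: a message whose body contains a line break.
SAMPLE = "<6>Feb 28 12:00:00 192.168.0.1 app: first line\nsecond line"
```

Sent unescaped, `SAMPLE` would arrive as two records, the second without a priority prefix; after `frame` it arrives as one.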

