syslog
The in_syslog Input plugin enables Fluentd to retrieve records via the syslog protocol on UDP or TCP.
Example Configuration
in_syslog is included in Fluentd's core. No additional installation process is required.
Please see the Config File article for the basic structure and syntax of the configuration file.
Example Usage
The retrieved data is organized as follows. Fluentd's tag is generated by the tag parameter (tag prefix), facility level, and priority. The record is parsed by the regexp here.
Parameters
type (required)
The value must be syslog.
tag (required)
The prefix of the tag. The tag itself is generated by the tag prefix, facility level, and priority.
port
The port to listen to. Default Value = 5140
bind
The bind address to listen to. Default Value = 0.0.0.0 (all addresses)
protocol_type
The transport protocol used to receive logs. "udp" and "tcp" are supported. "udp" by default.
message_length_limit
The max bytes of syslog message. Default is 2048. If you send larger message, change this parameter.
message_format
This parameter is available since v0.12.33.
Specify protocol format. Supported values are rfc3164, rfc5424 and auto. Default is rfc3164. If your syslog uses rfc5424, use rfc5424 instead. Here is an example of message:
auto is useful when in_syslog receives both rfc3164 and rfc5424 message per source. in_syslog detects message format by using message prefix and parse it.
format
The format of the log. This option is used to parse non-standard syslog formats using parser plugins.
Your format regexp should not consider the 'priority' prefix of the log. For example, if in_syslog receives the log below:
then the format parser receives the following log:
If the format parameter is missing, then the log data is assumed to have the canonical syslog format (see with_priority).
with_priority
This option matters only when format is absent. If with_priority is true, then syslog messages are assumed to be prefixed with a priority tag like "\". This option exists since some syslog daemons output logs without the priority tag preceding the message body.
If you wish to parse syslog messages of arbitrary formats, in_tcp or in_udp are recommended.
include_source_host
If true, add source host to event record. The default is false. This is deprecated. Use source_hostname_key.
source_hostname_key
The field name of the client's hostname. If set the value, the client's hostname will be set to its key. The default is nil (no adding hostname).
priority_key
The field name of the priority. If set the value, the priority will be set to its key. The default is nil (no adding priority).
facility_key
The field name of the facility. If set the value, the facility will be set to its key. The default is nil (no adding facility).
log_level option
The log_level option allows the user to set different levels of logging for each plugin. The supported log levels are: fatal, error, warn, info, debug, and trace.
Please see the logging article for further details.
TCP protocol and message delimiter
This plugin assumes \n for delimiter character between syslog messages in one TCP connection. If you use syslog library in your application with protocol_type tcp, add \n to your syslog message. See also rfc6587.
If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is a open source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.
Last updated
