syslog
The
syslog
parser plugin parses syslog generated logs. This plugin supports two RFC formats, rfc3164 and rfc5424.Specify time format for event time. Default is "%b %d %H:%M:%S" for rfc3164 protocol.
Specify protocol format. Supported values are
rfc3164
, rfc5424
and auto
. Default is rfc3164
. If your syslog uses rfc5424
, use rfc5424
instead.auto
is useful when this parser receives both rfc3164
and rfc5424
message. syslog
parser detects message format by using message prefix.This parameter is used inside
in_syslog
plugin because the file logs via syslog don't have <9>
like priority prefix.If the incoming logs have priority prefix, e.g. \, set
true
. Default is false
.If you want to keep time field in the record, set
true
. Default is false
.format /^\<(?<pri>[0-9]+)\>(?<time>[^ ]* {1,2}[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[a-zA-Z0-9_\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$/
time_format "%b %d %H:%M:%S"
pri
, host
, ident
, pid
and message
are included in the event record. time
is used for the event time.pri
value is converted into integer type.If
with_priority
is false
, ^\<(?<pri>[0-9]+)\>
is removed from the pattern.format /\A^\<(?<pri>[0-9]{1,3})\>[1-9]\d{0,2} (?<time>[^ ]+) (?<host>[^ ]+) (?<ident>[^ ]+) (?<pid>[-0-9]+) (?<msgid>[^ ]+) (?<extradata>(\[(.*)\]|[^ ])) (?<message>.+)$\z/
time_format "%Y-%m-%dT%H:%M:%S.%L%z"
pri
, host
, ident
, pid
, msgid
, extradata
and message
are included in the event record. time
is used for the event time.pri
value is converted into integer type.<6>Feb 28 12:00:00 192.168.0.1 fluentd[11111]: [error] Syslog test
This incoming event is parsed as:
time:
1362020400 (Feb 28 12:00:00)
record:
{
"pri" : 6,
"host" : "192.168.0.1",
"ident" : "fluentd",
"pid" : "11111",
"message": "[error] Syslog test"
}
<16>1 2013-02-28T12:00:00.003Z 192.168.0.1 fluentd 11111 ID24224 [[email protected] iut="3" eventSource="Application" eventID="11211"] Hi, from Fluentd!
This incoming event is parsed as:
time:
1362052800 (2013-02-28T12:00:00.003Z)
record:
{
"pri" : 16,
"host" : "192.168.0.1",
"ident" : "fluentd",
"pid" : "11111",
"msgid" : "ID24224",
"extradata": "[[email protected] iut=\"3\" eventSource=\"Application\" eventID=\"11211\"]",
"message" : "Hi, from Fluentd!"
}
If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is a open source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.
Last modified 3yr ago