Versions | v0.14 (td-agent3) | v0.12 (td-agent2) | v0.10 (td-agent1)

This page is for v0.14, not the latest stable version which is v0.12. For the latest stable version of this article, click here.


syslog Input Plugin

The in_syslog Input plugin enables Fluentd to retrieve records via the syslog protocol on UDP or TCP.

Example Configuration

in_syslog is included in Fluentd’s core. No additional installation process is required.

<source>
  @type syslog
  port 5140
  bind 0.0.0.0
  tag system
</source>

Please see the Config File article for the basic structure and syntax of the configuration file.

Example Usage

The retrieved data is organized as follows. Fluentd’s tag is generated by the tag parameter (tag prefix), facility level, and priority. The record is parsed by the regexp here.

tag = "#{@tag}.#{facility}.#{priority}"

record = {
  "pri": "0",
  "time": 1353436518,
  "host": "host",
  "ident": "ident",
  "pid": "12345",
  "message": "text"
}

Parameters

@type (required)

The value must be syslog.

tag (required)

The prefix of the tag. The tag itself is generated by the tag prefix, facility level, and priority.

port

The port to listen to. The default is 5140.

bind

The bind address to listen to. The default is 0.0.0.0 (all addresses).

protocol_type

The transport protocol used to receive logs. “udp” and “tcp” are supported. “udp” by default.

message_length_limit

The maximum size of a syslog message, in bytes. The default is 2048. If you send larger messages, change this parameter.

format

Deprecated parameter. Use <parse> instead.

<parse> directive

The format of the log. This option is used to parse non-standard syslog formats using parser plugins.

<source>
  @type syslog
  tag system
  <parse>
    @type FORMAT_PARAMETER
  </parse>
</source>

Your `<parse>` regexp should not consider the 'priority' prefix of the log. For example, if in_syslog receives the log below:

 <1>Feb 20 00:00:00 192.168.0.1 fluentd[11111]: [error] hogehoge

then the format parser receives the following log:

 Feb 20 00:00:00 192.168.0.1 fluentd[11111]: [error] hogehoge

If the <parse>/@type parameter is missing, then the log data is assumed to have the canonical syslog format.

message_format

This parameter is used inside the <parse> directive. The default is rfc3164.

<source>
  @type syslog
  tag system
  <parse>
    message_format rfc5424
  </parse>
</source>

Specifies the protocol format. Supported values are rfc3164, rfc5424 and auto. The default is rfc3164. If your syslog uses rfc5424, use rfc5424 instead.
Here is an example message in each format:

# rfc3164
<6>Feb 28 12:00:00 192.168.0.1 fluentd[11111]: [error] Hello!
# rfc5424
<16>1 2017-02-28T12:00:00.009Z 192.168.0.1 fluentd - - - Hello!

auto is useful when in_syslog receives both rfc3164 and rfc5424 messages on the same source. in_syslog detects the message format from the message prefix and parses it accordingly.
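The following Ruby sketch is an added example, not Fluentd's own code. It shows how the `<PRI>` prefix turns into the tag described under Example Usage, what text is left for the parser once the prefix is stripped, and one way to tell rfc3164 from rfc5424 by the message prefix. The helper name, the keyword tables (conventional syslog names) and the detection rule are assumptions.

```ruby
# Added example (not Fluentd source): derive the Fluentd tag from the <PRI> prefix.
# Assumption: conventional syslog keywords; the plugin's own tables may spell some differently.
FACILITIES = %w[kern user mail daemon auth syslog lpr news uucp cron authpriv ftp
                ntp audit alert clock local0 local1 local2 local3 local4 local5
                local6 local7].freeze
SEVERITIES = %w[emerg alert crit err warning notice info debug].freeze
PRI_RE = /\A<(\d{1,3})>/

# Hypothetical helper. Returns [tag, text_for_parser, format], or nil when the
# line has no valid <PRI> prefix (as when the sender omits it).
def route_syslog_line(line, tag_prefix)
  m = PRI_RE.match(line)
  return nil unless m
  pri = m[1].to_i
  return nil if pri > 191 # 23 * 8 + 7 is the largest PRI syslog defines
  facility = FACILITIES[pri >> 3]    # upper bits: facility code
  severity = SEVERITIES[pri & 0b111] # low three bits: severity
  body = m.post_match                # the parser never sees the <PRI> prefix
  # Assumed detection rule: an rfc5424 header starts with a version number and a space.
  fmt = body.match?(/\A[1-9]\d{0,2} /) ? 'rfc5424' : 'rfc3164'
  ["#{tag_prefix}.#{facility}.#{severity}", body, fmt]
end

# Sample messages taken from this page, plus one constructed line without a prefix.
SAMPLES = [
  '<1>Feb 20 00:00:00 192.168.0.1 fluentd[11111]: [error] hogehoge',
  '<6>Feb 28 12:00:00 192.168.0.1 fluentd[11111]: [error] Hello!',
  '<16>1 2017-02-28T12:00:00.009Z 192.168.0.1 fluentd - - - Hello!',
  'Feb 28 12:00:00 192.168.0.1 fluentd[11111]: no priority prefix'
].freeze

SAMPLES.each do |line|
  tag, body, fmt = route_syslog_line(line, 'system')
  puts tag ? "#{tag} (#{fmt}): #{body}" : "rejected: #{line}"
end
```

The facility and severity come from the sender-supplied prefix, so a tag such as system.auth.err is only as trustworthy as the host that sent the message. Setting source_address_key records the sender's address next to it.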

with_priority

This parameter is used inside the <parse> directive. The default is true in in_syslog.

<source>
  @type syslog
  tag system
  <parse>
    with_priority false
  </parse>
</source>

If with_priority is true, then syslog messages are assumed to be prefixed with a priority tag like “<3>”. This option exists since some syslog daemons output logs without the priority tag preceding the message body.

If you wish to parse syslog messages of arbitrary formats, in_tcp or in_udp are recommended.

source_hostname_key

The field name of the client’s hostname. If set, the client’s hostname is stored in the record under this key. The default is nil (the hostname is not added).

source_address_key

The field name of the client’s address. If set, the client’s address is stored in the record under this key. The default is nil (the address is not added).

priority_key

The field name of the priority. If set, the priority is stored in the record under this key. The default is nil (the priority is not added).

facility_key

The field name of the facility. If set, the facility is stored in the record under this key. The default is nil (the facility is not added).

@log_level option

The @log_level option allows the user to set different levels of logging for each plugin. The supported log levels are: fatal, error, warn, info, debug, and trace.

Please see the logging article for further details.

TCP protocol and message delimiter

This plugin assumes \n as the delimiter character between syslog messages in one TCP connection. If you use a syslog library in your application with protocol_type tcp, add \n to your syslog message.
See also rfc6587.

Last updated: 2017-09-22 18:55:10 +0000
