Syslog Receiver
Parses Syslogs received over TCP or UDP.
Configuration
Field |
Default |
Description |
tcp |
nil |
Defined tcp_input operator. (see the TCP configuration section) |
udp |
nil |
Defined udp_input operator. (see the UDP configuration section) |
protocol |
required |
The protocol to parse the syslog messages as. Options are rfc3164 and rfc5424 |
location |
UTC |
The geographic location (timezone) to use when parsing the timestamp (Syslog RFC 3164 only). The available locations depend on the local IANA Time Zone database. This page contains many examples, such as America/New_York . |
enable_octet_counting |
false |
Wether or not to enable RFC 6587 Octet Counting on syslog parsing (Syslog RFC 5424 and TCP only). |
allow_skip_pri_header |
false |
Allow parsing records without the PRI header. If this setting is enabled, messages without the PRI header will be successfully parsed. The SeverityNumber and SeverityText fields as well as the priority and facility attributes will not be set on the log record. If this setting is disabled (the default), messages without PRI header will throw an exception. To set this setting to true , the enable_octet_counting setting must be false . |
non_transparent_framing_trailer |
nil |
The framing trailer, either LF or NUL , when using RFC 6587 Non-Transparent-Framing (Syslog RFC 5424 and TCP only). |
attributes |
{} |
A map of key: value labels to add to the entry's attributes |
resource |
{} |
A map of key: value labels to add to the entry's resource |
operators |
[] |
An array of operators. See below for more details |
retry_on_failure.enabled |
false |
If true , the receiver will pause reading a file and attempt to resend the current batch of logs if it encounters an error from downstream components. |
retry_on_failure.initial_interval |
1 second |
Time to wait after the first failure before retrying. |
retry_on_failure.max_interval |
30 seconds |
Upper bound on retry backoff interval. Once this value is reached the delay between consecutive retries will remain constant at the specified value. |
retry_on_failure.max_elapsed_time |
5 minutes |
Maximum amount of time (including retries) spent trying to send a logs batch to a downstream consumer. Once this value is reached, the data is discarded. Retrying never stops if set to 0 . |
Operators
Each operator performs a simple responsibility, such as parsing a timestamp or JSON. Chain together operators to process logs into a desired format.
- Every operator has a
type
.
- Every operator can be given a unique
id
. If you use the same type of operator more than once in a pipeline, you must specify an id
. Otherwise, the id
defaults to the value of type
.
- Operators will output to the next operator in the pipeline. The last operator in the pipeline will emit from the receiver. Optionally, the
output
parameter can be used to specify the id
of another operator to which logs will be passed directly.
- Only parsers and general purpose operators should be used.
UDP Configuration
Field |
Default |
Description |
listen_address |
required |
A listen address of the form <ip>:<port> |
TCP Configuration
Field |
Default |
Description |
max_buffer_size |
1024kib |
Maximum size of buffer that may be allocated while reading TCP input |
listen_address |
required |
A listen address of the form <ip>:<port> |
tls |
|
An optional TLS configuration (see the TLS configuration section) |
TLS Configuration
The tcp_input
operator supports TLS, disabled by default.
Field |
Default |
Description |
cert_file |
|
Path to the TLS cert to use for TLS required connections. |
key_file |
|
Path to the TLS key to use for TLS required connections. |
ca_file |
|
Path to the CA cert. For a client this verifies the server certificate. For a server this verifies client certificates. If empty uses system root CA. |
client_ca_file |
|
(optional) Path to the TLS cert to use by the server to verify a client certificate. This sets the ClientCAs and ClientAuth to RequireAndVerifyClientCert in the TLSConfig. Please refer to godoc.org/crypto/tls#Config for more information. |
Additional Terminology and Features
- An entry is the base representation of log data as it moves through a pipeline. All operators either create, modify, or consume entries.
- A field is used to reference values in an entry.
- A common expression syntax is used in several operators. For example, expressions can be used to filter or route entries.
Parsers with Embedded Operations
Many parsers operators can be configured to embed certain followup operations such as timestamp and severity parsing. For more information, see complex parsers.
Example Configurations
TCP Configuration:
receivers:
syslog:
tcp:
listen_address: "0.0.0.0:54526"
protocol: rfc5424
UDP Configuration:
receivers:
syslog:
udp:
listen_address: "0.0.0.0:54526"
protocol: rfc3164
location: UTC