Syslog
Overview
Syslog parses syslog messages accepted over TCP or UDP.
Supported platforms
- Linux: Logs
- Windows: Logs
- macOS: Logs
Listen Address
Basic configuration defines the network endpoint where the syslog source listens for incoming messages.
| Parameter | Default Value | Required | Description |
|---|---|---|---|
| listen_address | 0.0.0.0:514 | Yes | The network address and port on which the syslog source listens for incoming messages. Example: 0.0.0.0:514. |
Protocol Settings
Protocol settings define the syslog message format and the network transport protocol used to receive incoming syslog messages.
| Parameter | Default Value | Required | Description |
|---|---|---|---|
| protocol | RFC5424 | Yes | The syslog protocol standard used to parse incoming messages. Supported values: Unknown, RFC3164, RFC6587, RFC5424. |
| transport_protocol | tcp | Yes | The network protocol used to receive syslog messages. Supported values: tcp, udp. |
| encoding | utf-8 | No | The character encoding of the data being read. Valid values are: utf, utf-16, ascii. |
| add_net_attributes | false | No | Adds network-related metadata such as client IP and port to the log entries. |
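To make the protocol and framing choices above concrete, here is an added example (not the collector's own code) that builds an RFC 6587 octet-counted frame around an RFC 5424 message, splits a TCP byte stream back into frames while enforcing a max_line_size, and parses the RFC 5424 header. The sample message, the regular expression and the drop-reason names (borrowed from the metrics section of this page) are illustrative assumptions.

```python
import re
from typing import Optional

# Constructed sample RFC 5424 message: PRI 134 = facility 16 (local0), severity 6 (info).
SAMPLE_MSG = ("<134>1 2024-05-01T12:00:00Z host01 sshd 4711 - "
              "- Accepted publickey for alice from 192.0.2.10")

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG.
RFC5424_RE = re.compile(r"^<(\d{1,3})>(\d+) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$")

def frame_rfc6587(msg: str) -> bytes:
    """Octet-counting framing (RFC 6587 section 3.4.1): MSG-LEN SP SYSLOG-MSG."""
    body = msg.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body

def split_rfc6587(stream: bytes, max_line_size: int) -> tuple[list[str], list[str]]:
    """Split a TCP byte stream of octet-counted frames into (messages, drop_reasons).
    Illustrative logic, not the collector's; reason names mirror this page's metrics."""
    messages: list[str] = []
    dropped: list[str] = []
    pos = 0
    while pos < len(stream):
        header = re.match(rb"(\d+) ", stream[pos:])
        if header is None:
            dropped.append("invalid_format")   # no MSG-LEN prefix: stream is desynchronised
            break
        length = int(header.group(1))
        start = pos + header.end()
        body = stream[start:start + length]
        if len(body) < length:                 # a real reader would wait up to read_timeout
            dropped.append("partial_frame_timeout")
            break
        pos = start + length
        if length > max_line_size:             # frame exceeds the configured max_line_size
            dropped.append("line_too_long")
            continue
        messages.append(body.decode("utf-8"))
    return messages, dropped

def parse_rfc5424(msg: str) -> Optional[dict]:
    """Parse the RFC 5424 header fields; returns None if the message does not match."""
    m = RFC5424_RE.match(msg)
    if m is None:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "version": int(m.group(2)),
            "timestamp": m.group(3), "hostname": m.group(4), "appname": m.group(5),
            "procid": m.group(6), "msgid": m.group(7), "sd_and_msg": m.group(8)}
```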
TCP Settings
These settings are applied only when the Transport Protocol is set to tcp.
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| max_line_size | int | 1024 | Maximum size of a single syslog message in bytes. |
| read_timeout | duration | 5s | Timeout duration for reading data from a TCP connection. |
| enable_tls | bool | false | Enables TLS encryption for incoming TCP syslog connections. |
| min_version | string | none | Defines the minimum TLS version accepted for secure connections (TLS 1.2 and above are supported). |
| cert_file | string | none | Path to the TLS certificate file used by the server. |
| key_file | string | none | Path to the TLS private key file used by the server. |
| client_ca_file | string | none | Path to the client CA certificate file used to verify client certificates for mutual TLS (mTLS). |
| insecure_skip_verify | bool | false | Whether to skip verification of the server's certificate. |
UDP Settings
These settings are applied only when the Transport Protocol is set to udp.
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| async_readers | int | 4 | Number of asynchronous reader threads used to process incoming UDP syslog messages. Increasing this value can improve throughput when handling high log volumes. |
Message Handling
Message handling controls how the syslog source processes incoming messages and how errors are handled during parsing.
| Parameter | Default Value | Required | Description |
|---|---|---|---|
| multiline | false | No | Enables processing of multiline syslog messages. When enabled, related log lines can be grouped and processed as a single log entry. |
| on_error | drop | Yes | Defines the action taken when an error occurs while processing a syslog message. Supported values: drop, send, drop_quiet, send_quiet. |
Example Configuration
```jsonc
{
  "listen_address": "0.0.0.0:514",   // required, default: "0.0.0.0:514"
  "transport_protocol": "tcp",       // required, default: "tcp"
  "protocol": "RFC5424",             // required, default: "RFC5424"
  "on_error": "drop",                // required, default: "drop"
  "max_line_size": 1024,             // default: 1024
  "encoding": "utf-8",               // default: "utf-8"
  "add_net_attributes": false,       // default: false
  "max_queue_length": 1024,          // default: 1024
  "max_connections": 512,            // default: 512
  "read_timeout": "5s",              // default: "5s"
  "async_max_queue_length": 8192,    // default: 8192
  "async_readers": 4,                // default: 4
  "tls": {
    "enable_tls": false,             // default: false
    "cert_file": "",                 // default: none
    "key_file": "",                  // default: none
    "client_ca_file": "",            // default: none
    "insecure_skip_verify": false,   // default: false
    "min_version": "1.2"             // default: "1.2"
  },
  "multiline": {
    "enabled": false,                // default: false
    "pattern_mode": "start",         // default: "start"
    "line_start_pattern": "",        // default: none
    "line_end_pattern": "",          // default: none
    "omit_pattern": false            // default: false
  }
}
```
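The example configuration above is the default, and several of its settings matter for confidentiality, peer authentication and auditability. The following added check (not part of the collector or its documentation) walks a configuration in that JSON shape and reports the settings a reviewer would flag; the finding codes and the EXAMPLE_CONFIG dictionary are constructed for this example.

```python
from typing import Any

# Constructed: mirrors the example configuration on this page (only the fields checked below).
EXAMPLE_CONFIG: dict[str, Any] = {
    "listen_address": "0.0.0.0:514",
    "transport_protocol": "tcp",
    "protocol": "RFC5424",
    "on_error": "drop",
    "add_net_attributes": False,
    "tls": {"enable_tls": False, "cert_file": "", "key_file": "",
            "client_ca_file": "", "insecure_skip_verify": False, "min_version": "1.2"},
}

def _version_tuple(v: Any) -> tuple[int, ...]:
    """'1.2' -> (1, 2); the table default 'none' (or anything unparsable) -> (0,)."""
    try:
        return tuple(int(p) for p in str(v).split("."))
    except ValueError:
        return (0,)

def check_syslog_config(cfg: dict[str, Any]) -> set[str]:
    """Return a set of finding codes for settings that weaken the syslog listener."""
    findings: set[str] = set()
    tls = cfg.get("tls") or {}
    if str(cfg.get("listen_address", "")).startswith("0.0.0.0:"):
        findings.add("bind_all_interfaces")          # listener reachable on every interface
    if cfg.get("transport_protocol") == "udp":
        findings.add("udp_unauthenticated")          # no TLS possible; sender address is spoofable
    elif not tls.get("enable_tls", False):
        findings.add("cleartext_tcp")                # log content crosses the network unencrypted
    else:
        if not tls.get("cert_file") or not tls.get("key_file"):
            findings.add("tls_missing_cert_or_key")  # TLS enabled but nothing to serve
        if _version_tuple(tls.get("min_version")) < (1, 2):
            findings.add("tls_min_version_below_1_2")
        if tls.get("insecure_skip_verify"):
            findings.add("tls_verification_disabled")
        if not tls.get("client_ca_file"):
            findings.add("no_mtls_client_auth")      # any peer can deliver logs
    if str(cfg.get("on_error", "drop")).endswith("_quiet"):
        findings.add("silent_error_handling")        # parse failures leave no trace
    if not cfg.get("add_net_attributes", False):
        findings.add("no_client_net_attributes")     # client IP/port not recorded with entries
    return findings
```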
Metrics
Syslog records operational metrics to monitor connection activity, message ingestion, parsing behavior, and error conditions when receiving syslog messages over TCP or UDP.
| Metric Name | Description |
|---|---|
| collector_source_records_received_total | Total number of syslog records received by the source. This includes raw messages received over TCP or UDP connections and successfully parsed log messages (labels: logs, logs_parsed). |
| collector_source_bytes_received_total | Total number of bytes received from syslog messages over the configured transport protocol (TCP or UDP). |
| collector_source_records_dropped_total | Counts syslog records that were dropped during processing. Possible reasons include invalid_format, downstream_error, line_too_long, partial_frame_timeout, encoding_error, backpressure and udp_overflow. |
| collector_source_parse_errors_total | Counts errors encountered while parsing syslog messages. Possible reasons include protocol_detection, rfc3164, rfc5424 and udp_scanner. |
| collector_source_errors_total | Counts operational errors encountered by the source. Possible reasons include consume_failed, queue_full, scanner_error, read_timeout, set_read_deadline_failed, accept_connection_error and tls_handshake_failed. |
| collector_source_connections_total | Total number of TCP client connections accepted by the syslog source. |
| collector_source_connections_closed_total | Total number of TCP client connections that were closed after processing. |
| collector_source_connections_active | Current number of active TCP connections being handled by the syslog source. |