TCP
Overview
The TCP integration accepts logs over TCP.
Supported platforms
- Linux:
Logs - Windows:
Logs - macOS:
Logs
Listen Address
| Parameter | Default Value | Required | Description |
|---|---|---|---|
| listen_address | 0.0.0.0:514 | Yes | The network address and port on which the TCP source listens for incoming messages. Example: 0.0.0.0:514. |
Framing
| Parameter | Type | Default | Description |
|---|---|---|---|
octet_counted_framing | bool | false | Enable RFC 6587 §3.4.1 octet-counted TCP framing (<MSGLEN> <MSG>). Required for reliable syslog-over-TCP with embedded newlines. When enabled, Multiline configuration is ignored. |
Multiline Configuration
Multiline configuration allows the source to combine multiple related log lines into a single log entry.
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| enabled | bool | false | Enables or disables multiline log processing. When enabled, the source groups multiple log lines into a single log entry based on the configured patterns. |
| line_start_pattern | string | none | Regex pattern that matches the beginning of a log entry, for handling multiline logs. |
| line_end_pattern | string | none | Regex pattern that matches the end of a log entry, useful for terminating parsing of multiline logs. |
TLS Configuration
The tcp source supports TLS, disabled by default.
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| enabled | bool | false | Enables TLS encryption for incoming TCP syslog connections. |
| min_version | string | none | Defines the minimum TLS version accepted for secure connections. (supports TLS versions 1.2 and above. ) |
| cert_file | string | none | Path to the TLS certificate file used by the server. |
| key_file | string | none | Path to the TLS private key file used by the server. |
| client_ca_file | string | none | Path to the client CA certificate file used to verify client certificates for mutual TLS (mTLS). |
Advanced Configuration
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| max_log_size | string | 1MiB | The maximum size of a log entry to read before failing. Protects against reading large amounts of data into memory |
| encoding | string | utf-8 | The encoding of the files being read. Valid values are: nop, utf-8, utf-8-raw,utf-16le, utf-16be, ascii, and big5 |
| max_connections | int | 1000 | Maximum number of concurrent client connections that the source will accept. Default raised from 100 in v0.3. |
| max_queue_length | int | 10000 | Maximum number of parsed messages that can be buffered in the internal queue before being processed by downstream components. Default raised from 100 in v0.3. |
| read_timeout | duration | 30s | Maximum duration the source waits for data to be read from a TCP connection before timing out. |
Performance
High-throughput tuning knobs added in v0.3. Defaults are safe for low-volume sources; raise these when sustaining 10k+ EPS per listener or when kernel-side packet drops appear on the host.
| Parameter | Type | Default | Description |
|---|---|---|---|
num_workers | int | 0 | Number of goroutines draining the message queue. 0 = auto (one per CPU core). Increase if downstream ConsumeLogs is slow. Batching is handled downstream by the batch processor. |
socket_receive_buffer_size | int (B) | 0 | Per-connection SO_RCVBUF in bytes. 0 = OS default. Set to 4194304 (4 MB) or higher for high-throughput sources to prevent kernel-side packet drops. Equivalent to syslog-ng so-rcvbuf / Vector receive_buffer_bytes. |
max_reads_per_conn | int | 0 | Yield the Go scheduler after this many consecutive reads on a single connection. Prevents a single high-volume sender from starving others. 0 = unlimited. Equivalent to rsyslog StarvationProtection.MaxReads. |
message_send_timeout | duration | 5s | How long to wait when the internal queue is full before dropping a message. Increase when processing spikes cause queue saturation. |
TCP Keep Alive
Probes accepted connections to detect dead peers and release stale state. Disabled by default.
| Parameter | Type | Default | Description |
|---|---|---|---|
enabled | bool | false | Enable TCP keep-alive probes on accepted connections. |
idle | duration | 60s | Time a connection must be idle before the first keep-alive probe is sent. |
interval | duration | 30s | Time between successive keep-alive probes. |
count | int | 3 | Number of unacknowledged probes before the connection is declared dead and closed. |
Example Configuration
{
"listen_address": "0.0.0.0:514", // required, default: "0.0.0.0:514"
"multiline": {
"enabled": false, // default: false
"line_start_pattern": "", // default: none
"line_end_pattern": "", // default: none
},
"tls": {
"enabled": false, // default: false
"key_file": "", // default: none
"cert_file": "", // default: none
"min_version": "1.3", // default: "1.3"
"client_ca_file": "", // default: none
},
"advanced": {
// required
"encoding": "utf-8", // required, default: "utf-8"
"max_log_size": "1MiB", // required, default: "1MiB"
"read_timeout": "30s", // required, default: "30s"
"max_connections": 1000, // required, default: 1000
"max_queue_length": 10000, // required, default: 10000
},
"octet_counted_framing": false, // default: false
"performance": {
"num_workers": 0, // 0 = one per CPU core
"socket_receive_buffer_size": 4194304, // 4 MB per connection
"max_reads_per_conn": 0,
"message_send_timeout": "5s",
},
"keep_alive": {
"enabled": false,
"idle": "60s",
"interval": "30s",
"count": 3,
},
}
Metrics Covered
| Metric Name | Description |
|---|---|
collector_source_records_received_total | Total number of log records received by the TCP source. This includes messages successfully read from TCP connections and forwarded to the processing pipeline (logs). |
collector_source_bytes_received_total | Total number of bytes received from incoming TCP log messages. |
collector_source_records_dropped_total | Counts log records dropped during processing. Possible reasons include downstream_error line_too_long partial_frame_timeout encoding_error and backpressure . |
collector_source_errors_total | Counts operational errors encountered by the TCP source. Possible reasons include consume_failed queue_full scanner_error read_timeout set_read_deadline_failed accept_connection_error tls_handshake_failed start_failed |
collector_source_connections_total | Total number of TCP client connections accepted by the TCP source. |
collector_source_connections_closed_total | Total number of TCP client connections closed after processing. |
collector_source_connections_active | Current number of active TCP client connections being handled by the TCP source. |