UDP
Overview
The UDP integration accepts logs over UDP.
Supported platforms
- Linux:
Logs - Windows:
Logs - macOS:
Logs
Listen Address
| Parameter | Default Value | Required | Description |
|---|---|---|---|
| listen_address | 0.0.0.0:514 | Yes | The network address and port on which the UDP source listens for incoming messages. Example: 0.0.0.0:514. |
Multiline Configuration
Multiline configuration allows the source to combine multiple related log lines into a single log entry.
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| enabled | bool | false | Enables or disables multiline log processing. When enabled, the source groups multiple log lines into a single log entry based on the configured patterns. |
| line_start_pattern | string | none | Regex pattern that matches the beginning of a log entry, for handling multiline logs. |
| line_end_pattern | string | none | Regex pattern that matches the end of a log entry, useful for terminating parsing of multiline logs. |
Advanced Configuration
The advanced configuration section allows fine-tuning of how UDP handles incoming connections, message buffering, and log parsing limits.
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| encoding | string | utf-8 | The encoding of the files being read. Valid values are: nop, utf-8, utf-8-raw,utf-16le, utf-16be, ascii, and big5 |
| max_queue_length | int | 2000 | Parsed-message channel depth. Default raised from 100 in v0.3. Increase if downstream processing is slower than the ingest rate. Drives udp_overflow drops when full. |
Performance
High-throughput tuning knobs added in v0.3. Defaults are safe for low-volume listeners; raise these when sustaining 100k+ EPS or when udp_overflow drops appear on the host.
| Parameter | Type | Default | Description |
|---|---|---|---|
async_readers | int | 20 | Number of goroutines reading raw packets off the UDP socket. Increase when the kernel receive buffer is saturating. |
parse_workers | int | 20 | Number of goroutines decoding and splitting raw packets. Decoupled from socket readers so slow encoding never blocks the reader from draining the OS kernel buffer. |
socket_recv_buffer_bytes | int | 8388608 | OS kernel UDP receive buffer (SO_RCVBUF) in bytes. Default 8 MB. Raise to 33554432 (32 MB) or higher for 100k+ EPS — also requires sysctl net.core.rmem_max on the host. Equivalent to Fluent Bit receive_buffer_size / Vector receive_buffer_bytes. |
max_packet_size_bytes | int | 65536 | Maximum UDP datagram size in bytes. Packets larger than this are truncated. Raise for devices that send jumbo syslog payloads. |
Example Configuration
{
"listen_address": "0.0.0.0:514", // required, default: "0.0.0.0:514"
"multiline": {
"enabled": false, // default: false
"line_start_pattern": "", // conditionally required if multiline.enabled = true and start mode is used
"line_end_pattern": "", // conditionally required if multiline.enabled = true and end mode is used
},
"advanced": {
// required
"encoding": "utf-8", // required, default: "utf-8"
"async_readers": 20, // default: 20
"parse_workers": 20, // default: 20
"max_queue_length": 2000, // default: 2000
"socket_recv_buffer_bytes": 33554432, // 32 MB — also raise net.core.rmem_max
"max_packet_size_bytes": 65536, // default: 65536
},
}
Metrics Covered
| Metric Name | Description |
|---|---|
collector_source_records_received_total | Total number of log records received by the UDP source. This includes messages successfully read from UDP packets and forwarded to the processing pipeline (logs). |
collector_source_bytes_received_total | Total number of bytes received from incoming UDP log messages. |
collector_source_records_dropped_total | Counts log records that were dropped during processing. Possible reasons include downstream_error encoding_error invalid_format and udp_overflow |
collector_source_parse_errors_total | Counts errors encountered while parsing UDP messages. Possible reason includes udp_scanner |
collector_source_errors_total | Counts operational errors encountered by the UDP source. Possible reasons include consume_failed and start_failed |