The syslog input starts a server that listens for syslog messages. It supports several transport protocols, but it does not parse the received lines. To parse syslog messages, use the syslog parser processor.

UDP Syslog server with buffer flow control

"inputs" : {
  "syslog" : {
    "type" : "syslog",
    "maxPending" : 1000,
    "buffer" : true,
    "config" : {
      "url" : "udp://0.0.0.0:514"
    }
  }
}

TCP Syslog server without buffer flow control

"inputs" : {
  "syslog" : {
    "type" : "syslog",
    "maxPending" : 1000,
    "buffer" : false,
    "config" : {
      "url" : "tcp://0.0.0.0:514"
    }
  }
}

Secure TLS Syslog server with private key and certificate

"inputs" : {
  "syslog" : {
    "type" : "syslog",
    "maxPending" : 1000,
    "config" : {
      "url" : "tls://0.0.0.0:1514",
      "tls" : {
        "key" : "./config/server.key",
        "cert" : "./config/server.crt",
        "rejectUnauthorized" : false
      }
    }
  }
}

- url : Server URL bind pattern. Takes the form of <protocol>://<bind host>:<bind port>. Allowed protocols are: udp, udp6, tcp, tcp6, tls, and tls6.
- maxPending : Maximum number of pending messages in the buffer. Defaults to 1000.
- buffer : Boolean. If true, enables buffering of incoming messages.
- tls : Object passed to the TLS server socket, as described in the Node.js documentation. Includes:
  - key : Path to the private key file.
  - cert : Path to the certificate file.
  - rejectUnauthorized : Boolean. If false, allows self-signed certificates.
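
A pre-deployment check for the options above, as an added example that is not part of the project's own code. `lintSyslogInputs` and its warning texts are hypothetical, and the sample configuration is constructed from the page's UDP and TLS examples; the check parses the url bind pattern, applies the documented maxPending default, and lists settings an operator should review.

```javascript
// Added example: lint for the "inputs" section described on this page.
// lintSyslogInputs and its warning texts are hypothetical, not a project API.
const ALLOWED = ['udp', 'udp6', 'tcp', 'tcp6', 'tls', 'tls6'];

function lintSyslogInputs(inputs) {
  const report = [];
  for (const [id, input] of Object.entries(inputs)) {
    if (input.type !== 'syslog') continue;
    const cfg = input.config || {};
    const issues = [];
    // url takes the form <protocol>://<bind host>:<bind port>
    const m = /^([a-z0-9]+):\/\/(.+):(\d+)$/.exec(cfg.url || '');
    if (!m) {
      report.push({ id, issues: ['url does not match <protocol>://<bind host>:<bind port>'] });
      continue;
    }
    const [, protocol, host, portText] = m;
    const port = Number(portText);
    if (!ALLOWED.includes(protocol)) issues.push(`protocol "${protocol}" is not allowed`);
    if (port < 1 || port > 65535) issues.push(`port ${port} is out of range`);
    else if (port < 1024) issues.push(`port ${port} needs elevated privileges on most Unix-like systems`);
    if (host === '0.0.0.0' || host === '::') issues.push('listens on every interface');
    if (protocol.startsWith('tls')) {
      const tls = cfg.tls || {};
      if (!tls.key || !tls.cert) issues.push('tls transport without key and cert paths');
      if (tls.rejectUnauthorized === false) issues.push('rejectUnauthorized is false: self-signed certificates are allowed');
    } else if (ALLOWED.includes(protocol)) {
      issues.push('messages travel in cleartext');
    }
    const maxPending = input.maxPending === undefined ? 1000 : input.maxPending; // documented default
    if (!Number.isInteger(maxPending) || maxPending < 1) issues.push('maxPending is not a positive integer');
    report.push({ id, protocol, host, port, maxPending, issues });
  }
  return report;
}

// Constructed sample mirroring the page's UDP and TLS examples, plus one malformed url.
const sample = {
  plain: { type: 'syslog', buffer: true, config: { url: 'udp://0.0.0.0:514' } },
  secure: { type: 'syslog', maxPending: 500, config: { url: 'tls://0.0.0.0:1514',
    tls: { key: './config/server.key', cert: './config/server.crt', rejectUnauthorized: false } } },
  broken: { type: 'syslog', config: { url: 'http://localhost' } }
};
console.log(JSON.stringify(lintSyslogInputs(sample), null, 2));
```
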

Each syslog message will generate an object with the following schema:

{
  id : '<input ID>',
  type : 'syslog',
  timestamp : Date.now(),
  originalMessage : '<syslog message>',
  server : {
    protocol : '<bind protocol>',
    port : '<bind port>',
    host : '<bind host>'
  },
  client : {
    address : '<client address>',
    port : '<client port>' // Added client port for completeness
  }
}