syslog

This is a community-maintained plugin! It does not ship with Logstash by default, but it is easy to install by running bin/plugin install logstash-output-syslog.

Send events to a syslog server.

You can send messages compliant with RFC3164 or RFC5424. Both UDP and TCP syslog transports are supported.

Synopsis

This plugin supports the following configuration options:

Required configuration options:

syslog {
    facility => ...
    host => ...
    port => ...
    severity => ...
}

Available configuration options:

| Setting | Input type | Required | Default value |
| --- | --- | --- | --- |
| appname | string | No | "LOGSTASH" |
| codec | codec | No | "plain" |
| facility | string, one of ["kernel", "user-level", "mail", "daemon", "security/authorization", "syslogd", "line printer", "network news", "uucp", "clock", "security/authorization", "ftp", "ntp", "log audit", "log alert", "clock", "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"] | Yes | |
| host | string | Yes | |
| msgid | string | No | "-" |
| port | number | Yes | |
| procid | string | No | "-" |
| protocol | string, one of ["tcp", "udp"] | No | "udp" |
| rfc | string, one of ["rfc3164", "rfc5424"] | No | "rfc3164" |
| severity | string, one of ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"] | Yes | |
| sourcehost | string | No | "%{host}" |
| workers | number | No | 1 |

Details

appname

  • Value type is string
  • Default value is "LOGSTASH"

Application name for the syslog message.

codec

  • Value type is codec
  • Default value is "plain"

The codec used for output data. Output codecs are a convenient method for encoding your data before it leaves the output, without needing a separate filter in your Logstash pipeline.

exclude_tags (DEPRECATED)

  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is array
  • Default value is []

Only handle events without any of these tags. Optional.

facility

  • This is a required setting.
  • Value can be any of: kernel, user-level, mail, daemon, security/authorization, syslogd, line printer, network news, uucp, clock, security/authorization, ftp, ntp, log audit, log alert, clock, local0, local1, local2, local3, local4, local5, local6, local7
  • There is no default value for this setting.

Facility label for the syslog message.

host

  • This is a required setting.
  • Value type is string
  • There is no default value for this setting.

Address of the syslog server to connect to.

msgid

  • Value type is string
  • Default value is "-"

Message ID for the syslog message.

port

  • This is a required setting.
  • Value type is number
  • There is no default value for this setting.

Port of the syslog server to connect to.

procid

  • Value type is string
  • Default value is "-"

Process ID for the syslog message.

protocol

  • Value can be any of: tcp, udp
  • Default value is "udp"

Transport protocol used to reach the syslog server. You can choose between udp and tcp.

rfc

  • Value can be any of: rfc3164, rfc5424
  • Default value is "rfc3164"

Syslog message format. You can choose between rfc3164 and rfc5424.

severity

  • This is a required setting.
  • Value can be any of: emergency, alert, critical, error, warning, notice, informational, debug
  • There is no default value for this setting.

Severity label for the syslog message.

sourcehost

  • Value type is string
  • Default value is "%{host}"

Source host for the syslog message.

tags (DEPRECATED)

  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is array
  • Default value is []

Only handle events with all of these tags. Optional.

timestamp (DEPRECATED)

  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is string
  • Default value is "%{@timestamp}"

Timestamp for the syslog message.

type (DEPRECATED)

  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is string
  • Default value is ""

The type to act on. If a type is given, then this output will only act on messages with the same type. See any input plugin’s type attribute for more. Optional.

workers

  • Value type is number
  • Default value is 1

The number of workers to use for this output. Note that this setting may not be useful for all outputs.
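
The facility, severity, rfc, appname, procid, msgid and sourcehost settings above combine into a single wire message, and the receiver recovers facility and severity only from the numeric PRI prefix. The Ruby sketch below is an added example, not the plugin's own code: it assumes each label's position in the lists on this page is its numeric code (as in the RFC 3164/5424 tables) and lays the fields out in the order those RFCs define; `syslog_pri` and `format_syslog` are hypothetical helper names, and the sample event is constructed.

```ruby
require "time"

# Label lists copied from this page. Assumption: a label's position is its
# numeric code, which matches the facility/severity tables in RFC 3164/5424.
FACILITIES = ["kernel", "user-level", "mail", "daemon", "security/authorization",
              "syslogd", "line printer", "network news", "uucp", "clock",
              "security/authorization", "ftp", "ntp", "log audit", "log alert",
              "clock", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"].freeze
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
              "informational", "debug"].freeze

# PRI = facility code * 8 + severity code.
# Duplicate labels resolve to their first position, so "security/authorization"
# gives 4 (never 10) and "clock" gives 9 (never 15) under this lookup.
def syslog_pri(facility, severity)
  f = FACILITIES.index(facility) or raise ArgumentError, "unknown facility #{facility.inspect}"
  s = SEVERITIES.index(severity) or raise ArgumentError, "unknown severity #{severity.inspect}"
  f * 8 + s
end

# Hypothetical helper: renders one event in either format, using this page's
# defaults for appname, procid and msgid.
def format_syslog(rfc:, facility:, severity:, time:, sourcehost:, message:,
                  appname: "LOGSTASH", procid: "-", msgid: "-")
  pri = syslog_pri(facility, severity)
  case rfc
  when "rfc3164"
    # "Mmm dd hh:mm:ss" timestamp with a space-padded day; no year, no zone.
    stamp = time.strftime("%b %e %H:%M:%S")
    "<#{pri}>#{stamp} #{sourcehost} #{appname}[#{procid}]: #{message}"
  when "rfc5424"
    # VERSION 1, ISO 8601 UTC timestamp, "-" for absent STRUCTURED-DATA.
    stamp = time.getutc.iso8601(3)
    "<#{pri}>1 #{stamp} #{sourcehost} #{appname} #{procid} #{msgid} - #{message}"
  else
    raise ArgumentError, "unknown rfc #{rfc.inspect}"
  end
end

# Constructed sample event, printed in both formats when run as a script.
if __FILE__ == $PROGRAM_NAME
  t = Time.utc(2015, 3, 7, 9, 5, 2)
  %w[rfc3164 rfc5424].each do |rfc|
    puts format_syslog(rfc: rfc, facility: "security/authorization", severity: "warning",
                       time: t, sourcehost: "web01", message: "login failed for admin")
  end
end
```

Comparing the PRI a collector logs against the value computed here is a quick check that facility-based routing or alerting rules on the receiving side match what the output was configured to send.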