syslog

edit

This is a community-maintained plugin! It does not ship with Logstash by default, but it is easy to install by running bin/logstash-plugin install logstash-output-syslog.

Send events to a syslog server.

You can send messages compliant with RFC3164 or RFC5424 using either UDP or TCP as the transport protocol.

By default the contents of the message field will be shipped as the free-form message text part of the emitted syslog message. If your messages don’t have a message field or if you for some other reason want to change the emitted message, modify the message configuration option.

 

Synopsis

edit

This plugin supports the following configuration options:

Required configuration options:

syslog {
    facility => ...
    host => ...
    port => ...
    severity => ...
}

Available configuration options:

Setting Input type Required Default value

appname

string

No

"LOGSTASH"

codec

codec

No

"plain"

facility

string, one of ["kernel", "user-level", "mail", "daemon", "security/authorization", "syslogd", "line printer", "network news", "uucp", "clock", "security/authorization", "ftp", "ntp", "log audit", "log alert", "clock", "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

Yes

host

string

Yes

message

string

No

"%{message}"

msgid

string

No

"-"

port

number

Yes

procid

string

No

"-"

protocol

string, one of ["tcp", "udp"]

No

"udp"

rfc

string, one of ["rfc3164", "rfc5424"]

No

"rfc3164"

severity

string, one of ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"]

Yes

sourcehost

string

No

"%{host}"

workers

number

No

1

Details

edit

 

appname

edit
  • Value type is string
  • Default value is "LOGSTASH"

application name for syslog message

codec

edit
  • Value type is codec
  • Default value is "plain"

The codec used for output data. Output codecs are a convenient method for encoding your data before it leaves the output, without needing a separate filter in your Logstash pipeline.

facility

edit
  • This is a required setting.
  • Value can be any of: kernel, user-level, mail, daemon, security/authorization, syslogd, line printer, network news, uucp, clock, security/authorization, ftp, ntp, log audit, log alert, clock, local0, local1, local2, local3, local4, local5, local6, local7
  • There is no default value for this setting.

facility label for syslog message

host

edit
  • This is a required setting.
  • Value type is string
  • There is no default value for this setting.

syslog server address to connect to

message

edit
  • Value type is string
  • Default value is "%{message}"

message text to log

msgid

edit
  • Value type is string
  • Default value is "-"

message id for syslog message

port

edit
  • This is a required setting.
  • Value type is number
  • There is no default value for this setting.

syslog server port to connect to

procid

edit
  • Value type is string
  • Default value is "-"

process id for syslog message

protocol

edit
  • Value can be any of: tcp, udp
  • Default value is "udp"

syslog server protocol. you can choose between udp and tcp

rfc

edit
  • Value can be any of: rfc3164, rfc5424
  • Default value is "rfc3164"

syslog message format: you can choose between rfc3164 or rfc5424

severity

edit
  • This is a required setting.
  • Value can be any of: emergency, alert, critical, error, warning, notice, informational, debug
  • There is no default value for this setting.

severity label for syslog message

sourcehost

edit
  • Value type is string
  • Default value is "%{host}"

source host for syslog message

timestamp (DEPRECATED)

edit
  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is string
  • Default value is "%{@timestamp}"

timestamp for syslog message

workers

edit
  • Value type is number
  • Default value is 1

The number of workers to use for this output. Note that this setting may not be useful for all outputs.