syslog

  • Version: 3.0.1
  • Released on: 2016-07-14
  • Changelog
  • Compatible: 5.1.1.1, 5.0.0, 2.4.1, 2.4.0, 2.3.4

This plugin does not ship with Logstash by default, but it is easy to install by running bin/logstash-plugin install logstash-output-syslog.

Send events to a syslog server.

You can send messages compliant with RFC3164 or RFC5424 using either UDP or TCP as the transport protocol.

By default, the contents of the message field are shipped as the free-form message text of the emitted syslog message. If your messages don’t have a message field, or if you want to change the emitted message for some other reason, modify the message configuration option.

Synopsis

This plugin supports the following configuration options:

Required configuration options:

syslog {
    host => ...
    port => ...
}

Available configuration options:

| Setting | Input type | Required | Default value |
|---|---|---|---|
| appname | string | No | "LOGSTASH" |
| codec | codec | No | "plain" |
| enable_metric | boolean | No | true |
| facility | string | No | "user-level" |
| host | string | Yes | |
| id | string | No | |
| message | string | No | "%{message}" |
| msgid | string | No | "-" |
| port | number | Yes | |
| priority | string | No | "%{syslog_pri}" |
| procid | string | No | "-" |
| protocol | string, one of ["tcp", "udp", "ssl-tcp"] | No | "udp" |
| reconnect_interval | number | No | 1 |
| rfc | string, one of ["rfc3164", "rfc5424"] | No | "rfc3164" |
| severity | string | No | "notice" |
| sourcehost | string | No | "%{host}" |
| ssl_cacert | a valid filesystem path | No | |
| ssl_cert | a valid filesystem path | No | |
| ssl_key | a valid filesystem path | No | |
| ssl_key_passphrase | password | No | nil |
| ssl_verify | boolean | No | false |
| use_labels | boolean | No | true |
| workers | string | No | 1 |

Details

appname
  • Value type is string
  • Default value is "LOGSTASH"

Application name for the syslog message. The new value can include %{foo} strings to help you build a new value from other parts of the event.

codec

  • Value type is codec
  • Default value is "plain"

The codec used for output data. Output codecs are a convenient method for encoding your data before it leaves the output, without needing a separate filter in your Logstash pipeline.

enable_metric

  • Value type is boolean
  • Default value is true

Disable or enable metric logging for this specific plugin instance. By default we record all the metrics we can, but you can disable metrics collection for a specific plugin.

facility

  • Value type is string
  • Default value is "user-level"

Facility label for the syslog message. Falls back to user-level by default, as in RFC 3164. The new value can include %{foo} strings to help you build a new value from other parts of the event.

host

  • This is a required setting.
  • Value type is string
  • There is no default value for this setting.

Syslog server address to connect to.

id

  • Value type is string
  • There is no default value for this setting.

Add a unique ID to the plugin instance. This ID is used for tracking information for a specific configuration of the plugin.

output {
 stdout {
   id => "ABC"
 }
}

If you don’t explicitly set this variable, Logstash will generate a unique name.

message

  • Value type is string
  • Default value is "%{message}"

Message text to log. The new value can include %{foo} strings to help you build a new value from other parts of the event.

msgid

  • Value type is string
  • Default value is "-"

Message ID for the syslog message. The new value can include %{foo} strings to help you build a new value from other parts of the event.

port

  • This is a required setting.
  • Value type is number
  • There is no default value for this setting.

Syslog server port to connect to.

priority

  • Value type is string
  • Default value is "%{syslog_pri}"

Syslog priority. The new value can include %{foo} strings to help you build a new value from other parts of the event.

procid

  • Value type is string
  • Default value is "-"

Process ID for the syslog message. The new value can include %{foo} strings to help you build a new value from other parts of the event.

protocol

  • Value can be any of: tcp, udp, ssl-tcp
  • Default value is "udp"

Syslog server protocol. You can choose between udp, tcp and ssl/tls over tcp.

reconnect_interval

  • Value type is number
  • Default value is 1

Retry interval, in seconds, when the connection fails.

rfc

  • Value can be any of: rfc3164, rfc5424
  • Default value is "rfc3164"

Syslog message format: you can choose between rfc3164 and rfc5424.

severity

  • Value type is string
  • Default value is "notice"

Severity label for the syslog message. Falls back to notice by default, as in RFC 3164. The new value can include %{foo} strings to help you build a new value from other parts of the event.

sourcehost

  • Value type is string
  • Default value is "%{host}"

Source host for the syslog message. The new value can include %{foo} strings to help you build a new value from other parts of the event.

ssl_cacert

  • Value type is path
  • There is no default value for this setting.

The SSL CA certificate, chainfile or CA path. The system CA path is automatically included.

ssl_cert

  • Value type is path
  • There is no default value for this setting.

SSL certificate path

ssl_key

  • Value type is path
  • There is no default value for this setting.

SSL key path

ssl_key_passphrase

  • Value type is password
  • Default value is nil

SSL key passphrase

ssl_verify

  • Value type is boolean
  • Default value is false

Verify the identity of the other end of the SSL connection against the CA.
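
With the defaults listed on this page (protocol "udp", ssl_verify false), events are sent unencrypted, and switching to ssl-tcp alone still does not check the server's identity against a CA. The configuration below is an added example, not part of the plugin's documentation, that puts the default-equivalent output beside one using ssl-tcp with ssl_verify enabled; the hostname, ports and file paths are placeholders chosen for illustration.

```logstash
# (A) Default-equivalent settings, shown commented out for comparison:
#     protocol "udp", rfc "rfc3164", ssl_verify false.
#     Events cross the network unencrypted and unauthenticated.
#
# output {
#   syslog {
#     host => "syslog.example.internal"   # placeholder hostname
#     port => 514                         # placeholder port
#   }
# }

# (B) TLS transport with the server certificate verified against a CA.
output {
  syslog {
    host       => "syslog.example.internal"         # placeholder hostname
    port       => 6514                              # placeholder port
    protocol   => "ssl-tcp"                         # instead of the "udp" default
    rfc        => "rfc5424"                         # instead of the "rfc3164" default
    ssl_cacert => "/etc/logstash/tls/ca.pem"        # placeholder path: CA used to verify the server
    ssl_cert   => "/etc/logstash/tls/logstash.pem"  # placeholder path: this sender's certificate
    ssl_key    => "/etc/logstash/tls/logstash.key"  # placeholder path: this sender's private key
    ssl_verify => true                              # default is false
  }
}
```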

use_labels

  • Value type is boolean
  • Default value is true

Use label parsing for severity and facility levels. If set to false, the priority field is used instead.

workers

  • Value type is string
  • Default value is 1

TODO remove this in Logstash 6.0 when we no longer support the :legacy type This is hacky, but it can only be herne