Syslog
Example Configuration
Syslog Eve
1[sources.my_source_id]
2type = "syslog"
1"<13>1 2020-03-13T20:45:38.119Z dynamicwireless.name non 2426 ID931 [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"] Try to override the THX port, maybe it will reboot the neural interface!"
1{
2 "log": {
3 "severity": "notice",
4 "facility": "user",
5 "timestamp": "2020-03-13T20:45:38.119Z",
6 "host": "my-host.local",
7 "source_ip": "34.33.222.212",
8 "hostname": "dynamicwireless.name",
9 "appname": "non",
10 "procid": "2426",
11 "msgid": "ID931",
12 "iut": "3",
13 "eventSource": "Application",
14 "eventID": "1011",
15 "message": "Try to override the THX port, maybe it will reboot the neural interface!"
16 }
17}
Configuration Options
Required Options
address(required)
The address to listen for connections on, or systemd#N to use the Nth socket passed by systemd socket activation. If an address is used it must include a port.
| Type | Syntax | Default | Example |
|---|---|---|---|
| string | literal | ["0.0.0.0:9000","systemd","systemd#3"] |
mode(required)
The type of socket to use.
| Type | Syntax | Default | Example |
|---|---|---|---|
| string | literal | ["tcp","udp","unix_datagram","unix_stream"] |
path(required)
The unix socket path. This should be an absolute path.
| Type | Syntax | Default | Example |
|---|---|---|---|
| string | literal | ["/path/to/socket"] |
type(required)
The component type. This is a required field for all components and tells Vector which component to use.
| Type | Syntax | Default | Example |
|---|---|---|---|
| string | literal | ["syslog","socket"] |
Advanced Options
host_key(optional)
The key name added to each event representing the current host. This can also be globally set via the
global host_key option.
| Type | Syntax | Default | Example |
|---|---|---|---|
| string | literal | host |
max_length(optional)
The maximum bytes size of incoming messages before they are discarded.
| Type | Syntax | Default | Example |
|---|---|---|---|
| uint | 102400 |
receive_buffer_bytes(optional)
Configures the receive buffer size using the SO_RCVBUF option on the socket.
| Type | Syntax | Default | Example |
|---|---|---|---|
| uint | [65536] |
keepalive(optional)
Configures the TCP keepalive behavior for the connection to the source.
| Type | Syntax | Default | Example |
|---|---|---|---|
| hash | [] |
tls(optional)
Configures the TLS options for incoming connections.
| Type | Syntax | Default | Example |
|---|---|---|---|
| hash | literal | [] |
shutdown_timeout_secs(optional)
The timeout before a connection is forcefully closed during shutdown.
| Type | Syntax | Default | Example |
|---|---|---|---|
| uint | 30 |
How it Works
Line Delimiters
Each line is read until a new line delimiter, the 0xA byte, is found.
State
This component is stateless, meaning its behavior is consistent across each input.
Transport Layer Security (TLS)
Vector uses OpenSSL for TLS protocols. You can
adjust TLS behavior via the tls.* options.
Parsing
Vector makes a best effort to parse the various Syslog formats out in the wild. This includes RFC 6587, RFC 5424, RFC 3164, and other common variations (such as the Nginx Syslog style). It's unfortunate that the Syslog specification isn't more accurately followed, but we hope that Vector insulates you from these deviations.
If parsing fails, Vector includes the entire Syslog line in the message
key. If you find this happening often, we recommend using the
socket source combined with
regex parsing to implement your own custom
ingestion and parsing scheme. Alternatively, you can open an
issue to request support for your specific format.
Context
By default, the syslog source augments events with helpful
context keys.