syslog source

Ingests data through the Syslog 5424 protocol and outputs `log` events.

The syslog source ingests data through the Syslog 5424 protocol and outputs log events.

Config File

vector.toml (simple)
vector.toml (advanced)
[sources.my_source_id]
type = "syslog" # must be: "syslog"
mode = "tcp" # enum: "tcp", "udp", and "unix"
# For a complete list of options see the "advanced" tab above.

Examples

Given the following input line:

A log event will be emitted with the following structure:

log
{
"timestamp": <2018-10-11T22:14:15.003Z> # current time,
"message": "<34>1 2018-10-11T22:14:15.003Z mymachine.example.com su - ID47 - 'su root' failed for lonvick on /dev/pts/8",
"host": "mymachine.example.com",
"peer_path": "/path/to/unix/socket" # only relevant if `mode` is `unix`
}

How It Works

Context

By default, the syslog source will add context keys to your events via the host_key options.

Delivery Guarantee

Due to the nature of this component, it offers a best effort delivery guarantee.

Environment Variables

Environment variables are supported through all of Vector's configuration. Simply add ${MY_ENV_VAR} in your Vector configuration file and the variable will be replaced before being evaluated.

You can learn more in the Environment Variables section.

Line Delimiters

Each line is read until a new line delimiter (the 0xA byte) is found.

Parsing

Vector will parse messages in the Syslog 5424 format.

Successful parsing

Upon successful parsing, Vector will create a structured event. For example, given this Syslog message:

<13>1 2019-02-13T19:48:34+00:00 74794bfb6795 root 8449 - [meta sequenceId="1"] i am foobar

Vector will produce an event with this structure.

{
"message": "<13>1 2019-02-13T19:48:34+00:00 74794bfb6795 root 8449 - [meta sequenceId="1"] i am foobar",
"timestamp": "2019-02-13T19:48:34+00:00",
"host": "74794bfb6795"
}

Unsuccessful parsing

Anyone with Syslog experience knows there are often deviations from the Syslog specifications. Vector tries its best to account for these (note the tests here). In the event Vector fails to parse your format, we recommend that you open an issue informing us of this, and then proceed to use the tcp, udp, or unix source coupled with a parser transform transform of your choice.

Troubleshooting

The best place to start with troubleshooting is to check the Vector logs. This is typically located at /var/log/vector.log, then proceed to follow the Troubleshooting Guide.

If the Troubleshooting Guide does not resolve your issue, please:

  1. If encountered a bug, please file a bug report.

  2. If encountered a missing feature, please file a feature request.

  3. If you need help, join our chat/forum community. You can post a question and search previous questions.

Resources