syslog source

Ingests data through the Syslog 5424 protocol and outputs `log` events.

The syslog source ingests data through the Syslog 5424 protocol and outputs log events.

Config File

vector.toml (example)
[sources.my_source_id]
# REQUIRED - General
type = "syslog" # must be: "syslog"
mode = "tcp" # enum: "tcp", "udp", and "unix"
# OPTIONAL - General
address = "0.0.0.0:9000" # no default
max_length = 102400 # default, bytes
path = "/path/to/socket" # no default, relevant when mode = "unix"
# OPTIONAL - Context
host_key = "host" # default

Options

Key (type): Description

REQUIRED - General

  type (string): The component type. Required; must be "syslog".

  mode (string): The input mode. Required; enum: "tcp", "udp", and "unix".

OPTIONAL - General

  address (string): The TCP or UDP address to listen on. No default; example: "0.0.0.0:9000".

  max_length (int): The maximum size in bytes of an incoming message; larger messages are discarded. Default: 102400 (bytes).

  path (string): The Unix socket path. This should be an absolute path. Only relevant when mode = "unix". No default; example: "/path/to/socket".

OPTIONAL - Context

  host_key (string): The key name added to each event representing the current host. See Context for more info. Default: "host".

Examples

Given the following input line:

<34>1 2018-10-11T22:14:15.003Z mymachine.example.com su - ID47 - 'su root' failed for lonvick on /dev/pts/8

A log event will be emitted with the following structure:

{
"timestamp": <2018-10-11T22:14:15.003Z>, # current time
"message": "<34>1 2018-10-11T22:14:15.003Z mymachine.example.com su - ID47 - 'su root' failed for lonvick on /dev/pts/8",
"host": "mymachine.example.com",
"peer_path": "/path/to/unix/socket" # only relevant if `mode` is `unix`
}

How It Works

Context

By default, the syslog source will add context keys to your events via the host_key option.

Delivery Guarantee

Due to the nature of this component, it offers a best effort delivery guarantee.

Environment Variables

Environment variables are supported through all of Vector's configuration. Simply add ${MY_ENV_VAR} in your Vector configuration file and the variable will be replaced before being evaluated.

You can learn more in the Environment Variables section.

Line Delimiters

Each line is read until a newline delimiter (the 0x0A byte) is found.
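As an added example (not Vector's own code), the following applies the newline rule above together with the max_length option from the configuration to a TCP byte stream that arrives in arbitrary chunks. The one policy it adds is an assumption of this example: a partial line that has already exceeded max_length without a delimiter is dropped immediately and the rest of it skipped, so a sender that never sends 0x0A cannot grow the receiver's buffer without bound. The sample chunks are constructed.

```python
"""Newline framing with a max_length bound (added example, not Vector's code)."""
from typing import List

NEWLINE = b"\n"  # the 0x0A delimiter the source splits on


class LineFramer:
    """Accumulates stream chunks and returns complete lines.

    Lines longer than max_length are discarded. A partial line that is
    already over the limit is dropped before its delimiter arrives
    (assumed policy for this example), which keeps memory bounded.
    """

    def __init__(self, max_length: int = 102400) -> None:
        self.max_length = max_length
        self._buf = bytearray()
        self._discarding = False  # True while skipping the tail of an oversized line
        self.discarded = 0        # number of dropped lines, useful for a metric or alert

    def feed(self, chunk: bytes) -> List[bytes]:
        """Append a chunk and return every complete, in-limit line it completes."""
        lines: List[bytes] = []
        self._buf.extend(chunk)
        while True:
            idx = self._buf.find(NEWLINE)
            if idx == -1:
                # No delimiter yet. Drop the partial line early if it is already
                # too long, and keep dropping until a delimiter shows up.
                if self._discarding or len(self._buf) > self.max_length:
                    if not self._discarding:
                        self.discarded += 1
                        self._discarding = True
                    self._buf.clear()
                return lines
            line = bytes(self._buf[:idx])
            del self._buf[: idx + 1]
            if self._discarding:
                # This delimiter ends the oversized line we were skipping.
                self._discarding = False
                continue
            if len(line) > self.max_length:
                self.discarded += 1
                continue
            lines.append(line)


def demo() -> List[bytes]:
    """Constructed chunks: two good lines, one 100-byte line over a 64-byte limit,
    and a line split across two chunks. Returns the lines that survive."""
    framer = LineFramer(max_length=64)
    chunks = [
        b"<13>1 2019-02-13T19:48:34+00:00 host app - - - first\n"
        b"<13>1 2019-02-13T19:48:34+00:00 host app - - - sec",
        b"ond\n" + b"A" * 100 + b"\n"
        b"<13>1 2019-02-13T19:48:34+00:00 host app - - - third\n",
    ]
    out: List[bytes] = []
    for chunk in chunks:
        out.extend(framer.feed(chunk))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line.decode())
```

The `discarded` counter is the operational signal here: a rising count on a listener that should only receive well-formed syslog usually means a misconfigured or misbehaving sender rather than a parsing problem.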

Parsing

Vector will parse messages in the Syslog 5424 format.

Successful parsing

Upon successful parsing, Vector will create a structured event. For example, given this Syslog message:

<13>1 2019-02-13T19:48:34+00:00 74794bfb6795 root 8449 - [meta sequenceId="1"] i am foobar

Vector will produce an event with this structure.

{
"message": "<13>1 2019-02-13T19:48:34+00:00 74794bfb6795 root 8449 - [meta sequenceId=\"1\"] i am foobar",
"timestamp": "2019-02-13T19:48:34+00:00",
"host": "74794bfb6795"
}

Unsuccessful parsing

Anyone with Syslog experience knows there are often deviations from the Syslog specifications. Vector tries its best to account for these (see the syslog parser tests in the Vector repository). In the event Vector fails to parse your format, we recommend that you open an issue informing us of this, and then proceed to use the tcp, udp, or unix source coupled with a parser transform of your choice.
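To make the successful and unsuccessful parsing cases above concrete, here is an added example (not Vector's parser) of a minimal RFC 5424 header parser. It produces the three fields the page shows (message, timestamp, host) and, going slightly beyond the page, also exposes facility, severity, app-name, procid, msgid, the raw structured-data block and the free-text msg. A header that does not fit the grammar returns None, which is the point at which a pipeline would fall back to a raw tcp/udp/unix source plus a parser transform as recommended above. Substituting the receiver's clock for a "-" timestamp is an assumption of this example, and the non-page sample messages are constructed.

```python
"""Minimal RFC 5424 parser (added example, not Vector's own implementation)."""
import re
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
# (lengths per RFC 5424 section 6); everything after MSGID is SD and MSG.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>-|\S+) "
    r"(?P<hostname>\S{1,255}) "
    r"(?P<appname>\S{1,48}) "
    r"(?P<procid>\S{1,128}) "
    r"(?P<msgid>\S{1,32}) "
    r"(?P<rest>.*)$"
)


def _valid_timestamp(ts: str) -> bool:
    """RFC 5424 timestamps are an RFC 3339 profile; accept what fromisoformat does."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"  # fromisoformat only understands 'Z' from Python 3.11
    try:
        datetime.fromisoformat(ts)
    except ValueError:
        return False
    return True


def _split_sd(rest: str) -> Tuple[str, str]:
    """Split the tail into (structured_data, msg).

    SD is '-' or one or more [...] elements; ']' inside a param value is
    escaped as '\\]', so a backslash skips the next character while scanning.
    """
    if rest == "-":
        return "-", ""
    if rest.startswith("- "):
        return "-", rest[2:]
    if not rest.startswith("["):
        raise ValueError("structured data must be '-' or start with '['")
    i = 0
    while i < len(rest) and rest[i] == "[":
        j = i + 1
        while j < len(rest) and rest[j] != "]":
            j += 2 if rest[j] == "\\" else 1
        if j >= len(rest):
            raise ValueError("unterminated structured data element")
        i = j + 1
    sd, msg = rest[:i], rest[i:]
    if msg == "":
        return sd, ""
    if not msg.startswith(" "):
        raise ValueError("expected SP between structured data and message")
    return sd, msg[1:]


def parse_syslog_5424(raw: str) -> Optional[Dict[str, object]]:
    """Parse one message into an event dict, or None if it is not valid RFC 5424."""
    m = _HEADER.match(raw)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23 times 8, plus severity 0..7
        return None
    ts = m.group("timestamp")
    if ts != "-" and not _valid_timestamp(ts):
        return None
    try:
        sd, msg = _split_sd(m.group("rest"))
    except ValueError:
        return None
    return {
        "message": raw,                       # the whole line, as Vector keeps it
        # Assumption: a NIL timestamp is replaced by the receiver's own clock.
        "timestamp": ts if ts != "-" else datetime.now(timezone.utc).isoformat(),
        "host": m.group("hostname"),
        "facility": pri // 8,
        "severity": pri % 8,
        "appname": m.group("appname"),
        "procid": m.group("procid"),
        "msgid": m.group("msgid"),
        "structured_data": sd,
        "msg": msg,
    }


def demo() -> Dict[str, Optional[Dict[str, object]]]:
    """Run the page's two messages plus constructed good and bad inputs."""
    samples = {
        "page_example_1": "<34>1 2018-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
                          "'su root' failed for lonvick on /dev/pts/8",
        "page_example_2": '<13>1 2019-02-13T19:48:34+00:00 74794bfb6795 root 8449 - '
                          '[meta sequenceId="1"] i am foobar',
        "nil_timestamp": "<165>1 - myhost app - - - no clock on sender",          # constructed
        "rfc3164_style": "<34>Oct 11 22:14:15 mymachine su: 'su root' failed",   # constructed, BSD format
        "bad_pri": "<999>1 2019-02-13T19:48:34+00:00 host app - - - out of range",  # constructed
    }
    return {name: parse_syslog_5424(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, event in demo().items():
        print(name, "->", "unparsable" if event is None else event["host"])
```

The BSD-style line in the demo is the typical "deviation" mentioned above: many devices still emit RFC 3164 headers, which this grammar rejects, so the None path (and a counter on it) is what tells you which senders need the raw-source-plus-transform route.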

Troubleshooting

The best place to start troubleshooting is to check the Vector logs, typically located at /var/log/vector.log, and then follow the Troubleshooting Guide.

If the Troubleshooting Guide does not resolve your issue, please:

  1. If you encountered a bug, please file a bug report.

  2. If you encountered a missing feature, please file a feature request.

  3. If you need help, join our chat/forum community. You can post a question and search previous questions.
