Syslog
Synopsis
Creates a target that forwards log messages to a remote syslog server. Supports multiple transport protocols, message templating, and TLS encryption.
The syslog target uses the RFC5424 format for all messages, ensuring modern syslog compatibility.
For details of the format, see Appendix.
Schema
- name: <string>
description: <string>
type: syslog
pipelines: <pipeline[]>
status: <boolean>
properties:
type: <string>
address: <string>
port: <numeric>
field_format: <string>
template: <string>
app_name: <string>
priority: <numeric>
tls:
status: <boolean>
verify: <boolean>
cert_name: <string>
key_name: <string>
interval: <string|numeric>
cron: <string>
debug:
status: <boolean>
dont_send_logs: <boolean>
Configuration
The following fields are used to define the target:
| Field | Required | Default | Description |
|---|---|---|---|
name | Y | Target name | |
description | N | - | Optional description |
type | Y | Must be syslog | |
pipelines | N | - | Optional post-processor pipelines |
status | N | true | Enable/disable the target |
Connection
| Field | Required | Default | Description |
|---|---|---|---|
type | N | "udp" | Transport protocol: udp, tcp, or tls |
address | N | "127.0.0.1" | Remote server address |
port | N | 514 | Remote server port |
Messages
| Field | Required | Default | Description |
|---|---|---|---|
template | N | "<{{.Priority}}> {{.Timestamp}} {{.AppName}}[{{.PID}}]: {{.Message}}" | Message template |
app_name | N | "vmetric" | Application name in the messages |
priority | N | 14 | Syslog priority value |
field_format | N | - | Data normalization format. See applicable Normalization section |
TLS
| Field | Required | Default | Description |
|---|---|---|---|
tls.status | N | false | Enable TLS encryption |
tls.verify | N | false | Verify server certificate |
tls.cert_name | N | "cert.pem" | Client certificate file |
tls.key_name | N | "key.pem" | Client private key file |
When using TLS, ensure that the certificate files are accessible and have the appropriate permissions.
Templates
The following variables can be used in the message template:
| Variable | Description | Example |
|---|---|---|
{{.Year}} | Current year | 2024 |
{{.Month}} | Current month | 01 |
{{.Day}} | Current day | 15 |
{{.Priority}} | Syslog priority | 14 |
{{.Timestamp}} | RFC3339 timestamp | 2024-01-15T14:30:00Z |
{{.AppName}} | Application name | vmetric |
{{.PID}} | Process ID | 1234 |
{{.Message}} | Log message | User login successful |
Invalid templates will fall back to sending the raw message content without formatting.
Scheduler
| Field | Required | Default | Description |
|---|---|---|---|
interval | N | realtime | Execution frequency. See Interval for details |
cron | N | - | Cron expression for scheduled execution. See Cron for details |
Debug Options
| Field | Required | Default | Description |
|---|---|---|---|
debug.status | N | false | Enable debug logging |
debug.dont_send_logs | N | false | Process logs but don't send to target (testing) |
Field Normalization
Field normalization helps standardize log data before sending it to the syslog server, ensuring consistent data formats:
ecs- Elastic Common Schemacim- Common Information Modelasim- Advanced Security Information Model
Examples
Basic UDP
The minimum configuration for a UDP syslog:
targets:
- name: udp_syslog
type: syslog
properties:
address: "192.168.1.100"
Secure TLS
Configuration for a TLS-encrypted syslog:
targets:
- name: secure_syslog
type: syslog
properties:
type: "tls"
address: "logs.example.com"
port: 6514
tls:
status: true
verify: true
cert_name: "client-cert.pem"
key_name: "client-key.pem"
Template
Configuration with a custom message template:
targets:
- name: custom_syslog
type: syslog
properties:
address: "192.168.1.100"
template: "{{.Timestamp}} [{{.AppName}}] severity={{.Priority}} {{.Message}}"
app_name: "myapp"
priority: 13
With Field Normalization
Using field normalization for standard format:
targets:
- name: normalized_syslog
type: syslog
properties:
address: "192.168.1.100"
field_format: "cim"