TCP

Forward

Synopsis

Creates a target that forwards log data to a remote TCP endpoint. Supports delimiter and octet-count framing, TLS encryption, connection pooling with keep-alive, batch delivery, and retry logic.

Schema

- name: <string>
  description: <string>
  type: tcp
  pipelines: <pipeline[]>
  status: <boolean>
  properties:
    address: <string>
    port: <numeric>
    framing: <string>
    line_delimiter: <string>
    timeout: <numeric>
    batch_size: <numeric>
    reconnect_interval: <numeric>
    max_retries: <numeric>
    retry_delay: <numeric>
    field_format: <string>
    tls:
      status: <boolean>
      verify: <boolean>
      server_name: <string>
      cert_name: <string>
      key_name: <string>
      min_tls_version: <string>
      max_tls_version: <string>
    interval: <string|numeric>
    cron: <string>
    debug:
      status: <boolean>
      dont_send_logs: <boolean>

Configuration

Field	Required	Default	Description
`name`	Y		Target name
`description`	N	-	Optional description
`type`	Y		Must be `tcp`
`pipelines`	N	-	Optional post-processor pipelines
`status`	N	`true`	Enable/disable the target

Connection

Field	Required	Default	Description
`address`	Y		Remote server IP address or hostname
`port`	Y		Remote server port (1-65535)
`timeout`	N	`30`	Connection timeout in seconds
`reconnect_interval`	N	`10`	Seconds to wait before reconnection attempts

TCP

Field	Required	Default	Description
`framing`	N	`"delimiter"`	Framing mode: `delimiter` or `octet`
`line_delimiter`	N	`"\n"`	Line separator appended to each message in delimiter framing
`batch_size`	N	`1000`	Maximum events buffered before flush

Retry

Field	Required	Default	Description
`max_retries`	N	`3`	Maximum delivery attempts per batch (total attempts = max_retries + 1)
`retry_delay`	N	`1`	Seconds between retry attempts

TLS

Field	Required	Default	Description
`tls.status`	N	`false`	Enable TLS encryption
`tls.verify`	N	`true`	Verify server certificate
`tls.server_name`	N	-	SNI hostname for TLS handshake
`tls.cert_name`	N	-	Client certificate file name
`tls.key_name`	N	-	Client private key file name
`tls.min_tls_version`	N	`"tls1.2"`	Minimum TLS version
`tls.max_tls_version`	N	`"tls1.3"`	Maximum TLS version

warning

When providing tls.cert_name, you must also provide tls.key_name and vice versa.

Normalization

Field	Required	Default	Description
`field_format`	N	-	Data normalization format. See applicable Normalization section

Scheduler

Field	Required	Default	Description
`interval`	N	realtime	Execution frequency. See Interval for details
`cron`	N	-	Cron expression for scheduled execution. See Cron for details

Debug Options

Field	Required	Default	Description
`debug.status`	N	`false`	Enable debug logging
`debug.dont_send_logs`	N	`false`	Process logs but don't send to target (testing)

Details

The TCP target buffers events in memory and delivers them in batches over a persistent TCP connection.

Framing modes determine how individual messages are delimited in the TCP stream:

Delimiter (default) appends line_delimiter (default \n) to each message before concatenation. Compatible with most line-based log receivers.
Octet prepends the byte length of each message per RFC 5425 (e.g., 42 <message>). Used with syslog-over-TLS receivers that expect length-prefixed framing.

Connection pooling maintains a single TCP connection shared across all worker threads. The connection is tested for liveness before each write and automatically recreated on failure. TCP keep-alive is enabled with a 30-second interval.

Batch delivery accumulates events up to batch_size, then concatenates all framed messages into a single write. If delivery fails, the target retries up to max_retries times with retry_delay between attempts. Connection errors trigger a reconnect_interval wait before retrying.

Examples

Basic

Forwarding logs to a remote TCP endpoint with default settings...

targets:
  - name: tcp_forwarder
    type: tcp
    properties:
      address: "192.168.1.100"
      port: 514

With Batching

Configuring batch size, timeout, and reconnection for high-volume forwarding...

targets:
  - name: tcp_high_volume
    type: tcp
    properties:
      address: "logs.example.com"
      port: 5000
      batch_size: 5000
      timeout: 60
      reconnect_interval: 5
      max_retries: 5
      retry_delay: 2

Octet Framing

Using RFC 5425 octet-count framing for syslog-over-TCP receivers...

targets:
  - name: tcp_octet
    type: tcp
    properties:
      address: "syslog.example.com"
      port: 601
      framing: "octet"

Secure (TLS)

Forwarding logs over TLS with client certificate authentication...

targets:
  - name: tcp_tls
    type: tcp
    properties:
      address: "secure-logs.example.com"
      port: 6514
      framing: "octet"
      tls:
        status: true
        verify: true
        server_name: "secure-logs.example.com"
        cert_name: "client-cert.pem"
        key_name: "client-key.pem"
        min_tls_version: "tls1.2"

With Field Normalization

Normalizing fields to Elastic Common Schema before forwarding...

targets:
  - name: tcp_ecs
    type: tcp
    properties:
      address: "192.168.1.100"
      port: 5000
      field_format: "ecs"

Synopsis​

Schema​

Configuration​

Connection​

TCP​

Retry​

TLS​

Normalization​

Scheduler​

Debug Options​

Details​

Examples​

Basic​

With Batching​

Octet Framing​

Secure (TLS)​

With Field Normalization​