Syslog
The Syslog input plugin lets you collect syslog messages through a Unix socket server (UDP or TCP) or over the network using TCP or UDP.
Configuration parameters
The plugin supports the following configuration parameters:
| Key | Description | Default |
| --- | --- | --- |
| Mode | Defines transport protocol mode: UDP over Unix socket (unix_udp), TCP over Unix socket (unix_tcp), tcp, or udp. | unix_udp |
| Listen | If Mode is set to tcp or udp, specify the network interface to bind. | 0.0.0.0 |
| Port | If Mode is set to tcp or udp, specify the TCP port to listen for incoming connections. | 5140 |
| Path | If Mode is set to unix_tcp or unix_udp, set the absolute path to the Unix socket file. | none |
| Unix_Perm | If Mode is set to unix_tcp or unix_udp, set the permission of the Unix socket file. | 0644 |
| Parser | Specify an alternative parser for the message. If Mode is set to tcp or udp then the default parser is syslog-rfc5424. Otherwise, syslog-rfc3164-local is used. If your syslog messages have fractional seconds, set this parser value to syslog-rfc5424 instead. | none |
| Buffer_Chunk_Size | By default, the buffer to store the incoming syslog messages doesn't allocate the maximum memory allowed; instead it allocates memory when required. The rounds of allocations are set by Buffer_Chunk_Size. There are considerations when using udp or unix_udp mode. | 32KB (set in code) |
| Buffer_Max_Size | Specify the maximum buffer size to receive a syslog message. If not set, the default size is the value of Buffer_Chunk_Size. | none |
| Receive_Buffer_Size | Specify the maximum socket receive buffer size. If not set, the default value is OS-dependent, but generally too low to accept thousands of syslog messages per second without loss on udp or unix_udp sockets. For Linux, the value is capped by sysctl net.core.rmem_max. | none |
| Source_Address_Key | Specify the key where the source address will be injected. | none |
Considerations
When using the Syslog input plugin, Fluent Bit requires access to the parsers.conf file. The path to this file can be specified with the option -R or through the Parsers_File key in the [SERVICE] section.

When using udp or unix_udp, the buffer size to receive messages is configurable only through the Buffer_Chunk_Size option, which defaults to 32kb.
Get started
To receive syslog messages, you can run the plugin from the command line or through the configuration file:
Command line
From the command line you can let Fluent Bit listen for Syslog messages with the following options:
fluent-bit -R /path/to/parsers.conf -i syslog -p path=/tmp/in_syslog -o stdout
By default the service will create and listen for Syslog messages on the Unix socket /tmp/in_syslog.
Configuration file
In your main configuration file append the following sections:
service:
  flush: 1
  log_level: info
  parsers_file: parsers.conf

pipeline:
  inputs:
    - name: syslog
      path: /tmp/in_syslog
      buffer_chunk_size: 32000
      buffer_max_size: 64000
      receive_buffer_size: 512000

  outputs:
    - name: stdout
      match: '*'
Testing
When Fluent Bit is running, you can send some messages using the logger tool:
logger -u /tmp/in_syslog my_ident my_message
Then run Fluent Bit using the following command:
bin/fluent-bit -R ../conf/parsers.conf -i syslog -p path=/tmp/in_syslog -o stdout
You should see the following output:
Fluent Bit v1.x.x
* Copyright (C) 2019-2020 The Fluent Bit Authors
* Copyright (C) 2015-2018 Treasure Data
* Fluent Bit is a CNCF sub-project under the umbrella of Fluentd
* https://fluentbit.io
[2017/03/09 02:23:27] [ info] [engine] started
[0] syslog.0: [1489047822, {"pri"=>"13", "host"=>"edsiper:", "ident"=>"my_ident", "pid"=>"", "message"=>"my_message"}]
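The "pri"=>"13" field in the output above is the syslog PRI value, facility * 8 + severity. The following added example (not part of the Fluent Bit project) decodes it and sends a test datagram to the Unix socket without the logger tool; the message layout without a hostname and the helper names are assumptions made for illustration.

```python
import socket
import time

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164 / RFC 5424)."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Split a PRI value, such as the "pri" field of a record, into names."""
    pri = int(pri)
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def build_message(ident, message, facility="user", severity="notice", now=None):
    """Build '<PRI>Mmm dd hh:mm:ss ident: message' (assumed layout, no hostname)."""
    t = time.localtime(now)
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    pri = encode_pri(facility, severity)
    return f"<{pri}>{stamp} {ident}: {message}".encode()


def send_unix_udp(path, payload):
    """Send one datagram to a socket created with Mode unix_udp."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(payload, path)


if __name__ == "__main__":
    # Socket path taken from the command-line example on this page.
    send_unix_udp("/tmp/in_syslog", build_message("my_ident", "my_message"))
    print(decode_pri("13"))
```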
Examples
The following configuration examples cover different use cases to integrate Fluent Bit and make it listen for Syslog messages from your systems.
rsyslog to Fluent Bit: Network mode over TCP
Fluent Bit configuration
Put the following content in your configuration file:
service:
  flush: 1
  parsers_file: parsers.conf

pipeline:
  inputs:
    - name: syslog
      parser: syslog-rfc3164
      listen: 0.0.0.0
      port: 5140
      mode: tcp

  outputs:
    - name: stdout
      match: '*'
Then, start Fluent Bit.
rsyslog configuration
Add a new file to your rsyslog configuration rules called 60-fluent-bit.conf inside the directory /etc/rsyslog.d/ and add the following content:
action(type="omfwd" Target="127.0.0.1" Port="5140" Protocol="tcp")
Then, restart your rsyslog daemon:
sudo service rsyslog restart
rsyslog to Fluent Bit: Unix socket mode over UDP
Fluent Bit configuration
Put the following content in your fluent-bit.conf file:
service:
  flush: 1
  parsers_file: parsers.conf

pipeline:
  inputs:
    - name: syslog
      parser: syslog-rfc3164
      path: /tmp/fluent-bit.sock
      mode: unix_udp
      unix_perm: 0644

  outputs:
    - name: stdout
      match: '*'
Then, start Fluent Bit.
rsyslog configuration
Add a new file to your rsyslog configuration rules called 60-fluent-bit.conf inside the directory /etc/rsyslog.d/ containing the following content:
$ModLoad omuxsock
$OMUxSockSocket /tmp/fluent-bit.sock
*.* :omuxsock:
Make sure that the socket file is readable by rsyslog by modifying the Unix_Perm key.
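On Linux, sending a datagram to a Unix socket (or connecting to a stream one) requires write permission on the socket file, so the write bits of Unix_Perm decide which local accounts can deliver messages. The following added example (not Fluent Bit code) reports whether a given sender can write to the socket and whether every local user can; the function name and the uid in the usage line are hypothetical.

```python
import os
import stat


def audit_socket(path, sender_uid, sender_gids):
    """Report who may send to a Unix socket file, based on its write bits."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix socket")
    mode = stat.S_IMODE(st.st_mode)

    if sender_uid == 0:
        # root normally bypasses file permission checks (CAP_DAC_OVERRIDE)
        can_send = True
    elif sender_uid == st.st_uid:
        can_send = bool(mode & stat.S_IWUSR)
    elif st.st_gid in sender_gids:
        can_send = bool(mode & stat.S_IWGRP)
    else:
        can_send = bool(mode & stat.S_IWOTH)

    return {
        "mode": f"{mode:04o}",
        "sender_can_send": can_send,
        # True means any local account can inject records into the pipeline
        "any_local_user_can_send": bool(mode & stat.S_IWOTH),
    }


if __name__ == "__main__":
    # Hypothetical uid/gid for the account rsyslog runs as; use your system's values.
    print(audit_socket("/tmp/fluent-bit.sock", sender_uid=104, sender_gids=[110]))
```

With the 0644 value used above, only the socket owner and root can send, so a non-root rsyslog running under a different account than Fluent Bit would need a group-writable mode and shared group instead.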