Syslog

The Syslog output plugin allows you to deliver messages to Syslog servers. It supports RFC3164 and RFC5424 formats through different transports such as UDP, TCP or TLS.

As of Fluent Bit v1.5.3 the configuration is very strict. You must be aware of the structure of your original record so you can configure the plugin to use specific keys to compose your outgoing Syslog message.

Future versions of Fluent Bit are expanding this plugin feature set to support better handling of keys and message composing.

Configuration Parameters

Key

Description

Default

host

Domain or IP address of the remote Syslog server.

127.0.0.1

port

TCP or UDP port of the remote Syslog server.

514

mode

Desired transport type. Available options are tcp and udp.

udp

syslog_format

The Syslog protocol format to use. Available options are rfc3164 and rfc5424.

rfc5424

syslog_maxsize

The maximum size allowed per message. The value must be an integer representing the number of bytes allowed. If no value is provided, the default size is set depending of the protocol version specified by syslog_format. rfc3164 sets max size to 1024 bytes. rfc5424 sets the size to 2048 bytes.

syslog_severity_key

The key name from the original record that contains the Syslog severity number. This configuration is optional.

syslog_severity_preset

The preset severity number. It will be overwritten if syslog_severity_key is set and a key of a record is matched. This configuration is optional.

syslog_facility_key

The key name from the original record that contains the Syslog facility number. This configuration is optional.

syslog_facility_preset

The preset facility number. It will be overwritten if syslog_facility_key is set and a key of a record is matched. This configuration is optional.

syslog_hostname_key

The key name from the original record that contains the hostname that generated the message. This configuration is optional.

syslog_hostname_preset

The preset hostname. It will be overwritten if syslog_hostname_key is set and a key of a record is matched. This configuration is optional.

syslog_appname_key

The key name from the original record that contains the application name that generated the message. This configuration is optional.

syslog_appname_preset

The preset application name. It will be overwritten if syslog_appname_key is set and a key of a record is matched. This configuration is optional.

syslog_procid_key

The key name from the original record that contains the Process ID that generated the message. This configuration is optional.

syslog_procid_preset

The preset process ID. It will be overwritten if syslog_procid_key is set and a key of a record is matched. This configuration is optional.

syslog_msgid_key

The key name from the original record that contains the Message ID associated to the message. This configuration is optional.

syslog_msgid_preset

The preset message ID. It will be overwritten if syslog_msgid_key is set and a key of a record is matched. This configuration is optional.

syslog_sd_key

The key name from the original record that contains a map of key/value pairs to use as Structured Data (SD) content. The key name is included in the resulting SD field as shown in examples below. This configuration is optional.

syslog_message_key

The key name from the original record that contains the message to deliver. Note that this property is mandatory, otherwise the message will be empty.

allow_longer_sd_id

If true, Fluent-bit allows SD-ID that is longer than 32 characters. Such long SD-ID violates RFC 5424.

false

workers

The number of workers to perform flush operations for this output.

0

TLS / SSL

The Syslog output plugin supports TLS/SSL. For more details about the properties available and general configuration, see TLS/SSL.

Examples

Configuration File

Get started quickly with this configuration file:

[OUTPUT]
    name                 syslog
    match                *
    host                 syslog.yourserver.com
    port                 514
    mode                 udp
    syslog_format        rfc5424
    syslog_maxsize       2048
    syslog_severity_key  severity
    syslog_facility_key  facility
    syslog_hostname_key  hostname
    syslog_appname_key   appname
    syslog_procid_key    procid
    syslog_msgid_key     msgid
    syslog_sd_key        sd
    syslog_message_key   message

    outputs:
        - name: syslog
          match: "*"
          host: syslog.yourserver.com
          port: 514
          mode: udp
          syslog_format: rfc5424
          syslog_maxsize: 2048
          syslog_severity_key: severity
          syslog_facility_key: facility
          syslog_hostname_key: hostname
          syslog_appname_key: appname
          syslog_procid_key: procid
          syslog_msgid_key: msgid
          syslog_sd_key: sd
          syslog_message_key: message

Structured Data

The following is an example of how to configure the syslog_sd_key to send Structured Data to the remote Syslog server.

Example log:

{
    "hostname": "myhost",
    "appname": "myapp",
    "procid": "1234",
    "msgid": "ID98",
    "uls@0": {
        "logtype": "access",
        "clustername": "mycluster",
        "namespace": "mynamespace"
    },
    "log": "Sample app log message."
}

Example configuration file:

[OUTPUT]
    name                 syslog
    match                *
    host                 syslog.yourserver.com
    port                 514
    mode                 udp
    syslog_format        rfc5424
    syslog_maxsize       2048
    syslog_hostname_key  hostname
    syslog_appname_key   appname
    syslog_procid_key    procid
    syslog_msgid_key     msgid
    syslog_sd_key        uls@0
    syslog_message_key   log

  outputs:
    - name: syslog
      match: "*"
      host: syslog.yourserver.com
      port: 514
      mode: udp
      syslog_format: rfc5424
      syslog_maxsize: 2048
      syslog_hostname_key: hostname
      syslog_appname_key: appname
      syslog_procid_key: procid
      syslog_msgid_key: msgid
      syslog_sd_key: uls@0
      syslog_message_key: log

Example output:

<14>1 2021-07-12T14:37:35.569848Z myhost myapp 1234 ID98 [uls@0 logtype="access" clustername="mycluster" namespace="mynamespace"] Sample app log message.

Adding Structured Data Authentication Token

Some services use the structured data field to pass authentication tokens (e.g. [<token>@41018]), which would need to be added to each log message dynamically. However, this requires setting the token as a key rather than as a value. Here's an example of how that might be achieved, using AUTH_TOKEN as a variable:

[FILTER]
    name  lua
    match *
    call  append_token
    code  function append_token(tag, timestamp, record) record["${AUTH_TOKEN}"] = {} return 2, timestamp, record end

[OUTPUT]
    name                    syslog
    match                   *
    host                    syslog.yourserver.com
    port                    514
    mode                    tcp
    syslog_format           rfc5424
    syslog_hostname_preset  my-hostname
    syslog_appname_preset   my-appname
    syslog_message_key      log
    allow_longer_sd_id      true
    syslog_sd_key           ${AUTH_TOKEN}
    tls                     on
    tls.crt_file            /path/to/my.crt

  filters:
    - name:  lua
      match: "*"
      call:  append_token
      code:  |
        function append_token(tag, timestamp, record)
            record["${AUTH_TOKEN}"] = {}
            return 2, timestamp, record
        end

  outputs:
    - name: syslog
      match: "*"
      host: syslog.yourserver.com
      port: 514
      mode: tcp
      syslog_format: rfc5424
      syslog_hostname_preset: myhost
      syslog_appname_preset: myapp
      syslog_message_key: log
      allow_longer_sd_id: true
      syslog_sd_key: ${AUTH_TOKEN}
      tls: on
      tls.crt_file: /path/to/my.crt

Last updated 2 months ago

Was this helpful?