Syslog output plugin
- Plugin version: v3.1.0 (Other versions)
- Released on: 2025-12-23
- Changelog
For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.
Send events to a syslog server.
You can send messages compliant with RFC3164 or RFC5424 using either UDP or TCP as the transport protocol.
By default the contents of the message field will be shipped as the free-form message text part of the emitted syslog message. If your messages don’t have a message field or if you for some other reason want to change the emitted message, modify the message configuration option.
This plugin supports the following configuration options plus the Common options and the Deprecated Configuration Options described later.
| Setting | Input type | Required |
|---|---|---|
appname |
string | No |
facility |
string | No |
host |
string | Yes |
message |
string | No |
msgid |
string | No |
port |
number | Yes |
priority |
string | No |
procid |
string | No |
protocol |
string, one of ["tcp", "udp", "ssl-tcp"] |
No |
reconnect_interval |
number | No |
rfc |
string, one of ["rfc3164", "rfc5424"] |
No |
severity |
string | No |
sourcehost |
string | No |
ssl_certificate |
a valid filesystem path | No |
ssl_certificate_authorities |
array | No |
ssl_key |
a valid filesystem path | No |
ssl_key_passphrase |
password | No |
ssl_verify |
boolean | No |
ssl_crl_path |
a valid filesystem path | No |
ssl_crl_check |
array | No |
ssl_cipher_suites |
array | No |
ssl_supported_protocols |
array | No |
use_labels |
boolean | No |
structured_data |
string | No |
Also see Common options for a list of options supported by all output plugins.
- Value type is string
- Default value is
"LOGSTASH"
application name for syslog message. The new value can include %{foo} strings to help you build a new value from other parts of the event.
- Value type is string
- Default value is
"user-level"
facility label for syslog message default fallback to user-level as in rfc3164 The new value can include %{foo} strings to help you build a new value from other parts of the event.
- This is a required setting.
- Value type is string
- There is no default value for this setting.
syslog server address to connect to
- Value type is string
- Default value is
"%{message}"
message text to log. The new value can include %{foo} strings to help you build a new value from other parts of the event.
- Value type is string
- Default value is
"-"
message id for syslog message. The new value can include %{foo} strings to help you build a new value from other parts of the event.
- This is a required setting.
- Value type is number
- There is no default value for this setting.
syslog server port to connect to
- Value type is string
- Default value is
"%{syslog_pri}"
syslog priority The new value can include %{foo} strings to help you build a new value from other parts of the event.
- Value type is string
- Default value is
"-"
process id for syslog message. The new value can include %{foo} strings to help you build a new value from other parts of the event.
- Value can be any of:
tcp,udp,ssl-tcp - Default value is
"udp"
syslog server protocol. you can choose between udp, tcp and ssl/tls over tcp
- Value type is number
- Default value is
1
when connection fails, retry interval in sec.
- Value can be any of:
rfc3164,rfc5424 - Default value is
"rfc3164"
syslog message format: you can choose between rfc3164 or rfc5424
- Value type is string
- Default value is
"notice"
severity label for syslog message default fallback to notice as in rfc3164 The new value can include %{foo} strings to help you build a new value from other parts of the event.
- Value type is string
- Default value is
"%{host}"
source host for syslog message. The new value can include %{foo} strings to help you build a new value from other parts of the event.
- Value type is path
- There is no default value for this setting.
SSL certificate path
- Value type is a list of path
- There is no default value for this setting
List of SSL CA certificate, chainfile or CA path. The system CA path is automatically included.
- Value type is path
- There is no default value for this setting.
SSL key path
- Value type is password
- Default value is
nil
SSL key passphrase
- Value type is boolean
- Default value is
false
Verify the identity of the other end of the SSL connection against the CA.
- Value type is path
- There is no default value for this setting.
SSL CRL path for checking the revocation status of the server certificate. File may contain one or more PEM encoded CRLs.
- Value type is array
- Default value is
['leaf']
When set to leaf (default), only the server certificate is validated against CRLs. When set to chain, the entire certificate chain, including subordinate Certificate Authorities, is validated against CRLs. For each certificate validated, a CRL from its issuing Certificate Authority must be present in the ssl_crl_path.
- Value type is array
- There is no default value for this setting
The list of cipher suites to use, listed by priorities. Supported cipher suites vary depending on the Java and protocol versions.
- Value type is array
- Allowed values are:
'TLSv1.1','TLSv1.2','TLSv1.3' - Default depends on the JDK being used. With up-to-date Logstash, the default is
['TLSv1.2', 'TLSv1.3'].'TLSv1.1'is not considered secure and is only provided for legacy applications.
List of allowed SSL/TLS versions to use when establishing a connection to the HTTP endpoint.
For Java 8 'TLSv1.3' is supported only since 8u262 (Adoptium.net), but requires that you set the LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3" system property in Logstash.
If you configure the plugin to use 'TLSv1.1' on any recent JVM, such as the one packaged with Logstash, the protocol is disabled by default and needs to be enabled manually by changing jdk.tls.disabledAlgorithms in the $JDK_HOME/conf/security/java.security configuration file. That is, TLSv1.1 needs to be removed from the list.
- Value type is boolean
- Default value is
true
use label parsing for severity and facility levels use priority field if set to false
- Value type is string
- There is no default value for this setting.
RFC5424 structured data is a string of one or more structured data elements, including brackets. The elements need to be formatted according to RFC5424 section 6.3, for example:
`[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"]`
The new value can include %{foo} strings to help you build a new value from other parts of the event.
Deprecated options are subject to removal in future releases.
| Setting | Input type | Replaced by |
|---|---|---|
ssl_cacert |
a valid filesystem path | ssl_certificate_authorities |
ssl_cert |
a valid filesystem path | ssl_certificate |
Deprecated in 3.1.0 Replaced by ssl_certificate_authorities.
- Value type is path
- There is no default value for this setting.
The SSL CA certificate, chainfile or CA path. The system CA path is automatically included.
Deprecated in 3.1.0 Replaced by ssl_certificate.
- Value type is path
- There is no default value for this setting.
SSL certificate path
These configuration options are supported by all output plugins:
- Value type is codec
- Default value is
"plain"
The codec used for output data. Output codecs are a convenient method for encoding your data before it leaves the output without needing a separate filter in your Logstash pipeline.
- Value type is boolean
- Default value is
true
Disable or enable metric logging for this specific plugin instance. By default we record all the metrics we can, but you can disable metrics collection for a specific plugin.
- Value type is string
- There is no default value for this setting.
Add a unique ID to the plugin configuration. If no ID is specified, Logstash will generate one. It is strongly recommended to set this ID in your configuration. This is particularly useful when you have two or more plugins of the same type. For example, if you have 2 syslog outputs. Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.
output {
syslog {
id => "my_plugin_id"
}
}