Syslog output plugin v3.1.0
editSyslog output plugin v3.1.0
edit- Plugin version: v3.1.0
- Released on: 2025-12-23
- Changelog
For other versions, see the overview list.
To learn more about Logstash, see the Logstash Reference.
Getting help
editFor questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.
Description
editSend events to a syslog server.
You can send messages compliant with RFC3164 or RFC5424 using either UDP or TCP as the transport protocol.
By default the contents of the message field will be shipped as
the free-form message text part of the emitted syslog message. If
your messages don’t have a message field or if you for some other
reason want to change the emitted message, modify the message
configuration option.
Syslog Output Configuration Options
editThis plugin supports the following configuration options plus the Common options and the Deprecated Configuration Options described later.
| Setting | Input type | Required |
|---|---|---|
No |
||
No |
||
Yes |
||
No |
||
No |
||
Yes |
||
No |
||
No |
||
string, one of |
No |
|
No |
||
string, one of |
No |
|
No |
||
No |
||
a valid filesystem path |
No |
|
No |
||
a valid filesystem path |
No |
|
No |
||
No |
||
a valid filesystem path |
No |
|
No |
||
No |
||
No |
||
No |
||
No |
Also see Common options for a list of options supported by all output plugins.
appname
edit- Value type is string
-
Default value is
"LOGSTASH"
application name for syslog message. The new value can include %{foo} strings
to help you build a new value from other parts of the event.
facility
edit- Value type is string
-
Default value is
"user-level"
facility label for syslog message
default fallback to user-level as in rfc3164
The new value can include %{foo} strings
to help you build a new value from other parts of the event.
host
edit- This is a required setting.
- Value type is string
- There is no default value for this setting.
syslog server address to connect to
message
edit- Value type is string
-
Default value is
"%{message}"
message text to log. The new value can include %{foo} strings
to help you build a new value from other parts of the event.
msgid
edit- Value type is string
-
Default value is
"-"
message id for syslog message. The new value can include %{foo} strings
to help you build a new value from other parts of the event.
port
edit- This is a required setting.
- Value type is number
- There is no default value for this setting.
syslog server port to connect to
priority
edit- Value type is string
-
Default value is
"%{syslog_pri}"
syslog priority
The new value can include %{foo} strings
to help you build a new value from other parts of the event.
procid
edit- Value type is string
-
Default value is
"-"
process id for syslog message. The new value can include %{foo} strings
to help you build a new value from other parts of the event.
protocol
edit-
Value can be any of:
tcp,udp,ssl-tcp -
Default value is
"udp"
syslog server protocol. you can choose between udp, tcp and ssl/tls over tcp
reconnect_interval
edit- Value type is number
-
Default value is
1
when connection fails, retry interval in sec.
rfc
edit-
Value can be any of:
rfc3164,rfc5424 -
Default value is
"rfc3164"
syslog message format: you can choose between rfc3164 or rfc5424
severity
edit- Value type is string
-
Default value is
"notice"
severity label for syslog message
default fallback to notice as in rfc3164
The new value can include %{foo} strings
to help you build a new value from other parts of the event.
sourcehost
edit- Value type is string
-
Default value is
"%{host}"
source host for syslog message. The new value can include %{foo} strings
to help you build a new value from other parts of the event.
ssl_certificate
edit- Value type is path
- There is no default value for this setting.
SSL certificate path
ssl_certificate_authorities
edit- Value type is a list of path
- There is no default value for this setting
List of SSL CA certificate, chainfile or CA path. The system CA path is automatically included.
ssl_verify
edit- Value type is boolean
-
Default value is
false
Verify the identity of the other end of the SSL connection against the CA.
ssl_crl_path
edit- Value type is path
- There is no default value for this setting.
SSL CRL path for checking the revocation status of the server certificate. File may contain one or more PEM encoded CRLs.
ssl_crl_check
edit- Value type is array
-
Default value is
['leaf']
When set to leaf (default), only the server certificate is validated against CRLs.
When set to chain, the entire certificate chain, including subordinate Certificate Authorities, is validated against CRLs.
For each certificate validated, a CRL from its issuing Certificate Authority must be present in the ssl_crl_path.
ssl_cipher_suites
edit- Value type is array
- There is no default value for this setting
The list of cipher suites to use, listed by priorities. Supported cipher suites vary depending on the Java and protocol versions.
ssl_supported_protocols
edit- Value type is array
-
Allowed values are:
'TLSv1.1','TLSv1.2','TLSv1.3' -
Default depends on the JDK being used. With up-to-date Logstash, the default is
['TLSv1.2', 'TLSv1.3'].'TLSv1.1'is not considered secure and is only provided for legacy applications.
List of allowed SSL/TLS versions to use when establishing a connection to the HTTP endpoint.
For Java 8 'TLSv1.3' is supported only since 8u262 (Adoptium.net), but requires that you set the
LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3" system property in Logstash.
If you configure the plugin to use 'TLSv1.1' on any recent JVM, such as the one packaged with Logstash,
the protocol is disabled by default and needs to be enabled manually by changing jdk.tls.disabledAlgorithms in
the $JDK_HOME/conf/security/java.security configuration file. That is, TLSv1.1 needs to be removed from the list.
use_labels
edit- Value type is boolean
-
Default value is
true
use label parsing for severity and facility levels use priority field if set to false
structured_data
edit- Value type is string
- There is no default value for this setting.
RFC5424 structured data is a string of one or more structured data elements, including brackets. The elements need to be formatted according to RFC5424 section 6.3, for example:
`[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"]`
The new value can include %{foo} strings to help you build a new value from other parts of the event.
Deprecated Configuration Options
editDeprecated options are subject to removal in future releases.
| Setting | Input type | Replaced by |
|---|---|---|
a valid filesystem path |
||
a valid filesystem path |
ssl_cacert
editDeprecated in 3.1.0 Replaced by ssl_certificate_authorities.
- Value type is path
- There is no default value for this setting.
The SSL CA certificate, chainfile or CA path. The system CA path is automatically included.
ssl_cert
editDeprecated in 3.1.0 Replaced by ssl_certificate.
- Value type is path
- There is no default value for this setting.
SSL certificate path
Common options
editThese configuration options are supported by all output plugins:
codec
edit- Value type is codec
-
Default value is
"plain"
The codec used for output data. Output codecs are a convenient method for encoding your data before it leaves the output without needing a separate filter in your Logstash pipeline.
enable_metric
edit- Value type is boolean
-
Default value is
true
Disable or enable metric logging for this specific plugin instance. By default we record all the metrics we can, but you can disable metrics collection for a specific plugin.
id
edit- Value type is string
- There is no default value for this setting.
Add a unique ID to the plugin configuration. If no ID is specified, Logstash will generate one.
It is strongly recommended to set this ID in your configuration. This is particularly useful
when you have two or more plugins of the same type. For example, if you have 2 syslog outputs.
Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.
output {
syslog {
id => "my_plugin_id"
}
}