syslog

This is a community-maintained plugin! It does not ship with Logstash by default, but it is easy to install by running bin/plugin install logstash-output-syslog.

Send events to a syslog server.

You can send messages compliant with RFC3164 or RFC5424 using either UDP or TCP as the transport protocol.

By default the contents of the message field will be shipped as the free-form message text part of the emitted syslog message. If your messages don’t have a message field or if you for some other reason want to change the emitted message, modify the message configuration option.

Synopsis

This plugin supports the following configuration options:

Required configuration options:

syslog {
    facility => ...
    host => ...
    port => ...
    severity => ...
}

Available configuration options:

| Setting | Input type | Required | Default value |
|---|---|---|---|
| appname | string | No | "LOGSTASH" |
| codec | codec | No | "plain" |
| facility | string, one of ["kernel", "user-level", "mail", "daemon", "security/authorization", "syslogd", "line printer", "network news", "uucp", "clock", "security/authorization", "ftp", "ntp", "log audit", "log alert", "clock", "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"] | Yes | |
| host | string | Yes | |
| message | string | No | "%{message}" |
| msgid | string | No | "-" |
| port | number | Yes | |
| procid | string | No | "-" |
| protocol | string, one of ["tcp", "udp"] | No | "udp" |
| rfc | string, one of ["rfc3164", "rfc5424"] | No | "rfc3164" |
| severity | string, one of ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"] | Yes | |
| sourcehost | string | No | "%{host}" |
| workers | number | No | 1 |

Details

appname

  • Value type is string
  • Default value is "LOGSTASH"

Application name for the syslog message.

codec

  • Value type is codec
  • Default value is "plain"

The codec used for output data. Output codecs are a convenient method for encoding your data before it leaves the output, without needing a separate filter in your Logstash pipeline.

facility

  • This is a required setting.
  • Value can be any of: kernel, user-level, mail, daemon, security/authorization, syslogd, line printer, network news, uucp, clock, security/authorization, ftp, ntp, log audit, log alert, clock, local0, local1, local2, local3, local4, local5, local6, local7
  • There is no default value for this setting.

Facility label for the syslog message.

host

  • This is a required setting.
  • Value type is string
  • There is no default value for this setting.

Address of the syslog server to connect to.

message

  • Value type is string
  • Default value is "%{message}"

Message text to log.

msgid

  • Value type is string
  • Default value is "-"

Message ID for the syslog message.

port

  • This is a required setting.
  • Value type is number
  • There is no default value for this setting.

Port of the syslog server to connect to.

procid

  • Value type is string
  • Default value is "-"

Process ID for the syslog message.

protocol

  • Value can be any of: tcp, udp
  • Default value is "udp"

Syslog server protocol. You can choose between udp and tcp.

rfc

  • Value can be any of: rfc3164, rfc5424
  • Default value is "rfc3164"

Syslog message format. You can choose between rfc3164 and rfc5424.

severity

  • This is a required setting.
  • Value can be any of: emergency, alert, critical, error, warning, notice, informational, debug
  • There is no default value for this setting.

Severity label for the syslog message.

sourcehost

  • Value type is string
  • Default value is "%{host}"

Source host for the syslog message.

timestamp (DEPRECATED)

  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is string
  • Default value is "%{@timestamp}"

Timestamp for the syslog message.

workers

  • Value type is number
  • Default value is 1

The number of workers to use for this output. Note that this setting may not be useful for all outputs.
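How the facility, severity, rfc, appname, procid, msgid and sourcehost options combine into the line a receiving syslog server has to parse, as an added Ruby example that follows the RFC 3164 and RFC 5424 layouts; it is not the plugin's source code. The function names, the host name web01 and the message text are constructed for illustration.

```ruby
# Added example, not the plugin's source. Labels and their order are copied
# from the facility and severity option lists on this page; a label's position
# in its list is taken as its numeric syslog code.
FACILITIES = ["kernel", "user-level", "mail", "daemon", "security/authorization",
  "syslogd", "line printer", "network news", "uucp", "clock",
  "security/authorization", "ftp", "ntp", "log audit", "log alert", "clock",
  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"].freeze
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
  "informational", "debug"].freeze

# PRI = facility code * 8 + severity code (RFC 3164 and RFC 5424).
# In this sketch a duplicated label resolves to its first position (4 and 9).
def syslog_pri(facility, severity)
  f = FACILITIES.index(facility) or raise ArgumentError, "unknown facility: #{facility}"
  s = SEVERITIES.index(severity) or raise ArgumentError, "unknown severity: #{severity}"
  f * 8 + s
end

# Build one syslog line; keyword defaults mirror the defaults listed on this page.
def format_syslog(rfc:, facility:, severity:, sourcehost:, message:, time:,
                  appname: "LOGSTASH", procid: "-", msgid: "-")
  pri = syslog_pri(facility, severity)
  case rfc
  when "rfc3164"
    # <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG  (day of month is space-padded)
    ts = time.strftime("%b %e %H:%M:%S")
    "<#{pri}>#{ts} #{sourcehost} #{appname}[#{procid}]: #{message}"
  when "rfc5424"
    # <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    ts = time.getutc.strftime("%Y-%m-%dT%H:%M:%S.%3NZ")
    "<#{pri}>1 #{ts} #{sourcehost} #{appname} #{procid} #{msgid} - #{message}"
  else
    raise ArgumentError, "rfc must be rfc3164 or rfc5424"
  end
end

if __FILE__ == $0
  t = Time.utc(2015, 6, 1, 12, 34, 56) # constructed sample timestamp
  %w[rfc3164 rfc5424].each do |rfc|
    puts format_syslog(rfc: rfc, facility: "local0", severity: "informational",
                       sourcehost: "web01", message: "login failed", time: t)
  end
end
```

The RFC 3164 form has no year or time zone in its timestamp and no msgid field, so a receiver that needs either has to take them from the RFC 5424 form.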