Syslog source

The syslog source listens on a UDP socket for syslog messages. It supports both RFC 3164 and RFC 5424 formats. Use it to collect logs from network devices, appliances, or services that speak syslog.

Configuration

{
  "sources": {
    "network-devices": {
      "type": "syslog",
      "addr": "0.0.0.0:514"
    }
  }
}

Options

Option	Type	Default	Description
`addr`	string	required	UDP listen address (e.g. `"0.0.0.0:514"`, `":5514"`)
`contentType`	string	`""`	Content type hint for downstream parsing
`format`	string	`"rfc3164"`	Syslog format: `"rfc3164"`, `"rfc5424"`, or `"auto"`

Examples

Listen on a non-privileged port

{
  "sources": {
    "syslog": {
      "type": "syslog",
      "addr": "0.0.0.0:5514"
    }
  }
}

RFC 5424 format

Use "format": "rfc5424" for devices that send RFC 5424 syslog, such as Juniper SRX firewalls. RFC 5424 provides richer metadata including structured data, application name, and message ID.

{
  "sources": {
    "firewall": {
      "type": "syslog",
      "addr": "0.0.0.0:514",
      "format": "rfc5424"
    }
  }
}

Auto-detect format

Use "format": "auto" when you receive a mix of RFC 3164 and RFC 5424 messages on the same port.

{
  "sources": {
    "mixed-syslog": {
      "type": "syslog",
      "addr": "0.0.0.0:514",
      "format": "auto"
    }
  }
}

With content type for JSON syslog

{
  "sources": {
    "json-syslog": {
      "type": "syslog",
      "addr": "0.0.0.0:5514",
      "contentType": "application/json"
    }
  }
}

Event fields

RFC 3164 (default)

Field	Value
`sourceType`	`"syslog"`
`rawLog`	Syslog message content
`eventTime`	Parsed from syslog timestamp (falls back to current time)
`service.name`	Syslog tag field (if present)

RFC 5424

Field	Value
`sourceType`	`"syslog"`
`rawLog`	Message body, or structured data prefixed with message ID if the body is empty
`eventTime`	Parsed from syslog timestamp
`service.name`	Application name (`app_name` field)

On this page