Syslog source

The syslog source listens on a UDP socket for syslog messages in RFC 3164 format. Use it to collect logs from network devices, appliances, or services that speak syslog.

Configuration

{
  "sources": {
    "network-devices": {
      "type": "syslog",
      "addr": "0.0.0.0:514"
    }
  }
}

Options

Option	Type	Default	Description
`addr`	string	required	UDP listen address (e.g. `"0.0.0.0:514"`, `":5514"`)
`contentType`	string	`""`	Content type hint for downstream parsing

Examples

Listen on a non-privileged port

{
  "sources": {
    "syslog": {
      "type": "syslog",
      "addr": "0.0.0.0:5514"
    }
  }
}

With content type for JSON syslog

{
  "sources": {
    "json-syslog": {
      "type": "syslog",
      "addr": "0.0.0.0:5514",
      "contentType": "application/json"
    }
  }
}

Event fields

Field	Value
`sourceType`	`"syslog"`
`rawLog`	Syslog message content
`eventTime`	Parsed from syslog timestamp (falls back to current time)
`service.name`	Syslog tag field (if present)

Syslog source

Configuration

Options

Examples

Listen on a non-privileged port

With content type for JSON syslog

Event fields

On this page