For other versions, see the Versioned plugin docs.
For plugins not bundled by default, it is easy to install by running bin/logstash-plugin install logstash-output-syslog. See Working with plugins for more details.
For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in GitHub. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.
Send events to a syslog server.
You can send messages compliant with RFC3164 or RFC5424 using either UDP or TCP as the transport protocol.
By default the contents of the message field will be shipped as the free-form message text part of the emitted syslog message. If your messages don't have a message field, or if you for some other reason want to change the emitted message, modify the message configuration option.
This plugin supports the following configuration options plus the Common Options described later.
Setting | Input type | Required |
---|---|---|
No |
||
No |
||
Yes |
||
No |
||
No |
||
Yes |
||
No |
||
No |
||
string, one of |
No |
|
No |
||
string, one of |
No |
|
No |
||
No |
||
a valid filesystem path |
No |
|
a valid filesystem path |
No |
|
a valid filesystem path |
No |
|
No |
||
No |
||
No |
Also see Common Options for a list of options supported by all output plugins.
"LOGSTASH"
Application name for the syslog message. The new value can include %{foo} strings to help you build a new value from other parts of the event.
"user-level"
Facility label for the syslog message. Falls back to user-level by default, as in RFC3164. The new value can include %{foo} strings to help you build a new value from other parts of the event.
Syslog server address to connect to.
"%{message}"
Message text to log. The new value can include %{foo} strings to help you build a new value from other parts of the event.
"-"
Message ID for the syslog message. The new value can include %{foo} strings to help you build a new value from other parts of the event.
Syslog server port to connect to.
"%{syslog_pri}"
Syslog priority. The new value can include %{foo} strings to help you build a new value from other parts of the event.
"-"
Process ID for the syslog message. The new value can include %{foo} strings to help you build a new value from other parts of the event.
tcp, udp, ssl-tcp
"udp"
Syslog server protocol. You can choose between udp, tcp, and ssl/tls over tcp.
1
When the connection fails, the retry interval in seconds.
rfc3164, rfc5424
"rfc3164"
Syslog message format. You can choose between rfc3164 and rfc5424.
"notice"
Severity label for the syslog message. Falls back to notice by default, as in RFC3164. The new value can include %{foo} strings to help you build a new value from other parts of the event.
"%{host}"
Source host for the syslog message. The new value can include %{foo} strings to help you build a new value from other parts of the event.
The SSL CA certificate, chainfile or CA path. The system CA path is automatically included.
false
Verify the identity of the other end of the SSL connection against the CA.
true
Use label parsing for severity and facility levels. Use the priority field if set to false.
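The wire format these options control, sketched as an added Ruby example (not the plugin's own code): it maps facility and severity labels to the PRI value and renders one event in both the RFC3164 and the RFC5424 layout. The facility subset, the function names and the sample event are assumptions made for illustration.

```ruby
require "time"

# Facility and severity codes as defined in RFC 5424, section 6.2.1.
# Only a subset of facilities is listed here (assumption for brevity).
FACILITIES = {
  "kernel" => 0, "user-level" => 1, "mail" => 2, "daemon" => 3,
  "local0" => 16, "local7" => 23
}.freeze
SEVERITIES = %w[emergency alert critical error warning notice informational debug].freeze

# PRI = facility * 8 + severity. Unknown labels fall back to the documented
# defaults, "user-level" and "notice".
def syslog_pri(facility_label, severity_label)
  facility = FACILITIES.fetch(facility_label, FACILITIES["user-level"])
  severity = SEVERITIES.index(severity_label) || SEVERITIES.index("notice")
  facility * 8 + severity
end

# Render one event as a single syslog line (hypothetical helper).
def format_syslog(rfc:, time:, message:, facility: "user-level", severity: "notice",
                  sourcehost: "localhost", appname: "LOGSTASH", procid: "-", msgid: "-")
  pri = syslog_pri(facility, severity)
  case rfc
  when "rfc3164"
    # <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
    "<#{pri}>#{time.strftime('%b %e %H:%M:%S')} #{sourcehost} #{appname}[#{procid}]: #{message}"
  when "rfc5424"
    # <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    # "-" is the RFC 5424 nil value; no structured data is sent here.
    "<#{pri}>1 #{time.getutc.iso8601(3)} #{sourcehost} #{appname} #{procid} #{msgid} - #{message}"
  else
    raise ArgumentError, "rfc must be rfc3164 or rfc5424"
  end
end

# Constructed sample event, not taken from a real system.
sample_time = Time.utc(2024, 1, 5, 9, 7, 3)
%w[rfc3164 rfc5424].each do |rfc|
  puts format_syslog(rfc: rfc, time: sample_time, message: "login ok", sourcehost: "web01")
end
```
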
The following configuration options are supported by all output plugins:
"plain"
The codec used for output data. Output codecs are a convenient method for encoding your data before it leaves the output without needing a separate filter in your Logstash pipeline.
true
Disable or enable metric logging for this specific plugin instance. By default we record all the metrics we can, but you can disable metrics collection for a specific plugin.
Add a unique ID to the plugin configuration. If no ID is specified, Logstash will generate one. It is strongly recommended to set this ID in your configuration. This is particularly useful when you have two or more plugins of the same type. For example, if you have 2 syslog outputs. Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.
output { syslog { id => "my_plugin_id" }}