syslog

Milestone: 1

This is a community-contributed plugin! It does not ship with logstash by default, but it is easy to install! To use this, you must have installed the contrib plugins package.

Send events to a syslog server.

You can send messages compliant with RFC3164 or RFC5424. Both UDP and TCP syslog transports are supported.

Synopsis

This is what it might look like in your config file:
output {
  syslog {
    appname => ... # string (optional), default: "LOGSTASH"
    codec => ... # codec (optional), default: "plain"
    facility => ... # string, one of ["kernel", "user-level", "mail", "daemon", "security/authorization", "syslogd", "line printer", "network news", "uucp", "clock", "security/authorization", "ftp", "ntp", "log audit", "log alert", "clock", "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"] (required)
    host => ... # string (required)
    msgid => ... # string (optional), default: "-"
    port => ... # number (required)
    procid => ... # string (optional), default: "-"
    protocol => ... # string, one of ["tcp", "udp"] (optional), default: "udp"
    rfc => ... # string, one of ["rfc3164", "rfc5424"] (optional), default: "rfc3164"
    severity => ... # string, one of ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"] (required)
    sourcehost => ... # string (optional), default: "%{host}"
    workers => ... # number (optional), default: 1
  }
}

Details

appname

  • Value type is string
  • Default value is "LOGSTASH"

Application name for the syslog message.

codec

  • Value type is codec
  • Default value is "plain"

The codec used for output data. Output codecs are a convenient method for encoding your data before it leaves the output, without needing a separate filter in your Logstash pipeline.

exclude_tags DEPRECATED

  • DEPRECATED WARNING: This config item is deprecated. It may be removed in a future version.
  • Value type is array
  • Default value is []

Only handle events without any of these tags. Note this check is additional to type and tags.

facility (required setting)

  • Value can be any of: "kernel", "user-level", "mail", "daemon", "security/authorization", "syslogd", "line printer", "network news", "uucp", "clock", "security/authorization", "ftp", "ntp", "log audit", "log alert", "clock", "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"
  • There is no default value for this setting.

Facility label for the syslog message.

host (required setting)

  • Value type is string
  • There is no default value for this setting.

Syslog server address to connect to.

msgid

  • Value type is string
  • Default value is "-"

Message ID for the syslog message.

port (required setting)

  • Value type is number
  • There is no default value for this setting.

Syslog server port to connect to.

procid

  • Value type is string
  • Default value is "-"

Process ID for the syslog message.

protocol

  • Value can be any of: "tcp", "udp"
  • Default value is "udp"

Syslog server protocol. You can choose between udp and tcp.

rfc

  • Value can be any of: "rfc3164", "rfc5424"
  • Default value is "rfc3164"

Syslog message format: you can choose between rfc3164 and rfc5424.

severity (required setting)

  • Value can be any of: "emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"
  • There is no default value for this setting.

Severity label for the syslog message.

sourcehost

  • Value type is string
  • Default value is "%{host}"

Source host for the syslog message.

tags DEPRECATED

  • DEPRECATED WARNING: This config item is deprecated. It may be removed in a future version.
  • Value type is array
  • Default value is []

Only handle events with all of these tags. Note that if you specify a type, the event must also match that type. Optional.

timestamp DEPRECATED

  • DEPRECATED WARNING: This config item is deprecated. It may be removed in a future version.
  • Value type is string
  • Default value is "%{@timestamp}"

Timestamp for the syslog message.

type DEPRECATED

  • DEPRECATED WARNING: This config item is deprecated. It may be removed in a future version.
  • Value type is string
  • Default value is ""

The type to act on. If a type is given, then this output will only act on messages with the same type. See any input plugin’s “type” attribute for more. Optional.

workers

  • Value type is number
  • Default value is 1

The number of workers to use for this output. Note that this setting may not be useful for all outputs.
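
An added example (not taken from lib/logstash/outputs/syslog.rb) showing how the facility and severity labels combine into the syslog PRI value and how the rfc setting changes the header layout. It assumes a label's position in the lists above is its numeric code, as in the RFC 3164 and RFC 5424 tables; syslog_pri, format_syslog and the sample event are hypothetical names and constructed data.

```ruby
require "time"

# Label lists copied from the facility and severity settings on this page.
# Assumption: a label's position is its numeric code (RFC 3164 / RFC 5424 tables).
FACILITIES = ["kernel", "user-level", "mail", "daemon", "security/authorization",
  "syslogd", "line printer", "network news", "uucp", "clock",
  "security/authorization", "ftp", "ntp", "log audit", "log alert", "clock",
  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"].freeze
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
  "informational", "debug"].freeze

# PRI = facility code * 8 + severity code. Array#index returns the first match,
# so the duplicated labels resolve to codes 4 and 9, never 10 or 15.
def syslog_pri(facility, severity)
  f = FACILITIES.index(facility) or raise ArgumentError, "unknown facility: #{facility}"
  s = SEVERITIES.index(severity) or raise ArgumentError, "unknown severity: #{severity}"
  f * 8 + s
end

# Hypothetical helper: lay out one message header per RFC. Defaults for appname,
# procid and msgid follow this page; sourcehost is passed already resolved.
def format_syslog(rfc:, facility:, severity:, message:, time:, sourcehost:,
                  appname: "LOGSTASH", procid: "-", msgid: "-")
  pri = syslog_pri(facility, severity)
  case rfc
  when "rfc3164"
    # <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG (day of month is space-padded)
    stamp = time.strftime("%b %e %H:%M:%S")
    "<#{pri}>#{stamp} #{sourcehost} #{appname}[#{procid}]: #{message}"
  when "rfc5424"
    # <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    "<#{pri}>1 #{time.getutc.iso8601(3)} #{sourcehost} #{appname} #{procid} #{msgid} - #{message}"
  else
    raise ArgumentError, "rfc must be rfc3164 or rfc5424"
  end
end

# Constructed sample event, not taken from the page.
SAMPLE = { facility: "security/authorization", severity: "warning",
           message: "failed login for admin", time: Time.utc(2024, 3, 5, 14, 7, 9),
           sourcehost: "web01" }.freeze

puts format_syslog(rfc: "rfc3164", **SAMPLE)
puts format_syslog(rfc: "rfc5424", **SAMPLE)
```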


This is documentation from lib/logstash/outputs/syslog.rb