Skip to content

Latest commit

 

History

History
39 lines (30 loc) · 895 Bytes

syslog.md

File metadata and controls

39 lines (30 loc) · 895 Bytes
Raw

Syslog input plugin

Status : core plugin, unit tested and maintained.

There is no syslog plugin, but it's easy to emulate with udp plugin.

Example 1: Config using url :

input://udp://0.0.0.0:514?type=syslog
filter://regex://syslog?only_type=syslog
filter://syslog_pri://?only_type=syslog

Config using logstash format:

input {
  udp {
    host => 0.0.0.0
    port => 514
    type => syslog
  }
}

filter {
  if [type] == syslog {
    regex {
      builtin_regex => syslog
    }
    syslog_pri {}
  }
}

The first filter will parse the syslog line, and extract syslog_priority, syslog_program, syslog_pid fields, parse timestamp, and will replace host and message field.

The second filter will extract from syslog_priority field severity and facility.

You can also use the regex syslog_no_prio if there is no timestamp in syslog lines.