--- title: "loki.source.syslog | Grafana Agent documentation" description: "Learn about loki.source.syslog" --- # loki.source.syslog `loki.source.syslog` listens for syslog messages over TCP or UDP connections and forwards them to other `loki.*` components. The messages must be compliant with the [RFC5424](https://www.rfc-editor.org/rfc/rfc5424) format. The component starts a new syslog listener for each of the given `config` blocks and fans out incoming entries to the list of receivers in `forward_to`. Multiple `loki.source.syslog` components can be specified by giving them different labels. ## Usage Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```alloy loki.source.syslog "LABEL" { listener { address = "LISTEN_ADDRESS" } ... forward_to = RECEIVER_LIST } ``` ## Arguments `loki.source.syslog` supports the following arguments: Expand table | Name | Type | Description | Default | Required | |-----------------|----------------------|-------------------------------------------|---------|----------| | `forward_to` | `list(LogsReceiver)` | List of receivers to send log entries to. | | yes | | `relabel_rules` | `RelabelRules` | Relabeling rules to apply on log entries. | “{}” | no | The `relabel_rules` field can make use of the `rules` export value from a [loki.relabel](../loki.relabel/) component to apply one or more relabeling rules to log entries before they’re forwarded to the list of receivers in `forward_to`. ## Blocks The following blocks are supported inside the definition of `loki.source.syslog`: Expand table | Hierarchy | Name | Description | Required | |---------------------------|----------------------------------|-----------------------------------------------------------------------------|----------| | listener | [listener](#listener-block) | Configures a listener for IETF Syslog (RFC5424) messages. | no | | listener > tls\_config | [tls\_config](#tls_config-block) | Configures TLS settings for connecting to the endpoint for TCP connections. | no | The `>` symbol indicates deeper levels of nesting. For example, `config > tls_config` refers to a `tls_config` block defined inside a `config` block. ### listener block The `listener` block defines the listen address and protocol where the listener expects syslog messages to be sent to, as well as its behavior when receiving messages. The following arguments can be used to configure a `listener`. Only the `address` field is required and any omitted fields take their default values. Expand table | Name | Type | Description | Default | Required | |--------------------------|---------------|-------------------------------------------------------------------------------|----------|----------| | `address` | `string` | The `` address to listen to for syslog messages. | | yes | | `protocol` | `string` | The protocol to listen to for syslog messages. Must be either `tcp` or `udp`. | `tcp` | no | | `idle_timeout` | `duration` | The idle timeout for tcp connections. | `"120s"` | no | | `label_structured_data` | `bool` | Whether to translate syslog structured data to loki labels. | `false` | no | | `labels` | `map(string)` | The labels to associate with each received syslog record. | `{}` | no | | `use_incoming_timestamp` | `bool` | Whether to set the timestamp to the incoming syslog record timestamp. | `false` | no | | `use_rfc5424_message` | `bool` | Whether to forward the full RFC5424-formatted syslog message. | `false` | no | | `max_message_length` | `int` | The maximum limit to the length of syslog messages. | `8192` | no | By default, the component assigns the log entry timestamp as the time it was processed. The `labels` map is applied to every message that the component reads. All header fields from the parsed RFC5424 messages are brought in as internal labels, prefixed with `__syslog_`. If `label_structured_data` is set, structured data in the syslog header is also translated to internal labels in the form of `__syslog_message_sd__`. For example, a structured data entry of `[example@99999 test="yes"]` becomes the label `__syslog_message_sd_example_99999_test` with the value `"yes"`. ### tls\_config block Expand table | Name | Type | Description | Default | Required | |------------------------|----------|----------------------------------------------------------|---------|----------| | `ca_pem` | `string` | CA PEM-encoded text to validate the server with. | | no | | `ca_file` | `string` | CA certificate to validate the server with. | | no | | `cert_pem` | `string` | Certificate PEM-encoded text for client authentication. | | no | | `cert_file` | `string` | Certificate file for client authentication. | | no | | `insecure_skip_verify` | `bool` | Disables validation of the server certificate. | | no | | `key_file` | `string` | Key file for client authentication. | | no | | `key_pem` | `secret` | Key PEM-encoded text for client authentication. | | no | | `min_version` | `string` | Minimum acceptable TLS version. | | no | | `server_name` | `string` | ServerName extension to indicate the name of the server. | | no | The following pairs of arguments are mutually exclusive and can’t both be set simultaneously: - `ca_pem` and `ca_file` - `cert_pem` and `cert_file` - `key_pem` and `key_file` When configuring client authentication, both the client certificate (using `cert_pem` or `cert_file`) and the client key (using `key_pem` or `key_file`) must be provided. When `min_version` is not provided, the minimum acceptable TLS version is inherited from Go’s default minimum version, TLS 1.2. If `min_version` is provided, it must be set to one of the following strings: - `"TLS10"` (TLS 1.0) - `"TLS11"` (TLS 1.1) - `"TLS12"` (TLS 1.2) - `"TLS13"` (TLS 1.3) ## Exported fields `loki.source.syslog` does not export any fields. ## Component health `loki.source.syslog` is only reported as unhealthy if given an invalid configuration. ## Debug information `loki.source.syslog` exposes some debug information per syslog listener: - Whether the listener is currently running. - The listen address. - The labels that the listener applies to incoming log entries. ## Debug metrics - `loki_source_syslog_entries_total` (counter): Total number of successful entries sent to the syslog component. - `loki_source_syslog_parsing_errors_total` (counter): Total number of parsing errors while receiving syslog messages. - `loki_source_syslog_empty_messages_total` (counter): Total number of empty messages received from the syslog component. ## Example This example listens for Syslog messages in valid RFC5424 format over TCP and UDP in the specified ports and forwards them to a `loki.write` component. Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```alloy loki.source.syslog "local" { listener { address = "127.0.0.1:51893" labels = { component = "loki.source.syslog", protocol = "tcp" } } listener { address = "127.0.0.1:51898" protocol = "udp" labels = { component = "loki.source.syslog", protocol = "udp"} } forward_to = [loki.write.local.receiver] } loki.write "local" { endpoint { url = "loki:3100/api/v1/push" } } ``` ## Compatible components `loki.source.syslog` can accept arguments from the following components: - Components that export [Loki `LogsReceiver`](../../compatibility/#loki-logsreceiver-exporters) > Note > > Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.