Menu

Caution

Grafana Alloy is the new name for our distribution of the OTel collector. Grafana Agent has been deprecated and is in Long-Term Support (LTS) through October 31, 2025. Grafana Agent will reach an End-of-Life (EOL) on November 1, 2025. Read more about why we recommend migrating to Grafana Alloy.

Important: This documentation is about an older version. It's relevant only to the release noted, many of the features and functions have been updated or replaced. Please view the current version.

Open source

loki.source.syslog

loki.source.syslog listens for syslog messages over TCP or UDP connections and forwards them to other loki.* components. The messages must be compliant with the RFC5424 format.

The component starts a new syslog listener for each of the given config blocks and fans out incoming entries to the list of receivers in forward_to.

Multiple loki.source.syslog components can be specified by giving them different labels.

Usage

river
loki.source.syslog "LABEL" {
  listener {
    address = "LISTEN_ADDRESS"
  }
  ...

  forward_to = RECEIVER_LIST
}

Arguments

loki.source.syslog supports the following arguments:

NameTypeDescriptionDefaultRequired
forward_tolist(LogsReceiver)List of receivers to send log entries to.yes
relabel_rulesRelabelRulesRelabeling rules to apply on log entries.“{}”no

The relabel_rules field can make use of the rules export value from a loki.relabel component to apply one or more relabeling rules to log entries before they’re forwarded to the list of receivers in forward_to.

Blocks

The following blocks are supported inside the definition of loki.source.syslog:

HierarchyNameDescriptionRequired
listenerlistenerConfigures a listener for IETF Syslog (RFC5424) messages.no
listener > tls_configtls_configConfigures TLS settings for connecting to the endpoint for TCP connections.no

The > symbol indicates deeper levels of nesting. For example, config > tls_config refers to a tls_config block defined inside a config block.

listener block

The listener block defines the listen address and protocol where the listener expects syslog messages to be sent to, as well as its behavior when receiving messages.

The following arguments can be used to configure a listener. Only the address field is required and any omitted fields take their default values.

NameTypeDescriptionDefaultRequired
addressstringThe <host:port> address to listen to for syslog messages.yes
protocolstringThe protocol to listen to for syslog messages. Must be either tcp or udp.tcpno
idle_timeoutdurationThe idle timeout for tcp connections."120s"no
label_structured_databoolWhether to translate syslog structured data to loki labels.falseno
labelsmap(string)The labels to associate with each received syslog record.{}no
use_incoming_timestampboolWhether to set the timestamp to the incoming syslog record timestamp.falseno
use_rfc5424_messageboolWhether to forward the full RFC5424-formatted syslog message.falseno
max_message_lengthintThe maximum limit to the length of syslog messages.8192no

By default, the component assigns the log entry timestamp as the time it was processed.

The labels map is applied to every message that the component reads.

All header fields from the parsed RFC5424 messages are brought in as internal labels, prefixed with __syslog_.

If label_structured_data is set, structured data in the syslog header is also translated to internal labels in the form of __syslog_message_sd_<ID>_<KEY>. For example, a structured data entry of [example@99999 test="yes"] becomes the label __syslog_message_sd_example_99999_test with the value "yes".

tls_config block

NameTypeDescriptionDefaultRequired
ca_pemstringCA PEM-encoded text to validate the server with.no
ca_filestringCA certificate to validate the server with.no
cert_pemstringCertificate PEM-encoded text for client authentication.no
cert_filestringCertificate file for client authentication.no
key_pemsecretKey PEM-encoded text for client authentication.no
key_filestringKey file for client authentication.no
server_namestringServerName extension to indicate the name of the server.no
insecure_skip_verifyboolDisables validation of the server certificate.no
min_versionstringMinimum acceptable TLS version.no

The following pairs of arguments are mutually exclusive and cannot both be set simultaneously:

  • ca_pem and ca_file
  • cert_pem and cert_file
  • key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

When min_version is not provided, the minimum acceptable TLS version is inherited from Go’s default minimum version, TLS 1.2. If min_version is provided, it must be set to one of the following strings:

  • "TLS10" (TLS 1.0)
  • "TLS11" (TLS 1.1)
  • "TLS12" (TLS 1.2)
  • "TLS13" (TLS 1.3)

Exported fields

loki.source.syslog does not export any fields.

Component health

loki.source.syslog is only reported as unhealthy if given an invalid configuration.

Debug information

loki.source.syslog exposes some debug information per syslog listener:

  • Whether the listener is currently running.
  • The listen address.
  • The labels that the listener applies to incoming log entries.

Debug metrics

  • loki_source_syslog_entries_total (counter): Total number of successful entries sent to the syslog component.
  • loki_source_syslog_parsing_errors_total (counter): Total number of parsing errors while receiving syslog messages.
  • loki_source_syslog_empty_messages_total (counter): Total number of empty messages received from the syslog component.

Example

This example listens for Syslog messages in valid RFC5424 format over TCP and UDP in the specified ports and forwards them to a loki.write component.

river
loki.source.syslog "local" {
  listener {
    address  = "127.0.0.1:51893"
    labels   = { component = "loki.source.syslog", protocol = "tcp" }
  }

  listener {
    address  = "127.0.0.1:51898"
    protocol = "udp"
    labels   = { component = "loki.source.syslog", protocol = "udp"}
  }

  forward_to = [loki.write.local.receiver]
}

loki.write "local" {
  endpoint {
    url = "loki:3100/api/v1/push"
  }
}