General availability (GA) Open source

loki.source.syslog

loki.source.syslog listens for syslog messages over TCP or UDP connections and forwards them to other loki.* components. The messages must be compliant with the RFC5424 syslog protocol or the RFC3164 BSD syslog protocol. For a detailed example, refer to the Monitor RFC5424-compliant syslog messages with Grafana Alloy scenario.

Note

If your messages don’t conform to either RFC5424 or RFC3164, for example CEF logs, you can use the raw syslog format with the loki.process component to parse non-standard content.

If you receive RFC3164 messages from Cisco IOS devices that include non-standard Cisco extensions, use syslog_format = "rfc3164" with the rfc3164_cisco_components block.

The raw syslog format is an experimental feature.

The component starts a new syslog listener for each listener block and fans out entries to the list of receivers in forward_to.

You can run multiple loki.source.syslog components with different labels.

Usage

Alloy
loki.source.syslog "<LABEL>" {
  listener {
    address = "<LISTEN_ADDRESS>"
  }
  ...

  forward_to = <RECEIVER_LIST>
}

Arguments

You can use the following arguments with loki.source.syslog:

| Name | Type | Description | Default | Required |
|------|------|-------------|---------|----------|
| forward_to | list(LogsReceiver) | List of receivers to send log entries to. | | yes |
| relabel_rules | RelabelRules | Relabel rules for log entries. | {} | no |

The relabel_rules field accepts the rules export from a loki.relabel component. It applies the rules to log entries before loki.source.syslog forwards them to forward_to.

loki.source.syslog applies the following labels to log entries from the client information if possible.

  • __syslog_connection_ip_address
  • __syslog_connection_hostname

loki.source.syslog applies the following labels to log entries when the syslog message contains them.

  • __syslog_message_severity
  • __syslog_message_facility
  • __syslog_message_hostname
  • __syslog_message_app_name
  • __syslog_message_proc_id
  • __syslog_message_msg_id
  • __syslog_message_msg_counter
  • __syslog_message_sequence

If label_structured_data is true and the parsed message has RFC5424 structured data, the component adds labels with the prefix __syslog_message_sd_ to the log entry. For example, structured data of [example@99999 test="value"] produces the label __syslog_message_sd_example_99999_test with a value of value.

The syslog source removes all labels with a __ prefix before it passes log entries to the next component in the pipeline. To keep the __syslog_ labels, use rules in the relabel_rules argument to move them to labels that don’t have a __ prefix. The following relabel example keeps all __syslog_ labels when loki.source.syslog passes entries to the next component in the pipeline.

Alloy
loki.relabel "syslog" {
  // Only the exported rules are used, so no receivers are needed.
  forward_to = []

  rule {
    action = "labelmap"
    regex  = "__syslog_(.+)"
  }
}
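
The label handling described above, as an added Go sketch that is not Alloy's own code: it derives the __syslog_message_sd_ labels for an RFC5424 line and shows which labels reach the next component with and without the labelmap rule. The function names, the simplified regular expressions, and the rule that non-alphanumeric characters in a label name become _ are assumptions inferred from the page's example@99999 example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	// Sample is the rfc5424 example line from the page's "Supported formats" list.
	Sample  = `<165>1 2025-12-18T00:33:00Z web01 nginx - - [audit@123 id="456"] Login failed`
	hdrRe   = regexp.MustCompile(`^<\d{1,3}>1 \S+ \S+ \S+ \S+ \S+ ((?:\[[^\]]*\])*)`) // header, then SD-ELEMENTs
	elemRe  = regexp.MustCompile(`\[([^ \]="]+)((?: [^ \]="]+="[^"]*")*)\]`)          // [SD-ID k="v" ...], escapes not handled
	paramRe = regexp.MustCompile(` ([^ \]="]+)="([^"]*)"`)
	badRe   = regexp.MustCompile(`[^A-Za-z0-9_]`)   // assumed label-name sanitizer
	mapRe   = regexp.MustCompile(`^__syslog_(.+)$`) // regex from the page's labelmap rule
)

// SDLabels returns the internal labels label_structured_data = true adds for a line.
func SDLabels(line string) map[string]string {
	out := map[string]string{}
	m := hdrRe.FindStringSubmatch(line)
	if m == nil {
		return out // not an RFC5424 line
	}
	for _, e := range elemRe.FindAllStringSubmatch(m[1], -1) {
		for _, p := range paramRe.FindAllStringSubmatch(e[2], -1) {
			out["__syslog_message_sd_"+badRe.ReplaceAllString(e[1]+"_"+p[1], "_")] = p[2]
		}
	}
	return out
}

// Forwarded applies the labelmap rule when enabled, then drops "__"-prefixed labels.
func Forwarded(labels map[string]string, labelmap bool) map[string]string {
	out := map[string]string{}
	for k, v := range labels {
		if m := mapRe.FindStringSubmatch(k); labelmap && m != nil {
			k = m[1]
		}
		if !strings.HasPrefix(k, "__") {
			out[k] = v
		}
	}
	return out
}

func main() {
	fmt.Println(Forwarded(SDLabels(Sample), true), Forwarded(SDLabels(Sample), false))
}
```

Structured data is supplied by the sender, so a labelmap over every __syslog_ label lets each sender decide which label names reach Loki. Mapping only the labels you need keeps that set fixed.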

Blocks

You can use the following blocks with loki.source.syslog:

listener

The listener block defines the listen address and protocol for syslog messages, and sets behavior options for how the component handles them.

You can configure a listener with the following arguments. Only the address field is required. Omitted fields take their default values.

| Name | Type | Description | Default | Required |
|------|------|-------------|---------|----------|
| address | string | The <host:port> address to listen to for syslog messages. | | yes |
| idle_timeout | duration | The idle timeout for TCP connections. | "120s" | no |
| label_structured_data | bool | Whether to translate syslog structured data to Loki labels. | false | no |
| labels | map(string) | The labels to associate with each received syslog record. | {} | no |
| max_message_length | int | The maximum limit to the length of syslog messages. | 8192 | no |
| protocol | string | The protocol to listen to for syslog messages. Must be either tcp or udp. | "tcp" | no |
| rfc3164_default_to_current_year | bool | Whether to default the incoming timestamp of an rfc3164 message to the current year. | false | no |
| rfc5424_allow_empty_msg | bool | Whether to forward RFC5424 messages with empty MSG content. When false, such messages are dropped. Only applies when syslog_format is rfc5424. | false | no |
| syslog_format | string | The format for incoming messages. See supported formats. | "rfc5424" | no |
| use_incoming_timestamp | bool | Whether to set the timestamp to the incoming syslog record timestamp. | false | no |
| use_rfc5424_message | bool | Whether to forward the full RFC5424-formatted syslog message. | false | no |

By default, the component uses the time it processes the log entry as the timestamp.

The labels map is applied to every message that the component reads.

All header fields from parsed RFC5424 and RFC3164 messages become internal labels, prefixed with __syslog_.

If you set label_structured_data to true, the component also translates structured data in the syslog header to internal labels in the form __syslog_message_sd_<ID>_<KEY>. For example, a structured data entry of [example@99999 test="yes"] becomes the label __syslog_message_sd_example_99999_test with the value "yes".

The rfc3164_default_to_current_year argument is only relevant when use_incoming_timestamp is also true. rfc3164 message timestamps don’t contain a year. By default, the component leaves the year as 0 to match Promtail behavior. When rfc3164_default_to_current_year is true, the component sets the year of the received timestamp to the current year, using the local time of the Alloy instance.

Note

You can’t use the rfc3164_default_to_current_year, use_incoming_timestamp, and use_rfc5424_message fields when syslog_format is raw.

Supported formats

  • rfc3164: A legacy syslog format, also known as BSD syslog.
    Example: <34>Oct 11 22:14:15 my-server-01 sshd[1234]: Failed password for root from 192.168.1.10 port 22 ssh2
    loki.source.syslog drops messages with empty MSG content and increments the loki_source_syslog_empty_messages_total counter.
  • rfc5424: A modern, structured syslog format. Uses ISO 8601 for timestamps.
    Example: <165>1 2025-12-18T00:33:00Z web01 nginx - - [audit@123 id="456"] Login failed
    loki.source.syslog drops messages with empty MSG content by default. Set rfc5424_allow_empty_msg to true to forward them. loki.source.syslog increments the loki_source_syslog_empty_messages_total counter in both cases for debugging.
  • raw: Disables log line parsing. This format allows receiving non-RFC5424 compliant logs, such as CEF. Raw logs can be forwarded to a loki.process component for parsing.
    loki.source.syslog drops messages with a nil or empty body and increments the loki_source_syslog_empty_messages_total counter.

Note

The raw format is an experimental feature. Experimental features are subject to frequent breaking changes, and may be removed with no equivalent replacement. To enable and use an experimental feature, you must set the stability.level flag to experimental.

raw_format_options

EXPERIMENTAL: This is an experimental feature. Experimental features are subject to frequent breaking changes, and may be removed with no equivalent replacement. To enable and use an experimental feature, you must set the stability.level flag to experimental.

The raw_format_options block sets options for the raw syslog format.

Note

This block can only be used when you set syslog_format to raw.

The following argument is supported:

| Name | Type | Description | Default | Required |
|------|------|-------------|---------|----------|
| use_null_terminator_delimiter | bool | Split log lines on \0 instead of \n. | false | no |

rfc3164_cisco_components

EXPERIMENTAL: This is an experimental feature. Experimental features are subject to frequent breaking changes, and may be removed with no equivalent replacement. To enable and use an experimental feature, you must set the stability.level flag to experimental.

The rfc3164_cisco_components block adds support for non-standard Cisco IOS syslog extensions.

Note

This block can only be used when you set syslog_format to rfc3164.

The following arguments are supported:

| Name | Type | Description | Default | Required |
|------|------|-------------|---------|----------|
| enable_all | bool | Enables all components below. | false | no |
| message_counter | bool | Enables syslog message counter field parsing. | false | no |
| sequence_number | bool | Enables service sequence number field parsing. | false | no |
| hostname | bool | Enables origin hostname field parsing. | false | no |
| second_fractions | bool | Enables milliseconds parsing in timestamp field. | false | no |

Note

At least one option has to be enabled if enable_all is set to false.

Caution

The rfc3164_cisco_components configuration must match your Cisco device configuration. loki.source.syslog can’t auto-detect which components are present because they share similar formats.

Cisco Device Configuration

conf t

! Enable message counter (on by default for remote logging)
logging host 10.0.0.10

! Add service sequence numbers
service sequence-numbers

! Add origin hostname
logging origin-id hostname

! Enable millisecond timestamps
service timestamps log datetime msec localtime

! Recommended: Enable NTP to remove asterisk
ntp server <your-ntp-server>

Current Limitations

  • Component Ordering: When Cisco components are selectively disabled on the device but the parser expects them, parsing will fail or produce incorrect results. Always match your parser configuration to your device configuration.
  • Structured Data: Messages with RFC5424-style structured data blocks (from logging host X session-id or sequence-num-session) are not currently supported. See the upstream issue for details.

tls_config

| Name | Type | Description | Default | Required |
|------|------|-------------|---------|----------|
| ca_pem | string | CA PEM-encoded text to validate the server with. | | no |
| ca_file | string | CA certificate to validate the server with. | | no |
| cert_pem | string | Certificate PEM-encoded text for client authentication. | | no |
| cert_file | string | Certificate file for client authentication. | | no |
| insecure_skip_verify | bool | Disables validation of the server certificate. | | no |
| key_file | string | Key file for client authentication. | | no |
| key_pem | secret | Key PEM-encoded text for client authentication. | | no |
| min_version | string | Minimum acceptable TLS version. | | no |
| server_name | string | ServerName extension to indicate the name of the server. | | no |

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

  • ca_pem and ca_file
  • cert_pem and cert_file
  • key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

When min_version isn’t provided, the minimum acceptable TLS version is inherited from Go’s default minimum version, TLS 1.2. If min_version is provided, it must be set to one of the following strings:

  • "TLS10" (TLS 1.0)
  • "TLS11" (TLS 1.1)
  • "TLS12" (TLS 1.2)
  • "TLS13" (TLS 1.3)

Exported fields

loki.source.syslog doesn’t export any fields.

Component health

loki.source.syslog is only reported as unhealthy if given an invalid configuration.

Debug information

loki.source.syslog exposes some debug information per syslog listener:

  • Whether the listener is active.
  • The listen address.
  • The labels that the listener applies to log entries.

Debug metrics

  • loki_source_syslog_empty_messages_total (counter): Total number of empty messages the syslog component received.
  • loki_source_syslog_entries_total (counter): Total number of successful entries the syslog component sent.
  • loki_source_syslog_parsing_errors_total (counter): Total number of parse errors from the syslog component.

Example

The following example listens for RFC5424 syslog messages over TCP and UDP and forwards them to a loki.write component.

Alloy
loki.source.syslog "local" {
  listener {
    address  = "127.0.0.1:51893"
    labels   = { component = "loki.source.syslog", protocol = "tcp" }
  }

  listener {
    address  = "127.0.0.1:51898"
    protocol = "udp"
    labels   = { component = "loki.source.syslog", protocol = "udp"}
  }

  forward_to = [loki.write.local.receiver]
}

loki.write "local" {
  endpoint {
    url = "http://loki:3100/loki/api/v1/push"
  }
}

Compatible components

loki.source.syslog can accept arguments from the following components:

Note

Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.