otelcol.receiver.syslog
Public preview: This is a public preview component. Public preview components are subject to breaking changes, and may be replaced with equivalent functionality that cover the same use case. To enable and use a public preview component, you must set the
stability.levelflag topublic-previewor below.
otelcol.receiver.syslog accepts syslog messages over the network and forwards them as logs to other otelcol.* components.
It supports syslog protocols RFC5424 and RFC3164 and can receive data over TCP or UDP.
Note
otelcol.receiver.syslogis a wrapper over the upstream OpenTelemetry Collectorsyslogreceiver. Bug reports or feature requests will be redirected to the upstream repository, if necessary.
You can specify multiple otelcol.receiver.syslog components by giving them different labels.
Usage
otelcol.receiver.syslog "<LABEL>" {
tcp { ... }
udp { ... }
output {
logs = [...]
}
}Arguments
You can use the following arguments with otelcol.receiver.syslog:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
allow_skip_pri_header | bool | Allow parsing records without a priority header. | false | no |
enable_octet_counting | bool | Whether to enable RFC6587 octet counting. | false | no |
location | string | The geographic time zone to use when parsing an RFC3164 timestamp. | "UTC" | no |
max_octets | int | The maximum octets for messages when octet counting is enabled. | 8192 | no |
non_transparent_framing_trailer | string | The framing trailer when using RFC6587 Non-Transparent-Framing. | no | |
on_error | string | The action to take when an error occurs. | "send" | no |
protocol | string | The syslog protocol that the syslog server supports. | "rfc5424" | no |
The protocol argument specifies the syslog format supported by the receiver.
protocol must be one of rfc5424 or rfc3164
The location argument specifies a Time Zone identifier. The available locations depend on the local IANA Time Zone database.
Refer to the list of tz database time zones in Wikipedia for a non-comprehensive list.
The non_transparent_framing_trailer and enable_octet_counting arguments specify TCP syslog behavior as defined in RFC6587.
These arguments are mutually exclusive.
They can’t be used with a UDP syslog listener configured.
If configured, the non_transparent_framing_trailer argument must be one of LF, NUL.
The on_error argument can take the following values:
drop: Drop the message.drop_quiet: Same asdropbut logs are emitted at debug level.send: Send the message even if it failed to process. This may result in an error downstream.send_quiet: Same assendbut logs are emitted at debug level.
Blocks
You can use the following blocks with otelcol.receiver.syslog:
| Block | Description | Required |
|---|---|---|
output | Configures where to send received telemetry data. | yes |
debug_metrics | Configures the metrics that this component generates to monitor its state. | no |
retry_on_failure | Configures the retry behavior when the receiver encounters an error downstream in the pipeline. | no |
tcp | Configures a TCP syslog server to receive syslog messages. | no* |
tcp > multiline | Configures rules for multiline parsing of incoming messages | no |
tcp > tls | Configures TLS for the TCP syslog server. | no |
tcp > tls > tpm | Configures TPM settings for the TLS key_file. | no |
udp | Configures a UDP syslog server to receive syslog messages. | no* |
udp > async | Configures rules for asynchronous parsing of incoming messages. | no |
udp > multiline | Configures rules for multiline parsing of incoming messages. | no |
The > symbol indicates deeper levels of nesting.
For example, tcp > tls refers to a tls block defined inside a tcp block.
A syslog receiver must have either a udp or tcp block configured.
output
RequiredThe output block configures a set of components to forward resulting telemetry data to.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
logs | list(otelcol.Consumer) | List of consumers to send logs to. | [] | no |
metrics | list(otelcol.Consumer) | List of consumers to send metrics to. | [] | no |
traces | list(otelcol.Consumer) | List of consumers to send traces to. | [] | no |
You must specify the output block, but all its arguments are optional.
By default, telemetry data is dropped.
Configure the metrics, logs, and traces arguments accordingly to send telemetry data to other components.
debug_metrics
The debug_metrics block configures the metrics that this component generates to monitor its state.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
disable_high_cardinality_metrics | boolean | Whether to disable certain high cardinality metrics. | true | no |
disable_high_cardinality_metrics is the Alloy equivalent to the telemetry.disableHighCardinalityMetrics feature gate in the OpenTelemetry Collector.
It removes attributes that could cause high cardinality metrics.
For example, attributes with IP addresses and port numbers in metrics about HTTP and gRPC connections are removed.
Note
If configured,
disable_high_cardinality_metricsonly applies tootelcol.exporter.*andotelcol.receiver.*components.
retry_on_failure
The retry_on_failure block configures the retry behavior when the receiver encounters an error downstream in the pipeline.
A backoff algorithm is used to delay the retry upon subsequent failures.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
enabled | bool | If true, the receiver will pause reading a file and attempt to resend the current batch of logs on error. | false | no |
initial_interval | duration | The time to wait after first failure to retry. | 1s | no |
max_elapsed_time | duration | The maximum age of a message before the data is discarded. | 5m | no |
max_interval | duration | The maximum time to wait after applying backoff logic. | 30s | no |
If max_elapsed_time is set to 0, data will never be discarded.
tcp
The tcp block configures a TCP syslog server.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
listen_address | string | The <host:port> address to listen to for syslog messages. | yes | |
add_attributes | bool | Add net.* attributes to log messages according to OpenTelemetry semantic conventions. | false | no |
encoding | string | The encoding of the syslog messages. | utf-8 | no |
max_log_size | string | The maximum size of a log entry to read before failing. | 1MiB | no |
one_log_per_packet | bool | Skip log tokenization, improving performance when messages always contain one log and multiline isn’t used. | false | no |
preserve_leading_whitespaces | bool | Preserves leading whitespace in messages when set to true. | false | no |
preserve_trailing_whitespaces | bool | Preserves trailing whitespace in messages when set to true. | false | no |
The encoding argument specifies the encoding of the incoming syslog messages.
encoding must be one of utf-8, utf-16le, utf-16be, ascii, big5, nop.
Refer to the upstream receiver documentation for more details.
The max_log_size argument has a minimum value of 64KiB
multiline
The multiline block configures logic for splitting incoming log entries.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
line_end_pattern | string | A regular expression that matches the end of a log entry. | no | |
line_start_pattern | string | A regular expression that matches the beginning of a log entry. | no | |
omit_pattern | bool | Omit the start/end pattern from the split log entries. | false | no |
A multiline block must contain either line_start_pattern or line_end_pattern.
If a multiline block isn’t set, log entries won’t be split.
tls
The tls block configures TLS settings used for a server. If the tls block
isn’t provided, TLS won’t be used for connections to the server.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
ca_file | string | Path to the CA file. | no | |
ca_pem | string | CA PEM-encoded text to validate the server with. | no | |
cert_file | string | Path to the TLS certificate. | no | |
cert_pem | string | Certificate PEM-encoded text for client authentication. | no | |
cipher_suites | list(string) | A list of TLS cipher suites that the TLS transport can use. | [] | no |
client_ca_file | string | Path to the TLS cert to use by the server to verify a client certificate. | no | |
curve_preferences | list(string) | Set of elliptic curves to use in a handshake. | [] | no |
include_system_ca_certs_pool | boolean | Whether to load the system certificate authorities pool alongside the certificate authority. | false | no |
key_file | string | Path to the TLS certificate key. | no | |
key_pem | secret | Key PEM-encoded text for client authentication. | no | |
max_version | string | Maximum acceptable TLS version for connections. | "TLS 1.3" | no |
min_version | string | Minimum acceptable TLS version for connections. | "TLS 1.2" | no |
reload_interval | duration | The duration after which the certificate is reloaded. | "0s" | no |
If reload_interval is set to "0s", the certificate never reloaded.
The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:
ca_pemandca_filecert_pemandcert_filekey_pemandkey_file
If cipher_suites is left blank, a safe default list is used.
Refer to the Go Cipher Suites documentation for a list of supported cipher suites.
client_ca_file sets the ClientCA and ClientAuth to RequireAndVerifyClientCert in the TLSConfig.
Refer to the Go TLS documentation for more information.
The curve_preferences argument determines the set of elliptic curves to prefer during a handshake in preference order.
If not provided, a default list is used.
The set of elliptic curves available are X25519, P521, P256, and P384.
tpm
The tpm block configures retrieving the TLS key_file from a trusted device.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
auth | string | The authorization value used to authenticate the TPM device. | "" | no |
enabled | bool | Load the tls.key_file from TPM. | false | no |
owner_auth | string | The owner authorization value used to authenticate the TPM device. | "" | no |
path | string | Path to the TPM device or Unix domain socket. | "" | no |
The trusted platform module (TPM) configuration can be used for loading TLS key from TPM. Currently only TSS2 format is supported.
The path attribute is not supported on Windows.
Example
otelcol.example.component "<LABEL>" {
...
tls {
...
key_file = "my-tss2-key.key"
tpm {
enabled = true
path = "/dev/tpmrm0"
}
}
}In the above example, the private key my-tss2-key.key in TSS2 format will be loaded from the TPM device /dev/tmprm0.
udp
The udp block configures a UDP syslog server.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
listen_address | string | The <host:port> address to listen to for syslog messages. | yes | |
add_attributes | bool | Add net.* attributes to log messages according to OpenTelemetry semantic conventions. | false | no |
encoding | string | The encoding of the syslog messages. | utf-8 | no |
one_log_per_packet | bool | Skip log tokenization, improving performance when messages always contain one log and multiline isn’t used. | false | no |
preserve_leading_whitespaces | bool | Preserves leading whitespace in messages when set to true. | false | no |
preserve_trailing_whitespaces | bool | Preserves trailing whitespace in messages when set to true. | false | no |
The encoding argument specifies the encoding of the incoming syslog messages.
encoding must be one of utf-8, utf-16le, utf-16be, ascii, big5, or nop.
Refer to the upstream receiver documentation for more details.
async
The async block configures concurrent asynchronous readers for a UDP syslog server.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
max_queue_length | int | The maximum number of messages to wait for an available processor. | 100 | no |
processors | int | The number of goroutines to concurrently process logs before sending downstream. | 1 | no |
readers | int | The number of goroutines to concurrently read from the UDP syslog server. | 1 | no |
If async isn’t set, a single goroutine will read and process messages synchronously.
Exported fields
otelcol.receiver.syslog doesn’t export any fields.
Component health
otelcol.receiver.syslog is only reported as unhealthy if given an invalid configuration.
Debug information
otelcol.receiver.syslog doesn’t expose any component-specific debug information.
Debug metrics
otelcol.receiver.syslog doesn’t expose any component-specific debug metrics.
Example
This example proxies syslog messages from the otelcol.receiver.syslog receiver to the otelcol.exporter.syslog component, and then sends them on to a loki.source.syslog component before being logged by a loki.echo component.
This shows how the otelcol syslog components can be used to proxy syslog messages before sending them to another destination.
Using the otelcol syslog components in this way results in the messages being forwarded as sent, attempting to use the loki.source.syslog component for a similar proxy use case requires careful mapping of any structured data fields through the otelcol.processor.transform component.
A very simple example of that can be found in the otelcol.exporter.syslog documentation.
otelcol.receiver.syslog "default" {
protocol = "rfc5424"
tcp {
listen_address = "localhost:1515"
}
output {
logs = [otelcol.exporter.syslog.default.input]
}
}
otelcol.exporter.syslog "default" {
endpoint = "localhost"
network = "tcp"
port = 1514
protocol = "rfc5424"
enable_octet_counting = false
tls {
insecure = true
}
}
loki.source.syslog "default" {
listener {
address = "localhost:1514"
protocol = "tcp"
syslog_format = "rfc5424"
label_structured_data = true
use_rfc5424_message = true
}
forward_to = [loki.echo.default.receiver]
}
loki.echo "default" {}Compatible components
otelcol.receiver.syslog can accept arguments from the following components:
- Components that export OpenTelemetry
otelcol.Consumer
Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.
