---
title: "loki.source.syslog | Grafana Alloy documentation"
description: "Learn about loki.source.syslog"
---

# `loki.source.syslog`

`loki.source.syslog` listens for syslog messages over TCP or UDP connections and forwards them to other `loki.*` components. The messages must be compliant with the [RFC5424](https://www.rfc-editor.org/rfc/rfc5424) syslog protocol or the [RFC3164](https://datatracker.ietf.org/doc/html/rfc3164) BSD syslog protocol. For a detailed example, refer to the [Monitor RFC5424-compliant syslog messages with Grafana Alloy](/docs/alloy/latest/monitor/monitor-syslog-messages/) scenario.

> Note
> 
> If your messages don’t conform to either RFC5424 or RFC3164, for example CEF logs, you can use the `raw` syslog format with the [`loki.process`](../loki.process.md) component to parse non-standard content.
> 
> If you receive RFC3164 messages from Cisco IOS devices that include non-standard Cisco extensions, use `syslog_format = "rfc3164"` with the [`rfc3164_cisco_components`](#rfc3164_cisco_components) block.
> 
> The `raw` syslog format is an [experimental](/docs/release-life-cycle/) feature.

The component starts a new syslog listener for each `listener` block and fans out entries to the list of receivers in `forward_to`.

You can run multiple `loki.source.syslog` components with different labels.

## Usage

```alloy
loki.source.syslog "<LABEL>" {
  listener {
    address = "<LISTEN_ADDRESS>"
  }
  ...

  forward_to = <RECEIVER_LIST>
}
```

## Arguments

You can use the following arguments with `loki.source.syslog`:

| Name            | Type                 | Description                               | Default | Required |
|-----------------|----------------------|-------------------------------------------|---------|----------|
| `forward_to`    | `list(LogsReceiver)` | List of receivers to send log entries to. |         | yes      |
| `relabel_rules` | `RelabelRules`       | Relabel rules for log entries.            | `{}`    | no       |

The `relabel_rules` field accepts the `rules` export from a [`loki.relabel`](../loki.relabel/) component. It applies the rules to log entries before `loki.source.syslog` forwards them to `forward_to`.

`loki.source.syslog` applies the following labels to log entries from the client information if possible.

- `__syslog_connection_ip_address`
- `__syslog_connection_hostname`

`loki.source.syslog` applies the following labels to log entries when the syslog message contains them.

- `__syslog_message_severity`
- `__syslog_message_facility`
- `__syslog_message_hostname`
- `__syslog_message_app_name`
- `__syslog_message_proc_id`
- `__syslog_message_msg_id`
- `__syslog_message_msg_counter`
- `__syslog_message_sequence`

If `label_structured_data` is `true` and the parsed message has [RFC5424](https://www.rfc-editor.org/rfc/rfc5424) structured data, the component adds labels with the prefix `__syslog_message_sd_` to the log entry. For example, structured data of `[example@99999 test="value"]` produces the label `__syslog_message_sd_example_99999_test` with a value of `value`.

The syslog source removes all labels with a `__` prefix before it passes log entries to the next component in the pipeline. To keep the `__syslog_` labels, use rules in the `relabel_rules` argument to move them to labels that don’t have a `__` prefix. The following relabel example keeps all `__syslog_` labels when `loki.source.syslog` passes entries to the next component in the pipeline.

```alloy
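loki.relabel "syslog" {
  // loki.relabel requires forward_to; it stays empty because only the
  // rules export is consumed through relabel_rules.
  forward_to = []

  // Copy every __syslog_<name> label to <name> so it survives the __ cleanup.
  rule {
    action = "labelmap"
    regex  = "__syslog_(.+)"
  }
}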
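
How the `rules` export connects to the source through `relabel_rules`, as an added example that isn't part of the original documentation. Instead of mapping every `__syslog_` label, it promotes a fixed set and keeps the address the listener observed separate from the hostname the message header contains. The component labels `selected`, `edge`, and `default`, the target label names, and the Loki URL are assumptions.

```alloy
// Added example: component labels, target label names, and the URL are assumptions.
loki.relabel "selected" {
  // Only the rules export is used, so nothing is forwarded from here.
  forward_to = []

  // Address taken from the client connection information.
  rule {
    source_labels = ["__syslog_connection_ip_address"]
    target_label  = "source_ip"
  }

  // Hostname taken from the syslog header, as written by the sender.
  rule {
    source_labels = ["__syslog_message_hostname"]
    target_label  = "claimed_host"
  }

  rule {
    source_labels = ["__syslog_message_severity"]
    target_label  = "severity"
  }

  rule {
    source_labels = ["__syslog_message_app_name"]
    target_label  = "app"
  }
}

loki.source.syslog "edge" {
  listener {
    address = "127.0.0.1:51893"
  }

  // Applied before the component strips labels with a __ prefix.
  relabel_rules = loki.relabel.selected.rules
  forward_to    = [loki.write.default.receiver]
}

loki.write "default" {
  endpoint {
    url = "http://loki:3100/loki/api/v1/push"
  }
}
```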

## Blocks

You can use the following blocks with `loki.source.syslog`:

### `listener`

The `listener` block defines the listen address and protocol for syslog messages, and sets behavior options for how the component handles them.

You can configure a `listener` with the following arguments. Only the `address` field is required. Omitted fields take their default values.

| Name                              | Type          | Description                                                                                                                                           | Default     | Required |
|-----------------------------------|---------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------|
| `address`                         | `string`      | The `<host:port>` address to listen to for syslog messages.                                                                                           |             | yes      |
| `idle_timeout`                    | `duration`    | The idle timeout for TCP connections.                                                                                                                 | `"120s"`    | no       |
| `label_structured_data`           | `bool`        | Whether to translate syslog structured data to Loki labels.                                                                                           | `false`     | no       |
| `labels`                          | `map(string)` | The labels to associate with each received syslog record.                                                                                             | `{}`        | no       |
| `max_message_length`              | `int`         | The maximum limit to the length of syslog messages.                                                                                                   | `8192`      | no       |
| `protocol`                        | `string`      | The protocol to listen to for syslog messages. Must be either `tcp` or `udp`.                                                                         | `"tcp"`     | no       |
| `rfc3164_default_to_current_year` | `bool`        | Whether to default the incoming timestamp of an `rfc3164` message to the current year.                                                                | `false`     | no       |
| `rfc5424_allow_empty_msg`         | `bool`        | Whether to forward RFC5424 messages with empty MSG content. When `false`, such messages are dropped. Only applies when `syslog_format` is `rfc5424`.  | `false`     | no       |
| `syslog_format`                   | `string`      | The format for incoming messages. See [supported formats](#supported-formats).                                                                        | `"rfc5424"` | no       |
| `udp_host_cache_size`             | `int`         | The capacity of the LRU cache for reverse-DNS hostname lookups. Only applies when `protocol` is `udp`.                                                | `128`       | no       |
| `udp_queue_size`                  | `int`         | The maximum number of UDP datagrams that can wait in the internal processing queue before the listener blocks. Only applies when `protocol` is `udp`. | `10`        | no       |
| `use_incoming_timestamp`          | `bool`        | Whether to set the timestamp to the incoming syslog record timestamp.                                                                                 | `false`     | no       |
| `use_rfc5424_message`             | `bool`        | Whether to forward the full RFC5424-formatted syslog message.                                                                                         | `false`     | no       |

By default, the component uses the time it processes the log entry as the timestamp.

The `labels` map is applied to every message that the component reads.

When `protocol` is `udp`, `udp_queue_size` sets how many datagrams can wait for processing. The UDP listener waits to read more datagrams when the queue is full.

When `protocol` is `udp`, `udp_host_cache_size` sets the capacity of the LRU cache for reverse-DNS hostname lookups. Caching reduces DNS query overhead when many datagrams arrive from the same source addresses.

All header fields from parsed RFC5424 and RFC3164 messages become internal labels, prefixed with `__syslog_`.

If you set `label_structured_data` to `true`, the component also translates structured data in the syslog header to internal labels in the form `__syslog_message_sd_<ID>_<KEY>`. For example, a structured data entry of `[example@99999 test="yes"]` becomes the label `__syslog_message_sd_example_99999_test` with the value `"yes"`.

The `rfc3164_default_to_current_year` argument is only relevant when `use_incoming_timestamp` is also `true`. `rfc3164` message timestamps don’t contain a year. By default, the component leaves the year as `0` to match Promtail behavior. When `rfc3164_default_to_current_year` is `true`, the component sets the year of the received timestamp to the current year, using the local time of the Alloy instance.

> Note
> 
> You can’t use the `rfc3164_default_to_current_year`, `use_incoming_timestamp`, and `use_rfc5424_message` fields when `syslog_format` is `raw`.

#### Supported formats

- **`rfc3164`** A legacy syslog format, also known as BSD syslog. Example: `<34>Oct 11 22:14:15 my-server-01 sshd[1234]: Failed password for root from 192.168.1.10 port 22 ssh2`. `loki.source.syslog` drops messages with empty MSG content and increments the `loki_source_syslog_empty_messages_total` counter.
- **`rfc5424`** A modern, structured syslog format. Uses ISO 8601 for timestamps. Example: `<165>1 2025-12-18T00:33:00Z web01 nginx - - [audit@123 id="456"] Login failed`. `loki.source.syslog` drops messages with empty MSG content by default. Set `rfc5424_allow_empty_msg` to `true` to forward them. `loki.source.syslog` increments the `loki_source_syslog_empty_messages_total` counter in both cases for debugging.
- **`raw`** Disables log line parsing. This format allows receiving non-RFC5424 compliant logs, such as [CEF](https://www.splunk.com/en_us/blog/learn/common-event-format-cef.html). Raw logs can be forwarded to a [`loki.process`](./loki.process.md) component for parsing. `loki.source.syslog` drops messages with nil or empty body and increments the `loki_source_syslog_empty_messages_total` counter.

> Note
> 
> The `raw` format is an [experimental](/docs/release-life-cycle/) feature. Experimental features are subject to frequent breaking changes, and may be removed with no equivalent replacement. To enable and use an experimental feature, you must set the `stability.level` [flag](/docs/alloy/next/reference/cli/run/) to `experimental`.

### `raw_format_options`

> **EXPERIMENTAL**: This is an [experimental](/docs/release-life-cycle/) feature. Experimental features are subject to frequent breaking changes, and may be removed with no equivalent replacement. To enable and use an experimental feature, you must set the `stability.level` [flag](/docs/alloy/next/reference/cli/run/) to `experimental`.

The `raw_format_options` block sets options for the `raw` syslog format.

> Note
> 
> This block can only be used when you set `syslog_format` to `raw`.

The following argument is supported:

| Name                            | Type   | Description                              | Default | Required |
|---------------------------------|--------|------------------------------------------|---------|----------|
| `use_null_terminator_delimiter` | `bool` | Split log lines on `\0` instead of `\n`. | `false` | no       |

### `rfc3164_cisco_components`

> **EXPERIMENTAL**: This is an [experimental](/docs/release-life-cycle/) feature. Experimental features are subject to frequent breaking changes, and may be removed with no equivalent replacement. To enable and use an experimental feature, you must set the `stability.level` [flag](/docs/alloy/next/reference/cli/run/) to `experimental`.

The `rfc3164_cisco_components` block adds support for non-standard Cisco IOS syslog extensions.

> Note
> 
> This block can only be used when you set `syslog_format` to `rfc3164`.

The following arguments are supported:

| Name               | Type   | Description                                      | Default | Required |
|--------------------|--------|--------------------------------------------------|---------|----------|
| `enable_all`       | `bool` | Enables all components below.                    | `false` | no       |
| `message_counter`  | `bool` | Enables syslog message counter field parsing.    | `false` | no       |
| `sequence_number`  | `bool` | Enables service sequence number field parsing.   | `false` | no       |
| `hostname`         | `bool` | Enables origin hostname field parsing.           | `false` | no       |
| `second_fractions` | `bool` | Enables milliseconds parsing in timestamp field. | `false` | no       |

> Note
> 
> At least one option has to be enabled if `enable_all` is set to `false`.

> Caution
> 
> The `rfc3164_cisco_components` configuration must match your Cisco device configuration. `loki.source.syslog` can’t auto-detect which components are present because they share similar formats.

#### Cisco Device Configuration

```none
conf t

! Enable message counter (on by default for remote logging)
logging host 10.0.0.10

! Add service sequence numbers
service sequence-numbers

! Add origin hostname
logging origin-id hostname

! Enable millisecond timestamps
service timestamps log datetime msec localtime

! Recommended: Enable NTP to remove asterisk
ntp server <your-ntp-server>
```

#### Current Limitations

- **Component Ordering**: When Cisco components are selectively disabled on the device but the parser expects them, parsing will fail or produce incorrect results. Always match your parser configuration to your device configuration.
- **Structured Data**: Messages with RFC5424-style structured data blocks (from `logging host X session-id` or `sequence-num-session`) are not currently supported. See the [upstream issue](https://github.com/leodido/go-syslog/issues/35) for details.

### `tls_config`

| Name                   | Type     | Description                                              | Default | Required |
|------------------------|----------|----------------------------------------------------------|---------|----------|
| `ca_pem`               | `string` | CA PEM-encoded text to validate the server with.         |         | no       |
| `ca_file`              | `string` | CA certificate to validate the server with.              |         | no       |
| `cert_pem`             | `string` | Certificate PEM-encoded text for client authentication.  |         | no       |
| `cert_file`            | `string` | Certificate file for client authentication.              |         | no       |
| `insecure_skip_verify` | `bool`   | Disables validation of the server certificate.           |         | no       |
| `key_file`             | `string` | Key file for client authentication.                      |         | no       |
| `key_pem`              | `secret` | Key PEM-encoded text for client authentication.          |         | no       |
| `min_version`          | `string` | Minimum acceptable TLS version.                          |         | no       |
| `server_name`          | `string` | ServerName extension to indicate the name of the server. |         | no       |

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

- `ca_pem` and `ca_file`
- `cert_pem` and `cert_file`
- `key_pem` and `key_file`

When configuring client authentication, both the client certificate (using `cert_pem` or `cert_file`) and the client key (using `key_pem` or `key_file`) must be provided.

When `min_version` isn’t provided, the minimum acceptable TLS version is inherited from Go’s default minimum version, TLS 1.2. If `min_version` is provided, it must be set to one of the following strings:

- `"TLS10"` (TLS 1.0)
- `"TLS11"` (TLS 1.1)
- `"TLS12"` (TLS 1.2)
- `"TLS13"` (TLS 1.3)
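
A TCP listener that presents a certificate and sets an explicit TLS floor, as an added example that isn't part of the original documentation. It assumes `tls_config` is nested inside the `listener` block. The component labels, listen address, file paths, and Loki URL are placeholders.

```alloy
// Added example: component labels, address, file paths, and the URL are placeholders.
loki.source.syslog "tls" {
  listener {
    address  = "0.0.0.0:6514"
    protocol = "tcp"
    labels   = { component = "loki.source.syslog", transport = "tls" }

    // Close connections that stay silent; the value shown is the default.
    idle_timeout = "120s"

    // Assumed placement: tls_config sits inside the listener it protects.
    tls_config {
      // cert_file and key_file are given as a pair; their *_pem
      // counterparts are mutually exclusive with them.
      cert_file = "/etc/alloy/tls/syslog.crt"
      key_file  = "/etc/alloy/tls/syslog.key"

      // Weak setting: min_version = "TLS10" also admits TLS 1.0 and 1.1.
      // Stating the floor keeps it from depending on the inherited default.
      min_version = "TLS12"
    }
  }

  forward_to = [loki.write.default.receiver]
}

loki.write "default" {
  endpoint {
    url = "http://loki:3100/loki/api/v1/push"
  }
}
```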

## Exported fields

`loki.source.syslog` doesn’t export any fields.

## Component health

`loki.source.syslog` is only reported as unhealthy if given an invalid configuration.

## Debug information

`loki.source.syslog` exposes some debug information per syslog listener:

- Whether the listener is active.
- The listen address.
- The labels that the listener applies to log entries.

## Debug metrics

- `loki_source_syslog_empty_messages_total` `counter`: Total number of empty messages the syslog component received.
- `loki_source_syslog_entries_total` `counter`: Total number of successful entries the syslog component sent.
- `loki_source_syslog_parsing_errors_total` `counter`: Total number of parse errors from the syslog component.

## Example

The following example listens for RFC5424 syslog messages over TCP and UDP and forwards them to a `loki.write` component.

```alloy
loki.source.syslog "local" {
  listener {
    address  = "127.0.0.1:51893"
    labels   = { component = "loki.source.syslog", protocol = "tcp" }
  }

  listener {
    address  = "127.0.0.1:51898"
    protocol = "udp"
    labels   = { component = "loki.source.syslog", protocol = "udp" }
  }

  forward_to = [loki.write.local.receiver]
}

loki.write "local" {
  endpoint {
    url = "http://loki:3100/loki/api/v1/push"
  }
}
```

## Compatible components

`loki.source.syslog` can accept arguments from the following components:

- Components that export [Loki `LogsReceiver`](../../../compatibility/#loki-logsreceiver-exporters)

> Note
> 
> Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.
