This is documentation for the next version of Alloy. For the latest stable release, go to the latest version.
Public preview
otelcol.receiver.syslog
Public preview: This is a public preview component. Public preview components are subject to breaking changes, and may be replaced with equivalent functionality that cover the same use case. The
stability.levelflag must be set topublic-previewor below to use the component.
otelcol.receiver.syslog accepts syslog messages over the network and forwards them as logs to other otelcol.* components.
It supports syslog protocols RFC5424 and RFC3164 and can receive data over TCP or UDP.
Note
otelcol.receiver.syslogis a wrapper over the upstream OpenTelemetry Collectorsyslogreceiver. Bug reports or feature requests will be redirected to the upstream repository, if necessary.
You can specify multiple otelcol.receiver.syslog components by giving them different labels.
Usage
otelcol.receiver.syslog "LABEL" {
tcp { ... }
udp { ... }
output {
logs = [...]
}
}Arguments
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
protocol | string | The syslog protocol that the syslog server supports. | rfc5424 | no |
location | string | The geographic time zone to use when parsing an RFC3164 timestamp. | UTC | no |
enable_octet_counting | bool | Whether to enable RFC6587 octet counting. | false | no |
max_octets | int | The maximum octets for messages when octet counting is enabled. | 8192 | no |
allow_skip_pri_header | bool | Allow parsing records without a priority header. | false | no |
non_transparent_framing_trailer | string | The framing trailer when using RFC6587 Non-Transparent-Framing. | nil | no |
The protocol argument specifies the syslog format supported by the receiver.
protocol must be one of rfc5424 or rfc3164
The location argument specifies a Time Zone identifier. The available locations depend on the local IANA Time Zone database.
Refer to the list of tz database time zones in Wikipedia for a non-comprehensive list.
The non_transparent_framing_trailer and enable_octet_counting arguments specify TCP syslog behavior as defined in RFC6587.
These arguments are mutually exclusive.
They can’t be used with a UDP syslog listener configured.
If configured, the non_transparent_framing_trailer argument must be one of LF, NUL.
Blocks
The following blocks are supported inside the definition of
otelcol.receiver.syslog:
| Hierarchy | Block | Description | Required |
|---|---|---|---|
| udp | udp | Configures a UDP syslog server to receive syslog messages. | no* |
| udp > multiline | multiline | Configures rules for multiline parsing of incoming messages. | no |
| udp > async | async | Configures rules for asynchronous parsing of incoming messages. | no |
| tcp | tcp | Configures a TCP syslog server to receive syslog messages. | no* |
| tcp > multiline | multiline | Configures rules for multiline parsing of incoming messages | no |
| tcp > tls | tls | Configures TLS for the TCP syslog server. | no |
| retry_on_failure | retry_on_failure | Configures the retry behavior when the receiver encounters an error downstream in the pipeline. | no |
| debug_metrics | debug_metrics | Configures the metrics that this component generates to monitor its state. | no |
| output | output | Configures where to send received telemetry data. | yes |
A syslog receiver must have either a udp or tcp block configured.
The > symbol indicates deeper levels of nesting. For example, tcp > tls
refers to a tls block defined inside a tcp block.
udp block
The udp block configures a UDP syslog server.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
listen_address | string | The <host:port> address to listen to for syslog messages. | yes | |
one_log_per_packet | bool | Skip log tokenization, improving performance when messages always contain one log and multiline is not used. | false | no |
add_attributes | bool | Add net.* attributes to log messages according to OpenTelemetry semantic conventions. | false | no |
encoding | string | The encoding of the syslog messages. | utf-8 | no |
preserve_leading_whitespaces | bool | Preserves leading whitespace in messages when set to true. | false | no |
preserve_trailing_whitespaces | bool | Preserves trailing whitespace in messages when set to true. | false | no |
The encoding argument specifies the encoding of the incoming syslog messages.
encoding must be one of utf-8, utf-16le, utf-16be, ascii, big5, or nop.
Refer to the upstream receiver documentation for more details.
multiline block
The multiline block configures logic for splitting incoming log entries.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
line_start_pattern | string | A regular expression that matches the beginning of a log entry. | no | |
line_end_pattern | string | A regular expression that matches the end of a log entry. | no | |
omit_pattern | bool | Omit the start/end pattern from the split log entries. | false | no |
A multiline block must contain either line_start_pattern or line_end_pattern.
If a multiline block is not set, log entries will not be split.
async block
The async block configures concurrent asynchronous readers for a UDP syslog server.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
readers | int | The number of goroutines to concurrently read from the UDP syslog server. | 1 | no |
processors | int | The number of goroutines to concurrently process logs before sending downstream. | 1 | no |
max_queue_length | int | The maximum number of messages to wait for an available processor. | 100 | no |
If async is not set, a single goroutine will read and process messages synchronously.
tcp block
The tcp block configures a TCP syslog server.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
listen_address | string | The <host:port> address to listen to for syslog messages. | yes | |
max_log_size | string | The maximum size of a log entry to read before failing. | 1MiB | no |
one_log_per_packet | bool | Skip log tokenization, improving performance when messages always contain one log and multiline is not used. | false | no |
add_attributes | bool | Add net.* attributes to log messages according to OpenTelemetry semantic conventions. | false | no |
encoding | string | The encoding of the syslog messages. | utf-8 | no |
preserve_leading_whitespaces | bool | Preserves leading whitespace in messages when set to true. | false | no |
preserve_trailing_whitespaces | bool | Preserves trailing whitespace in messages when set to true. | false | no |
The encoding argument specifies the encoding of the incoming syslog messages.
encoding must be one of utf-8, utf-16le, utf-16be, ascii, big5, nop.
See the upstream receiver documentation for more details.
The max_log_size argument has a minimum value of 64KiB
tls block
The tls block configures TLS settings used for a server. If the tls block
isn’t provided, TLS won’t be used for connections to the server.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
ca_file | string | Path to the CA file. | no | |
ca_pem | string | CA PEM-encoded text to validate the server with. | no | |
cert_file | string | Path to the TLS certificate. | no | |
cert_pem | string | Certificate PEM-encoded text for client authentication. | no | |
include_system_ca_certs_pool | boolean | Whether to load the system certificate authorities pool alongside the certificate authority. | false | no |
key_file | string | Path to the TLS certificate key. | no | |
key_pem | secret | Key PEM-encoded text for client authentication. | no | |
max_version | string | Maximum acceptable TLS version for connections. | "TLS 1.3" | no |
min_version | string | Minimum acceptable TLS version for connections. | "TLS 1.2" | no |
cipher_suites | list(string) | A list of TLS cipher suites that the TLS transport can use. | [] | no |
reload_interval | duration | The duration after which the certificate is reloaded. | "0s" | no |
client_ca_file | string | Path to the TLS cert to use by the server to verify a client certificate. | no |
If reload_interval is set to "0s", the certificate never reloaded.
The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:
ca_pemandca_filecert_pemandcert_filekey_pemandkey_file
If cipher_suites is left blank, a safe default list is used.
Refer to the Go Cipher Suites documentation for a list of supported cipher suites.
client_ca_file sets the ClientCA and ClientAuth to RequireAndVerifyClientCert in the TLSConfig.
Refer to the Go TLS documentation for more information.
retry on failure block
The retry_on_failure block configures the retry behavior when the receiver encounters an error downstream in the pipeline.
A backoff algorithm is used to delay the retry upon subsequent failures.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
enabled | bool | If true, the receiver will pause reading a file and attempt to resend the current batch of logs on error. | false | no |
initial_interval | duration | The time to wait after first failure to retry. | 1s | no |
max_interval | duration | The maximum time to wait after applying backoff logic. | 30s | no |
max_elapsed_time | duration | The maximum age of a message before the data is discarded. | 5m | no |
If max_elapsed_time is set to 0 data will never be discarded.
debug_metrics block
The debug_metrics block configures the metrics that this component generates to monitor its state.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
disable_high_cardinality_metrics | boolean | Whether to disable certain high cardinality metrics. | true | no |
level | string | Controls the level of detail for metrics emitted by the wrapped collector. | "detailed" | no |
disable_high_cardinality_metrics is the Grafana Alloy equivalent to the telemetry.disableHighCardinalityMetrics feature gate in the OpenTelemetry Collector.
It removes attributes that could cause high cardinality metrics.
For example, attributes with IP addresses and port numbers in metrics about HTTP and gRPC connections are removed.
Note
If configured,disable_high_cardinality_metricsonly applies tootelcol.exporter.*andotelcol.receiver.*components.
level is the Alloy equivalent to the telemetry.metrics.level feature gate in the OpenTelemetry Collector.
Possible values are "none", "basic", "normal" and "detailed".
output block
The output block configures a set of components to forward resulting telemetry data to.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
logs | list(otelcol.Consumer) | List of consumers to send logs to. | [] | no |
metrics | list(otelcol.Consumer) | List of consumers to send metrics to. | [] | no |
traces | list(otelcol.Consumer) | List of consumers to send traces to. | [] | no |
You must specify the output block, but all its arguments are optional.
By default, telemetry data is dropped.
Configure the metrics, logs, and traces arguments accordingly to send telemetry data to other components.
Exported fields
otelcol.receiver.syslog does not export any fields.
Component health
otelcol.receiver.syslog is only reported as unhealthy if given an invalid
configuration.
Debug information
otelcol.receiver.syslog does not expose any component-specific debug
information.
Debug metrics
otelcol.receiver.syslog does not expose any component-specific debug metrics.
Example
This example proxies syslog messages from the otelcol.receiver.syslog receiver to the
otelcol.exporter.syslog component, and then sends them on to a loki.source.syslog component
before being logged by a loki.echo component. This shows how the otelcol syslog components
can be used to proxy syslog messages before sending them to another destination.
Using the otelcol syslog components in this way results in the messages being forwarded as sent,
attempting to use the loki.source.syslog component for a similar proxy use case requires
careful mapping of any structured data fields through the otelcol.processor.transform component. A
very simple example of that can be found in the otelcol.exporter.syslog documentation.
otelcol.receiver.syslog "default" {
protocol = "rfc5424"
tcp {
listen_address = "localhost:1515"
}
output {
logs = [otelcol.exporter.syslog.default.input]
}
}
otelcol.exporter.syslog "default" {
endpoint = "localhost"
network = "tcp"
port = 1514
protocol = "rfc5424"
enable_octet_counting = false
tls {
insecure = true
}
}
loki.source.syslog "default" {
listener {
address = "localhost:1514"
protocol = "tcp"
syslog_format = "rfc5424"
label_structured_data = true
use_rfc5424_message = true
}
forward_to = [loki.echo.default.receiver]
}
loki.echo "default" {}Compatible components
otelcol.receiver.syslog can accept arguments from the following components:
- Components that export OpenTelemetry
otelcol.Consumer
Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.
Was this page helpful?
Related resources from Grafana Labs
