Important: This documentation is about an older version. It's relevant only to the release noted, many of the features and functions have been updated or replaced. Please view the current version.
loki.source.syslog
loki.source.syslog listens for syslog messages over TCP or UDP connections and forwards them to other loki.* components.
The messages must be compliant with the RFC5424 format.
The component starts a new syslog listener for each of the given config blocks and fans out incoming entries to the list of receivers in forward_to.
You can specify multiple loki.source.syslog components by giving them different labels.
Usage
loki.source.syslog "<LABEL>" {
listener {
address = "<LISTEN_ADDRESS>"
}
...
forward_to = <RECEIVER_LIST>
}Arguments
You can use the following arguments with loki.source.syslog:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
forward_to | list(LogsReceiver) | List of receivers to send log entries to. | yes | |
relabel_rules | RelabelRules | Relabeling rules to apply on log entries. | “{}” | no |
The relabel_rules field can make use of the rules export value from a loki.relabel component to apply one or more relabeling rules to log entries before they’re forwarded to the list of receivers in forward_to.
Blocks
You can use the following blocks with loki.source.syslog:
| Name | Description | Required |
|---|---|---|
listener | Configures a listener for IETF Syslog (RFC5424) messages. | no |
listener > tls_config | Configures TLS settings for connecting to the endpoint for TCP connections. | no |
The > symbol indicates deeper levels of nesting.
For example, listener > tls_config refers to a tls_config block defined inside a listener block.
listener
The listener block defines the listen address and protocol where the listener expects syslog messages to be sent to, as well as its behavior when receiving messages.
The following arguments can be used to configure a listener.
Only the address field is required and any omitted fields take their default values.
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
address | string | The <host:port> address to listen to for syslog messages. | yes | |
idle_timeout | duration | The idle timeout for tcp connections. | "120s" | no |
label_structured_data | bool | Whether to translate syslog structured data to loki labels. | false | no |
labels | map(string) | The labels to associate with each received syslog record. | {} | no |
max_message_length | int | The maximum limit to the length of syslog messages. | 8192 | no |
protocol | string | The protocol to listen to for syslog messages. Must be either tcp or udp. | tcp | no |
use_incoming_timestamp | bool | Whether to set the timestamp to the incoming syslog record timestamp. | false | no |
use_rfc5424_message | bool | Whether to forward the full RFC5424-formatted syslog message. | false | no |
By default, the component assigns the log entry timestamp as the time it was processed.
The labels map is applied to every message that the component reads.
All header fields from the parsed RFC5424 messages are brought in as internal labels, prefixed with __syslog_.
If label_structured_data is set, structured data in the syslog header is also translated to internal labels in the form of __syslog_message_sd_<ID>_<KEY>.
For example, a structured data entry of [example@99999 test="yes"] becomes the label __syslog_message_sd_example_99999_test with the value "yes".
tls_config
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
ca_pem | string | CA PEM-encoded text to validate the server with. | no | |
ca_file | string | CA certificate to validate the server with. | no | |
cert_pem | string | Certificate PEM-encoded text for client authentication. | no | |
cert_file | string | Certificate file for client authentication. | no | |
insecure_skip_verify | bool | Disables validation of the server certificate. | no | |
key_file | string | Key file for client authentication. | no | |
key_pem | secret | Key PEM-encoded text for client authentication. | no | |
min_version | string | Minimum acceptable TLS version. | no | |
server_name | string | ServerName extension to indicate the name of the server. | no |
The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:
ca_pemandca_filecert_pemandcert_filekey_pemandkey_file
When configuring client authentication, both the client certificate (using
cert_pem or cert_file) and the client key (using key_pem or key_file)
must be provided.
When min_version is not provided, the minimum acceptable TLS version is
inherited from Go’s default minimum version, TLS 1.2. If min_version is
provided, it must be set to one of the following strings:
"TLS10"(TLS 1.0)"TLS11"(TLS 1.1)"TLS12"(TLS 1.2)"TLS13"(TLS 1.3)
Exported fields
loki.source.syslog doesn’t export any fields.
Component health
loki.source.syslog is only reported as unhealthy if given an invalid
configuration.
Debug information
loki.source.syslog exposes some debug information per syslog listener:
- Whether the listener is running.
- The listen address.
- The labels that the listener applies to incoming log entries.
Debug metrics
loki_source_syslog_empty_messages_total(counter): Total number of empty messages received from the syslog component.loki_source_syslog_entries_total(counter): Total number of successful entries sent to the syslog component.loki_source_syslog_parsing_errors_total(counter): Total number of parsing errors while receiving syslog messages.
Example
This example listens for syslog messages in valid RFC5424 format over TCP and UDP in the specified ports and forwards them to a loki.write component.
loki.source.syslog "local" {
listener {
address = "127.0.0.1:51893"
labels = { component = "loki.source.syslog", protocol = "tcp" }
}
listener {
address = "127.0.0.1:51898"
protocol = "udp"
labels = { component = "loki.source.syslog", protocol = "udp"}
}
forward_to = [loki.write.local.receiver]
}
loki.write "local" {
endpoint {
url = "loki:3100/api/v1/push"
}
}Compatible components
loki.source.syslog can accept arguments from the following components:
- Components that export Loki
LogsReceiver
Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.
