loki.source.syslog
loki.source.syslog
listens for syslog messages over TCP or UDP connections and forwards them to other loki.*
components.
The messages must be compliant with the RFC5424 syslog protocol or the RFC3164 BSD syslog protocol.
The component starts a new syslog listener for each of the given config
blocks and fans out incoming entries to the list of receivers in forward_to
.
You can specify multiple loki.source.syslog
components by giving them different labels.
Usage
loki.source.syslog "<LABEL>" {
listener {
address = "<LISTEN_ADDRESS>"
}
...
forward_to = <RECEIVER_LIST>
}
Arguments
You can use the following arguments with loki.source.syslog
:
The relabel_rules
field can make use of the rules
export value from a loki.relabel
component to apply one or more relabeling rules to log entries before they’re forwarded to the list of receivers in forward_to
.
Blocks
You can use the following blocks with loki.source.syslog
:
The > symbol indicates deeper levels of nesting.
For example, listener
> tls_config
refers to a tls_config
block defined inside a listener
block.
listener
The listener
block defines the listen address and protocol where the listener expects syslog messages to be sent to, as well as its behavior when receiving messages.
The following arguments can be used to configure a listener
.
Only the address
field is required and any omitted fields take their default values.
By default, the component assigns the log entry timestamp as the time it was processed.
The labels
map is applied to every message that the component reads.
All header fields from the parsed RFC5424 messages are brought in as internal labels, prefixed with __syslog_
.
If label_structured_data
is set, structured data in the syslog header is also translated to internal labels in the form of __syslog_message_sd_<ID>_<KEY>
.
For example, a structured data entry of [example@99999 test="yes"]
becomes the label __syslog_message_sd_example_99999_test
with the value "yes"
.
tls_config
The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:
ca_pem
andca_file
cert_pem
andcert_file
key_pem
andkey_file
When configuring client authentication, both the client certificate (using cert_pem
or cert_file
) and the client key (using key_pem
or key_file
) must be provided.
When min_version
isn’t provided, the minimum acceptable TLS version is inherited from Go’s default minimum version, TLS 1.2.
If min_version
is provided, it must be set to one of the following strings:
"TLS10"
(TLS 1.0)"TLS11"
(TLS 1.1)"TLS12"
(TLS 1.2)"TLS13"
(TLS 1.3)
Exported fields
loki.source.syslog
doesn’t export any fields.
Component health
loki.source.syslog
is only reported as unhealthy if given an invalid
configuration.
Debug information
loki.source.syslog
exposes some debug information per syslog listener:
- Whether the listener is running.
- The listen address.
- The labels that the listener applies to incoming log entries.
Debug metrics
loki_source_syslog_empty_messages_total
(counter): Total number of empty messages received from the syslog component.loki_source_syslog_entries_total
(counter): Total number of successful entries sent to the syslog component.loki_source_syslog_parsing_errors_total
(counter): Total number of parsing errors while receiving syslog messages.
Example
This example listens for syslog messages in valid RFC5424 format over TCP and UDP in the specified ports and forwards them to a loki.write
component.
Compatible components
loki.source.syslog
can accept arguments from the following components:
- Components that export Loki
LogsReceiver
Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.