---
title: "loki.source.syslog | Grafana Cloud documentation"
description: "Learn about loki.source.syslog"
---

# `loki.source.syslog`

`loki.source.syslog` listens for syslog messages over TCP or UDP connections and forwards them to other `loki.*` components. The messages must be compliant with the [RFC5424](https://www.rfc-editor.org/rfc/rfc5424) syslog protocol or the [RFC3164](https://datatracker.ietf.org/doc/html/rfc3164) BSD syslog protocol. For a detailed example, refer to the [Monitor RFC5424-compliant syslog messages with Grafana Alloy](/docs/grafana-cloud/send-data/alloy/monitor/monitor-syslog-messages/) scenario.

> Note
> 
> If your messages don’t conform to either RFC5424 or RFC3164, for example CEF logs, you can use the `raw` syslog format with the [`loki.process`](/docs/grafana-cloud/send-data/alloy/reference/components/loki/loki.process.md) component to parse non-standard content.
> 
> If you receive RFC3164 messages from Cisco IOS devices that include non-standard Cisco extensions, use `syslog_format = "rfc3164"` with the [`rfc3164_cisco_components`](#rfc3164_cisco_components) block.
> 
> The `raw` syslog format is an [experimental](/docs/release-life-cycle/) feature.

The component starts a new syslog listener for each `listener` block and fans out entries to the list of receivers in `forward_to`.

You can run multiple `loki.source.syslog` components with different labels.

## Usage


```alloy
loki.source.syslog "<LABEL>" {
  listener {
    address = "<LISTEN_ADDRESS>"
  }
  ...

  forward_to = <RECEIVER_LIST>
}
```

## Arguments

You can use the following arguments with `loki.source.syslog`:


| Name            | Type                 | Description                               | Default | Required |
|-----------------|----------------------|-------------------------------------------|---------|----------|
| `forward_to`    | `list(LogsReceiver)` | List of receivers to send log entries to. |         | yes      |
| `relabel_rules` | `RelabelRules`       | Relabel rules for log entries.            | `{}`    | no       |

The `relabel_rules` field accepts the `rules` export from a [`loki.relabel`](/docs/grafana-cloud/send-data/alloy/reference/components/loki/loki.relabel) component. It applies the rules to log entries before `loki.source.syslog` forwards them to `forward_to`.

`loki.source.syslog` applies the following labels to log entries when client connection information is available.

- `__syslog_connection_ip_address`
- `__syslog_connection_hostname`

`loki.source.syslog` applies the following labels to log entries when the syslog message contains them.

- `__syslog_message_severity`
- `__syslog_message_facility`
- `__syslog_message_hostname`
- `__syslog_message_app_name`
- `__syslog_message_proc_id`
- `__syslog_message_msg_id`
- `__syslog_message_msg_counter`
- `__syslog_message_sequence`

If `label_structured_data` is `true` and the parsed message has [RFC5424](https://www.rfc-editor.org/rfc/rfc5424) structured data, the component adds labels with the prefix `__syslog_message_sd_` to the log entry. For example, structured data of `[example@99999 test="value"]` produces the label `__syslog_message_sd_example_99999_test` with a value of `value`.

The syslog source removes all labels with a `__` prefix before it passes log entries to the next component in the pipeline. To keep the `__syslog_` labels, use rules in the `relabel_rules` argument to move them to labels that don’t have a `__` prefix. The following relabel example keeps all `__syslog_` labels when `loki.source.syslog` passes entries to the next component in the pipeline.


```alloy
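loki.relabel "syslog" {
  // loki.relabel requires forward_to. It's empty here because only the
  // exported rules are used, through the relabel_rules argument.
  forward_to = []

  rule {
    action = "labelmap"
    regex  = "__syslog_(.+)"
  }
}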
```
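The label flow described above, as an added Python example (not Alloy's code): it derives the `__syslog_*` labels from the RFC5424 sample line shown on this page, then returns the labels that reach the next component with and without the `labelmap` rule. The function names, the numeric facility and severity values, and the replacement of characters such as `@` with `_` in structured-data label names are assumptions inferred from the `example@99999` example.

```python
import re

# Constructed sample: the RFC5424 example line from "Supported formats" on this page.
SAMPLE = '<165>1 2025-12-18T00:33:00Z web01 nginx - - [audit@123 id="456"] Login failed'

HEADER = re.compile(
    r'<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<hostname>\S+) (?P<app_name>\S+) '
    r'(?P<proc_id>\S+) (?P<msg_id>\S+) (?P<rest>.*)', re.S)
SD_ELEMENT = re.compile(r'\[(?P<id>[^\s\]="]+)(?P<params>(?: [^\s=\]"]+="(?:\\.|[^"\\])*")*)\]')
SD_PARAM = re.compile(r' ([^\s=\]"]+)="((?:\\.|[^"\\])*)"')


def internal_labels(line, label_structured_data=False):
    """Return (labels, msg) with the __syslog_* labels described on this page."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not an RFC5424 message")
    pri = int(m["pri"])
    labels = {
        # Assumption: numeric codes; the page doesn't state how values are rendered.
        "__syslog_message_facility": str(pri >> 3),
        "__syslog_message_severity": str(pri & 7),
    }
    for field in ("hostname", "app_name", "proc_id", "msg_id"):
        if m[field] != "-":  # "-" is the RFC5424 NILVALUE
            labels["__syslog_message_" + field] = m[field]
    rest = m["rest"]
    if rest.startswith("-"):
        rest = rest[1:]  # no structured data in this message
    else:
        while (sd := SD_ELEMENT.match(rest)):
            if label_structured_data:
                for key, value in SD_PARAM.findall(sd["params"]):
                    # Assumption: characters invalid in label names become "_".
                    name = re.sub(r"[^A-Za-z0-9_]", "_", f'{sd["id"]}_{key}')
                    labels["__syslog_message_sd_" + name] = value
            rest = rest[sd.end():]
    return labels, rest.lstrip(" ")


def forwarded_labels(labels, labelmap_regex=None):
    """Apply an optional labelmap rule, then drop every label starting with "__"."""
    out = dict(labels)
    if labelmap_regex:
        for name, value in labels.items():
            hit = re.fullmatch(labelmap_regex, name)  # relabel regexes are anchored
            if hit:
                out[hit.group(1)] = value
    return {k: v for k, v in out.items() if not k.startswith("__")}
```

Without a relabel rule, `forwarded_labels(labels)` is empty. Every value kept by the `labelmap` rule comes from sender-controlled message fields.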

## Blocks

You can use the following blocks with `loki.source.syslog`:


### `listener`

The `listener` block defines the listen address and protocol for syslog messages, and sets behavior options for how the component handles them.

You can configure a `listener` with the following arguments. Only the `address` field is required. Omitted fields take their default values.


| Name                              | Type          | Description                                                                                                                                          | Default     | Required |
|-----------------------------------|---------------|------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------|
| `address`                         | `string`      | The `<host:port>` address to listen to for syslog messages.                                                                                          |             | yes      |
| `idle_timeout`                    | `duration`    | The idle timeout for TCP connections.                                                                                                                | `"120s"`    | no       |
| `label_structured_data`           | `bool`        | Whether to translate syslog structured data to Loki labels.                                                                                          | `false`     | no       |
| `labels`                          | `map(string)` | The labels to associate with each received syslog record.                                                                                            | `{}`        | no       |
| `max_message_length`              | `int`         | The maximum length of syslog messages.                                                                                                               | `8192`      | no       |
| `protocol`                        | `string`      | The protocol to listen to for syslog messages. Must be either `tcp` or `udp`.                                                                        | `"tcp"`     | no       |
| `rfc3164_default_to_current_year` | `bool`        | Whether to default the incoming timestamp of an `rfc3164` message to the current year.                                                               | `false`     | no       |
| `rfc5424_allow_empty_msg`         | `bool`        | Whether to forward RFC5424 messages with empty MSG content. When `false`, such messages are dropped. Only applies when `syslog_format` is `rfc5424`. | `false`     | no       |
| `syslog_format`                   | `string`      | The format for incoming messages. See [supported formats](#supported-formats).                                                                       | `"rfc5424"` | no       |
| `use_incoming_timestamp`          | `bool`        | Whether to set the timestamp to the incoming syslog record timestamp.                                                                                | `false`     | no       |
| `use_rfc5424_message`             | `bool`        | Whether to forward the full RFC5424-formatted syslog message.                                                                                        | `false`     | no       |

By default, the component uses the time it processes the log entry as the timestamp.

The `labels` map is applied to every message that the component reads.

All header fields from parsed RFC5424 and RFC3164 messages become internal labels, prefixed with `__syslog_`.

If you set `label_structured_data` to `true`, the component also translates structured data in the syslog header to internal labels in the form `__syslog_message_sd_<ID>_<KEY>`. For example, a structured data entry of `[example@99999 test="yes"]` becomes the label `__syslog_message_sd_example_99999_test` with the value `"yes"`.

The `rfc3164_default_to_current_year` argument is only relevant when `use_incoming_timestamp` is also `true`. `rfc3164` message timestamps don’t contain a year. By default, the component leaves the year as `0` to match Promtail behavior. When `rfc3164_default_to_current_year` is `true`, the component sets the year of the received timestamp to the current year, using the local time of the Alloy instance.

> Note
> 
> You can’t use the `rfc3164_default_to_current_year`, `use_incoming_timestamp`, and `use_rfc5424_message` fields when `syslog_format` is `raw`.

#### Supported formats

- **`rfc3164`**: A legacy syslog format, also known as BSD syslog. Example: `<34>Oct 11 22:14:15 my-server-01 sshd[1234]: Failed password for root from 192.168.1.10 port 22 ssh2`. `loki.source.syslog` drops messages with empty MSG content and increments the `loki_source_syslog_empty_messages_total` counter.
- **`rfc5424`**: A modern, structured syslog format. Uses ISO 8601 for timestamps. Example: `<165>1 2025-12-18T00:33:00Z web01 nginx - - [audit@123 id="456"] Login failed`. `loki.source.syslog` drops messages with empty MSG content by default. Set `rfc5424_allow_empty_msg` to `true` to forward them. `loki.source.syslog` increments the `loki_source_syslog_empty_messages_total` counter in both cases for debugging.
- **`raw`**: Disables log line parsing. This format allows receiving logs that aren't RFC5424-compliant, such as [CEF](https://www.splunk.com/en_us/blog/learn/common-event-format-cef.html). You can forward raw logs to the [`loki.process`](/docs/alloy/latest/reference/components/loki/loki.source.syslog/loki.process.md) component for parsing. `loki.source.syslog` drops messages with a nil or empty body and increments the `loki_source_syslog_empty_messages_total` counter.

> Note
> 
> The `raw` format is an [experimental](/docs/release-life-cycle/) feature. Experimental features are subject to frequent breaking changes, and may be removed with no equivalent replacement. To enable and use an experimental feature, you must set the `stability.level` [flag](/docs/grafana-cloud/send-data/alloy/reference/cli/run/) to `experimental`.

### `raw_format_options`

> **EXPERIMENTAL**: This is an [experimental](/docs/release-life-cycle/) feature. Experimental features are subject to frequent breaking changes, and may be removed with no equivalent replacement. To enable and use an experimental feature, you must set the `stability.level` [flag](/docs/alloy/latest/reference/cli/run/) to `experimental`.

The `raw_format_options` block sets options for the `raw` syslog format.

> Note
> 
> This block can only be used when you set `syslog_format` to `raw`.

The following argument is supported:


| Name                            | Type   | Description                              | Default | Required |
|---------------------------------|--------|------------------------------------------|---------|----------|
| `use_null_terminator_delimiter` | `bool` | Split log lines on `\0` instead of `\n`. | `false` | no       |

### `rfc3164_cisco_components`

> **EXPERIMENTAL**: This is an [experimental](/docs/release-life-cycle/) feature. Experimental features are subject to frequent breaking changes, and may be removed with no equivalent replacement. To enable and use an experimental feature, you must set the `stability.level` [flag](/docs/alloy/latest/reference/cli/run/) to `experimental`.

The `rfc3164_cisco_components` block adds support for non-standard Cisco IOS syslog extensions.

> Note
> 
> This block can only be used when you set `syslog_format` to `rfc3164`.

The following arguments are supported:


| Name               | Type   | Description                                      | Default | Required |
|--------------------|--------|--------------------------------------------------|---------|----------|
| `enable_all`       | `bool` | Enables all components below.                    | `false` | no       |
| `message_counter`  | `bool` | Enables syslog message counter field parsing.    | `false` | no       |
| `sequence_number`  | `bool` | Enables service sequence number field parsing.   | `false` | no       |
| `hostname`         | `bool` | Enables origin hostname field parsing.           | `false` | no       |
| `second_fractions` | `bool` | Enables milliseconds parsing in timestamp field. | `false` | no       |

> Note
> 
> At least one option has to be enabled if `enable_all` is set to `false`.

> Caution
> 
> The `rfc3164_cisco_components` configuration must match your Cisco device configuration. `loki.source.syslog` can’t auto-detect which components are present because they share similar formats.

#### Cisco Device Configuration


```none
conf t

! Enable message counter (on by default for remote logging)
logging host 10.0.0.10

! Add service sequence numbers
service sequence-numbers

! Add origin hostname
logging origin-id hostname

! Enable millisecond timestamps
service timestamps log datetime msec localtime

! Recommended: Enable NTP to remove asterisk
ntp server <your-ntp-server>
```

#### Current Limitations

- **Component Ordering**: When Cisco components are selectively disabled on the device but the parser expects them, parsing will fail or produce incorrect results. Always match your parser configuration to your device configuration.
- **Structured Data**: Messages with RFC5424-style structured data blocks (from `logging host X session-id` or `sequence-num-session`) are not currently supported. See the [upstream issue](https://github.com/leodido/go-syslog/issues/35) for details.

### `tls_config`


| Name                   | Type     | Description                                              | Default | Required |
|------------------------|----------|----------------------------------------------------------|---------|----------|
| `ca_pem`               | `string` | CA PEM-encoded text to validate the server with.         |         | no       |
| `ca_file`              | `string` | CA certificate to validate the server with.              |         | no       |
| `cert_pem`             | `string` | Certificate PEM-encoded text for client authentication.  |         | no       |
| `cert_file`            | `string` | Certificate file for client authentication.              |         | no       |
| `insecure_skip_verify` | `bool`   | Disables validation of the server certificate.           |         | no       |
| `key_file`             | `string` | Key file for client authentication.                      |         | no       |
| `key_pem`              | `secret` | Key PEM-encoded text for client authentication.          |         | no       |
| `min_version`          | `string` | Minimum acceptable TLS version.                          |         | no       |
| `server_name`          | `string` | ServerName extension to indicate the name of the server. |         | no       |

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

- `ca_pem` and `ca_file`
- `cert_pem` and `cert_file`
- `key_pem` and `key_file`

When configuring client authentication, both the client certificate (using `cert_pem` or `cert_file`) and the client key (using `key_pem` or `key_file`) must be provided.

When `min_version` isn’t provided, the minimum acceptable TLS version is inherited from Go’s default minimum version, TLS 1.2. If `min_version` is provided, it must be set to one of the following strings:

- `"TLS10"` (TLS 1.0)
- `"TLS11"` (TLS 1.1)
- `"TLS12"` (TLS 1.2)
- `"TLS13"` (TLS 1.3)

## Exported fields

`loki.source.syslog` doesn’t export any fields.

## Component health

`loki.source.syslog` is only reported as unhealthy if given an invalid configuration.

## Debug information

`loki.source.syslog` exposes some debug information per syslog listener:

- Whether the listener is active.
- The listen address.
- The labels that the listener applies to log entries.

## Debug metrics

- `loki_source_syslog_empty_messages_total` `counter`: Total number of empty messages the syslog component received.
- `loki_source_syslog_entries_total` `counter`: Total number of successful entries the syslog component sent.
- `loki_source_syslog_parsing_errors_total` `counter`: Total number of parse errors from the syslog component.

## Example

The following example listens for RFC5424 syslog messages over TCP and UDP and forwards them to a `loki.write` component.


```alloy
loki.source.syslog "local" {
  listener {
    address  = "127.0.0.1:51893"
    labels   = { component = "loki.source.syslog", protocol = "tcp" }
  }

  listener {
    address  = "127.0.0.1:51898"
    protocol = "udp"
    labels   = { component = "loki.source.syslog", protocol = "udp" }
  }

  forward_to = [loki.write.local.receiver]
}

loki.write "local" {
  endpoint {
    // The URL needs a scheme, and the Loki push API path is /loki/api/v1/push.
    url = "http://loki:3100/loki/api/v1/push"
  }
}
```

## Compatible components

`loki.source.syslog` can accept arguments from the following components:

- Components that export [Loki `LogsReceiver`](/docs/grafana-cloud/send-data/alloy/reference/compatibility/#loki-logsreceiver-exporters)

> Note
> 
> Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.
