Syslog Source
yaml
## This is YAML, so structure and indentation are important.
## Lines can be uncommented by removing the #. You should not need to change the number of spaces after that.
## Configuration options have a single #, comments have a ##. Only uncomment the single # lines if you need them.
#####
# Define the sink (destination) for the logs
sinks:
  logscale_sink:
    type: logscale  # Using LogScale as the destination
    url: "https://cloud.humio.com/"  # Replace with your LogScale instance URL
    token: "${LOGSCALE_TOKEN}"  # Use environment variable for the ingest token
    # Configure the queue for buffering events
    queue:
      # It is recommended to use a disk queue to persist syslog messages,
      # ensuring data integrity during network issues or system restarts.
      type: disk  # Use a disk-based queue for persistence
      maxLimitInMB: 10240  # Set the queue size to 10 GB (10 * 1024 MB)
      # A large disk queue is used to ensure data persistence and handle
      # high volumes of incoming syslog data, providing a robust buffer
      # against network issues or temporary outages.

      # fullAction: deleteOldest
      # Uncomment the line above to delete the oldest events when the queue is full.
      # This can be useful in high-volume environments where it's preferable to
      # lose some old data rather than pause ingestion of new data. However, use
      # this option with caution as it can result in data loss.

# Define the sources for syslog data
sources:
  syslog_udp:
    type: syslog
    mode: udp  # UDP syslog
    port: 514  # Standard syslog port
    sink: logscale_sink

    # Optional: Bind to a specific address
    # bind: "0.0.0.0"

    # Optional: Set the maximum event size (in bytes)
    # maxEventSize: 1048576  # 1 MB
    # The default maxEventSize is 2048 bytes. Increase this value if you expect
    # larger syslog messages. Be cautious when increasing this value, as it
    # affects memory usage and network bandwidth.

    # Optional: Set the number of worker threads (Linux only)
    # workers: 4
    # The 'workers' option controls the number of threads used to read syslog messages.
    # By default, it uses the number of CPU cores available on the system.
    # Adjust this value based on your system's capabilities and the expected message volume.

    # Optional: Configure the parser to be used in LogScale
    # parser: "syslog_rfc5424"

    # Optional: Add static fields
    # transforms:
    #   - type: static_fields
    #     fields:
    #       source_type: "syslog_udp"
    #       environment: "${ENV}"

  syslog_tcp:
    type: syslog
    mode: tcp  # TCP syslog
    port: 1514  # Using a different port for TCP
    sink: logscale_sink

    # Optional: Bind to a specific address
    # bind: "0.0.0.0"

    # Optional: Set the maximum event size (in bytes)
    # maxEventSize: 1048576  # 1 MB
    # The default maxEventSize is 2048 bytes. Increase this value if you expect
    # larger syslog messages. Be cautious when increasing this value, as it
    # affects memory usage and network bandwidth.

    # Optional: Enable strict parsing for TCP
    # strict: true
    # When strict parsing is enabled, the connection will be closed if an
    # invalid message is encountered. This helps maintain data integrity
    # but may result in lost messages if the client doesn't handle reconnection properly.

    # Optional: Support RFC6587 octet counting
    # supportsOctetCounting: true

    # Optional: Configure the parser to be used in LogScale
    # parser: "syslog_rfc5424"

    # Optional: Add static fields
    # transforms:
    #   - type: static_fields
    #     fields:
    #       source_type: "syslog_tcp"
    #       environment: "${ENV}"

Table: Syslog source

| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
| bind | string | optional[a] | | Specify the address to bind to. |
| joining | sourcesyslogudpjoining | optional[a] | | Controls how syslog entries are joined together during processing or grouping. (added in 1.10) |
| maxEventSize | integer | optional[a] | | Maximum allowed syslog event size; syslog events larger than this will be truncated. If maxEventSize is also defined at sinks level, the lower of the two values will be applied. Set this to the max value to avoid truncation issues. |
| mode | syslogmode | required | | Specify the protocol to listen to. Values: tcp, udp. |
| parser | string | optional[a] | | Specify the parser within LogScale to use to parse the logs. If you install the parser through a package, you must specify the type and name as displayed on the parsers page, for example linux-systemlogs:linux-systemlogs. If a parser is assigned to the ingest token being used, this parser will be ignored. |
| port | integer | optional[a] | 514 | Specify the number of the port on which to listen. |
| receiveBufferSize | integer | optional[a] | 64 times maxEventSize | The size of the read buffer used to copy received messages into the application's memory. This read buffer has to be able to contain at least one message (the largest). If it is too small, the message gets truncated. If the read buffer is large, it will be able to read several messages at once. |
| sink | string | required | | Specify the name of the sink to which the collected events will be sent. |
| strict | boolean | optional[a] | false | Enable strict parsing of events. If an invalid event is encountered, the connection will be closed. Only relevant when mode is tcp. |
| supportsOctetCounting | boolean | optional[a] | false | Enable handling of octet counting framing as per RFC6587. Only relevant when mode is tcp. |
| transforms | transform | optional[a] | | Specify transforms to use for this source (optional); see All sources: How to use Transforms for information on how to use transforms. |
| type | syslog | required | | The sources block configures the sources of data that the log collector will send to LogScale. |
| workers | integer | optional[a] | | The number of workers to use to read from the network. Defaults to number of CPU cores. Only relevant when mode is UDP. |

[a] Optional parameters use their default value unless explicitly set.
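
The following added example (not code from the LogScale Collector or its documentation) shows what the supportsOctetCounting, strict and maxEventSize settings mean on a TCP byte stream: it splits a stream into events using RFC 6587 octet counting or LF-terminated framing. The function name, the "<PRI>" validity check and the sample stream are assumptions made for illustration; the collector's own parsing rules may differ.

```python
import re

# RFC 6587 octet counting: MSG-LEN SP SYSLOG-MSG, where MSG-LEN has no leading zero.
COUNT_RE = re.compile(rb"([1-9][0-9]*) ")
PRI_RE = re.compile(rb"<[0-9]{1,3}>")  # assumed validity check: event starts with <PRI>

class FramingError(ValueError):
    """Invalid event in strict mode; a strict receiver closes the connection here."""

def split_frames(buf, octet_counting=True, strict=False, max_event_size=2048):
    """Split a TCP byte stream into syslog events.

    Returns (events, remainder); remainder is an incomplete trailing frame
    that must be kept until more bytes arrive.
    """
    events, pos = [], 0
    while pos < len(buf):
        m = COUNT_RE.match(buf, pos) if octet_counting else None
        if m:  # octet-counted frame: length prefix, payload may contain LF
            start, end = m.end(), m.end() + int(m.group(1))
            if end > len(buf):
                break
            event, pos = buf[start:end], end
        else:  # non-transparent framing: event ends at the next LF
            end = buf.find(b"\n", pos)
            if end == -1:
                break
            event, pos = buf[pos:end], end + 1
        if strict and not PRI_RE.match(event):
            raise FramingError(f"invalid event: {event[:32]!r}")
        events.append(event[:max_event_size])  # oversized events are truncated
    return events, buf[pos:]

# Constructed sample: one octet-counted event with an embedded newline,
# one LF-terminated event, and the start of a frame that has not fully arrived.
MSG1 = b"<34>1 2024-01-01T00:00:00Z host app - - - line one\nline two"
MSG2 = b"<13>1 2024-01-01T00:00:01Z host app - - - second"
STREAM = b"%d %s" % (len(MSG1), MSG1) + MSG2 + b"\n" + b"25 <13>partial"

if __name__ == "__main__":
    print(split_frames(STREAM))                        # framing-aware split
    print(split_frames(STREAM, octet_counting=False))  # MSG1 is cut at its LF
```

When the sender uses octet counting and the receiver does not, the length prefix stays attached to the first fragment and the rest of the event is merged into the next one, which is the kind of corruption to look for in ingested data before enabling supportsOctetCounting.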