Live Workshop: Integrate Google SecOps with Bindplane - Join Us on January 29th at 11 AM ET!Sign Up Now

Syslog

Supported Platforms

Platform	Metrics	Logs	Traces
Linux		✓
Windows		✓
macOS		✓
Kubernetes Gateway		✓
OpenShift Gateway		✓

Configuration Table

Parameter	Type	Default	Description
protocol*	`enum`	"rfc3164"	The RFC protocol to use when parsing incoming syslog. Valid values are `rfc3164` or `rfc5424`.
connection_type	`enum`	udp	The transport protocol to use. Valid values are `udp` or `tcp`.
data_flow	`enum`	high	Enable high flow or reduced low flow.
listen_port*	`int`	5140	The port to bind to and receive syslog. Collector must be running as root (Linux) or Administrator (windows) when binding to a port below 1024.
listen_ip*	`string`	"0.0.0.0"	The IP address to bind to and receive syslog.
timezone	`enum`	UTC	RFC3164 only. The timezone to use when parsing timestamps.
enable_octet_counting	`bool`	false	Whether or not to parse using a trailer character. This is a special character that will be the termination character for syslog messages. This is only applicable to `tcp` and `rfc5424` configurations.
non_transparent_framing_trailer	`enum`	LF	Whether or not to enable octet counting on syslog framing. This framing allows for the transmission of all characters inside a syslog message. This is only applicable to `tcp` and `rfc5424` configurations.
enable_mutual_tls	`bool`	false	Whether or not to use mutual TLS.
cert_file	`string`		Path to the TLS cert to use for TLS-required connections.
key_file	`string`		Path to the TLS key to use for TLS-required connections.
ca_file	`string`		When set, enforces mutual TLS authentication and verifies client certificates.
tls_min_version	`enum`	"1.2"	The minimum TLS version to support. 1.0 and 1.1 should not be considered secure.
max_log_size	`string`	"1Mib"	When using `tcp`, the maximum size of a log entry to read. A log entry will be truncated if it is larger than max_log_size. Protects against reading large amounts of data into memory.
async_readers	`int`	1	When using `udp`, determines how many workers read from UDP port and push to buffer. Generally this value should remain at `1` unless otherwise directed by observIQ support.
async_processors	`int`	3	When using `udp`, determines how many workers read from buffer (pushed by readers) and process logs before sending downstream. Increasing this value can be useful when the collector is under significant load.
max_queue_length	`int`	100	When using `udp`, determines size of buffer being used by async reader workers. When buffer reaches max number, reader workers will block until buffer has room. Increasing this value can be useful if you anticipate short durations of increased log volume. Generally, you should increase `async_processors` before increasing this value.

*required field

Kubernetes

When using this source with Kubernetes or OpenShift, you must create a custom Service resource to route traffic to the collector. See the Kubernetes Service for more information.

Updated 9 days ago