
Syslog

Supported Platforms

| Platform | Metrics | Logs | Traces |
|----------|---------|------|--------|
| Linux    |         |      |        |
| Windows  |         |      |        |
| macOS    |         |      |        |

Configuration Table

| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| protocol* | enum | "rfc3164" | The RFC protocol to use when parsing incoming syslog. Valid values are rfc3164 or rfc5424. |
| connection_type | enum | udp | The transport protocol to use. Valid values are udp or tcp. |
| data_flow | enum | high | Selects high flow or reduced low flow. |
| listen_port* | int | 5140 | The port to bind to and receive syslog on. The collector must be running as root (Linux) or Administrator (Windows) when binding to a port below 1024. |
| listen_ip* | string | "0.0.0.0" | The IP address to bind to and receive syslog on. |
| timezone | enum | UTC | RFC 3164 only. The timezone to use when parsing timestamps. |
| enable_octet_counting | bool | false | Whether or not to enable octet counting on syslog framing. This framing allows any character, including the trailer, to be transmitted inside a syslog message. Only applicable to tcp and rfc5424 configurations. |
| non_transparent_framing_trailer | enum | LF | The trailer character used when parsing without octet counting. This is the special character that terminates each syslog message. Only applicable to tcp and rfc5424 configurations. |
| enable_mutual_tls | bool | false | Whether or not to use mutual TLS. |
| cert_file | string | | Path to the TLS certificate to use for TLS-required connections. |
| key_file | string | | Path to the TLS key to use for TLS-required connections. |
| ca_file | string | | When set, enforces mutual TLS authentication and verifies client certificates. |
| tls_min_version | enum | "1.2" | The minimum TLS version to support. 1.0 and 1.1 should not be considered secure. |
| max_log_size | string | "1Mib" | When using tcp, the maximum size of a log entry to read. A log entry larger than max_log_size is truncated. Protects against reading large amounts of data into memory. |
| async_readers | int | 1 | When using udp, the number of workers that read from the UDP port and push to the buffer. This value should generally remain at 1 unless otherwise directed by observIQ support. |
| async_processors | int | 3 | When using udp, the number of workers that read from the buffer (filled by the readers) and process logs before sending them downstream. Increasing this value can help when the agent is under significant load. |
| max_queue_length | int | 100 | When using udp, the size of the buffer used by the async reader workers. When the buffer is full, reader workers block until it has room. Increasing this value can help if you anticipate short bursts of increased log volume. Generally, increase async_processors before increasing this value. |

*required field
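The two TCP framing options above decide where one syslog message ends and the next begins, and max_log_size bounds how much of a single entry is kept. The following is an added example, not Bindplane's own code, that splits a TCP byte stream both ways (octet counting as in RFC 6587, and non-transparent framing with an LF trailer) and applies a size cap by truncation; the message lengths and cap value are constructed for illustration.

```python
"""Added example: TCP syslog framing as configured by enable_octet_counting,
non_transparent_framing_trailer and max_log_size. Not Bindplane's code."""
import re

# Octet-counting frame header: decimal length, one space, then the message.
OCTET_HEADER = re.compile(rb"(\d{1,10}) ")


def split_octet_counting(data: bytes, max_log_size: int):
    """Split '<len> <msg><len> <msg>...' into messages.

    Returns (messages, remainder); the remainder is an incomplete trailing
    frame that needs more bytes, or bytes with a malformed header.
    """
    msgs, pos = [], 0
    while pos < len(data):
        m = OCTET_HEADER.match(data, pos)
        if not m:
            break  # malformed header: stop and hand the rest back
        length = int(m.group(1))
        start = m.end()
        if start + length > len(data):
            break  # frame not fully received yet
        # Truncate oversized entries instead of buffering them whole.
        msgs.append(data[start:start + length][:max_log_size])
        pos = start + length
    return msgs, data[pos:]


def split_trailer(data: bytes, max_log_size: int, trailer: bytes = b"\n"):
    """Non-transparent framing: messages end at the trailer character.

    A trailer byte inside a message (for example a multi-line message) splits
    it into two entries, which octet counting avoids.
    """
    parts = data.split(trailer)
    remainder = parts.pop()  # bytes after the last trailer are incomplete
    return [p[:max_log_size] for p in parts], remainder


# Constructed sample: one multi-line RFC 5424 message followed by a short one.
MSG1 = b"<34>1 line1\nline2"  # 17 bytes, contains an embedded LF
MSG2 = b"<13>1 ok"            # 8 bytes
OCTET_STREAM = b"17 " + MSG1 + b"8 " + MSG2
TRAILER_STREAM = MSG1 + b"\n" + MSG2 + b"\n"

if __name__ == "__main__":
    print(split_octet_counting(OCTET_STREAM, 1024))  # two intact messages
    print(split_trailer(TRAILER_STREAM, 1024))       # three: MSG1 is split at its LF
    print(split_octet_counting(OCTET_STREAM, 5))     # capped to 5 bytes each
```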