
UDP

Supported Platforms

Platform | Metrics | Logs | Traces
Linux
Windows
macOS

Configuration Table

Parameter | Type | Default | Description
listen_port* | int | | Port to listen on.
listen_ip | string | "0.0.0.0" | IP address to listen on. The default binds every interface on the host; bind a specific address (and restrict the port with host firewall rules) where some interfaces should not accept unsolicited datagrams, since UDP senders are not authenticated and source addresses can be spoofed.
log_type | string | udp | Arbitrary value written to the 'log_type' attribute. Useful for distinguishing between many UDP sources when filtering.
parse_format | enum | none | Method to use when parsing. Valid values are none, json, and regex. When regex is selected, regex_pattern must be set.
regex_pattern | string | | The regex pattern used when parsing log entries. Required when parse_format is regex.
multiline_line_start_pattern | string | | Regex pattern that matches the beginning of a log entry, for handling multiline logs.
multiline_line_end_pattern | string | | Regex pattern that matches the end of a log entry, useful for terminating parsing of multiline logs.
parse_timestamp | bool | false | Whether to parse the timestamp from the log entry.
timestamp_field | string | timestamp | The field containing the timestamp in the log entry.
parse_timestamp_format | enum | ISO8601 | The format of the timestamp in the log entry. Choose a common format, or specify a custom format. Options are "ISO8601", "RFC3339", "Epoch", and "Manual".
epoch_timestamp_format | enum | s | The layout of the epoch-based timestamp. Required when parse_timestamp_format is "Epoch". Options are "s", "ms", "us", "ns", "s.ms", "s.us", "s.ns".
manual_timestamp_format | string | '%Y-%m-%dT%H:%M:%S.%f%z' | The strptime layout of the timestamp. Used when parse_timestamp_format is "Manual".
timezone | timezone | UTC | The timezone to use if the timestamp format does not include a timezone; otherwise the timezone carried in the timestamp value is respected. NOTE: this is also required to parse timezone abbreviations, because they are ambiguous.
parse_severity | bool | false | Whether to parse severity from the log entry.
severity_field | string | severity | The field containing the severity in the log entry.
parse_to | string | body | The field the log will be parsed to. Some exporters handle logs better when parsed to attributes rather than body, and vice versa.
async_readers | int | 1 | Number of workers that read from the UDP port and push to the buffer. Generally this value should remain at 1 unless otherwise directed by observIQ support.
async_processors | int | 3 | Number of workers that read from the buffer (filled by the readers) and process logs before sending them downstream. Increasing this value can be useful when the agent is under significant load.
max_queue_length | int | 100 | Size of the buffer used by the async reader workers. When the buffer is full, reader workers block until it has room; as with any UDP listener, datagrams that arrive while the readers are blocked and the kernel socket buffer is full are dropped silently. Increasing this value can be useful if you anticipate short bursts of increased log volume. Generally, increase async_processors before increasing this value.
*required field
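To make the parsing options above concrete, here is an added example (not Bindplane or observIQ code) that models what the source does to a received datagram: splitting on multiline_line_start_pattern, extracting fields with parse_format (none, json, regex), converting the timestamp with each of the parse_timestamp_format choices including the epoch layouts, falling back to the timezone option only when the value carries no offset, and placing fields according to parse_to. The record layout (body, attributes, timestamp, severity), the choice to keep the raw body when the regex does not match, and the omission of multiline_line_end_pattern are assumptions made for illustration; the sample configurations and datagrams are constructed, not captured traffic.

```python
"""Toy model of the UDP source's parsing options (added example, not
Bindplane/observIQ code).  Option names mirror the configuration table; the
record layout and the no-match behaviour are assumptions for illustration."""
import json
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

EPOCH_DIVISOR = {"ms": 10**3, "us": 10**6, "ns": 10**9}  # integer epoch layouts

def parse_epoch(value, layout):
    """Interpret an epoch value in an epoch_timestamp_format layout, exactly."""
    if layout in ("s", "s.ms", "s.us", "s.ns"):  # seconds, optional fraction
        whole, _, frac = str(value).partition(".")
        secs, micros = int(whole), int((frac + "000000")[:6])
    elif layout in EPOCH_DIVISOR:                # integer count of ms/us/ns
        secs, rem = divmod(int(value), EPOCH_DIVISOR[layout])
        micros = rem * 10**6 // EPOCH_DIVISOR[layout]
    else:
        raise ValueError(f"unknown epoch layout {layout!r}")
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(microseconds=micros)

def parse_timestamp(raw, cfg):
    """Apply parse_timestamp_format; 'timezone' only fills in a missing offset."""
    fmt = cfg.get("parse_timestamp_format", "ISO8601")
    if fmt == "Epoch":
        return parse_epoch(raw, cfg.get("epoch_timestamp_format", "s"))
    if fmt == "Manual":
        ts = datetime.strptime(raw, cfg.get("manual_timestamp_format", "%Y-%m-%dT%H:%M:%S.%f%z"))
    else:  # ISO8601 / RFC3339: both are accepted by fromisoformat
        ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if ts.tzinfo is None:  # value carried no zone: fall back to the 'timezone' option
        name = cfg.get("timezone", "UTC")
        ts = ts.replace(tzinfo=timezone.utc if name == "UTC" else ZoneInfo(name))
    return ts

def split_entries(text, cfg):
    """Split a datagram into entries on multiline_line_start_pattern, if set."""
    start = cfg.get("multiline_line_start_pattern")
    if not start:
        return [text]
    entries, current = [], []
    for line in text.splitlines():
        if current and re.match(start, line):  # a new entry begins here
            entries.append("\n".join(current))
            current = []
        current.append(line)
    return entries + ["\n".join(current)] if current else entries

def extract_fields(entry, cfg):
    """parse_format: none -> no fields, json -> object, regex -> named groups."""
    fmt = cfg.get("parse_format", "none")
    if fmt == "none":
        return None
    if fmt == "json":
        return json.loads(entry)
    if fmt == "regex":
        pattern = cfg.get("regex_pattern")
        if not pattern:
            raise ValueError("regex_pattern must be set when parse_format is regex")
        m = re.match(pattern, entry)
        return m.groupdict() if m else None  # assumption: no match keeps the raw body
    raise ValueError(f"unknown parse_format {fmt!r}")

def process_datagram(data, cfg):
    """Turn one received datagram (bytes) into a list of log records."""
    records = []
    for entry in split_entries(data.decode("utf-8", errors="replace"), cfg):
        rec = {"body": entry, "timestamp": None, "severity": None,
               "attributes": {"log_type": cfg.get("log_type", "udp")}}
        fields = extract_fields(entry, cfg)
        if fields is not None:
            if cfg.get("parse_to", "body") == "attributes":
                rec["attributes"].update(fields)
            else:
                rec["body"] = fields
            if cfg.get("parse_timestamp", False):
                raw = fields.get(cfg.get("timestamp_field", "timestamp"))
                rec["timestamp"] = None if raw is None else parse_timestamp(str(raw), cfg)
            if cfg.get("parse_severity", False):
                sev = fields.get(cfg.get("severity_field", "severity"))
                rec["severity"] = None if sev is None else str(sev).upper()
        records.append(rec)
    return records

# Constructed sample configurations and datagrams (not captured traffic).
REGEX_CFG = {
    "log_type": "app-udp", "parse_format": "regex", "parse_to": "attributes",
    "regex_pattern": r"(?s)(?P<timestamp>\S+) (?P<severity>[A-Z]+) (?P<message>.*)",
    "multiline_line_start_pattern": r"^\d{4}-\d{2}-\d{2}T",
    "parse_timestamp": True, "parse_timestamp_format": "Manual", "parse_severity": True,
}
REGEX_DATAGRAM = (b"2024-05-01T12:00:00.123456+0000 ERROR disk full\n"
                  b"2024-05-01T12:00:01.000000+0000 WARN retrying\n  at worker.go:42")
JSON_CFG = {"parse_format": "json", "parse_timestamp": True, "timestamp_field": "ts",
            "parse_timestamp_format": "Epoch", "epoch_timestamp_format": "s.ms",
            "parse_severity": True, "severity_field": "level"}
JSON_DATAGRAM = b'{"ts": "1700000000.500", "level": "warn", "msg": "login failed"}'
```

Calling process_datagram(REGEX_DATAGRAM, REGEX_CFG) yields two records: the start pattern splits the datagram before the second timestamp, so the indented continuation line stays attached to the WARN entry, the named groups land in attributes because parse_to is "attributes", and the raw text remains in body. process_datagram(JSON_DATAGRAM, JSON_CFG) shows the "s.ms" epoch layout and a custom severity_field, with the parsed object replacing the body. Note that the 'timezone' option is consulted only when the value itself has no offset, which is why the "+0000" samples ignore it.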