protocol* | enum | "rfc3164" | The RFC protocol to use when parsing incoming syslog. Valid values are rfc3164 or rfc5424. |
connection_type | enum | udp | The transport protocol to use. Valid values are udp or tcp. |
data_flow | enum | high | Enable high flow or reduced low flow. |
listen_port* | int | 5140 | The port to bind to and receive syslog. The collector must be running as root (Linux) or Administrator (Windows) when binding to a port below 1024. |
listen_ip* | string | "0.0.0.0" | The IP address to bind to and receive syslog. |
timezone | enum | UTC | RFC3164 only. The timezone to use when parsing timestamps. |
enable_octet_counting | bool | false | Whether or not to enable octet counting on syslog framing. This framing allows for the transmission of all characters inside a syslog message. This is only applicable to tcp and rfc5424 configurations. |
non_transparent_framing_trailer | enum | LF | The trailer character to use when parsing with non-transparent framing. This is a special character that will be the termination character for syslog messages. This is only applicable to tcp and rfc5424 configurations. |
enable_mutual_tls | bool | false | Whether or not to use mutual TLS. |
cert_file | string | | Path to the TLS cert to use for TLS-required connections. |
key_file | string | | Path to the TLS key to use for TLS-required connections. |
ca_file | string | | When set, enforces mutual TLS authentication and verifies client certificates. |
tls_min_version | enum | "1.2" | The minimum TLS version to support. 1.0 and 1.1 should not be considered secure. |
max_log_size | string | "1Mib" | When using tcp, the maximum size of a log entry to read. A log entry will be truncated if it is larger than max_log_size. Protects against reading large amounts of data into memory. |
async_readers | int | 1 | When using udp, determines how many workers read from the UDP port and push to the buffer. Generally this value should remain at 1 unless otherwise directed by observIQ support. |
async_processors | int | 3 | When using udp, determines how many workers read from the buffer (pushed by readers) and process logs before sending downstream. Increasing this value can be useful when the agent is under significant load. |
max_queue_length | int | 100 | When using udp, determines the size of the buffer used by the async reader workers. When the buffer reaches this maximum, reader workers will block until the buffer has room. Increasing this value can be useful if you anticipate short durations of increased log volume. Generally, you should increase async_processors before increasing this value. |
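
The two TCP framings that enable_octet_counting and non_transparent_framing_trailer choose between, together with max_log_size truncation, shown as an added Python example (not observIQ's code). The function names and sample messages are constructed, and max_log_size is assumed to be a byte count.

```python
from __future__ import annotations

# Added illustration, not collector code: the two RFC 6587 TCP framings.
# Sample messages are constructed; MAX_LOG_SIZE assumes the default means 1 MiB in bytes.
MAX_LOG_SIZE = 1024 * 1024
MSG1 = b"<34>1 2024-01-01T00:00:00Z host app 1 - - first line\nsecond line"
MSG2 = b"<34>1 2024-01-01T00:00:01Z host app 2 - - ok"


def frame(msg: bytes) -> bytes:
    """Sender side of octet counting: 'MSG-LEN SP SYSLOG-MSG'."""
    return str(len(msg)).encode() + b" " + msg


OCTET_STREAM = frame(MSG1) + frame(MSG2)
LF_STREAM = MSG1 + b"\n" + MSG2 + b"\n"


def split_octet_counted(stream: bytes, max_log_size: int) -> list[bytes]:
    """Read each length prefix, then take exactly that many bytes."""
    messages, pos = [], 0
    while pos < len(stream):
        space = stream.find(b" ", pos)
        digits = stream[pos:space] if space != -1 else b""
        if not digits.isdigit() or digits.startswith(b"0"):
            raise ValueError(f"bad length prefix at offset {pos}")
        length = int(digits)
        body = stream[space + 1 : space + 1 + length]
        if len(body) < length:
            raise ValueError("stream ended inside a frame")
        messages.append(body[:max_log_size])  # oversized entries are truncated
        pos = space + 1 + length
    return messages


def split_non_transparent(stream: bytes, max_log_size: int) -> list[bytes]:
    """Cut at every LF trailer; an LF inside a message also ends a record."""
    return [part[:max_log_size] for part in stream.split(b"\n") if part]


if __name__ == "__main__":
    print(split_octet_counted(OCTET_STREAM, MAX_LOG_SIZE))   # 2 records
    print(split_non_transparent(LF_STREAM, MAX_LOG_SIZE))    # 3 records
```

With the LF trailer, the newline embedded in the first message produces three records instead of two; octet counting returns both messages intact.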