Caution
Grafana Alloy is the new name for our distribution of the OTel collector. Grafana Agent has been deprecated and is in Long-Term Support (LTS) through October 31, 2025. Grafana Agent will reach an End-of-Life (EOL) on November 1, 2025. Read more about why we recommend migrating to Grafana Alloy.
Important: This documentation is about an older version. It's relevant only to the release noted, many of the features and functions have been updated or replaced. Please view the current version.
loki.source.syslog
loki.source.syslog
listens for syslog messages over TCP or UDP connections
and forwards them to other loki.*
components. The messages must be compliant
with the RFC5424 format.
The component starts a new syslog listener for each of the given config
blocks and fans out incoming entries to the list of receivers in forward_to
.
Multiple loki.source.syslog
components can be specified by giving them
different labels.
Usage
loki.source.syslog "LABEL" {
listener {
address = "LISTEN_ADDRESS"
}
...
forward_to = RECEIVER_LIST
}
Arguments
loki.source.syslog
supports the following arguments:
Name | Type | Description | Default | Required |
---|---|---|---|---|
forward_to | list(LogsReceiver) | List of receivers to send log entries to. | yes | |
relabel_rules | RelabelRules | Relabeling rules to apply on log entries. | “{}” | no |
The relabel_rules
field can make use of the rules
export value from a
loki.relabel component to apply one or more relabeling rules to log entries
before they’re forwarded to the list of receivers in forward_to
.
Blocks
The following blocks are supported inside the definition of
loki.source.syslog
:
Hierarchy | Name | Description | Required |
---|---|---|---|
listener | listener | Configures a listener for IETF Syslog (RFC5424) messages. | no |
listener > tls_config | tls_config | Configures TLS settings for connecting to the endpoint for TCP connections. | no |
The >
symbol indicates deeper levels of nesting. For example, config > tls_config
refers to a tls_config
block defined inside a config
block.
listener block
The listener
block defines the listen address and protocol where the listener
expects syslog messages to be sent to, as well as its behavior when receiving
messages.
The following arguments can be used to configure a listener
. Only the
address
field is required and any omitted fields take their default
values.
Name | Type | Description | Default | Required |
---|---|---|---|---|
address | string | The <host:port> address to listen to for syslog messages. | yes | |
protocol | string | The protocol to listen to for syslog messages. Must be either tcp or udp . | tcp | no |
idle_timeout | duration | The idle timeout for tcp connections. | "120s" | no |
label_structured_data | bool | Whether to translate syslog structured data to loki labels. | false | no |
labels | map(string) | The labels to associate with each received syslog record. | {} | no |
use_incoming_timestamp | bool | Whether to set the timestamp to the incoming syslog record timestamp. | false | no |
use_rfc5424_message | bool | Whether to forward the full RFC5424-formatted syslog message. | false | no |
max_message_length | int | The maximum limit to the length of syslog messages. | 8192 | no |
By default, the component assigns the log entry timestamp as the time it was processed.
The labels
map is applied to every message that the component reads.
All header fields from the parsed RFC5424 messages are brought in as
internal labels, prefixed with __syslog_
.
If label_structured_data
is set, structured data in the syslog header is also
translated to internal labels in the form of
__syslog_message_sd_<ID>_<KEY>
. For example, a structured data entry of
[example@99999 test="yes"]
becomes the label
__syslog_message_sd_example_99999_test
with the value "yes"
.
tls_config block
Name | Type | Description | Default | Required |
---|---|---|---|---|
ca_file | string | CA certificate to validate the server with. | no | |
cert_file | string | Certificate file for client authentication. | no | |
key_file | string | Key file for client authentication. | no | |
server_name | string | ServerName extension to indicate the name of the server. | no | |
insecure_skip_verify | bool | Disables validation of the server certificate. | no | |
min_version | string | Minimum acceptable TLS version. | no |
When min_version
is not provided, the minimum acceptable TLS version is
inherited from Go’s default minimum version, TLS 1.2. If min_version
is
provided, it must be set to one of the following strings:
"TLS10"
(TLS 1.0)"TLS11"
(TLS 1.1)"TLS12"
(TLS 1.2)"TLS13"
(TLS 1.3)
Exported fields
loki.source.syslog
does not export any fields.
Component health
loki.source.syslog
is only reported as unhealthy if given an invalid
configuration.
Debug information
loki.source.syslog
exposes some debug information per syslog listener:
- Whether the listener is currently running.
- The listen address.
- The labels that the listener applies to incoming log entries.
Debug metrics
loki_source_syslog_entries_total
(counter): Total number of successful entries sent to the syslog component.loki_source_syslog_parsing_errors_total
(counter): Total number of parsing errors while receiving syslog messages.loki_source_syslog_empty_messages_total
(counter): Total number of empty messages received from the syslog component.
Example
This example listens for Syslog messages in valid RFC5424 format over TCP and
UDP in the specified ports and forwards them to a loki.write
component.
loki.source.syslog "local" {
listener {
address = "127.0.0.1:51893"
labels = { component = "loki.source.syslog", protocol = "tcp" }
}
listener {
address = "127.0.0.1:51898"
protocol = "udp"
labels = { component = "loki.source.syslog", protocol = "udp"}
}
forward_to = [loki.write.local.receiver]
}
loki.write "local" {
endpoint {
url = "loki:3100/api/v1/push"
}
}