Syslog

Syslog (`syslog`)

Emit events as syslog messages to remote or local syslog receivers. Supported endpoint schemes: - udp://host:port - tcp://host:port - tls://host:port - unix:///path (unix stream) - unixgram:///path (unix datagram).

Observability json

Minimal example

output:
  syslog:
    endpoint: ""

JSON

{
  "output": {
    "syslog": {
      "endpoint": ""
    }
  }
}

Minimal example
Fields
Batching
Reliability
Endpoint
Format
Framing
Security
Payload
Priority
Headers
Structured Data
Schema

Fields

Field	Type	Required	Description
`endpoint` Endpoint	`hostname` (`string`)	✅	Syslog destination endpoint (selects transport by scheme). Examples: `example.com`, `localhost`
`batch` Batching	`Batch`		Optional batching hints (still emits one syslog message per event).
`retry` Reliability	`Retry`		Retry policy for connection and send failures (TCP/TLS/Unix stream).
`format` Format	`Format`		Syslog message format to emit. Allowed values: `rfc5424`, `rfc3164`
`framing` Framing	`Framing`		TCP/TLS/Unix-stream framing mode. Allowed values: `octet-counting`, `newline`
`tls` Security	`Tls`		TLS configuration (applies to `tls://` endpoints only).
`input-field` Payload	`field` (`string`)		If set, this field’s value becomes the syslog payload (and is also used for field-derived syslog properties like facility/severity). Examples: `data_field`
`facility` Priority	`Facility`		Syslog facility (static value or event field).
`severity` Priority	`Severity`		Syslog severity (static value or event field).
`hostname` Headers	`Hostname`		RFC 5424 hostname (static value or event field). Defaults to `-` (NILVALUE).
`app-name` Headers	`App Name`		RFC 5424 app-name (static value or event field). Defaults to `-` (NILVALUE).
`procid` Headers	`Procid`		RFC 5424 procid (static value or event field). Defaults to `-` (NILVALUE).
`msgid` Headers	`Msgid`		RFC 5424 msgid (static value or event field). Defaults to `-` (NILVALUE).
`structured-data` Structured Data	`Structured Data`		Optional RFC 5424 structured-data encoding. When enabled, the (possibly `input_field` selected) payload must be a JSON object, or a JSON string that can be parsed into an object when `parse_json_string=true`.

Batching

Show fields

Field	Type	Required	Description
`batch`	`Batch`		Optional batching hints (still emits one syslog message per event).

Reliability

Show fields

Field	Type	Required	Description
`retry`	`Retry`		Retry policy for connection and send failures (TCP/TLS/Unix stream).

Endpoint

Show fields

Field	Type	Required	Description
`endpoint`	`hostname` (`string`)	✅	Syslog destination endpoint (selects transport by scheme). Examples: `example.com`, `localhost`

Format

Show fields

Field	Type	Required	Description
`format`	`Format`		Syslog message format to emit. Allowed values: `rfc5424`, `rfc3164`

Framing

Show fields

Field	Type	Required	Description
`framing`	`Framing`		TCP/TLS/Unix-stream framing mode. Allowed values: `octet-counting`, `newline`

Security

Show fields

Field	Type	Required	Description
`tls`	`Tls`		TLS configuration (applies to `tls://` endpoints only).

Payload

Show fields

Field	Type	Required	Description
`input-field`	`field` (`string`)		If set, this field’s value becomes the syslog payload (and is also used for field-derived syslog properties like facility/severity). Examples: `data_field`

Priority

Show fields

Field	Type	Required	Description
`facility`	`Facility`		Syslog facility (static value or event field).
`severity`	`Severity`		Syslog severity (static value or event field).

Headers

Show fields

Field	Type	Description
`hostname`	`Hostname`	RFC 5424 hostname (static value or event field). Defaults to `-` (NILVALUE).
`app-name`	`App Name`	RFC 5424 app-name (static value or event field). Defaults to `-` (NILVALUE).
`procid`	`Procid`	RFC 5424 procid (static value or event field). Defaults to `-` (NILVALUE).
`msgid`	`Msgid`	RFC 5424 msgid (static value or event field). Defaults to `-` (NILVALUE).

Structured Data

Show fields

Field	Type	Required	Description
`structured-data`	`Structured Data`		Optional RFC 5424 structured-data encoding. When enabled, the (possibly `input_field` selected) payload must be a JSON object, or a JSON string that can be parsed into an object when `parse_json_string=true`.

Facility Options

Option	Name	Type	Description
`facility-value`	Facility Value	`string`
`facility-field`	Facility Field	`string`

Severity Options

Option	Name	Type	Description
`severity-value`	Severity Value	`string`
`severity-field`	Severity Field	`string`

Hostname Options

Option	Name	Type	Description
`hostname-value`	Hostname Value	`string`
`hostname-field`	Hostname Field	`string`

App Name Options

Option	Name	Type	Description
`app-name-value`	App Name Value	`string`
`app-name-field`	App Name Field	`string`

Procid Options

Option	Name	Type	Description
`proc-id-value`	Proc Id Value	`string`
`proc-id-field`	Proc Id Field	`string`

Msgid Options

Option	Name	Type	Description
`msg-id-value`	Msg Id Value	`string`
`msg-id-field`	Msg Id Field	`string`

Batch Fields

Field	Type	Required	Description
`fixed-size`	`number` (`integer`)		maximum number of events in an output batch. Examples: `42`, `1.2e-10`
`mode`	`Mode`	✅	If ‘document’ send on end of document generated by input. If ‘fixed’, use `fixed_size`. Allowed values: `fixed`, `document`
`timeout`	`time-interval` (`string`)	✅	interval after which the batch is sent, to keep throughput going (default 100ms). Examples: `500ms`, `2h`
`header`	`multiline-text` (`string`)		put a header line before the batch.
`footer`	`multiline-text` (`string`)		put a header line after the last line of the batch.
`use-document-marker`	`boolean` (`bool`)		Enrich the job metadata with a document marker (for document handling in batch mode).
`wrap-as-json`	`boolean` (`bool`)		Format the output batch as a JSON array.

Retry Fields

Field	Type	Required	Description
`timeout`	`time-interval` (`string`)	✅	timeout (e.g. 500ms, 2s etc. - default is 30). Examples: `500ms`, `2h`
`retries`	`number` (`integer`)		number of retries. Examples: `42`, `1.2e-10`

Tls Fields

Field	Type	Description
`ca-certificate`	`string`	Custom CA certificate bundle (PEM or path).
`client-certificate`	`string`	Client certificate for mutual TLS (PEM or path).
`client-key`	`string`	Client private key for mutual TLS (PEM or path).
`server-name`	`string`	Override the TLS server name used for certificate validation (SNI).
`insecure-skip-verify`	`boolean` (`bool`)	Skip certificate validation (development only).

Structured Data Fields

Field	Type	Required	Description
`sd-id`	`string`	✅	SD-ID used for the RFC 5424 structured data element (example: `lyftdata@32473`).
`parse-json-string`	`boolean` (`bool`)		If the payload is a JSON string, parse it as JSON (must decode to an object) before encoding into structured data.

Batch - Mode Options

Value	Description
`fixed`	Fixed
`document`	Document

Format Options

Value	Description
`rfc5424`	Rfc5424
`rfc3164`	Rfc3164

Framing Options

Value	Description
`octet-counting`	RFC 6587 octet-counting framing: `<len> <message>`.
`newline`	Newline-delimited framing (LF).

Syslog

Syslog (syslog)

Minimal example

Contents

Fields

Batching

Reliability

Endpoint

Format

Framing

Security

Payload

Priority

Headers

Structured Data

Schema

Facility Options

Severity Options

Hostname Options

App Name Options

Procid Options

Msgid Options

Batch Fields

Retry Fields

Tls Fields

Structured Data Fields

Batch - Mode Options

Format Options

Framing Options

Syslog (`syslog`)