Syslog Inputs
Syslog is one of the most widely used protocols for collecting and centralizing log messages across network devices, servers, and applications. Graylog is able to accept and parse RFC 5424 and RFC 3164 compliant syslog messages and supports TCP transport with both the octet counting or termination character methods. UDP is also supported and the recommended way to send log messages in most architectures.
In addition to TCP and UDP, Graylog provides the option to ingest syslog data from Kafka and AMQP queuing systems.
Input Type
Syslog inputs can support the following types:
-
Syslog AMQP: Pull input
-
Syslog Kafka: Pull input
-
Syslog TCP:
-
Syslog UDP:
See Inputs to learn about input types.
Input Configuration
Follow the input setup instructions. During setup of this input, you can configure the following options:
Syslog AMQP (Advanced Message Queuing Protocol) is an integration that allows syslog messages to be transmitted over a message-oriented middleware system. Instead of sending logs directly over traditional protocols such as UDP or TCP, Syslog AMQP uses message brokers like RabbitMQ to reliably queue, route, and deliver syslog events.
| Configuration Option | Description |
|---|---|
|
Global |
Select this check box to enable the input on all Graylog nodes, or keep it unchecked to enable the input on a specific node. |
| Node | Select the AWS region the queue is in. |
| Title | Assign a title to the input. Example: Syslog AMQP Input for XYZ Source. |
|
Broker hostname |
The hostname or IP address of the message broker (e.g. RabbitMQ server). |
|
Broker virtual host |
The logical namespace within the broker used to separate applications or tenants. |
|
Prefetch count |
The maximum number of messages a consumer can receive before acknowledging them. |
|
Queue |
The name of the queue from which messages will be consumed. |
|
Exchange |
The exchange to which the input should bind in order to receive messages. |
|
Routing key |
The key used by the exchange to route messages into the specified queue. |
|
Number of consumers/queues |
Defines how many consumers or queues should be created for message processing. |
|
Allow throttling this input (Checkbox) |
Enables message rate limiting to control ingestion speed and prevent system overload. |
|
Broker port (optional) |
The port number used by the message broker. |
|
Username (optional) |
The username for authenticating against the message broker, if required. |
|
Password (optional) |
The password associated with the broker username for authentication. |
|
Passive queue declaration (Checkbox) |
Declares the queue in passive mode, ensuring it exists without modifying or creating it. |
|
Bind to exchange (Checkbox) |
Binds the input to a specific exchange in the broker to receive messages from it. |
|
Heartbeat timeout (optional) |
Interval (in seconds) for client–broker heartbeat checks to detect lost connections. |
|
Enable TLS? |
Enable secure TLS for encrypted message transport (requires certificates). Select if this input should use TLS. |
|
Re-queue invalid messages? |
Determines whether invalid/unprocessable messages are placed back into the queue. |
|
Connection recovery interval (optional) |
Time interval (in seconds) to wait before retrying a broker connection after failure. |
|
Override source (optional) |
By default, messages parse the source field as the provided hostname in the log message. However, if you want to override this setting for devices that output non-standard or unconfigurable hostnames, you can set an alternate source name here. |
|
Encoding (optional) |
All messages need to support the encoding configured for the input. For example, UTF-8 encoded messages should not be sent to an input configured to support UTF-16. |
|
Force rDNS? (Checkbox) |
Forces a reverse DNS lookup on incoming messages to resolve the hostname from the IP address. |
|
Allow overriding date? (Checkbox) |
Permits incoming messages to use their own timestamp instead of the system’s received time. |
|
Store full message? (Checkbox) |
Keeps the entire raw message in addition to the parsed fields for future reference or troubleshooting. |
|
Expand structured data? (Checkbox) |
Expands structured data elements (e.g. key-value pairs in syslog) into individual fields. |
| Timezone (optional) | Select the timestamp configured on the system that is sending CEF messages. If the sender does not include the timezone information, you can configure the timezone applied to the messages on arrival. That configuration does not overwrite the timezone included in the timestamp; however, it is the assumed timezone for messages that do not include timezone information. |
Syslog Kafka enables the transport of syslog messages through Apache Kafka rather than traditional protocols like UDP or TCP. Kafka is a distributed event streaming platform that provides high throughput, fault tolerance, and horizontal scalability, making it well-suited for large-scale log processing pipelines.
| Configuration Option | Description |
|---|---|
|
Global (Checkbox) |
Select this check box to enable the input on all Graylog nodes, or keep it unchecked to enable the input on a specific node. |
| Node | Select the AWS region the queue is in. |
| Title | Assign a title to the input. Example: Syslog Kafka Input for XYZ Source. |
|
Legacy mode (Checkbox) |
A compatibility setting that allows the input to parse messages formatted according to older syslog standards or non-RFC-compliant message structures. |
|
Bootstrap Servers (optional) |
Enter the IP address and port on which the Kafka server is running. |
|
ZooKeeper address (legacy mode only) (optional) |
The IP address and port on which the Zookeeper server is running. |
|
Topic filter regex |
Enter the topic name filter that is configured in the filebeats.yml file. |
|
Fetch minimum bytes |
Minimum byte size a message batch should reach before fetching. |
|
Fetch maximum wait time (ms) |
Enter the maximum time (in milliseconds) to wait before fetching. |
|
Processor threads |
Enter the number of threads to process. This setting is based on the number of partitions available for the topic. |
|
Allow throttling this input (Checkbox) |
Permits incoming messages to use their own timestamp instead of the system’s received time. |
|
Auto offset reset (optional) |
Choose the appropriate selection from the drop-down menu if there is no initial offset in Kafka or if an offset is out of range. |
|
Consumer group id (optional) |
The name of the consumer group the Kafka input belongs to. |
|
Override source (optional) |
Enter the default hostname derived from the received packet. Only set this source if you want to override it with a custom string. |
|
Encoding (optional) |
Default encoding is UTF-8. Set this to a standard charset name if you want to override the default. |
|
Force rDNS? (Checkbox) |
Forces a reverse DNS lookup on incoming messages to resolve the hostname from the IP address. |
|
Allow overriding date? (Checkbox) |
Permits incoming messages to use their own timestamp instead of the system’s received time. |
|
Store full message? (Checkbox) |
Keeps the entire raw message in addition to the parsed fields for future reference or troubleshooting. |
|
Expand structured data? (Checkbox) |
Expands structured data elements (e.g. key-value pairs in Syslog) into individual fields. |
| Timezone (optional) | Select the timestamp configured on the system that is sending CEF messages. If the sender does not include the timezone information, you can configure the timezone applied to the messages on arrival. That configuration does not overwrite the timezone included in the timestamp; however, it is the assumed timezone for messages that do not include timezone information. |
| Custom Kafka properties (optional) |
Provide additional properties to Kafka by separating them in a new line. |
Syslog TCP uses the Transmission Control Protocol (TCP) as the transport mechanism for delivering syslog messages.
| Configuration Option | Description |
|---|---|
|
Global (Checkbox) |
Select this check box to enable the input on all Graylog nodes, or keep it unchecked to enable the input on a specific node. |
| Node | Select the AWS region the queue is in. |
| Title | Assign a title to the input. Example: Syslog TCP Input for XYZ Source. |
| Bind address | Enter an IP address for this input to listen on. The source system/data sends logs to this IP/input. |
| Port |
Enter a port to use in conjunction with the IP address. |
| Receive Buffer Size (optional) | Depending on the amount of traffic being ingested by the input, this value should be large enough to ensure proper flow of data but small enough to prevent the system from spending resources trying to process the buffered data. |
| No. of worker threads |
This setting controls how many concurrent threads are used to process incoming data. Increasing the number of threads can enhance data processing speed, resulting in improved throughput. The ideal number of threads to configure depends on the available CPU cores on your Graylog server. A common starting point is to align the number of worker threads with the number of CPU cores. However, it is crucial to strike a balance with other server demands. |
|
TLS cert file (optional) |
The certificate file that is stored on a Graylog system. The value of this field is a path (/path/to/file) that Graylog should have access to, and etc/graylog/tls is recommended. Ensure this path is readable by the user running the Graylog service. |
|
TLS private key file (optional) |
The certificate private key file that is stored on a Graylog system. The value of this field is a path ( |
|
Enable TLS (Checkbox) |
Select this option if this input should use TLS. |
|
TLS key password (optional) |
The private key password. |
|
TLS client authentication (optional) |
If you want to require authentication, set this value to optional or required. |
|
TLS Client Auth Trusted Certs (optional) |
The path where client (source) certificates are located on a Graylog system. The value of this field is a path ( |
|
TCP keepalive (Checkbox) |
Enable this option if you want the input to support TCP keep-alive packets to prevent idle connections. |
|
Null frame delimeter? (Checkbox) |
This option is typically left unchecked, as new line is the delimiter for each message. |
|
Maximum message size (optional) |
The maximum message size of the message. The default value should suffice but can be modified depending on message length. Each input type usually has specifications that note the maximum length of a message. |
|
Override source (optional) |
Enter the default hostname derived from the received packet. Only set this source if you want to override it with a custom string. |
|
Encoding (optional) |
Default encoding is UTF-8. Set this to a standard charset name if you want to override the default. |
|
Force rDNS? (Checkbox) |
Forces a reverse DNS lookup on incoming messages to resolve the hostname from the IP address. |
|
Store full message? (Checkbox) |
Keeps the entire raw message in addition to the parsed fields for future reference or troubleshooting. |
|
Expand structured data? (Checkbox) |
Expands structured data elements (e.g. key-value pairs in syslog) into individual fields. |
| Timezone (optional) | Select the timestamp configured on the system that is sending CEF messages. If the sender does not include the timezone information, you can configure the timezone applied to the messages on arrival. That configuration does not overwrite the timezone included in the timestamp; however, it is the assumed timezone for messages that do not include timezone information. |
Syslog UDP uses the User Datagram Protocol (UDP) as the transport mechanism for syslog messages. UDP is lightweight and connectionless, making it efficient for transmitting log data with minimal overhead.
| Configuration Option | Description |
|---|---|
|
Global (Checkbox) |
Select this check box to enable the input on all Graylog nodes, or keep it unchecked to enable the input on a specific node. |
| Node | Select the AWS region the queue is in. |
| Title | Assign a title to the input. Example: Syslog UDP Input for XYZ Source. |
| Bind address | Enter an IP address for this input to listen on. The source system/data sends logs to this IP/input. |
| Port |
Enter a port to use in conjunction with the IP address. |
| Receive Buffer Size (optional) | Depending on the amount of traffic being ingested by the input, this value should be large enough to ensure proper flow of data but small enough to prevent the system from spending resources trying to process the buffered data. |
| No. of worker threads (optional) |
This setting controls how many concurrent threads are used to process incoming data. Increasing the number of threads can enhance data processing speed, resulting in improved throughput. The ideal number of threads to configure depends on the available CPU cores on your Graylog server. A common starting point is to align the number of worker threads with the number of CPU cores. However, it is crucial to strike a balance with other server demands. |
|
Override source (optional) |
Enter the default hostname derived from the received packet. Only set this source if you want to override it with a custom string. |
|
Encoding (optional) |
Default encoding is UTF-8. Set this to a standard charset name if you want to override the default. |
|
Force rDNS? (Checkbox) |
Forces a reverse DNS lookup on incoming messages to resolve the hostname from the IP address. |
|
Allow overriding date? (Checkbox) |
Permits incoming messages to use their own timestamp instead of the system’s received time. |
|
Store full message? (Checkbox) |
Keeps the entire raw message in addition to the parsed fields for future reference or troubleshooting. |
|
Expand structured data? (Checkbox) |
Expands structured data elements (e.g. key-value pairs in syslog) into individual fields. |
| Timezone | Select the timestamp configured on the system that is sending CEF messages. If the sender does not include the timezone information, you can configure the timezone applied to the messages on arrival. That configuration does not overwrite the timezone included in the timestamp; however, it is the assumed timezone for messages that do not include timezone information. |
Next Steps
After you complete input setup, visit Input Diagnosis for testing and validation of the new input. Use this functionality to help troubleshoot any connection issues.
Further Reading
Explore the following additional resources and recommended readings to expand your knowledge on related topics:
