The Syslog plugin is a dual-protocol (UDP + TCP) syslog receiver supporting both RFC 5424 (IETF) and RFC 3164 (BSD) message formats. It parses facility codes, severity levels, timestamps, and hostnames from incoming syslog messages.
- Binary: logflux-agent-syslogd
- Platform: Linux, macOS
- Entry type: Log
- Default port: 514 (UDP + TCP)
Command-Line Flags
| Flag | Default | Description |
|---|---|---|
| -config FILE | – | Path to YAML configuration file |
| -listen ADDR | 0.0.0.0:514 | Listen address |
| -protocol PROTO | both | Protocol: udp, tcp, or both |
| -max-msg-size N | 8192 | Maximum message size in bytes |
| -verbose | false | Enable verbose output |
| -version | – | Show version and exit |
Configuration File
```yaml
name: syslogd
version: 1.0.0
source: syslogd-plugin

agent:
  socket_path: /var/run/logflux-agent/agent.sock
  network: unix
  connect_timeout: 10s
  max_retries: 3
  retry_delay: 1s

plugin:
  listen: "0.0.0.0:514"
  protocol: "both" # udp, tcp, or both
  max_msg_size: 8192

logging:
  level: info
  labels:
    component: syslogd
    plugin: syslogd
  verbose: false

batch:
  enabled: true
  max_size: 100
  flush_interval: 5s
  auto_flush: true
```
RFC 3164 (BSD)
```
<PRI>Timestamp Hostname Tag[PID]: Message
```
Example:
```
<134>Mar 19 10:30:00 webserver nginx[12345]: GET /api/health 200
```
RFC 5424 (IETF)
```
<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MESSAGE
```
Example:
```
<134>1 2026-03-19T10:30:00Z webserver nginx 12345 - - GET /api/health 200
```
Priority Decoding
The syslog priority value encodes both facility and severity:
- Facility = PRI / 8 (integer division)
- Severity = PRI % 8
Facility Codes
| Code | Name | Description |
|---|---|---|
| 0 | kern | Kernel messages |
| 1 | user | User-level messages |
| 2 | mail | Mail system |
| 3 | daemon | System daemons |
| 4 | auth | Security/authorization |
| 5 | syslog | Syslog internal |
| 6 | lpr | Line printer |
| 7 | news | Network news |
| 8-15 | – | Various system facilities |
| 16-23 | local0-local7 | Local use facilities |
Severity Levels
| Code | Name | LogFlux Level |
|---|---|---|
| 0 | Emergency | 1 (EMERGENCY) |
| 1 | Alert | 2 (ALERT) |
| 2 | Critical | 3 (CRITICAL) |
| 3 | Error | 4 (ERROR) |
| 4 | Warning | 5 (WARNING) |
| 5 | Notice | 6 (NOTICE) |
| 6 | Informational | 7 (INFO) |
| 7 | Debug | 8 (DEBUG) |
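
The priority decoding and the two header formats above, as an added example (not LogFlux's own code). It rejects a PRI outside 0-191 and oversized input before parsing, since syslog arrives unauthenticated from the network. The name `parse_syslog` and the regular expressions are assumptions made for illustration; the plugin's own parser may differ.

```python
import re

# Facility names from the table above; codes 8-15 are unnamed on the page.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news",
              **{16 + i: f"local{i}" for i in range(8)}}
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

PRI_RE = re.compile(rb"<(\d{1,3})>")
# RFC 5424: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
RFC5424_RE = re.compile(rb"1 (\S+) (\S+) (\S+) (\S+) (\S+) ")
# RFC 3164: "Mmm dd hh:mm:ss" HOSTNAME TAG[PID]:
RFC3164_RE = re.compile(
    rb"([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) ([^\s\[:]+)(?:\[(\d+)\])?:")


def parse_syslog(data: bytes, max_msg_size: int = 8192) -> dict:
    """Decode PRI and header fields; raise ValueError on malformed input."""
    if len(data) > max_msg_size:
        raise ValueError("message exceeds max_msg_size")
    m = PRI_RE.match(data)
    if not m or int(m.group(1)) > 191:     # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("missing or out-of-range PRI")
    pri, rest = int(m.group(1)), data[m.end():]
    facility, severity = divmod(pri, 8)    # Facility = PRI / 8, Severity = PRI % 8
    out = {"facility": FACILITIES.get(facility, str(facility)),
           "severity": SEVERITIES[severity],
           "logflux_level": severity + 1,  # per the severity table above
           "format": "unknown", "hostname": None, "app_name": None}
    if (h := RFC5424_RE.match(rest)):
        out.update(format="rfc5424", hostname=h.group(2).decode("utf-8", "replace"),
                   app_name=h.group(3).decode("utf-8", "replace"))
    elif (h := RFC3164_RE.match(rest)):
        out.update(format="rfc3164", hostname=h.group(2).decode("utf-8", "replace"),
                   app_name=h.group(3).decode("utf-8", "replace"))
    return out


if __name__ == "__main__":
    # The two example messages from this page.
    for msg in (b"<134>Mar 19 10:30:00 webserver nginx[12345]: GET /api/health 200",
                b"<134>1 2026-03-19T10:30:00Z webserver nginx 12345 - - GET /api/health 200"):
        print(parse_syslog(msg))
```
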
Usage Examples
```bash
# Default (UDP + TCP on port 514)
sudo logflux-agent-syslogd

# TCP only on non-privileged port
logflux-agent-syslogd -protocol tcp -listen :1514

# UDP only with larger message size
logflux-agent-syslogd -protocol udp -max-msg-size 65535

# Test with logger
logger -n 127.0.0.1 -P 514 "Test syslog message"
```
| Label | Description |
|---|---|
| source_type | Always plugin |
| source_name | Always syslogd |
| facility | Syslog facility name |
| severity | Syslog severity name |
| hostname | Source hostname |
| app_name | Application name / tag |
| transport | udp or tcp |
| source_addr | Source IP address |
Redirecting System Syslog
To forward your system’s rsyslog to the plugin:
```
# /etc/rsyslog.d/60-logflux.conf
*.* @@127.0.0.1:514 # TCP
# or
*.* @127.0.0.1:514 # UDP
```
Restart rsyslog:
```bash
sudo systemctl restart rsyslog
```
Requirements
Port 514 requires root or CAP_NET_BIND_SERVICE. Use a non-privileged port (e.g., 1514) to run without elevated permissions.