otelcol.exporter.syslog
Public preview: This is a public preview component. Public preview components are subject to breaking changes, and may be replaced with equivalent functionality that cover the same use case. To enable and use a public preview component, you must set the
stability.levelflag topublic-previewor below.
otelcol.exporter.syslog accepts logs from other otelcol components and writes them over the network using the syslog protocol.
It supports syslog protocols
RFC5424 and
RFC3164 and can send data over TCP or UDP.
Note
otelcol.exporter.syslogis a wrapper over the upstream OpenTelemetry Collectorsyslogexporter. Bug reports or feature requests will be redirected to the upstream repository, if necessary.
You can specify multiple otelcol.exporter.syslog components by giving them different labels.
Usage
otelcol.exporter.syslog "LABEL" {
endpoint = "HOST"
}Supported Attributes
The exporter creates one syslog message for each log record based on the following attributes of the log record. If an attribute is missing, the default value is used. The log’s timestamp field is used for the syslog message’s time. RFC3164 only supports a subset of the attributes supported by RFC5424, and the default values aren’t the same between the two protocols. Refer to the OpenTelemetry documentation for the exporter for more details.
| Attribute name | Type | RFC5424 Default value | RFC3164 supported | RFC3164 Default value |
|---|---|---|---|---|
appname | string | - | yes | empty string |
hostname | string | - | yes | - |
message | string | empty string | yes | empty string |
msg_id | string | - | no | |
priority | int | 165 | yes | 165 |
proc_id | string | - | no | |
structured_data | map | - | no | |
version | int | 1 | no |
Arguments
You can use the following arguments with otelcol.exporter.syslog:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
endpoint | string | The endpoint to send syslog formatted logs to. | yes | |
network | string | The type of network connection to use to send logs. | "tcp" | no |
port | int | The port where the syslog server accepts connections. | 514 | no |
protocol | string | The syslog protocol that the syslog server supports. | "rfc5424" | no |
enable_octet_counting | bool | Whether to enable rfc6587 octet counting. | false | no |
timeout | duration | Time to wait before marking a request as failed. | "5s" | no |
The network argument specifies if the syslog endpoint is using the TCP or UDP protocol.
network must be one of tcp, udp.
The protocol argument specifies the syslog format supported by the endpoint.
protocol must be one of rfc5424, rfc3164.
Blocks
You can use the following blocks with otelcol.exporter.syslog:
| Block | Description | Required |
|---|---|---|
debug_metrics | Configures the metrics that this component generates to monitor its state. | no |
retry_on_failure | Configures retry mechanism for failed requests. | no |
sending_queue | Configures batching of data before sending. | no |
tls | Configures TLS for a TCP connection. | no |
debug_metrics
The debug_metrics block configures the metrics that this component generates to monitor its state.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
disable_high_cardinality_metrics | boolean | Whether to disable certain high cardinality metrics. | true | no |
disable_high_cardinality_metrics is the Alloy equivalent to the telemetry.disableHighCardinalityMetrics feature gate in the OpenTelemetry Collector.
It removes attributes that could cause high cardinality metrics.
For example, attributes with IP addresses and port numbers in metrics about HTTP and gRPC connections are removed.
Note
If configured,
disable_high_cardinality_metricsonly applies tootelcol.exporter.*andotelcol.receiver.*components.
retry_on_failure
The retry_on_failure block configures how failed requests to the syslog server are retried.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
enabled | boolean | Enables retrying failed requests. | true | no |
initial_interval | duration | Initial time to wait before retrying a failed request. | "5s" | no |
max_elapsed_time | duration | Maximum time to wait before discarding a failed batch. | "5m" | no |
max_interval | duration | Maximum time to wait between retries. | "30s" | no |
multiplier | number | Factor to grow wait time before retrying. | 1.5 | no |
randomization_factor | number | Factor to randomize wait time before retrying. | 0.5 | no |
When enabled is true, failed batches are retried after a given interval.
The initial_interval argument specifies how long to wait before the first retry attempt.
If requests continue to fail, the time to wait before retrying increases by the factor specified by the multiplier argument, which must be greater than 1.0.
The max_interval argument specifies the upper bound of how long to wait between retries.
The randomization_factor argument is useful for adding jitter between retrying Alloy instances.
If randomization_factor is greater than 0, the wait time before retries is multiplied by a random factor in the range [ I - randomization_factor * I, I + randomization_factor * I], where I is the current interval.
If a batch hasn’t been sent successfully, it’s discarded after the time specified by max_elapsed_time elapses.
If max_elapsed_time is set to "0s", failed requests are retried forever until they succeed.
sending_queue
The sending_queue block configures an in-memory buffer of batches before data is sent to the syslog server.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
block_on_overflow | boolean | The behavior when the component’s TotalSize limit is reached. | false | no |
blocking | boolean | (Deprecated) If true, blocks until the queue has room for a new request. | false | no |
enabled | boolean | Enables a buffer before sending data to the client. | true | no |
num_consumers | number | Number of readers to send batches written to the queue in parallel. | 10 | no |
queue_size | number | Maximum number of unwritten batches allowed in the queue at the same time. | 1000 | no |
sizer | string | How the queue and batching is measured. | "requests" | no |
storage | capsule(otelcol.Handler) | Handler from an otelcol.storage component to use to enable a persistent queue mechanism. | no |
The blocking argument is deprecated in favor of the block_on_overflow argument.
When block_on_overflow is true, the component will wait for space. Otherwise, operations will immediately return a retryable error.
When enabled is true, data is first written to an in-memory buffer before sending it to the configured server.
Batches sent to the component’s input exported field are added to the buffer as long as the number of unsent batches doesn’t exceed the configured queue_size.
queue_size determines how long an endpoint outage is tolerated.
Assuming 100 requests/second, the default queue size 1000 provides about 10 seconds of outage tolerance.
To calculate the correct value for queue_size, multiply the average number of outgoing requests per second by the time in seconds that outages are tolerated. A very high value can cause Out Of Memory (OOM) kills.
The sizer argument could be set to:
requests: number of incoming batches of metrics, logs, traces (the most performant option).items: number of the smallest parts of each signal (spans, metric data points, log records).bytes: the size of serialized data in bytes (the least performant option).
The num_consumers argument controls how many readers read from the buffer and send data in parallel.
Larger values of num_consumers allow data to be sent more quickly at the expense of increased network traffic.
If an otelcol.storage.* component is configured and provided in the queue’s storage argument, the queue uses the
provided storage extension to provide a persistent queue and the queue is no longer stored in memory.
Any data persisted will be processed on startup if Alloy is killed or restarted.
Refer to the
exporterhelper documentation in the OpenTelemetry Collector repository for more details.
tls
The tls block configures TLS settings used for a connection to a TCP syslog server.
The following arguments are supported:
| Name | Type | Description | Default | Required |
|---|---|---|---|---|
ca_file | string | Path to the CA file. | no | |
ca_pem | string | CA PEM-encoded text to validate the server with. | no | |
cert_file | string | Path to the TLS certificate. | no | |
cert_pem | string | Certificate PEM-encoded text for client authentication. | no | |
cipher_suites | list(string) | A list of TLS cipher suites that the TLS transport can use. | [] | no |
curve_preferences | list(string) | Set of elliptic curves to use in a handshake. | [] | no |
include_system_ca_certs_pool | boolean | Whether to load the system certificate authorities pool alongside the certificate authority. | false | no |
insecure_skip_verify | boolean | Ignores insecure server TLS certificates. | no | |
insecure | boolean | Disables TLS when connecting to the configured server. | no | |
key_file | string | Path to the TLS certificate key. | no | |
key_pem | secret | Key PEM-encoded text for client authentication. | no | |
max_version | string | Maximum acceptable TLS version for connections. | "TLS 1.3" | no |
min_version | string | Minimum acceptable TLS version for connections. | "TLS 1.2" | no |
reload_interval | duration | The duration after which the certificate is reloaded. | "0s" | no |
server_name | string | Verifies the hostname of server certificates when set. | no |
If the server doesn’t support TLS, you must set the insecure argument to true.
To disable tls for connections to the server, set the insecure argument to true.
If you set reload_interval to "0s", the certificate never reloaded.
The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:
ca_pemandca_filecert_pemandcert_filekey_pemandkey_file
If cipher_suites is left blank, a safe default list is used.
Refer to the
Go TLS documentation for a list of supported cipher suites.
The curve_preferences argument determines the set of
elliptic curves to prefer during a handshake in preference order.
If not provided, a default list is used.
The set of elliptic curves available are X25519, P521, P256, and P384.
Exported fields
The following fields are exported and can be referenced by other components:
| Name | Type | Description |
|---|---|---|
input | otelcol.Consumer | A value that other components can use to send telemetry data to. |
input accepts otelcol.Consumer data for logs. Other telemetry signals are ignored.
Component health
otelcol.exporter.syslog is only reported as unhealthy if given an invalid configuration.
Debug information
otelcol.exporter.syslog doesn’t expose any component-specific debug information.
Examples
TCP endpoint without TLS
This example creates an exporter to send data to a syslog server expecting RFC5424-compliant messages over TCP without TLS:
otelcol.exporter.syslog "default" {
endpoint = "localhost"
tls {
insecure = true
insecure_skip_verify = true
}
}Use the otelcol.processor.transform component to format logs from loki.source.syslog
This example shows one of the methods for annotating your Loki messages into the format expected by the exporter using a otelcol.receiver.loki component in addition to the otelcol.processor.transform component.
This example assumes that the log messages being parsed have come from a loki.source.syslog component.
This is just an example of some of the techniques that can be applied, and not a fully functioning example for a specific incoming log.
otelcol.receiver.loki "default" {
output {
logs = [otelcol.processor.transform.syslog.input]
}
}
otelcol.processor.transform "syslog" {
error_mode = "ignore"
log_statements {
context = "log"
statements = [
`set(attributes["message"], attributes["__syslog_message"])`,
`set(attributes["appname"], attributes["__syslog_appname"])`,
`set(attributes["hostname"], attributes["__syslog_hostname"])`,
// To set structured data you can chain index ([]) operations.
`set(attributes["structured_data"]["auth@32473"]["user"], attributes["__syslog_message_sd_auth_32473_user"])`,
`set(attributes["structured_data"]["auth@32473"]["user_host"], attributes["__syslog_message_sd_auth_32473_user_host"])`,
`set(attributes["structured_data"]["auth@32473"]["valid"], attributes["__syslog_message_sd_auth_32473_authenticated"])`,
]
}
output {
metrics = []
logs = [otelcol.exporter.syslog.default.input]
traces = []
}
}Use the otelcol.processor.transform component to format OpenTelemetry logs
This example shows one of the methods for annotating your messages in the OpenTelemetry log format into the format expected by the exporter using an otelcol.processor.transform component.
This example assumes that the log messages being parsed have come from another OpenTelemetry receiver in JSON format (or have been transformed to OpenTelemetry logs using an otelcol.receiver.loki component).
This is just an example of some of the techniques that can be applied, and not a fully functioning example for a specific incoming log format.
otelcol.processor.transform "syslog" {
error_mode = "ignore"
log_statements {
context = "log"
statements = [
// Parse body as JSON and merge the resulting map with the cache map, ignoring non-json bodies.
// cache is a field exposed by OTTL that is a temporary storage place for complex operations.
`merge_maps(cache, ParseJSON(body), "upsert") where IsMatch(body, "^\\{")`,
// Set some example syslog attributes using the values from a JSON message body
// If the attribute doesn't exist in cache then nothing happens.
`set(attributes["message"], cache["log"])`,
`set(attributes["appname"], cache["application"])`,
`set(attributes["hostname"], cache["source"])`,
// To set structured data you can chain index ([]) operations.
`set(attributes["structured_data"]["auth@32473"]["user"], attributes["user"])`,
`set(attributes["structured_data"]["auth@32473"]["user_host"], cache["source"])`,
`set(attributes["structured_data"]["auth@32473"]["valid"], cache["authenticated"])`,
// Example priority setting, using facility 1 (user messages) and default to Info
`set(attributes["priority"], 14)`,
`set(attributes["priority"], 12) where severity_number == SEVERITY_NUMBER_WARN`,
`set(attributes["priority"], 11) where severity_number == SEVERITY_NUMBER_ERROR`,
`set(attributes["priority"], 10) where severity_number == SEVERITY_NUMBER_FATAL`,
]
}
output {
metrics = []
logs = [otelcol.exporter.syslog.default.input]
traces = []
}
}Compatible components
otelcol.exporter.syslog has exports that can be consumed by the following components:
- Components that consume
OpenTelemetry
otelcol.Consumer
Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.
Was this page helpful?
Related resources from Grafana Labs
