Syslog

Syslog (`syslog`)

Emit events as syslog messages to remote or local syslog receivers. Supported endpoint schemes: - udp://host:port - tcp://host:port - tls://host:port - unix:///path (unix stream) - unixgram:///path (unix datagram).

Observability json

Minimal example

output:
  syslog:
    endpoint: ""

JSON

{
  "output": {
    "syslog": {
      "endpoint": ""
    }
  }
}

Minimal example
Batching
Endpoint
Format
Framing
Headers
Payload
Priority
Reliability
Security
Structured Data
Schema

Batching

Field	Type	Required	Description
`batch`	`Batch`		Optional batching hints (still emits one syslog message per event).

Endpoint

Field	Type	Required	Description
`endpoint`	`hostname` (`string`)	✅	Syslog destination endpoint (selects transport by scheme). Examples: `example.com`, `localhost`

Format

Field	Type	Required	Description
`format`	`Format`		Syslog message format to emit. Default: `rfc5424` Allowed values: `rfc5424`, `rfc3164`

Framing

Field	Type	Required	Description
`framing`	`Framing`		TCP/TLS/Unix-stream framing mode. Default: `octet-counting` Allowed values: `octet-counting`, `newline`

Headers

Field	Type	Description
`hostname`	`Hostname`	RFC 5424 hostname (static value or event field). Defaults to `-` (NILVALUE). Allowed values: `hostname-value`, `hostname-field`
`app-name`	`App Name`	RFC 5424 app-name (static value or event field). Defaults to `-` (NILVALUE). Allowed values: `app-name-value`, `app-name-field`
`procid`	`Procid`	RFC 5424 procid (static value or event field). Defaults to `-` (NILVALUE). Allowed values: `proc-id-value`, `proc-id-field`
`msgid`	`Msgid`	RFC 5424 msgid (static value or event field). Defaults to `-` (NILVALUE). Allowed values: `msg-id-value`, `msg-id-field`

Payload

Field	Type	Required	Description
`input-field`	`field` (`string`)		If set, this field’s value becomes the syslog payload (and is also used for field-derived syslog properties like facility/severity). Examples: `data_field`

Priority

Field	Type	Required	Description
`facility`	`Facility`		Syslog facility (static value or event field). Allowed values: `facility-value`, `facility-field`
`severity`	`Severity`		Syslog severity (static value or event field). Allowed values: `severity-value`, `severity-field`

Reliability

Field	Type	Required	Description
`retry`	`Retry`		Retry policy for connection and send failures (TCP/TLS/Unix stream).

Security

Field	Type	Required	Description
`tls`	`Tls`		TLS configuration (applies to `tls://` endpoints only).

Structured Data

Field	Type	Required	Description
`structured-data`	`Structured Data`		Optional RFC 5424 structured-data encoding. When enabled, the (possibly `input_field` selected) payload must be a JSON object, or a JSON string that can be parsed into an object when `parse_json_string=true`.

Hostname Options

Option	Name	Type	Description
`hostname-value`	Hostname Value	`string`
`hostname-field`	Hostname Field	`string`	Examples: `data_field`

App Name Options

Option	Name	Type	Description
`app-name-value`	App Name Value	`string`
`app-name-field`	App Name Field	`string`	Examples: `data_field`

Procid Options

Option	Name	Type	Description
`proc-id-value`	Proc Id Value	`string`
`proc-id-field`	Proc Id Field	`string`	Examples: `data_field`

Msgid Options

Option	Name	Type	Description
`msg-id-value`	Msg Id Value	`string`
`msg-id-field`	Msg Id Field	`string`	Examples: `data_field`

Facility Options

Option	Name	Type	Description
`facility-value`	Facility Value	`string`
`facility-field`	Facility Field	`string`	Examples: `data_field`

Severity Options

Option	Name	Type	Description
`severity-value`	Severity Value	`string`
`severity-field`	Severity Field	`string`	Examples: `data_field`

Batch Fields

Field	Type	Required	Description
`fixed-size` ✓	`number` (`integer`)		maximum number of events in an output batch. Examples: `42`, `1.2e-10`
`mode`	`Mode`	✅	If ‘document’ send on end of document generated by input. If ‘fixed’, use `fixed_size`. Allowed values: `fixed`, `document`
`timeout`	`time-interval` (`string`)	✅	interval after which the batch is sent, to keep throughput going (default 100ms). Default: `100ms` Examples: `500ms`, `2h`
`header`	`multiline-text` (`string`)		put a header line before the batch.
`footer`	`multiline-text` (`string`)		put a header line after the last line of the batch.
`use-document-marker` ✓	`boolean` (`bool`)		Enrich the job metadata with a document marker (for document handling in batch mode). Default: `false`
`wrap-as-json` ✓	`boolean` (`bool`)		Format the output batch as a JSON array. Default: `false`

Retry Fields

Field	Type	Required	Description
`timeout`	`time-interval` (`string`)	✅	timeout (e.g. 500ms, 2s etc. - default is 30). Examples: `500ms`, `2h`
`retries`	`number` (`integer`)		number of retries. Examples: `42`, `1.2e-10`

Tls Fields

Field	Type	Description
`ca-certificate`	`string`	Custom CA certificate bundle (PEM or path).
`client-certificate`	`string`	Client certificate for mutual TLS (PEM or path).
`client-key`	`string`	Client private key for mutual TLS (PEM or path).
`server-name`	`string`	Override the TLS server name used for certificate validation (SNI).
`insecure-skip-verify` ✓	`boolean` (`bool`)	Skip certificate validation (development only). Default: `false`

Structured Data Fields

Field	Type	Required	Description
`sd-id`	`string`	✅	SD-ID used for the RFC 5424 structured data element (example: `lyftdata@32473`).
`parse-json-string` ✓	`boolean` (`bool`)		If the payload is a JSON string, parse it as JSON (must decode to an object) before encoding into structured data. Default: `false`

Batch - Mode Options

Value	Name	Description
`fixed`	fixed	Fixed
`document`	document	Document

Format Options

Value	Name	Description
`rfc5424`	rfc5424	Rfc5424
`rfc3164`	rfc3164	Rfc3164

Framing Options

Value	Name	Description
`octet-counting`	octet-counting	RFC 6587 octet-counting framing: `<len> <message>`.
`newline`	newline	Newline-delimited framing (LF).