
Syslog receiver

The Syslog receiver parses syslog messages received over TCP or UDP. The supported pipeline type is logs. See Process your data with pipelines for more information.

Get started

Follow these steps to configure and activate the component:

  1. Deploy the Splunk Distribution of the OpenTelemetry Collector to your host or container platform.

  2. Configure the Syslog receiver as described in the next section.

  3. Restart the Collector.

Sample configuration

To activate the Syslog receiver, add syslog to the receivers section of your configuration file, as in the following sample configurations. See Settings for more details.

receivers:
  syslog:

To complete the configuration, include the receiver in the logs pipeline of the service section of your configuration file:

service:
  pipelines:
    logs:
      receivers: [syslog]

Configuration examples

This example configures the receiver for RFC 5424 messages received over TCP:

receivers:
  syslog:
    tcp:
      listen_address: "0.0.0.0:54526"
    protocol: rfc5424

This example configures the receiver for RFC 3164 messages received over UDP, with timestamps interpreted as UTC:

receivers:
  syslog:
    udp:
      listen_address: "0.0.0.0:54526"
    protocol: rfc3164
    location: UTC

Advanced configurations

You can find more examples in the GitHub repository splunk-otel-collector/examples .

Use cases

Configure your connection

Use the following fields to configure your connection. For more details, see the section Settings.

Configure TCP

You can use the following fields to configure the Syslog receiver with a TCP connection:

  • listen_address. A listening address with the format <ip>:<port>. Required.

  • max_buffer_size. Maximum size of the buffer that can be allocated while reading TCP input. The default is 1024kib.

  • tls. Optional TLS configuration for the tcp_input operator:

    • cert_file. Path to the TLS certificate you want to use for TLS required connections.

    • key_file. Path to the TLS key you want to use for TLS required connections.

    • ca_file. Path to the CA certificate. For a client this verifies the server certificate. For a server this verifies client certificates. If empty, it uses the system’s root CA.

    • client_ca_file. Optional. Path to the TLS certificate the server uses to verify a client certificate. This sets the ClientCAs and ClientAuth to RequireAndVerifyClientCert in the TLSConfig. See https://godoc.org/crypto/tls#Config for more information.

Configure UDP

The following field is required:

  • listen_address. A listening address with the format <ip>:<port>.
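The following configuration is an added illustration of the TCP and UDP settings above; it is not taken from the page or from the project's example repository. It places a weak listener (plaintext, bound to every interface) next to a hardened one that binds to a specific address, enables TLS, and requires a client certificate through client_ca_file, with UDP accepted only from the local host. The IP address, port numbers and certificate paths are placeholders chosen for the example, and the exporters line is omitted from the pipeline as in the page's own sample.

```yaml
# Added example (not from the page): weak listener versus hardened listener.
receivers:
  # WEAK: plaintext on all interfaces. Any host that can reach the port can
  # inject forged records or flood the receiver, and messages cross the
  # network unencrypted. Shown only for contrast; it is not used below.
  syslog/plaintext:
    tcp:
      listen_address: "0.0.0.0:54526"
    protocol: rfc5424

  # HARDENED: TLS with mutual authentication, bound to one interface.
  syslog/tls_tcp:
    tcp:
      # Placeholder address: the interface that faces the log sources.
      # 6514 is the IANA-registered port for syslog over TLS.
      listen_address: "10.0.0.5:6514"
      # Bound read buffer per connection (this is the page's stated default,
      # made explicit so the limit is visible in review).
      max_buffer_size: 1024kib
      tls:
        # Placeholder paths: the receiver's own server certificate and key.
        cert_file: /etc/otel/tls/collector.crt
        key_file: /etc/otel/tls/collector.key
        # Requiring a client certificate (ClientAuth = RequireAndVerifyClientCert)
        # means only sources holding a certificate issued by this CA can connect.
        client_ca_file: /etc/otel/tls/syslog-sources-ca.crt
    protocol: rfc5424

  # UDP has no handshake, so the source address of a datagram is trivially
  # spoofable and cannot be authenticated. Accept it only from this host,
  # for example from a local forwarder that relays to the TLS listener.
  syslog/local_udp:
    udp:
      listen_address: "127.0.0.1:5514"
    protocol: rfc3164
    location: UTC

service:
  pipelines:
    logs:
      # Only the hardened listeners are wired into the pipeline.
      receivers: [syslog/tls_tcp, syslog/local_udp]
```

Sources that do not yet support TLS can send to a local forwarder on the source host, which then connects to the TLS listener with its own client certificate; that keeps the plaintext hop on the loopback interface rather than the network.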

Use operators to format logs

The Syslog receiver uses operators to parse syslog messages into the desired format. Each operator fulfills a single responsibility, such as reading lines from a file or parsing JSON from a field. Chain operators together in a pipeline to achieve the desired result.

All operators either create, modify, or consume entries.

  • An entry is the base representation of log data as it moves through a pipeline.

  • A field is used to reference values in an entry.

  • A common expression syntax is used in several operators. For example, expressions can be used to filter or route entries.

Available operators

For a complete list of available operators, see What operators are available? in GitHub.

The following applies to operators:

  • Each operator has a type.

  • You can give a unique Id to each operator.

    • If you use the same type of operator more than once in a pipeline, you must specify an Id.

    • Otherwise, the Id defaults to the value of type.

  • An operator outputs to the next operator in the pipeline.

    • The last operator in the pipeline emits from the receiver.

    • Optionally, you can use the output parameter to specify the Id of another operator to pass logs there directly.

Parsers with embedded operations

You can configure many parsing operators to embed certain follow-up operations such as timestamp and severity parsing.

For more information, see the GitHub entry on complex parsers at Parsers .
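The following configuration is an added example covering both the operator chain described under Use operators to format logs and the embedded severity parsing described just above; it is not code from the page or from the project. It chains a regex_parser and an add operator after the built-in syslog parser to enrich sshd authentication messages. The sshd message format, the listen address, and the field and id names are assumptions made for the example; it also assumes that after the syslog parser runs, the free-text message is in body and the header fields (appname, hostname and so on) are in attributes.

```yaml
# Added example (not from the page): chained operators with embedded severity.
#
# Constructed input line, as a source would send it over TCP (RFC 5424):
#   <86>1 2024-09-18T10:15:30Z bastion sshd 2211 - - Failed password for root from 203.0.113.7 port 51324 ssh2
#
# Assumption: after the built-in syslog parser, the message text
# ("Failed password for ...") is in body and header fields such as
# appname are in attributes. If your Collector version keeps the message
# under attributes.message instead, change parse_from below to match.
receivers:
  syslog:
    tcp:
      listen_address: "127.0.0.1:54526"
    protocol: rfc5424
    operators:
      # Operator 1: extract user and source fields from sshd auth messages.
      # An explicit id is given because a second regex_parser in the chain
      # would otherwise collide with the default id (the operator type).
      - type: regex_parser
        id: sshd_auth_parser
        # Expression filter: only sshd records reach this parser; all other
        # records pass through to the next operator untouched.
        if: 'attributes.appname == "sshd"'
        parse_from: body
        # Named capture groups are written to attributes:
        # outcome, user, src_ip, src_port.
        regex: '^(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>[0-9a-fA-F.:]+) port (?P<src_port>\d+)'
        # sshd also logs lines this regex does not match (session opened,
        # disconnects). Keep them instead of dropping them on parse error.
        on_error: send
        # Embedded severity parsing: derive severity from the captured
        # outcome rather than from the PRI value chosen by the sender.
        severity:
          parse_from: attributes.outcome
          mapping:
            warn: Failed
            info: Accepted
      # Operator 2: tag the enriched records so a downstream processor or
      # detection rule can select them without re-parsing. With no output
      # parameter it receives from operator 1 and, being last, emits from
      # the receiver.
      - type: add
        id: tag_auth_event
        if: 'attributes.outcome != nil'
        field: attributes.event_category
        value: authentication

service:
  pipelines:
    logs:
      receivers: [syslog]
```

To exercise it locally, send the constructed line above to the listener (for example with printf piped into nc on 127.0.0.1 port 54526) and confirm that the emitted record carries attributes.user, attributes.src_ip, attributes.event_category and severity warn, while a non-sshd line arrives with only the syslog header fields.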

Settings

The following table shows the configuration options for the Syslog receiver:

Troubleshooting

If you are a Splunk Observability Cloud customer and are not able to see your data in Splunk Observability Cloud, you can get help in the following ways.

Available to Splunk Observability Cloud customers

Available to prospective customers and free trial users

  • Ask a question and get answers through community support at Splunk Answers .

  • Join the Splunk #observability user group Slack channel to communicate with customers, partners, and Splunk employees worldwide. To join, see Chat groups in the Get Started with Splunk Community manual.

This page was last updated on Sep 18, 2024.