Syslog receiver
The Syslog receiver parses Syslogs received over TCP or UDP. The supported pipeline type is logs. See Process your data with pipelines for more information.
Get started
Follow these steps to configure and activate the component:
1. Deploy the Splunk Distribution of the OpenTelemetry Collector to your host or container platform.
2. Configure the Syslog receiver as described in the next section.
3. Restart the Collector.
Sample configuration
To activate the Syslog receiver, add syslog to the receivers section of your configuration file, as in the following sample configurations. See Settings for more details.
  receivers:
    syslog:
To complete the configuration, include the receiver in the logs pipeline of the service section of your configuration file:
  service:
    pipelines:
      logs:
        receivers: [syslog]
Configuration examples
This example shows how to configure logs received using TCP:
  receivers:
    syslog:
      tcp:
        listen_address: "0.0.0.0:54526"
      protocol: rfc5424
This example shows how to configure logs received using UDP:
  receivers:
    syslog:
      udp:
        listen_address: "0.0.0.0:54526"
      protocol: rfc3164
      location: UTC
Advanced configurations
You can find more examples in the GitHub repository splunk-otel-collector/examples.
Use cases
Configure your connection
Use the following fields to configure your connection. For more details, see the section Settings.
Configure TCP
You can use the following fields to configure the Syslog receiver with a TCP connection:
- listen_address. A listening address with the format <ip>:<port>. Required.
- max_buffer_size. Maximum size of buffer that can be allocated while reading a TCP input. 1024kib by default.
- tls. Optional TLS configuration for the tcp_input operator:
  - cert_file. Path to the TLS certificate you want to use for TLS required connections.
  - key_file. Path to the TLS key you want to use for TLS required connections.
  - ca_file. Path to the CA certificate. For a client this verifies the server certificate. For a server this verifies client certificates. If empty, it uses the system's root CA.
  - client_ca_file. Optional. Path to the TLS certificate the server uses to verify a client certificate. This sets the ClientCAs and ClientAuth to RequireAndVerifyClientCert in the TLSConfig. See https://godoc.org/crypto/tls#Config for more information.
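The following configuration is added here as a worked example; it is not taken from the Splunk documentation or from the splunk-otel-collector repository. It combines the TCP fields above into a receiver that accepts syslog only over TLS and requires a client certificate. The port 6514, the certificate paths and the loopback bind address are assumptions chosen for the example.

```yaml
receivers:
  syslog:
    tcp:
      # Bind to loopback when the only sender is a forwarder on the same host.
      # The samples above use 0.0.0.0, which accepts connections on every interface.
      # 6514 is assumed here for the TLS listener; pick the port your senders use.
      listen_address: "127.0.0.1:6514"
      # Keep the read buffer bounded; 1024kib is the documented default.
      max_buffer_size: 1024kib
      tls:
        # Assumed paths: the server certificate and key presented to senders.
        cert_file: /etc/otel/certs/collector.crt
        key_file: /etc/otel/certs/collector.key
        # Setting client_ca_file makes the listener require and verify a client
        # certificate (ClientAuth = RequireAndVerifyClientCert, as described above),
        # so a sender without a certificate signed by this CA is rejected during the handshake.
        client_ca_file: /etc/otel/certs/senders-ca.crt
    protocol: rfc5424

service:
  pipelines:
    logs:
      receivers: [syslog]
```

Compared with the plain TCP sample, this listener rejects unauthenticated senders before any log line is read, and log contents are encrypted in transit. Note that the UDP section below lists only listen_address and no tls block, so UDP input is neither authenticated nor encrypted; prefer TCP with TLS for logs that leave the host.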
Configure UDP
The following field is required:
- listen_address: A listening address with the format <ip>:<port>.
Use operators to format logs
The Syslog receiver uses operators to parse Syslogs into a desired format. Each operator fulfills a single responsibility, such as reading lines from a file, or parsing JSON from a field. You need to chain operators together in a pipeline to achieve your desired result.
All operators either create, modify, or consume entries.
An entry is the base representation of log data as it moves through a pipeline.
A field is used to reference values in an entry.
A common expression syntax is used in several operators. For example, expressions can be used to filter or route entries.
Available operators
For a complete list of available operators, see What operators are available? in GitHub.
The following applies to operators:
- Each operator has a type.
- You can give a unique Id to each operator. If you use the same type of operator more than once in a pipeline, you must specify an Id. Otherwise, the Id defaults to the value of type.
- An operator outputs to the next operator in the pipeline.
- The last operator in the pipeline emits from the receiver.
- Optionally, you can use the output parameter to specify the Id of another operator to pass logs there directly.
Parsers with embedded operations
You can configure many parsing operators to embed certain follow-up operations such as timestamp and severity parsing.
For more information, see the GitHub entry on complex parsers at Parsers.
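The following receiver configuration is added as an example for both the operator rules above (type, Id, output) and the embedded operations just described; it is not code from the Splunk documentation or the splunk-otel-collector repository. It assumes the filter, add and regex_parser operator types and the attributes.appname field produced by syslog parsing, and the application message format matched by the regex is a constructed example.

```yaml
receivers:
  syslog:
    tcp:
      listen_address: "127.0.0.1:54526"
    protocol: rfc5424
    operators:
      # Drop chatter from one noisy application before it reaches the pipeline.
      # The Id is explicit and the output names the next operator by Id; the
      # default would be the next operator in the list anyway.
      - type: filter
        id: drop_noisy_app
        expr: 'attributes.appname == "noisy-daemon"'
        output: tag_source
      # Two operators of the same type would need distinct Ids; a single
      # "add" could omit the Id and default to "add".
      - type: add
        id: tag_source
        field: attributes.log_source
        value: syslog-tcp
      # A parser with an embedded operation: the regex extracts a level from the
      # message body (constructed format "level=<word> msg=<text>") and the
      # embedded severity block parses that level without a separate operator.
      # This is the last operator, so it emits from the receiver.
      - type: regex_parser
        id: parse_app_message
        parse_from: body
        regex: '^level=(?P<level>\w+) msg=(?P<msg>.*)$'
        severity:
          parse_from: attributes.level

service:
  pipelines:
    logs:
      receivers: [syslog]
```

The chain runs in list order: filter, then add, then regex_parser. If the regex does not match a given message, that entry is passed on unparsed with the fields already set by the syslog parser, so the example does not depend on every sender using the constructed format.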
Settings
The following table shows the configuration options for the Syslog receiver:
Troubleshooting
If you are a Splunk Observability Cloud customer and are not able to see your data in Splunk Observability Cloud, you can get help in the following ways.
Available to Splunk Observability Cloud customers
Submit a case in the Splunk Support Portal .
Contact Splunk Support .
Available to prospective customers and free trial users
Ask a question and get answers through community support at Splunk Answers .
Join the Splunk #observability user group Slack channel to communicate with customers, partners, and Splunk employees worldwide. To join, see Chat groups in the Get Started with Splunk Community manual.