Description:

Listens for Syslog messages being sent to a given port over TCP or UDP. Incoming messages are checked against regular expressions for RFC5424 and RFC3164 formatted messages. The format of each message is: (<PRIORITY>)(VERSION )(TIMESTAMP) (HOSTNAME) (BODY) where version is optional. The timestamp can be an RFC5424 timestamp with a format of "yyyy-MM-dd'T'HH:mm:ss.SZ" or "yyyy-MM-dd'T'HH:mm:ss.S+hh:mm", or it can be an RFC3164 timestamp with a format of "MMM d HH:mm:ss". If an incoming messages matches one of these patterns, the message will be parsed and the individual pieces will be placed in FlowFile attributes, with the original message in the content of the FlowFile. If an incoming message does not match one of these patterns it will not be parsed and the syslog.valid attribute will be set to false with the original message in the content of the FlowFile. Valid messages will be transferred on the success relationship, and invalid messages will be transferred on the invalid relationship.

Tags:

syslog, listen, udp, tcp, logs

Properties:

In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values.

NameDefault ValueAllowable ValuesDescription
ProtocolUDP
  • TCP
  • UDP
The protocol for Syslog communication, either TCP or UDP.
PortThe port for Syslog communication.
SSL Context ServiceController Service API:
SSLContextService
Implementation:
StandardSSLContextService
The Controller Service to use in order to obtain an SSL Context. If this property is set, syslog messages will be received over a secure connection.
Receive Buffer Size65507 BThe size of each buffer used to receive Syslog messages. Adjust this value appropriately based on the expected size of the incoming Syslog messages. When UDP is selected each buffer will hold one Syslog message. When TCP is selected messages are read from an incoming connection until the buffer is full, or the connection is closed.
Max Size of Socket Buffer1 MBThe maximum size of the socket buffer that should be used. This is a suggestion to the Operating System to indicate how big the socket buffer should be. If this value is set too low, the buffer may fill up before the data can be read, and incoming data will be dropped.
Max Number of TCP Connections2The maximum number of concurrent connections to accept Syslog messages in TCP mode.
Max Batch Size1The maximum number of Syslog events to add to a single FlowFile. If multiple events are available, they will be concatenated along with the <Message Delimiter> up to this configured maximum number of messages
Message Delimiter\nSpecifies the delimiter to place between Syslog messages when multiple messages are bundled together (see <Max Batch Size> property).
Parse Messagestrue
  • true
  • false
Indicates if the processor should parse the Syslog messages. If set to false, each outgoing FlowFile will only contain the sender, protocol, and port, and no additional attributes.
Character SetUTF-8Specifies which character set of the Syslog messages

Relationships:

NameDescription
invalidSyslog messages that do not match one of the expected formats will be sent out this relationship as a FlowFile per message.
successSyslog messages that match one of the expected formats will be sent out this relationship as a FlowFile per message.

Reads Attributes:

None specified.

Writes Attributes:

NameDescription
syslog.priorityThe priority of the Syslog message.
syslog.severityThe severity of the Syslog message derived from the priority.
syslog.facilityThe facility of the Syslog message derived from the priority.
syslog.versionThe optional version from the Syslog message.
syslog.timestampThe timestamp of the Syslog message.
syslog.hostnameThe hostname of the Syslog message.
syslog.senderThe hostname of the Syslog server that sent the message.
syslog.bodyThe body of the Syslog message, everything after the hostname.
syslog.validAn indicator of whether this message matched the expected formats. If this value is false, the other attributes will be empty and only the original message will be available in the content.
syslog.protocolThe protocol over which the Syslog message was received.
syslog.portThe port over which the Syslog message was received.
mime.typeThe mime.type of the FlowFile which will be text/plain for Syslog messages.

See Also:

PutSyslog, ParseSyslog