Syslog setup
VictoriaLogs can accept logs in Syslog formats at the specified TCP and UDP addresses via -syslog.listenAddr.tcp and -syslog.listenAddr.udp command-line flags. The following syslog formats are supported:
- RFC3164 aka <PRI>MMM DD hh:mm:ss HOSTNAME APP-NAME[PROCID]: MESSAGE
- RFC5424 aka <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [STRUCTURED-DATA] MESSAGE
For example, the following command starts VictoriaLogs, which accepts logs in Syslog format at TCP port 514 on all the network interfaces:
./victoria-logs -syslog.listenAddr.tcp=:514
VictoriaLogs may need to run under the root user, or to be granted the CAP_NET_BIND_SERVICE capability, if syslog messages must be accepted at a TCP port below 1024.
The following command starts VictoriaLogs, which accepts logs in Syslog format at TCP and UDP ports 514:
./victoria-logs -syslog.listenAddr.tcp=:514 -syslog.listenAddr.udp=:514
VictoriaLogs can accept logs from the following syslog collectors:
- Rsyslog. See these docs.
- Syslog-ng. See these docs.
Multiple logs in Syslog format can be ingested via a single TCP connection or via a single UDP packet - just put every log on a separate line and delimit them with the \n char.
VictoriaLogs automatically extracts the following log fields from the received Syslog lines:
- _time - log timestamp
- _msg - the MESSAGE field from the supported syslog formats above
- hostname, app_name and proc_id - stream fields for unique identification over every log stream
- priority, facility and severity - these fields are extracted from the <PRI> field
- format - this field is set to either rfc3164 or rfc5424 depending on the format of the parsed syslog line
- msg_id - the MSGID field from a log line in RFC5424 format.
By default the local timezone is used when parsing timestamps in rfc3164 lines. This can be changed to any desired timezone via the -syslog.timezone command-line flag.
See the list of supported timezone identifiers. For example, the following command starts VictoriaLogs, which parses syslog timestamps in rfc3164 lines using the Europe/Berlin timezone:
./victoria-logs -syslog.listenAddr.tcp=:514 -syslog.timezone='Europe/Berlin'
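The field extraction described above, sketched as an added Go example (not VictoriaLogs' own parser and not code from this page). ParseSyslog and its regular expressions are hypothetical, simplified helpers; the facility/severity split uses the RFC definition PRI = facility*8 + severity, and the sample lines are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Simplified patterns for the two layouts listed above (an escaped "]" inside STRUCTURED-DATA is not handled).
var (
	rfc5424 = regexp.MustCompile(`^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[[^\]]*\])+) ?(.*)$`)
	rfc3164 = regexp.MustCompile(`^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^\[:\s]+)(?:\[(\d+)\])?: ?(.*)$`)
)

// ParseSyslog returns fields named as in the list above, or an error for unsupported input.
func ParseSyslog(line string) (map[string]string, error) {
	line = strings.TrimRight(line, "\r\n")
	f := map[string]string{}
	if m := rfc5424.FindStringSubmatch(line); m != nil {
		f["format"], f["priority"], f["_time"], f["hostname"] = "rfc5424", m[1], m[2], m[3]
		f["app_name"], f["proc_id"], f["msg_id"], f["_msg"] = m[4], m[5], m[6], m[8]
	} else if m := rfc3164.FindStringSubmatch(line); m != nil {
		// The rfc3164 timestamp carries no year or zone, so the receiver's timezone setting decides _time.
		f["format"], f["priority"], f["_time"], f["hostname"] = "rfc3164", m[1], m[2], m[3]
		f["app_name"], f["proc_id"], f["_msg"] = m[4], m[5], m[6]
	} else {
		return nil, fmt.Errorf("not an RFC3164 or RFC5424 line: %q", line)
	}
	pri, _ := strconv.Atoi(f["priority"]) // the regex guarantees 1-3 digits
	if pri > 191 {
		return nil, fmt.Errorf("PRI %d out of range 0..191", pri)
	}
	f["facility"] = strconv.Itoa(pri / 8) // PRI = facility*8 + severity
	f["severity"] = strconv.Itoa(pri % 8)
	return f, nil
}

func main() {
	// Constructed payload: several lines delimited by "\n", as sent over one TCP connection.
	payload := "<34>Oct 11 22:14:15 web01 sshd[230]: session opened\n" +
		"<165>1 2024-05-01T10:00:00Z web01 app 42 ID47 - started\nnot syslog"
	for _, line := range strings.Split(payload, "\n") {
		f, err := ParseSyslog(line)
		fmt.Println(f, err)
	}
}
```

Lines that match neither layout, or whose PRI exceeds 191, come back as errors, which makes malformed input easy to count on the sending side before it reaches the collector.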
See also:
Security
By default VictoriaLogs accepts plaintext data at the -syslog.listenAddr.tcp address. Run VictoriaLogs with the -syslog.tls command-line flag in order to accept TLS-encrypted logs at the -syslog.listenAddr.tcp address. The -syslog.tlsCertFile and -syslog.tlsKeyFile command-line flags must be set to the paths of the TLS certificate file and the TLS key file if -syslog.tls is set. For example, the following command starts VictoriaLogs, which accepts TLS-encrypted syslog messages at TCP port 514:
./victoria-logs -syslog.listenAddr.tcp=:514 -syslog.tls -syslog.tlsCertFile=/path/to/tls/cert -syslog.tlsKeyFile=/path/to/tls/key
Compression
By default VictoriaLogs accepts uncompressed log messages in Syslog format at the -syslog.listenAddr.tcp and -syslog.listenAddr.udp addresses.
It is possible to configure VictoriaLogs to accept compressed log messages via the -syslog.compressMethod command-line flag. The following compression methods are supported:
- none - no compression
- gzip - gzip compression
- deflate - deflate compression
For example, the following command starts VictoriaLogs, which accepts gzip-compressed syslog messages at TCP port 514:
./victoria-logs -syslog.listenAddr.tcp=:514 -syslog.compressMethod=gzip
Multitenancy
By default, the ingested logs are stored in the (AccountID=0, ProjectID=0) tenant.
If you need to store logs in another tenant, then specify the needed tenant via the -syslog.tenantID command-line flag.
For example, the following command starts VictoriaLogs, which writes syslog messages received at TCP port 514 to the (AccountID=12, ProjectID=34) tenant:
./victoria-logs -syslog.listenAddr.tcp=:514 -syslog.tenantID=12:34
Rsyslog
- Run VictoriaLogs with the -syslog.listenAddr.tcp=:29514 command-line flag.
- Put the following line to rsyslog config (this config is usually located at /etc/rsyslog.conf):
*.* @@victoria-logs-server:29514
Where victoria-logs-server is the hostname where VictoriaLogs runs. See these docs for more details.
Syslog-ng
- Run VictoriaLogs with the -syslog.listenAddr.tcp=:29514 command-line flag.
- Put the following line to syslog-ng config:
destination d_remote { tcp("victoria-logs-server" port(29514)); };
Where victoria-logs-server is the hostname where VictoriaLogs runs. See these docs for details.