Cribl LogStream supports receiving of data over syslog.
Type: Push | TLS Support: YES | Event Breaker Support: No
Select Data > Sources, then select Syslog from the Data Sources page's tiles or left menu. Click Add New to open the New Syslog source pane, which provides the following fields.
Input ID: Enter a unique name to identify this Syslog Source definition.
Address: Enter the hostname/IP on which to listen for data., E.g.
UDP port: Enter the UDP port number to listen on. Not required if listening on TCP.
TCP port: Enter the TCP port number to listen on. Not required if listening on UDP.
Enabled: Defaults to
No. When toggled to
Certificate name: The name of the predefined certificate.
Private key path: Server path containing the private key (in PEM format) to use. Path can reference
Passphrase: Passphrase to use to decrypt private key.
Certificate path: Server path containing certificates in (PEM format) to use. Path can reference
CA certificate path: Server path containing CA certificates (in PEM format) to use. Path can reference
Authenticate client (mutual auth): Require clients to present their certificates. Used to perform mutual authentication using SSL certs. Defaults to
No. When toggled to
- Common name: Regex matching peer certificate subject common names allowed to connect. Defaults to
Validate client certs: Require server to reject any connection that is not authorized by a CA in the CA certificate path, or by another trusted CA (e.g., the system's CA). Defaults to No.
In this section, you can add fields/metadata to each event, using Eval-like functionality.
Name: Field name.
In this section's Pipeline drop-down list, you can select a single existing Pipeline to process data from this input before the data is sent through the Routes.
Enable proxy protocol: Defaults to
No. Toggle to
Yes if the connection is proxied by a device that supports Proxy Protocol v1 or v2.
IP whitelist regex: Regex matching IP addresses that are allowed to send data. Defaults to
.* (i.e., all IPs).
Max buffer size (events) : Maximum number of events to buffer when downstream is blocking. The buffer is only in memory. (This setting is applicable only to UDP syslog.)
Default timezone: Timezone to assign to timestamps that omit timezone info. Accept the default
Local value, or use the drop-down list to select a specific timezone by city name or GMT/UTC offset.
Single msg per UDP: Whether to treat UDP packet data received as a full Syslog message. Defaults to
No. (I.e., newlines in the packet will be treated as event delimiters.)
Cribl LogStream uses a set of internal fields to assist in handling of data. These "meta" fields are not part of an event, but are accessible and Functions can use them to make processing decisions.
Fields for this Source:
truefor data that fails RFC 3164/5424 validation as syslog format.
Updated about a month ago