Telegraf v1.7.0+

Syslog 输入插件

此服务插件侦听通过 Unix 域套接字、UDP、TCP 或 TLS（带或不带字节计数帧）传输的 syslog 消息。

Syslog 消息应根据 syslog 协议或 BSD syslog 协议进行格式化。

引入于： Telegraf v1.7.0 标签： logging 操作系统支持： all

服务输入

此插件是服务输入。普通插件收集由 interval 设置确定的指标。服务插件启动一个服务来监听并等待指标或事件发生。服务插件与普通插件的两个主要区别是：

全局或插件特定的 interval 设置可能不适用
--test、--test-wait 和 --once 的 CLI 选项可能不会为此插件生成输出

全局配置选项

插件支持其他全局和插件配置设置，用于修改指标、标签和字段，创建别名以及配置插件顺序等任务。更多详情请参阅 CONFIGURATION.md。

配置

[[inputs.syslog]]
  ## Protocol, address and port to host the syslog receiver.
  ## If no host is specified, then localhost is used.
  ## If no port is specified, 6514 is used (RFC5425#section-4.1).
  ##   ex: server = "tcp://:6514"
  ##       server = "udp://:6514"
  ##       server = "unix:///var/run/telegraf-syslog.sock"
  ## When using tcp, consider using 'tcp4' or 'tcp6' to force the usage of IPv4
  ## or IPV6 respectively. There are cases, where when not specified, a system
  ## may force an IPv4 mapped IPv6 address.
  server = "tcp://127.0.0.1:6514"

  ## Permission for unix sockets (only available on unix sockets)
  ## This setting may not be respected by some platforms. To safely restrict
  ## permissions it is recommended to place the socket into a previously
  ## created directory with the desired permissions.
  ##   ex: socket_mode = "777"
  # socket_mode = ""

  ## Maximum number of concurrent connections (only available on stream sockets like TCP)
  ## Zero means unlimited.
  # max_connections = 0

  ## Read timeout (only available on stream sockets like TCP)
  ## Zero means unlimited.
  # read_timeout = "0s"

  ## Optional TLS configuration (only available on stream sockets like TCP)
  # tls_cert = "/etc/telegraf/cert.pem"
  # tls_key  = "/etc/telegraf/key.pem"
  ## Enables client authentication if set.
  # tls_allowed_cacerts = ["/etc/telegraf/clientca.pem"]

  ## Maximum socket buffer size (in bytes when no unit specified)
  ## For stream sockets, once the buffer fills up, the sender will start
  ## backing up. For datagram sockets, once the buffer fills up, metrics will
  ## start dropping. Defaults to the OS default.
  # read_buffer_size = "64KiB"

  ## Period between keep alive probes (only applies to TCP sockets)
  ## Zero disables keep alive probes. Defaults to the OS configuration.
  # keep_alive_period = "5m"

  ## Content encoding for message payloads
  ## Can be set to "gzip" for compressed payloads or "identity" for no encoding.
  # content_encoding = "identity"

  ## Maximum size of decoded packet (in bytes when no unit specified)
  # max_decompression_size = "500MB"

  ## List of allowed source IP addresses for incoming packets/messages.
  ## If not specified or empty, all sources are allowed.
  # allowed_sources = []

  ## Framing technique used for messages transport
  ## Available settings are:
  ##   octet-counting  -- see RFC5425#section-4.3.1 and RFC6587#section-3.4.1
  ##   non-transparent -- see RFC6587#section-3.4.2
  # framing = "octet-counting"

  ## The trailer to be expected in case of non-transparent framing (default = "LF").
  ## Must be one of "LF", or "NUL".
  # trailer = "LF"

  ## Whether to parse in best effort mode or not (default = false).
  ## By default best effort parsing is off.
  # best_effort = false

  ## The RFC standard to use for message parsing
  ## By default RFC5424 is used. RFC3164 only supports UDP transport (no streaming support)
  ## Must be one of "RFC5424", or "RFC3164".
  # syslog_standard = "RFC5424"

  ## Character to prepend to SD-PARAMs (default = "_").
  ## A syslog message can contain multiple parameters and multiple identifiers within structured data section.
  ## Eg., [id1 name1="val1" name2="val2"]()
  ## For each combination a field is created.
  ## Its name is created concatenating identifier, sdparam_separator, and parameter name.
  # sdparam_separator = "_"

  ## Maximum length allowed for a single message (in bytes when no unit specified)
  ## Only applies to octet-counting framing.
  # max_message_length = "8KiB"

消息传输

framing 选项仅适用于流。它决定了我们在流中接收消息的方式。即，使用 "octet counting" 技术（默认）或 "non-transparent" 帧。

当 framing 选项为 "non-transparent" 时，trailer 选项才适用。它必须是以下值之一："LF"（默认）或 "NUL"。

尽力模式

best_effort 选项指示解析器从 syslog 消息中提取部分但有效的信息。如果未设置，则只收集完整消息。

Rsyslog 集成

可以通过配置远程日志记录将日志消息转发到 Telegraf。

大多数系统都使用 /etc/rsyslog.conf 和 /etc/rsyslog.d/ 目录中的文件进行配置。建议将新配置添加到配置目录中，以简化主配置文件更新。

将以下行添加到 /etc/rsyslog.d/50-telegraf.conf，并根据需要调整目标地址

$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName srvrfwd # set file name, also enables disk mode
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down

# forward over tcp with octet framing according to RFC 5425
*.* @@(o)127.0.0.1:6514;RSYSLOG_SyslogProtocol23Format

# uncomment to use udp according to RFC 5424
#*.* @127.0.0.1:6514;RSYSLOG_SyslogProtocol23Format

您也可以使用 advanced 格式（又名 RainerScript）

# forward over tcp with octet framing according to RFC 5425
action(type="omfwd" Protocol="tcp" TCP_Framing="octet-counted" Target="127.0.0.1" Port="6514" Template="RSYSLOG_SyslogProtocol23Format")

# uncomment to use udp according to RFC 5424
#action(type="omfwd" Protocol="udp" Target="127.0.0.1" Port="6514" Template="RSYSLOG_SyslogProtocol23Format")

要完成 TLS 设置，请参阅 rsyslog 文档。

故障排除

# TCP with octet framing
echo "57 <13>1 2018-10-01T12:00:00.0Z example.org root - - - test" | nc 127.0.0.1 6514

# UDP
echo "<13>1 2018-10-01T12:00:00.0Z example.org root - - - test" | nc -u 127.0.0.1 6514

解析源 IP

source 标签存储 syslog 发送者的远程 IP 地址。要将这些 IP 解析为 DNS 名称，请使用 reverse_dns 处理器。

您可以使用 netcat 将调试消息直接发送到输入插件

RFC3164

RFC3164 编码的消息仅支持 UDP，但并非所有供应商默认都会输出有效的 RFC3164 消息。

例如 Cisco IOS

如果您看到以下错误，这是由于消息以该格式编码。

E! Error in plugin [inputs.syslog]: expecting a version value in the range 1-999 [col 5]

用户可以使用 rsyslog 将 RFC3164 syslog 消息转换为 RFC5424 格式。将以下行添加到 rsyslog 配置文件（例如 /etc/rsyslog.d/50-telegraf.conf）

# This makes rsyslog listen on 127.0.0.1:514 to receive RFC3164 udp
# messages which can them be forwarded to telegraf as RFC5424
$ModLoad imudp #loads the udp module
$UDPServerAddress 127.0.0.1
$UDPServerRun 514

根据需要调整目标地址，并将您的 RFC3164 消息发送到端口 514。

Metrics

syslog
- 标签 (tags)
  - severity (string)
  - facility (string)
  - hostname (string)
  - appname (string)
  - source (string)
- 字段 (fields)
  - version (integer)
  - severity_code (integer)
  - facility_code (integer)
  - timestamp (integer): syslog 消息中记录的时间
  - procid (string)
  - msgid (string)
  - sdid (bool)
  - 结构化数据 (string)
- timestamp: 消息接收时间

结构化数据会通过组合 SD_ID 和 PARAM_NAME 来生成字段键，使用 sdparam_separator 分隔，示例如下：

170 <165>1 2018-10-01:14:15.000Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] An application event log entry...

syslog,appname=evntslog,facility=local4,hostname=mymachine.example.com,severity=notice exampleSDID@32473_eventID="1011",exampleSDID@32473_eventSource="Application",exampleSDID@32473_iut="3",facility_code=20i,message="An application event log entry...",msgid="ID47",severity_code=5i,timestamp=1065910455003000000i,version=1i 1538421339749472344

示例输出

以下是此插件的示例输出：

syslog,appname=docker-compose,facility=daemon,host=bb8,hostname=droplet,location=home,severity=info,source=10.0.0.12 facility_code=3i,message="<redacted>",severity_code=6i,timestamp=1624643706396113000i,version=1i 1624643706400667198
syslog,appname=tailscaled,facility=daemon,host=bb8,hostname=dev,location=home,severity=info,source=10.0.0.15 facility_code=3i,message="<redacted>",severity_code=6i,timestamp=1624643706403394000i,version=1i 1624643706407850408
syslog,appname=docker-compose,facility=daemon,host=bb8,hostname=droplet,location=home,severity=info,source=10.0.0.12 facility_code=3i,message="<redacted>",severity_code=6i,timestamp=1624643706675853000i,version=1i 1624643706679251683
syslog,appname=telegraf,facility=daemon,host=bb8,hostname=droplet,location=home,severity=info,source=10.0.0.12 facility_code=3i,message="<redacted>",severity_code=6i,timestamp=1624643710005006000i,version=1i 1624643710008285426
syslog,appname=telegraf,facility=daemon,host=bb8,hostname=droplet,location=home,severity=info,source=10.0.0.12 facility_code=3i,message="<redacted>",severity_code=6i,timestamp=1624643710005696000i,version=1i 1624643710010754050
syslog,appname=docker-compose,facility=daemon,host=bb8,hostname=droplet,location=home,severity=info,source=10.0.0.12 facility_code=3i,message="<redacted>",severity_code=6i,timestamp=1624643715777813000i,version=1i 1624643715782158154
syslog,appname=docker-compose,facility=daemon,host=bb8,hostname=droplet,location=home,severity=info,source=10.0.0.12 facility_code=3i,message="<redacted>",severity_code=6i,timestamp=1624643716396547000i,version=1i 1624643716400395788
syslog,appname=tailscaled,facility=daemon,host=bb8,hostname=dev,location=home,severity=info,source=10.0.0.15 facility_code=3i,message="<redacted>",severity_code=6i,timestamp=1624643716404931000i,version=1i 1624643716416947058
syslog,appname=docker-compose,facility=daemon,host=bb8,hostname=droplet,location=home,severity=info,source=10.0.0.12 facility_code=3i,message="<redacted>",severity_code=6i,timestamp=1624643716676633000i,version=1i 1624643716680157558

此页面是否有帮助？

感谢您的反馈！

支持和反馈

感谢您成为我们社区的一员！我们欢迎并鼓励您对 Telegraf 和本文档提出反馈和 bug 报告。要获取支持，请使用以下资源

具有年度合同或支持合同的客户可以联系 InfluxData 支持。

编辑此页提交文档问题提交 Telegraf 问题

Syslog 输入插件

服务输入

全局配置选项

配置

消息传输

尽力模式

Rsyslog 集成

故障排除

解析源 IP

RFC3164

Metrics

示例输出

支持和反馈

InfluxDB 3.8 新特性

InfluxDB Docker 的 latest 标签将指向 InfluxDB 3 Core

Syslog 输入插件

服务输入

全局配置选项

配置

消息传输

尽力模式

Rsyslog 集成

故障排除

解析源 IP

RFC3164

Metrics

示例输出

Related

支持和反馈

您在哪里运行 InfluxDB？

AWS

GCP

Azure

默认

自定义

感谢您的反馈！

InfluxDB 3.8 新特性

InfluxDB Docker 的 latest 标签将指向 InfluxDB 3 Core