*Description:* This option specifies the log parsing option of the source. The following flags are available:
7
+
*`assume-utf8`: This flag expects UTF-8 encoded incoming messages, but does not verify the encoding. If the UTF-8 encoding of the incoming message must be validated, use the `validate-utf8` flag.
8
+
*`empty-lines`: Use the empty-lines flag to keep the empty lines of the messages. Otherwise, these lines are automatically removed.
9
+
*`expect-hostname`: When this flag is used syslog-ng OSE expects a log message that contains a hostname and parses the message accordingly. This is the default behavior for TCP sources. Note that pipe sources use the `no-hostname` flag by default.
10
+
*`guess-timezone`: This flag allows the source to attempt to guess the timezone of the message if this information is not available in the message. Works when the incoming message stream is close to real time, and the timezone information is missing from the timestamp.
11
+
*`kernel`: This flag sets the source default to the `LOG_KERN | LOG_NOTICE` priority if not specified otherwise.
12
+
*`no-header`: This flag triggers syslog-ng OSE to parse only the PRI field of incoming messages, and put the rest of the message contents into `$MSG`.
13
+
The functionality of `no-header` is similar to the `no-parse` flag, but the `no-header` flag does not skip the `PRI` field. The `no-header` flag signals syslog-ng OSE that the syslog header is not present (or does not adhere to the conventions / RFCs), so the entire message (except from the PRI field) is put into `$MSG`.
14
+
```config
15
+
parser p_syslog {
16
+
syslog-parser(
17
+
flags(no-header)
18
+
);
19
+
};
20
+
```
21
+
22
+
*`no-hostname`: Enable this flag if the log message does not include the hostname of the sender host. This results in syslog-ng OSE assuming that the first part of the message header is `${PROGRAM}` instead of `${HOST}`.
23
+
```config
24
+
source s_dell {
25
+
network(
26
+
port(2000)
27
+
flags(no-hostname)
28
+
);
29
+
};
30
+
```
31
+
32
+
*`no-multi-line`: This flag disables line-breaking in the messages and converts the entire message into a single line. Note that this happens only if the underlying transport method supports multi-line messages. Currently only the `file()` and `pipe()` drivers support multi-line messages.
33
+
*`no-parse`: By default, syslog-ng OSE parses incoming messages as syslog messages. The `no-parse` flag disables syslog message parsing and processes the complete line as the message part of a syslog message. The syslog-ng OSE application generates a new syslog header (timestamp, host, and so on) automatically and puts the entire incoming message into the `MESSAGE` part of the syslog message (available using the `${MESSAGE}` macro). This flag is useful for parsing messages that do not complying to the syslog format.
34
+
*`dont-store-legacy-msghdr`: During default operation, syslog-ng OSE stores the original incoming header of the log message. This is useful if the original format of a non-syslog-compliant message must be retained. The syslog-ng OSE application automatically corrects minor header errors, for example, it adds a whitespace before "msg" in the following message: `Jan 22 10:06:11 host program:msg`. If storage of the original header of the message is not needed, enable the `dont-store-legacy-msghdr` flag.
35
+
*`sanitize-utf8`: When this flag is used, syslog-ng OSE converts non-UTF-8 input to an escaped format, adhering to UTF-8.
36
+
Prior to version 4.6, this only worked with parsing RFC3164 messages. In syslog-ng OSE 4.6 and later versions, RFC5424 and raw messages can also be parsed using this flag.
37
+
*`store-raw-message`: This flag saves the original message as received from the client in the `${RAWMSG}` macro. This raw message can be forwarded in its original form to another syslog-ng OSE node using the `syslog-ng()` destination, or to a SIEM system, making sure that the SIEM can process it. This flag is available in syslog-ng OSE 3.16 and later versions.
38
+
*`syslog-protocol`: This flag specifies that incoming messages are expected to be formatted according to the new IETF syslog protocol standard (RFC5424), but without the frame header. Note that this flag is not needed for the syslog driver, which handles only messages that have a frame header.
39
+
*`validate-utf8`: This flag enables encoding-verification for messages.
40
+
Prior to version 4.6, this only worked with parsing RFC3164 messages. In syslog-ng OSE 4.6 and later versions, RFC5424 and raw messages can also be parsed using this flag.
41
+
In the case of RFC5424 formatted messages, if the byte order mark (BOM) character is missing, but the message is otherwise UTF-8 compliant, syslog-ng OSE automatically adds the BOM character to the message.
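Review bot: The `no-parse` entry (new line 33) still reads "messages that do not complying to the syslog format", and the `no-header` paragraph (new line 13) has "except from the PRI field". This text is becoming a shared include, so fix both here ("do not comply with", "except for") before they spread to every page that pulls it in. The macro spelling is also inconsistent: `no-header` refers to `$MSG` while `no-parse` refers to `${MESSAGE}`, so pick one form. Finally, the `expect-hostname` and `no-multi-line` entries and the `s_dell` example name specific drivers (TCP, pipe, `file()`, `network()`), so check that the wording still reads correctly on each source page that includes this file.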
doc/_admin-guide/060_Sources/175_syslog-otlp/000_otlp_source_options.md
12 additions & 43 deletions
@@ -78,7 +78,7 @@ destination {
78
78
| Type:| integer|
79
79
|Default:| 2|
80
80
81
-
*Description:* This option configures the upper limit of in-flight gRPC requests per worker. It is advisd to set this value in the range of 10s or 100s when there are a high number of clients sending simultaneously. In an optimzed solution, the number of `workers()` and `concurrent-requests()` is greater than or equal to the number of clients. However, this can cause an increase in memory usage.
81
+
*Description:* This option configures the upper limit of in-flight gRPC requests per worker. It is advisd to set this value in the range of 10s or 100s when there are a high number of clients sending simultaneously. In an optimized solution, the number of `workers()` and `concurrent-requests()` is greater than or equal to the number of clients. However, this can cause an increase in memory usage.
82
82
83
83
## default-facility()
84
84
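Review bot: The replacement line 81 fixes "optimzed" but leaves "advisd" in the sentence just before it ("It is advisd to set this value..."); correct it to "advised" in the same change, since the line is already being touched. "In the range of 10s or 100s" would also read better as "in the tens or hundreds".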
@@ -94,12 +94,7 @@ destination {
94
94
95
95
*Description:* This option defines the default level value if the `PRIORITY` entry does not exist.
96
96
97
-
## default-priority()
98
-
99
-
| Type:| priority string|
100
-
|Default:||
101
-
102
-
*Description:* This option assigns an emergency level to messages received from the file source if the message does not specify one, for example, `default-priority(warning)`.
97
+
{% include doc/admin-guide/options/default-priority.md %}
103
98
104
99
## dns-cache()
105
100
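Review bot: Confirm that `doc/admin-guide/options/default-priority.md` supplies the `## default-priority()` heading and the Type/Default table, because the replacement at new line 97 is only the include directive and the removed block carried both. The include's content is not part of this diff, so it is also worth checking that its description no longer says "assigns an emergency level to messages received from the file source", which was wrong for this source page and had an empty Default cell.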
@@ -114,47 +109,21 @@ Available in syslog-ng OSE 4.2 and later versions.
114
109
115
110
If this option is not used, the kernel chooses the receive socket for a specific UDP randomly based on the source IP/port of the sender. It is possible to customize this algorithm using the Extended Berkeley Packet Filter (eBPF) plugin. The `ebpf()` option changes the `SO_REUSEPORT` algorithm of the kernel, to place messages randomly into one of the UDP sockets. The decision which UDP socket buffer a datagram is placed is made for every datagram, and not once for every stream. This results in the percet load-balancing of messages across the set of UDP sockets. While this resolves the imbalance between the sockets and results in perfect load balancing, the order of messages from the same sender is lost, which is the drawback of increased throughput.
116
111
117
-
##flags()
112
+
### Example: Configure a syslog-ng-otlp() source with ebpf()
*Description:* This option specifies the log parsing option of the source. The following flags are available:
123
-
*`assume-utf8`: This flag expects UTF-8 encoded incoming messages, but does not verify the encoding. If the UTF-8 encoding of the incoming message must be validated, use the `validate-utf8` flag.
124
-
*`empty-lines`: Use the empty-lines flag to keep the empty lines of the messages. Otherwise, these lines are automatically removed.
125
-
*`expect-hostname`: When this flag is used syslog-ng OSE expects a log message that contains a hostname and parses the message accordingly. This is the default behavior for TCP sources. Note that pipe sources use the `no-hostname` flag by default.
126
-
*`guess-timezone`: This flag allows the source to attempt to guess the timezone of the message if this information is not available in the message. Works when the incoming message stream is close to real time, and the timezone information is missing from the timestamp.
127
-
*`kernel`: This flag sets the source default to the `LOG_KERN | LOG_NOTICE` priority if not specified otherwise.
128
-
*`no-header`: This flag triggers syslog-ng OSE to parse only the PRI field of incoming messages, and put the rest of the message contents into `$MSG`.
129
-
The functionality of `no-header` is similar to the `no-parse` flag, but the `no-header` flag does not skip the `PRI` field. The `no-header` flag signals syslog-ng OSE that the syslog header is not present (or does not adhere to the conventions / RFCs), so the entire message (except from the PRI field) is put into `$MSG`.
*`no-hostname`: Enable this flag if the log message does not include the hostname of the sender host. This results in syslog-ng OSE assuming that the first part of the message header is `${PROGRAM}` instead of `${HOST}`.
139
-
```config
140
-
source s_dell {
141
-
network(
142
-
port(2000)
143
-
flags(no-hostname)
144
-
);
145
-
};
123
+
};
146
124
```
147
125
148
-
*`no-multi-line`: This flag disables line-breaking in the messages and converts the entire message into a single line. Note that this happens only if the underlying transport method supports multi-line messages. Currently only the `file()` and `pipe()` drivers support multi-line messages.
149
-
*`no-parse`: By default, syslog-ng OSE parses incoming messages as syslog messages. The `no-parse` flag disables syslog message parsing and processes the complete line as the message part of a syslog message. The syslog-ng OSE application generates a new syslog header (timestamp, host, and so on) automatically and puts the entire incoming message into the `MESSAGE` part of the syslog message (available using the `${MESSAGE}` macro). This flag is useful for parsing messages that do not complying to the syslog format.
150
-
*`dont-store-legacy-msghdr`: During default operation, syslog-ng OSE stores the original incoming header of the log message. This is useful if the original format of a non-syslog-compliant message must be retained. The syslog-ng OSE application automatically corrects minor header errors, for example, it adds a whitespace before "msg" in the following message: `Jan 22 10:06:11 host program:msg`. If storage of the original header of the message is not needed, enable the `dont-store-legacy-msghdr` flag.
151
-
*`sanitize-utf8`: When this flag is used, syslog-ng OSE converts non-UTF-8 input to an escaped format, adhering to UTF-8.
152
-
Prior to version 4.6, this only worked with parsing RFC3164 messages. In syslog-ng OSE 4.6 and later versions, RFC5424 and raw messages can also be parsed using this flag.
153
-
*`store-raw-message`: This flag saves the original message as received from the client in the `${RAWMSG}` macro. This raw message can be forwarded in its original form to another syslog-ng OSE node using the `syslog-ng()` destination, or to a SIEM system, making sure that the SIEM can process it. This flag is available in syslog-ng OSE 3.16 and later versions.
154
-
*`syslog-protocol`: This flag specifies that incoming messages are expected to be formatted according to the new IETF syslog protocol standard (RFC5424), but without the frame header. Note that this flag is not needed for the syslog driver, which handles only messages that have a frame header.
155
-
*`validate-utf8`: This flag enables encoding-verification for messages.
156
-
Prior to version 4.6, this only worked with parsing RFC3164 messages. In syslog-ng OSE 4.6 and later versions, RFC5424 and raw messages can also be parsed using this flag.
157
-
In the case of RFC5424 formatted messages, if the byte order mark (BOM) character is missing, but the message is otherwise UTF-8 compliant, syslog-ng OSE automatically adds the BOM character to the message.
126
+
{% include doc/admin-guide/options/flags.md %}
158
127
159
128
{% include doc/admin-guide/options/host-override.md %}
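Review bot: The heading added at new line 112, `### Example: Configure a syslog-ng-otlp() source with ebpf()`, sits directly under a description that is entirely about UDP receive sockets and `SO_REUSEPORT`. State in the text why that applies to this source, or check that the example belongs on this page. The unchanged context line just above it still has "percet load-balancing", which could be fixed while the section is being edited. The removed `##flags()` heading is replaced at new line 126 by the include alone, so confirm that `flags.md` provides a properly spaced `## flags()` heading, since the part of that file visible in this commit starts at its Description line.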