Syslog Server Reference
Refer to the following configuration information for the Syslog Server driver.

Parameter                   Description
Browse devices supported    No
Browse tags supported       No

Driver settings

  logprotocol
      rfc5424 -> current syslog protocol
      rfc3164 -> original BSD syslog protocol
  udp, tcp, tls
      Endpoint configuration (must enable at least 1)
  allowmultimatch
      Keep scanning and processing log matches, even after one is found
  stringifyintfields
      Publish keywords for facility (0 -> "kern") & severity (0 -> "emerg")
  replaceemptyfields
      Replaces any empty values within published payload
  maxworkers
      Increases throughput and CPU usage

Tag settings

  severity
      Inclusive limit (at least as severe)
  facility
      Exact match, or "any"
  wildcard
      Character used to indicate string matching pattern
  hostname, appname, msgid, message
      String matching, described below
  structured data
      Field matching, described below (RFC5424 only)
  client address
      Address matching, described below
  order
      Logs processed in specified order (low -> high)
  format
      Format directives to define the published payload, described below

Tag types

  string
      Published payload is string type, using format directives
  json
      Published payload is JSON type, using format directives
      (note: only pre-defined variable characters accepted)
  ignore
      No publish payload
      Always scanned before non-ignore tags
      Overrides "allowmultimatch" setting
      Severity limit setting is reversed (at most as severe)
      Should only be used to improve performance when most logs can easily be ignored (i.e., ignoring all debug-level logs)

String matching

Pattern matching string fields.

If this wildcard is changed from default " ", all string match settings must be updated to reflect the active wildcard.
The wildcard cannot be escaped. It must not appear anywhere in the string as a literal character.

String match types:

  isexact ("value")
  beginswith ("prefix ")
  endswith (" suffix")
  contains (" middle ")
  isempty ("")
  isany (" ")

Field matching

Structured data matching (two exact key matches, delimited by wildcard, followed by a string match).

  isany (" ")
  isempty ("")
  hasfield ("key")
  hasparam ("key1 key2")
  fieldisempty ("key ")
  paramisempty ("key1 key2 ")

String matching applies to the value of a data match ("key1 key2 "):

  valueisexact ("key1 key2 value")
  valuebeginswith ("key1 key2 prefix ")
  valueendswith ("key1 key2 suffix")
  valuecontains ("key1 key2 middle ")
  valueisempty ("key1 key2 ")
  valueisany ("key1 key2 ") (equivalent to hasparam)

Address matching

Address matching requires a valid CIDR block.
  172.22.0.1/16 -> matches client IPs starting with "172.22"
Address matches starting with a wildcard are negated.
  172.22.0.1/16 -> matches client IPs which do not start with "172.22"
Note that any unmasked bits in the specified CIDR range have no effect.
  172.22.0.1/16 == 172.22.99.99/16

Format directives

Custom publish payloads.

  Symbol  Definition                       Type
  $       A special character that indicates that a variable character will follow. A variable represents some dynamic string value. Supported variables are defined below.
  $f      facility                         uint8 (<=23) or keyword string
  $s      severity                         uint8 (<=7) or keyword string
  $p      priority (facility * 8 + severity)   uint8 (<=191)
  $t      timestamp                        RFC3339 string
  $h      hostname                         string
  $a      appname                          string
  $x      processid                        string
  $i      messageid                        string
  $d      structured data                  string or JSON object (string\ string\ string, RFC5424 only)
  $m      message                          string
  $v      version                          uint16 (>=1 && <=999, RFC5424 only)
  $c      client                           string (IP from connection, not log)

String format directive notes

To use a special character in its literal form, enter the symbol twice ($$ -> $).
  Example: "$$$h $a" -> "$hostabc appxyz"

A special character must be followed by either itself, or one of the supported characters in the table above. Any other condition will result in an error.
  Example 1: "$h $a$z" -> error
  Example 2: "$h $a$" -> error
  Example 3: "$h $a$#" -> error
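
The format directive rules above, modelled as an added Python example (not the driver's own code): it expands a format string for one parsed log and raises on the three error cases listed. The names render, variables and SAMPLE, the keyword tables beyond "kern" and "emerg", and the single-pass expansion (inserted field text is never re-scanned for "$") are assumptions of this sketch.

```python
# Added example: a sketch of the format-directive rules, not the driver's code.
# Keyword tables use conventional syslog names (assumed beyond kern/emerg).
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITY += [f"local{n}" for n in range(8)]

def variables(log, stringify=False):
    """Map each variable character to its string value for one parsed log."""
    fac, sev = log["facility"], log["severity"]
    if not (0 <= fac <= 23 and 0 <= sev <= 7):
        raise ValueError("facility must be <= 23 and severity <= 7")
    return {
        "f": FACILITY[fac] if stringify else str(fac),
        "s": SEVERITY[sev] if stringify else str(sev),
        "p": str(fac * 8 + sev),                      # priority, <= 191
        "t": log["timestamp"], "h": log["hostname"], "a": log["appname"],
        "x": log["procid"], "i": log["msgid"], "d": log["sd"],
        "m": log["message"], "v": str(log["version"]),
        "c": log["client"],                           # peer IP, not taken from the log
    }

def render(fmt, values):
    """Expand a format string; raise ValueError where the reference says 'error'."""
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] != "$":
            out.append(fmt[i])
            i += 1
            continue
        if i + 1 == len(fmt):
            raise ValueError("'$' at end of format string")
        nxt = fmt[i + 1]
        if nxt == "$":
            out.append("$")                           # $$ -> literal $
        elif nxt in values:
            out.append(values[nxt])                   # inserted text is not re-scanned
        else:
            raise ValueError(f"'${nxt}' is not a supported variable")
        i += 2
    return "".join(out)

# Constructed sample log (all values invented for illustration).
SAMPLE = {"facility": 4, "severity": 2, "version": 1, "timestamp": "2024-01-01T00:00:00Z",
          "hostname": "hostabc", "appname": "appxyz", "procid": "812", "msgid": "ID47",
          "sd": "-", "message": "login failed for $h", "client": "172.22.0.1"}

if __name__ == "__main__":
    print(render("$c $h $a [$f.$s/$p] $m", variables(SAMPLE, stringify=True)))
```

Publishing $c next to $h lets a consumer compare the connection's address with the hostname the sender wrote into the log, since only the former comes from the connection.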