Class: LogStash::Outputs::Syslog

Inherits:
Base
  • Object
Defined in:
lib/logstash/outputs/syslog.rb

Overview

Send events to a syslog server.

You can send messages compliant with RFC3164 or RFC5424 using either UDP or TCP as the transport protocol.

By default the contents of the `message` field will be shipped as the free-form message text part of the emitted syslog message. If your messages don't have a `message` field or if you for some other reason want to change the emitted message, modify the `message` configuration option.

Constant Summary

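# Facility labels, positioned so that a label's array index equals its syslog
# facility code (RFC 5424 section 6.2.1, RFC 3164 section 4.1.1). #publish
# looks a label up with Array#index and multiplies the result by 8 to build
# the PRI value, so a missing slot shifts every later facility: without the
# entries at 10 and 15, "local0" resolved to 14 (log alert) instead of 16 and
# messages were filed under the wrong facility on the receiver.
#
# Codes 10 and 15 repeat the labels of codes 4 and 9. Array#index returns the
# first match, so those labels still resolve to 4 and 9; the repeated entries
# only hold the later positions in place.
FACILITY_LABELS = [
  "kernel",                 # 0
  "user-level",             # 1
  "mail",                   # 2
  "daemon",                 # 3
  "security/authorization", # 4
  "syslogd",                # 5
  "line printer",           # 6
  "network news",           # 7
  "uucp",                   # 8
  "clock",                  # 9
  "security/authorization", # 10
  "ftp",                    # 11
  "ntp",                    # 12
  "log audit",              # 13
  "log alert",              # 14
  "clock",                  # 15
  "local0",                 # 16
  "local1",                 # 17
  "local2",                 # 18
  "local3",                 # 19
  "local4",                 # 20
  "local5",                 # 21
  "local6",                 # 22
  "local7",                 # 23
]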
# Severity labels; a label's array index is its syslog severity code
# (0 = emergency ... 7 = debug). #publish adds that index to facility * 8.
SEVERITY_LABELS = %w[
  emergency
  alert
  critical
  error
  warning
  notice
  informational
  debug
]

Instance Method Summary

Instance Method Details

#publish(event, payload) ⇒ Object



# File 'lib/logstash/outputs/syslog.rb', line 150

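# Builds one syslog line (RFC 3164 or RFC 5424, selected by @is_rfc3164) from
# an encoded event and writes it, newline-terminated, to the server socket.
#
# @param event [Object] the event; only #sprintf is called on it here
# @param payload [#to_s] codec output used as the free-form message text
# @return [Object, nil] the socket write result, or nil when a UDP write failed
def publish(event, payload)
  # Header values are expanded from event data, which may originate from
  # untrusted log sources. Control characters (CR and LF included) are removed
  # so a field value cannot end the record early and begin a forged one on the
  # newline-delimited stream.
  # NOTE(review): spaces are left as-is; a value containing one still shifts
  # the fields a receiver parses. Confirm whether they should be replaced.
  header_field = ->(template) { event.sprintf(template).to_s.gsub(/[[:cntrl:]]/, "") }

  appname = header_field.call(@appname)
  procid = header_field.call(@procid)
  sourcehost = header_field.call(@sourcehost)

  # Keep the event on one physical line: CRLF and LF become the two literal
  # characters backslash + "n". A lone CR is passed through unchanged.
  message = payload.to_s.rstrip.gsub(/\r?\n/, '\n')

  # fallback to pri 13 (facility 1, severity 5)
  if @use_labels
    facility_code = FACILITY_LABELS.index(event.sprintf(@facility)) || 1
    severity_code = SEVERITY_LABELS.index(event.sprintf(@severity)) || 5
    priority = (facility_code * 8) + severity_code
  else
    priority = begin
      Integer(event.sprintf(@priority))
    rescue StandardError
      13
    end
    # Anything outside 0..191 is replaced by the default.
    priority = 13 if priority < 0 || priority > 191
  end

  if @is_rfc3164
    timestamp = event.sprintf("%{+MMM dd HH:mm:ss}")
    syslog_msg = "<#{priority}>#{timestamp} #{sourcehost} #{appname}[#{procid}]: #{message}"
  else
    msgid = header_field.call(@msgid)
    timestamp = event.sprintf("%{+YYYY-MM-dd'T'HH:mm:ss.SSSZZ}")
    syslog_msg = "<#{priority}>1 #{timestamp} #{sourcehost} #{appname} #{procid} #{msgid} - #{message}"
  end

  begin
    @client_socket ||= connect
    @client_socket.write(syslog_msg + "\n")
  rescue => e
    # We don't expect udp connections to fail because they are stateless, but ...
    # udp connections may fail/raise an exception if used with localhost/127.0.0.1
    # NOTE(review): on UDP the event is dropped here without any log entry.
    return if udp?

    # NOTE(review): the whole event is attached to this warning, so event
    # content ends up in the pipeline's own log whenever a write fails.
    @logger.warn("syslog " + @protocol + " output exception: closing, reconnecting and resending event", :host => @host, :port => @port, :exception => e, :backtrace => e.backtrace, :event => event)
    # Best-effort close; the socket may be nil or already broken.
    @client_socket.close rescue nil
    @client_socket = nil

    # Retries without an upper bound, pausing between attempts.
    sleep(@reconnect_interval)
    retry
  end
end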

#receive(event) ⇒ Object



# File 'lib/logstash/outputs/syslog.rb', line 146

# Hands the event to the configured codec for encoding. #register attaches
# #publish as the codec's on_event callback.
#
# @param event [Object] the event to encode
# @return [Object] whatever the codec's #encode returns
def receive(event)
  encoder = @codec
  encoder.encode(event)
end

#register ⇒ Object



# File 'lib/logstash/outputs/syslog.rb', line 128

# Prepares the output: clears the socket, builds the SSL context when ssl? is
# true, wires the codec to #publish and caches the RFC selection.
#
# @return [Boolean] the value stored in @is_rfc3164
def register
  @client_socket = nil
  @ssl_context = setup_ssl if ssl?

  # Only an exact Plain codec with no "format" set is replaced, so that the
  # `message` option supplies the format.
  plain_without_format = @codec.instance_of?(LogStash::Codecs::Plain) && @codec.config["format"].nil?
  @codec = LogStash::Codecs::Plain.new({"format" => @message}) if plain_without_format

  # Every encoded event is passed to #publish.
  @codec.on_event(&method(:publish))

  # Cached as a boolean so #publish does not compare strings for each event.
  @is_rfc3164 = (@rfc == "rfc3164")
end