ListenSyslog

Description:

Listens for Syslog messages being sent to a given port over TCP or UDP. Incoming messages are checked against regular expressions for RFC5424 and RFC3164 formatted messages. The format of each message is: (<PRIORITY>)(VERSION )(TIMESTAMP) (HOSTNAME) (BODY) where version is optional. The timestamp can be an RFC5424 timestamp with a format of "yyyy-MM-dd'T'HH:mm:ss.SZ" or "yyyy-MM-dd'T'HH:mm:ss.S+hh:mm", or it can be an RFC3164 timestamp with a format of "MMM d HH:mm:ss". If an incoming message matches one of these patterns, the message will be parsed and the individual pieces will be placed in FlowFile attributes, with the original message in the content of the FlowFile. If an incoming message does not match one of these patterns, it will not be parsed and the syslog.valid attribute will be set to false, with the original message in the content of the FlowFile. Valid messages will be transferred on the success relationship, and invalid messages will be transferred on the invalid relationship.

Tags:

syslog, listen, udp, tcp, logs

Properties:

In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values, and whether a property supports the NiFi Expression Language.

| Display Name | API Name | Default Value | Allowable Values | Description |
| --- | --- | --- | --- | --- |
| Protocol | Protocol | UDP | TCP, UDP | The protocol for Syslog communication. |
| Port | Port | | | The port for Syslog communication. Note that Expression language is not evaluated per FlowFile. Supports Expression Language: true (will be evaluated using variable registry only) |
| Local Network Interface | Local Network Interface | | | The name of a local network interface to be used to restrict listening to a specific LAN. Supports Expression Language: true (will be evaluated using variable registry only) |
| Socket Keep Alive | socket-keep-alive | false | true, false | Whether or not to have TCP socket keep alive turned on. Timing details depend on operating system properties. This Property is only considered if the [Protocol] Property has a value of "TCP". |
| SSL Context Service | SSL Context Service | | Controller Service API: RestrictedSSLContextService; Implementation: StandardRestrictedSSLContextService | The Controller Service to use in order to obtain an SSL Context. If this property is set, syslog messages will be received over a secure connection. This Property is only considered if the [Protocol] Property has a value of "TCP". |
| Client Auth | Client Auth | REQUIRED | WANT, REQUIRED, NONE | The client authentication policy to use for the SSL Context. Only used if an SSL Context Service is provided. This Property is only considered if the [SSL Context Service] Property has a value specified. |
| Receive Buffer Size | Receive Buffer Size | 65507 B | | The size of each buffer used to receive Syslog messages. Adjust this value appropriately based on the expected size of the incoming Syslog messages. When UDP is selected each buffer will hold one Syslog message. When TCP is selected messages are read from an incoming connection until the buffer is full, or the connection is closed. |
| Max Size of Message Queue | Max Size of Message Queue | 10000 | | The maximum size of the internal queue used to buffer messages being transferred from the underlying channel to the processor. Setting this value higher allows more messages to be buffered in memory during surges of incoming messages, but increases the total memory used by the processor. |
| Max Size of Socket Buffer | Max Size of Socket Buffer | 1 MB | | The maximum size of the socket buffer that should be used. This is a suggestion to the Operating System to indicate how big the socket buffer should be. If this value is set too low, the buffer may fill up before the data can be read, and incoming data will be dropped. This Property is only considered if the [Protocol] Property has a value of "TCP". |
| Max Number of TCP Connections | Max Number of TCP Connections | 2 | | The maximum number of concurrent connections to accept Syslog messages in TCP mode. This Property is only considered if the [Protocol] Property has a value of "TCP". |
| Max Batch Size | Max Batch Size | 1 | | The maximum number of Syslog events to add to a single FlowFile. If multiple events are available, they will be concatenated along with the <Message Delimiter> up to this configured maximum number of messages. |
| Message Delimiter | Message Delimiter | \n | | Specifies the delimiter to place between Syslog messages when multiple messages are bundled together (see <Max Batch Size> property). |
| Parse Messages | Parse Messages | true | true, false | Indicates if the processor should parse the Syslog messages. If set to false, each outgoing FlowFile will only contain the sender, protocol, and port, and no additional attributes. |
| Character Set | Character Set | UTF-8 | | Specifies the character set of the Syslog messages. Note that Expression language is not evaluated per FlowFile. Supports Expression Language: true (will be evaluated using variable registry only) |

Relationships:

| Name | Description |
| --- | --- |
| success | Syslog messages that match one of the expected formats will be sent out this relationship as a FlowFile per message. |
| invalid | Syslog messages that do not match one of the expected formats will be sent out this relationship as a FlowFile per message. |

Reads Attributes:

None specified.

Writes Attributes:

| Name | Description |
| --- | --- |
| syslog.priority | The priority of the Syslog message. |
| syslog.severity | The severity of the Syslog message derived from the priority. |
| syslog.facility | The facility of the Syslog message derived from the priority. |
| syslog.version | The optional version from the Syslog message. |
| syslog.timestamp | The timestamp of the Syslog message. |
| syslog.hostname | The hostname or IP address of the Syslog message. |
| syslog.sender | The hostname of the Syslog server that sent the message. |
| syslog.body | The body of the Syslog message, everything after the hostname. |
| syslog.valid | An indicator of whether this message matched the expected formats. If this value is false, the other attributes will be empty and only the original message will be available in the content. |
| syslog.protocol | The protocol over which the Syslog message was received. |
| syslog.port | The port over which the Syslog message was received. |
| mime.type | The mime.type of the FlowFile which will be text/plain for Syslog messages. |
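
The parsing described under Description, producing the attributes listed above, as an added example that is not NiFi's own code. The regular expressions approximate the two formats, and the function name `to_attributes`, the PRI range check, the sample messages and the sender address are assumptions made for illustration.

```python
import re

# Illustrative patterns for the two formats named in the Description.
# They approximate the layout on this page; they are not NiFi's own regexes.
RFC5424 = re.compile(
    r"<(?P<priority>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d)) "
    r"(?P<hostname>\S+) (?P<body>.*)", re.DOTALL)
RFC3164 = re.compile(
    r"<(?P<priority>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<body>.*)", re.DOTALL)


def to_attributes(raw, sender, protocol, port, charset="utf-8"):
    """Build the attribute map listed under Writes Attributes for one message."""
    attrs = {"syslog.sender": sender, "syslog.protocol": protocol,
             "syslog.port": str(port), "mime.type": "text/plain"}
    text = raw.decode(charset, errors="replace").rstrip("\r\n")
    m = RFC5424.fullmatch(text) or RFC3164.fullmatch(text)
    # Assumption of this example: a PRI above 191 (facility 23, severity 7)
    # is outside the RFC 5424 range and is treated as invalid.
    if m is None or int(m["priority"]) > 191:
        attrs["syslog.valid"] = "false"  # goes to the 'invalid' relationship
        return attrs
    pri = int(m["priority"])
    attrs.update({
        "syslog.valid": "true",
        "syslog.priority": str(pri),
        "syslog.facility": str(pri // 8),  # upper bits of the priority
        "syslog.severity": str(pri % 8),   # lowest three bits
        "syslog.version": m.groupdict().get("version") or "",
        "syslog.timestamp": m["timestamp"],
        "syslog.hostname": m["hostname"],
        "syslog.body": m["body"],
    })
    return attrs


# Constructed sample input (not captured traffic).
SAMPLES = [
    b"<34>1 2024-03-01T12:00:00.000Z host1 su - - - 'su root' failed",
    b"<13>Oct 11 22:14:15 mymachine su: 'su root' failed\n",
    b"<999>Oct 11 22:14:15 mymachine out-of-range priority",
    b"GET / HTTP/1.1",  # non-syslog data arriving on the port
]

if __name__ == "__main__":
    for raw in SAMPLES:
        a = to_attributes(raw, "192.0.2.10", "UDP", 514)
        print(a["syslog.valid"], a.get("syslog.facility"), a.get("syslog.severity"))
```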

State management:

This component does not store state.

Restricted:

This component is not restricted.

Input requirement:

This component does not allow an incoming relationship.

System Resource Considerations:

None specified.

See Also:

PutSyslog, ParseSyslog