Class: LogStash::Outputs::Syslog

Inherits:
Base
  • Object
Defined in:
lib/logstash/outputs/syslog.rb

Overview

Send events to a syslog server.

You can send messages compliant with RFC3164 or RFC5424 using either UDP or TCP as the transport protocol.

By default the contents of the `message` field will be shipped as the free-form message text part of the emitted syslog message. If your messages don't have a `message` field or if you for some other reason want to change the emitted message, modify the `message` configuration option.

Constant Summary collapse

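# Facility names ordered so that a label's array index is its numeric syslog
# facility code (RFC 3164 / RFC 5424). publish looks labels up with
# Array#index and computes the priority as (index * 8) + severity, so the
# order is significant.
#
# Codes 10 and 15 repeat the names of codes 4 and 9. Array#index returns the
# first match, so those two labels still resolve to 4 and 9; the repeated
# entries exist to keep "ftp" at 11 and "local0".."local7" at 16..23. Without
# them every label from "ftp" onward is emitted with the wrong facility, which
# misroutes events on receivers that filter or alert by facility.
FACILITY_LABELS = [
  "kernel",                 # 0
  "user-level",             # 1
  "mail",                   # 2
  "daemon",                 # 3
  "security/authorization", # 4
  "syslogd",                # 5
  "line printer",           # 6
  "network news",           # 7
  "uucp",                   # 8
  "clock",                  # 9
  "security/authorization", # 10 (same name as 4; keeps later indexes aligned)
  "ftp",                    # 11
  "ntp",                    # 12
  "log audit",              # 13
  "log alert",              # 14
  "clock",                  # 15 (same name as 9; keeps later indexes aligned)
  "local0",                 # 16
  "local1",                 # 17
  "local2",                 # 18
  "local3",                 # 19
  "local4",                 # 20
  "local5",                 # 21
  "local6",                 # 22
  "local7",                 # 23
]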
# Severity names ordered so that a label's array index is its numeric syslog
# severity code: "emergency" is 0 and "debug" is 7. publish adds this index to
# (facility * 8) to form the priority value.
SEVERITY_LABELS = %w[
  emergency
  alert
  critical
  error
  warning
  notice
  informational
  debug
]

Instance Method Summary collapse

Instance Method Details

#publish(event, payload) ⇒ Object



# File 'lib/logstash/outputs/syslog.rb', line 165

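# Builds one syslog line (RFC3164 or RFC5424, chosen by @is_rfc3164) from the
# event and the codec payload, then writes it to the syslog socket.
#
# Every event-derived field has its line breaks rewritten to a literal
# backslash-n before it is interpolated. The record is terminated with "\n"
# when written, so a raw line break inside sourcehost, appname, procid, tag or
# msgid would otherwise end the record early and let event data start a
# second, forged-looking record on the receiver.
#
# @param event [Object] event whose +sprintf+ expands the configured templates
# @param payload [Object] encoded event; +to_s+ of it is the message text
def publish(event, payload)
  # Same transformation the message text has always received:
  # CRLF -> LF, then LF -> the two characters backslash and "n".
  escape_breaks = lambda { |text| text.to_s.gsub(/[\r][\n]/, "\n").gsub(/[\n]/, '\n') }

  appname = escape_breaks.call(event.sprintf(@appname))
  procid = escape_breaks.call(event.sprintf(@procid))
  sourcehost = escape_breaks.call(event.sprintf(@sourcehost))
  tag = escape_breaks.call(event.sprintf(@tag))

  message = escape_breaks.call(payload.to_s.rstrip)
  # NOTE(review): tag values are placed inside quoted structured-data values
  # without escaping '"', '\' or ']'; RFC 5424 requires those to be escaped.
  # Confirm whether tags can carry event-controlled text.
  tags = tag.split(",").map { |value| "tag=\"#{value}\"" }.join(" ")

  # fallback to pri 13 (facility 1, severity 5)
  if @use_labels
    facility_code = FACILITY_LABELS.index(event.sprintf(@facility)) || 1
    severity_code = SEVERITY_LABELS.index(event.sprintf(@severity)) || 5
    priority = (facility_code * 8) + severity_code
  else
    priority = begin
      Integer(event.sprintf(@priority))
    rescue StandardError
      # non-numeric or failing template: use the default priority
      13
    end
    # 191 is the largest valid priority (facility 23, severity 7)
    priority = 13 unless (0..191).cover?(priority)
  end

  if @is_rfc3164
    timestamp = event.sprintf("%{+MMM dd HH:mm:ss}")
    syslog_msg = "<#{priority}>#{timestamp} #{sourcehost} #{appname}[#{procid}]: #{message}"
  else
    msgid = escape_breaks.call(event.sprintf(@msgid))
    timestamp = event.sprintf("%{+YYYY-MM-dd'T'HH:mm:ss.SSSZZ}")
    syslog_msg = "<#{priority}>1 #{timestamp} #{sourcehost} #{appname} #{procid} #{msgid} [#{key}@#{pen} #{tags}] #{message}"
  end

  counter = 0
  begin
    @client_socket ||= connect
    @client_socket.write(syslog_msg + "\n")
  rescue => e
    # We don't expect udp connections to fail because they are stateless, but ...
    # udp connections may fail/raise an exception if used with localhost/127.0.0.1
    # The event is dropped here without a log entry.
    return if udp?

    # NOTE(review): the failure path writes the whole event and the formatted
    # message to the plugin's own log at warn level. If events can contain
    # sensitive data, that log needs the same access controls as the data.
    @logger.warn("Attempt - #{counter} syslog " + @protocol + " output exception: closing, reconnecting and resending event", :host => @host, :port => @port, :exception => e, :backtrace => e.backtrace, :event => event)
    @logger.warn("Contents: " )
    @logger.warn("#{syslog_msg}")
    # close may itself fail (or the socket may be nil if connect raised)
    @client_socket.close rescue nil
    @client_socket = nil
    counter += 1
    sleep(@reconnect_interval)
    # Once counter exceeds retry_count the method returns and the event is
    # not resent.
    retry if counter <= retry_count
  end
end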

#receive(event) ⇒ Object



# File 'lib/logstash/outputs/syslog.rb', line 161

# Passes the event to the configured codec for encoding. register attaches
# publish as the codec's on_event callback, so the encoded payload is sent
# from there rather than from this method.
#
# @param event [Object] the event to encode
def receive(event)
  codec = @codec
  codec.encode(event)
end

#register ⇒ Object



# File 'lib/logstash/outputs/syslog.rb', line 143

# Prepares the output before events arrive: clears the socket so the first
# publish connects lazily, builds the SSL context when ssl? is true, and wires
# the codec's on_event callback to publish.
def register
  @client_socket = nil
  @ssl_context = setup_ssl if ssl?

  # A Plain codec with no "format" of its own is replaced by one that renders
  # the configured @message template. instance_of? matches the exact class
  # only, so subclasses of Plain are left as configured.
  plain_without_format =
    @codec.instance_of?(LogStash::Codecs::Plain) && @codec.config["format"].nil?
  @codec = LogStash::Codecs::Plain.new({"format" => @message}) if plain_without_format

  @codec.on_event(&method(:publish))

  # Cache the comparison once so publish does not compare strings per event.
  @is_rfc3164 = @rfc == "rfc3164"
end