syslog-ng-otlp(): Receive logs from another node using OpenTelemetry
Available in AxoSyslog version 4.4 and later.
The syslog-ng-otlp()
source and destination allows you to transfer the internal representation of log messages between AxoSyslog instances using the OpenTelemetry protocol. Unlike the traditional syslog-ng() drivers that rely on simple TCP connections, syslog-ng-otlp()
leverages the OpenTelemetry protocol for efficient and reliable log message transmission.
The key benefits of the syslog-ng-otlp()
drivers are:
- scalability (via the
workers()
option), - built-in application layer acknowledgement,
- support for Google service authentication (ADC or ALTS), and
- improved load balancing capabilities.
To use it, configure a syslog-ng-otlp()
destination on the sender node, and a syslog-ng-otlp()
source on the receiver node, like this:
destination d_syslog_ng_otlp {
syslog-ng-otlp(url("your-receiver-syslog-ng-instance:4317"));
};
source s_syslog_ng_otlp {
syslog-ng-otlp(port(4317));
};
Options
The syslog-ng-otlp()
source has the following options.
auth()
You can set authentication in the auth()
option of the driver. By default, authentication is disabled (auth(insecure())
).
The following authentication methods are available in the auth()
block:
adc()
Application Default Credentials (ADC). This authentication method is only available for destinations.
alts()
Application Layer Transport Security (ALTS) is a simple to use authentication, only available within Google’s infrastructure. It accepts the target-service-account()
option, where you can list service accounts to match against when authenticating the server.
source {
opentelemetry(
port(4317)
auth(alts())
);
};
destination {
loki(
port(12345)
auth(alts())
);
};
source {
syslog-ng-otlp(
port(4317)
auth(alts())
);
};
insecure()
This is the default method, authentication is disabled (auth(insecure())
).
tls()
tls()
accepts the key-file()
, cert-file()
, ca-file()
and peer-verify()
(possible values:
required-trusted
, required-untrusted
, optional-trusted
and optional-untrusted
) options.
destination {
opentelemetry(
url("your-otel-server:12346")
auth(
tls(
ca-file("/path/to/ca.pem")
key-file("/path/to/key.pem")
cert-file("/path/to/cert.pem")
)
)
);
};
destination {
loki(
url("your-loki-server:12346")
auth(
tls(
ca-file("/path/to/ca.pem")
key-file("/path/to/key.pem")
cert-file("/path/to/cert.pem")
)
)
);
};
destination {
syslog-ng-otlp(
url("your-otel-server:12346")
auth(
tls(
ca-file("/path/to/ca.pem")
key-file("/path/to/key.pem")
cert-file("/path/to/cert.pem")
)
)
);
};
Note:
tls(peer-verify())
is not available for theopentelemetry()
andloki()
destination.- The gRPC-based drivers (
opentelemetry()
andloki()
) have a differenttls()
block implementation from thenetwork()
orhttp()
drivers. Most features are the same.
chain-hostnames()
Accepted values: | yes , no |
Default: | no |
Description: Enable or disable the chained hostname format. For details, see the chain-hostnames() global option.
channel-args()
Type: | arrow list |
Default: | - |
Description: The channel-args()
option is available in gRPC-based drivers. It accepts name-value pairs and sets channel arguments defined in the GRPC Core library documentation. For example:
channel-args(
"grpc.loadreporting" => 1
"grpc.minimal_stack" => 0
)
concurrent-requests()
Type: | integer |
Default: | 2 |
Description: Configures the maximal number of in-flight gRPC requests per worker. Setting this value in the range of 10s or 100s is recommended when there are a high number of clients sending simultaneously. Ideally, workers() * concurrent-requests()
should be greater than or equal to the number of clients, but this can increase the memory usage.
default-facility()
Type: | facility string |
Default: | kern |
Description: This parameter assigns a facility value to the messages received from the file source if the message does not specify one.
default-level()
Type: | string |
Default: | notice |
Description: The default level value if the PRIORITY entry does not exist.
default-priority()
Type: | priority string |
Default: |
Description: This parameter assigns an emergency level to the messages received from the file source if the message does not specify one. For example, default-priority(warning)
.
dns-cache()
Accepted values: | yes , no |
Default: | no |
Description: Enable or disable DNS cache usage.
ebpf()
Available in AxoSyslog version 4.2 and newer.
By default, the kernel chooses the receive socket for a specific UDP randomly based on the source IP/port of the sender. You can customize this algorithm using the Extended Berkeley Packet Filter (eBPF) plugin. The ebpf()
option changes the kernel’s SO_REUSEPORT algorithm so that all messages are randomly placed into one of the UDP sockets. The decision which UDP socket buffer a datagram is placed is made for every datagram, and not once for every stream. This means that messages are perfectly load-balanced across your set of UDP sockets. While this resolves the imbalance between the sockets and results in perfect load balancing, you will lose ordering between messages from the same sender, which is the price to pay for increased throughput.
source s_network {
network(
transport("udp")
so-reuseport(1) persist-name("udp1")
ebpf(reuseport(sockets(4)))
);
network(transport("udp") so-reuseport(1) persist-name("udp2"));
network(transport("udp") so-reuseport(1) persist-name("udp3"));
network(transport("udp") so-reuseport(1) persist-name("udp4"));
};
For a detailed introduction, see the Scaling syslog to 1M EPS with eBPF blog post.
flags()
Type: | assume-utf8, dont-store-legacy-msghdr, empty-lines, expect-hostname, kernel, no-hostname, no-multi-line, no-parse, sanitize-utf8, store-legacy-msghdr, store-raw-message, syslog-protocol, validate-utf8 |
Default: | empty set |
Description: Specifies the log parsing options of the source.
-
assume-utf8: The
assume-utf8
flag assumes that the incoming messages are UTF-8 encoded, but does not verify the encoding. If you explicitly want to validate the UTF-8 encoding of the incoming message, use thevalidate-utf8
flag. -
dont-store-legacy-msghdr: By default, AxoSyslog stores the original incoming header of the log message. This is useful if the original format of a non-syslog-compliant message must be retained (AxoSyslog automatically corrects minor header errors, for example, adds a whitespace before
msg
in the following message:Jan 22 10:06:11 host program:msg
). If you do not want to store the original header of the message, enable thedont-store-legacy-msghdr
flag. -
empty-lines: Use the
empty-lines
flag to keep the empty lines of the messages. By default, AxoSyslog removes empty lines automatically. -
exit-on-eof: If this flag is set on a source, AxoSyslog stops when an EOF (end of file) is received. Available in version 4.9 and later.
-
expect-hostname: If the
expect-hostname
flag is enabled, AxoSyslog will assume that the log message contains a hostname and parse the message accordingly. This is the default behavior for TCP sources. Note that pipe sources use theno-hostname
flag by default. -
guess-timezone: Attempt to guess the timezone of the message if this information is not available in the message. Works when the incoming message stream is close to real time, and the timezone information is missing from the timestamp.
-
kernel: The
kernel
flag makes the source default to theLOG_KERN | LOG_NOTICE
priority if not specified otherwise. -
no-header: The
no-header
flag triggers AxoSyslog to parse only thePRI
field of incoming messages, and put the rest of the message contents into$MSG
.Its functionality is similar to that of the
no-parse
flag, except theno-header
flag does not skip thePRI
field.Note Essentially, theno-header
flag signals AxoSyslog that thesyslog
header is not present (or does not adhere to the conventions / RFCs), so the entire message (except from thePRI
field) is put into$MSG
.Example: using the no-header flag with the syslog-parser() parser
The following example illustrates using the
no-header
flag with thesyslog-parser()
parser:parser p_syslog { syslog-parser( flags(no-header) ); };
-
no-hostname: Enable the
no-hostname
flag if the log message does not include the hostname of the sender host. That way AxoSyslog assumes that the first part of the message header is ${PROGRAM} instead of ${HOST}. For example:source s_dell { network( port(2000) flags(no-hostname) ); };
-
no-multi-line: The
no-multi-line
flag disables line-breaking in the messages: the entire message is converted to a single line. Note that this happens only if the underlying transport method actually supports multi-line messages. Currently thefile()
andpipe()
drivers support multi-line messages. -
no-parse: By default, AxoSyslog parses incoming messages as syslog messages. The
no-parse
flag completely disables syslog message parsing and processes the complete line as the message part of a syslog message. The AxoSyslog application will generate a new syslog header (timestamp, host, and so on) automatically and put the entire incoming message into the MESSAGE part of the syslog message (available using the${MESSAGE}
macro). This flag is useful for parsing messages not complying to the syslog format.If you are using the
flags(no-parse)
option, then syslog message parsing is completely disabled, and the entire incoming message is treated as the ${MESSAGE} part of a syslog message. In this case, AxoSyslog generates a new syslog header (timestamp, host, and so on) automatically. Note that even thoughflags(no-parse)
disables message parsing, some flags can still be used, for example, theno-multi-line
flag. -
sanitize-utf8: When using the
sanitize-utf8
flag, AxoSyslog converts non-UTF-8 input to an escaped form, which is valid UTF-8.Prior to version 4.6, this flag worked only when parsing RFC3164 messages. Starting with version 4.6, it works also for RFC5424 and raw messages.
-
store-legacy-msghdr: By default, AxoSyslog stores the original incoming header of the log message, so this flag is active. To disable it, use the
dont-store-legacy-msghdr
flag. -
store-raw-message: Save the original message as received from the client in the
${RAWMSG}
macro. You can forward this raw message in its original form to another AxoSyslog node using thesyslog-ng()
destination, or to a SIEM system, ensuring that the SIEM can process it. Available only in 3.16 and later. -
syslog-protocol: The
syslog-protocol
flag specifies that incoming messages are expected to be formatted according to the new IETF syslog protocol standard (RFC5424), but without the frame header. Note that this flag is not needed for thesyslog
driver, which handles only messages that have a frame header. -
validate-utf8: The
validate-utf8
flag enables encoding-verification for messages.Prior to version 4.6, this flag worked only when parsing RFC3164 messages. Starting with version 4.6, it works also for RFC5424 and raw messages.
For RFC5424-formatted messages, if the BOM character is missing, but the message is otherwise UTF-8 compliant, AxoSyslog automatically adds the BOM character to the message.
The byte order mark (BOM) is a Unicode character used to signal the byte-order of the message text.
host-override()
Type: | string |
Default: |
Description: Replaces the ${HOST} part of the message with the parameter string.
keep-hostname()
The syslog-ng-otlp()
source ignores this option and uses the hostname from the message as the ${HOST}
.
keep-timestamp()
Type: | yes or no |
Default: | yes |
Description: Specifies whether AxoSyslog should accept the timestamp received from the sending application or client. If disabled, the time of reception will be used instead. This option can be specified globally, and per-source as well. The local setting of the source overrides the global option if available.
S_
macros, the keep-timestamp()
option must be enabled (this is the default behavior of AxoSyslog).
log-fetch-limit()
Type: | number |
Default: | 100 |
Description: The maximum number of messages fetched from a source during a single poll loop. The destination queues might fill up before flow-control could stop reading if log-fetch-limit()
is too high.
log-iw-size()
Type: | number |
Default: | 10000 |
Description: The size of the initial window, this value is used during flow control. Make sure that log-iw-size()
is larger than the value of log-fetch-limit()
.
log-prefix() (DEPRECATED)
Type: | string |
Default: |
Description: A string added to the beginning of every log message. It can be used to add an arbitrary string to any log source, though it is most commonly used for adding kernel:
to the kernel messages on Linux.
program-override
instead.
normalize-hostnames()
Accepted values: | yes , no |
Default: | no |
Description: If enabled (normalize-hostnames(yes)
), AxoSyslog converts the hostnames to lowercase.
keep-hostname()
option is enabled, and the message contains a hostname.
persist-name()
Type: | string |
Default: | N/A |
Description: If you receive the following error message during AxoSyslog startup, set the persist-name()
option of the duplicate drivers:
Error checking the uniqueness of the persist names, please override it with persist-name option. Shutting down.
This error happens if you use identical drivers in multiple sources, for example, if you configure two file sources to read from the same file. In this case, set the persist-name()
of the drivers to a custom string, for example, persist-name("example-persist-name1")
.
port()
Type: | integer |
Default: |
Description: The port number to bind to.
program-override()
Type: | string |
Default: |
Description: Replaces the ${PROGRAM} part of the message with the parameter string. For example, to mark every message coming from the kernel, include the program-override("kernel")
option in the source containing /proc/kmsg
.
tags()
Type: | string |
Default: |
Description: Label the messages received from the source with custom tags. Tags must be unique, and enclosed between double quotes. When adding multiple tags, separate them with comma, for example, tags("dmz", "router")
. This option is available only in version 3.1 and later.
time-zone()
Type: | name of the timezone, or the timezone offset |
Default: |
Description: The default timezone for messages read from the source. Applies only if no timezone is specified within the message itself.
The timezone can be specified by using the name, for example, time-zone("Europe/Budapest")
), or as the timezone offset in +/-HH:MM format, for example, +01:00
). On Linux and UNIX platforms, the valid timezone names are listed under the /usr/share/zoneinfo
directory.
time-reopen()
Accepted values: | number [seconds] |
Default: | 60 |
Description: The time to wait in seconds before a dead connection is reestablished.
use-dns()
Type: | yes, no, persist_only |
Default: | yes |
Description: Enable or disable DNS usage. The persist_only
option attempts to resolve hostnames locally from file (for example, from /etc/hosts
). The AxoSyslog application blocks on DNS queries, so enabling DNS may lead to a Denial of Service attack. To prevent DoS, protect your AxoSyslog network endpoint with firewall rules, and make sure that all hosts which may get to AxoSyslog are resolvable. This option can be specified globally, and per-source as well. The local setting of the source overrides the global option if available.
keep-hostname()
option is enabled (keep-hostname(yes)
) and the message contains a hostname.
use-fqdn()
Type: | yes or no |
Default: | no |
Description: Use this option to add a Fully Qualified Domain Name (FQDN) instead of a short hostname. You can specify this option either globally or per-source. The local setting of the source overrides the global option if available.
use-fqdn()
to yes
if you want to use the custom-domain()
global option.
keep-hostname()
option is enabled (keep-hostname(yes)
) and the message contains a hostname.
workers()
Type: | integer |
Default: | 1 |
Description: Specifies the number of worker threads (at least 1) that AxoSyslog uses to process the messages of the source. Increasing the number of worker threads can drastically improve the performance of the source.