This short guide will look at the syslog input for Logstash. Syslog is a standard that defines a log message format and a protocol for sending logs to a remote server. It's very useful if you want to separate log generation from log storage, and it lets you centralize log storage and analysis. This input lets you set Logstash up as an RFC 3164-compliant syslog server.

Quick Info

Links: Source | Documentation
Version: 1.4.2
Requirements: None

The short version

Setting up Logstash as a syslog server is really simple: you don't need to add any options to the input to get it running:

# Bare minimum
input {
  syslog {}
}

Logstash will now run as a syslog server, listening on port 514 (both TCP and UDP) on all of the machine's interfaces (0.0.0.0). Binding to 0.0.0.0 exposes the listener on every network the machine is attached to, so if one of those networks is untrusted, restrict the host setting to the interface your log sources actually use or firewall the port.

The longer version

The syslog input's defaults are quite sane, but you might want to change the interface it listens on. Since only root can bind ports below 1024, you might consider changing the port as well so Logstash doesn't have to run with elevated privileges.

Custom interface and port

You can use the host and port settings to customize where Logstash listens:

# Listen on interface 192.168.1.20, port 1514
input {
  syslog {
    host => "192.168.1.20"
    port => 1514
  }
}

Custom Labels

Incoming logs will automatically be labelled with a human-readable version of their severity and facility. You might want to use different labels than the predefined ones. Do this by setting the facility_labels and severity_labels settings. Each list needs the same number of elements as the default list it replaces, in the same order; otherwise your labels will get mixed up:

# Custom Labels
input {
  syslog {
    severity_labels => [ "DANGER!", "BEEP BEEP", "Argh", "Something's Wrong", "Watch Out!", "Ummm", "Did you know", "I talk too much" ]
  }
}

You can also turn this feature off by setting use_labels to false. The severity and facility fields of the event will then contain only the numeric severity and facility ids:

# No Labels
input {
  syslog {
    use_labels => false
  }
}
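To make the host/port and label settings above concrete, here is an added example (my own code, not part of the post or of the Logstash plugin) that models what the input does with one RFC 3164 line: it splits the PRI value into facility and severity, maps them through the default label tables the input uses (or a replacement list such as the custom severity labels from the post), checks that a replacement list has the right number of entries, and finally sends a message over UDP to an unprivileged loopback port the way a non-root Logstash on port 1514 would receive it. The sample messages are constructed (the first is the example from RFC 3164 itself); the field names follow the input's, but the functions and their signatures are mine.

```python
import re
import socket

# Default RFC 3164 label tables, in numeric order. These are the lists the
# syslog input uses when use_labels is true, and the order any replacement
# facility_labels / severity_labels must follow.
RFC3164_FACILITIES = [
    "kernel", "user-level", "mail", "system", "security/authorization",
    "syslogd", "line printer", "network news", "UUCP", "clock",
    "security/authorization", "FTP", "NTP", "log audit", "log alert",
    "clock", "local0", "local1", "local2", "local3", "local4", "local5",
    "local6", "local7",
]
RFC3164_SEVERITIES = [
    "Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
    "Informational", "Debug",
]

# The custom severity list from the post, in the same order as the defaults.
CUSTOM_SEVERITY_LABELS = [
    "DANGER!", "BEEP BEEP", "Argh", "Something's Wrong", "Watch Out!",
    "Ummm", "Did you know", "I talk too much",
]

# Constructed sample messages; the first is the example given in RFC 3164.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Feb  5 17:32:18 10.0.0.99 Use the BFG!",
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def split_pri(pri):
    """PRI = facility * 8 + severity (RFC 3164, section 4.1.1)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 7


def make_pri(facility, severity):
    """Inverse of split_pri: the PRI a sender puts between the angle brackets."""
    return facility * 8 + severity


def check_labels(facility_labels, severity_labels):
    """Return a list of problems; the post's rule is same count, same order."""
    problems = []
    if len(facility_labels) != len(RFC3164_FACILITIES):
        problems.append(f"facility_labels needs {len(RFC3164_FACILITIES)} "
                        f"entries, got {len(facility_labels)}")
    if len(severity_labels) != len(RFC3164_SEVERITIES):
        problems.append(f"severity_labels needs {len(RFC3164_SEVERITIES)} "
                        f"entries, got {len(severity_labels)}")
    return problems


def parse_syslog_line(line, facility_labels=RFC3164_FACILITIES,
                      severity_labels=RFC3164_SEVERITIES, use_labels=True):
    """Model of the input's handling of one line: numeric fields always,
    *_label fields only when use_labels is true (hypothetical helper)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header; not an RFC 3164 message")
    pri = int(m.group(1))
    facility, severity = split_pri(pri)
    event = {"priority": pri, "facility": facility, "severity": severity,
             "message": m.group(2)}
    if use_labels:
        problems = check_labels(facility_labels, severity_labels)
        if problems:
            raise ValueError("; ".join(problems))
        event["facility_label"] = facility_labels[facility]
        event["severity_label"] = severity_labels[severity]
    return event


def loopback_roundtrip(line):
    """Send one line over UDP to an unprivileged loopback port and parse what
    arrives, mirroring a non-root Logstash bound to e.g. 127.0.0.1:1514."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port > 1024
        host, port = rx.getsockname()
        rx.settimeout(2)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(line.encode("utf-8"), (host, port))
        data, _ = rx.recvfrom(65535)
    return parse_syslog_line(data.decode("utf-8"))


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_syslog_line(sample))
        print(parse_syslog_line(sample, severity_labels=CUSTOM_SEVERITY_LABELS))
        print(parse_syslog_line(sample, use_labels=False))
    print(loopback_roundtrip(SAMPLE_LINES[0]))
```

PRI 34 decodes to facility 4 and severity 2, so with the defaults the first sample is labelled security/authorization and Critical; with the post's custom list the same message becomes "Argh". A replacement list with the wrong number of entries is rejected before any label is assigned, which is the mix-up the post warns about.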

All the options

codec – String – The codec with which incoming logs should be interpreted. Defaults to plain.

facility_labels – Array – The facility labels to use when use_labels is enabled. Defaults to the RFC3164 values.

host – String – The address your syslog server should listen on. Defaults to 0.0.0.0.

port – Numeric – The port your syslog server should listen on. Defaults to 514.

severity_labels – Array – The severity labels to use when use_labels is enabled. Defaults to the RFC3164 values.

use_labels – Boolean – Specify whether or not the severity and facility properties should be converted into human readable labels. Defaults to true.



Coder. Thinker. Human. I try to write good code for a living and wrangle data as a hobby. Be sure to check out the book I'm writing: The Logstash Config Guide.
