Use Observability Pipelines’ syslog destinations to send logs to rsyslog or syslog-ng.
Setup
Set up the rsyslog or syslog-ng destination and its environment variables when you set up a pipeline. The information below is configured in the pipelines UI.
Set up the destination
The rsyslog and syslog-ng destinations support the
RFC5424 format.
The rsyslog and syslog-ng destinations match these log fields to the following Syslog fields:
| Log Event | SYSLOG FIELD | Default |
|---|
| log[“message”] | MESSAGE | NIL |
| log[“procid”] | PROCID | The running Worker’s process ID. |
| log[“appname”] | APP-NAME | observability_pipelines |
| log[“facility”] | FACILITY | 8 (log_user) |
| log[“msgid”] | MSGID | NIL |
| log[“severity”] | SEVERITY | info |
| log[“host”] | HOSTNAME | NIL |
| log[“timestamp”] | TIMESTAMP | Current UTC time. |
The following destination settings are optional:
- Toggle the switch to enable TLS. If you enable TLS, the following certificate and key files are required:
Server Certificate Path: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509).CA Certificate Path: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).Private Key Path: The path to the .key private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
- Enter the number of seconds to wait before sending TCP keepalive probes on an idle connection.
Set the environment variables
- The rsyslog or syslog-ng endpoint URL. For example,
127.0.0.1:9997.- The Observability Pipelines Worker sends logs to this address and port.
- Stored as the environment variable:
DD_OP_DESTINATION_SYSLOG_ENDPOINT_URL.
How the destination works
Event batching
The rsyslog and syslog-ng destinations do not batch events.
