Fluent Bit can ingest syslog messages in both RFC 3164 and RFC 5424 formats. The parsers it ships for this in its parsers.conf (syslog-rfc3164, syslog-rfc3164-local and syslog-rfc5424) are ordinary regex parsers; there is no dedicated syslog parser format, which matters once you start customising them.

Let’s see this in action. Imagine Fluent Bit running on 192.168.1.100 and listening for syslog on UDP port 514. From another host on the network you can send it a test message in each format with netcat (the -w 1 makes nc exit after sending instead of waiting for a reply that UDP will never deliver):

# RFC 3164: <PRI>TIMESTAMP HOSTNAME TAG: MSG
echo '<165>Oct 11 22:14:15 myhost tag: This is a RFC 3164 message' | nc -u -w 1 192.168.1.100 514

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# Note the "1" right after the PRI: without the VERSION field this is not a valid RFC 5424 message.
echo '<34>1 2003-10-11T22:14:15.003Z mymachine su - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] An RFC 5424 message' | nc -u -w 1 192.168.1.100 514

Now, on your Fluent Bit instance, you’d configure the syslog input plugin in UDP mode to receive the datagrams and a parser to turn each one into a structured record. Two practical notes before the config: binding to port 514 requires root or CAP_NET_BIND_SERVICE (the plugin’s default port is 5140 if you would rather avoid that), and [PARSER] sections cannot live in fluent-bit.conf itself; they go in a separate file referenced from [SERVICE] with Parsers_File.

Here’s a fluent-bit.conf snippet, followed by the parsers file it references (the file name custom_parsers.conf is just an example):

[SERVICE]
    Parsers_File      custom_parsers.conf

[INPUT]
    Name              syslog
    Mode              udp
    Listen            0.0.0.0
    Port              514
    Parser            syslog_rfc
    Buffer_Chunk_Size 1024
    Buffer_Max_Size   10240

# custom_parsers.conf
[PARSER]
    Name              syslog_rfc
    Format            regex
    # Fluent Bit's regex engine (Onigmo) names groups as (?<name>...), not Python's (?P<name>...).
    # The number in angle brackets is the PRI (facility * 8 + severity), not the severity on its own.
    Regex             ^\<(?<pri>\d{1,3})\>(?<time>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?<host>\S+)\s+(?<tag>[^:\s]+):\s*(?<message>.*)$
    Time_Key          time
    Time_Format       %b %d %H:%M:%S
    Time_Keep         On

[PARSER]
    Name              syslog_rfc5424
    Format            regex
    # There is no "rfc5424" parser format; RFC 5424 is parsed with a regex as well.
    Regex             ^\<(?<pri>\d{1,3})\>1\s+(?<time>\S+)\s+(?<host>\S+)\s+(?<ident>\S+)\s+(?<pid>\S+)\s+(?<msgid>\S+)\s+(?<extradata>-|\[.*\])\s+(?<message>.*)$
    Time_Key          time
    Time_Format       %Y-%m-%dT%H:%M:%S.%L%z
    Time_Keep         On

Hold on. Two things are wrong with that approach. First, Fluent Bit has no rfc3164 or rfc5424 parser Format: the only parser formats are json, regex, ltsv and logfmt, so every syslog parser is a regex parser. Second, there is no need to hand-write those regexes, because Fluent Bit ships tested ones in its parsers.conf: syslog-rfc3164 (with a hostname field), syslog-rfc3164-local (for messages from the local socket, which carry no hostname) and syslog-rfc5424. Hand-rolled patterns tend to miss details such as the space-padded day in "Oct  1 ..." or the "tag[pid]:" convention. There is also a structural point: the syslog input accepts a single Parser, so to handle mixed RFC 3164 and RFC 5424 traffic on one port you capture each datagram unparsed at the input and let the parser filter, which accepts several Parser entries and tries them in order, do the real work. Let’s correct the configuration:

[SERVICE]
    # syslog-rfc5424 and syslog-rfc3164 come from the parsers.conf shipped with Fluent Bit;
    # custom_parsers.conf (an example name) holds the one extra parser defined below.
    Parsers_File      parsers.conf
    Parsers_File      custom_parsers.conf

[INPUT]
    Name              syslog
    Mode              udp
    Tag               syslog.raw
    Listen            0.0.0.0
    Port              514
    # Capture the whole datagram unparsed; the real parsing happens in the filter below.
    Parser            syslog-raw
    Buffer_Chunk_Size 1024
    Buffer_Max_Size   10240
    # Record where the datagram came from: the host field is whatever the sender wrote.
    Source_Address_Key source_ip

[FILTER]
    Name              parser
    Match             syslog.raw
    Key_Name          log
    # Tried in this order; the first parser whose regex matches wins.
    # The strict RFC 5424 pattern must go first (see below for why).
    Parser            syslog-rfc5424
    Parser            syslog-rfc3164
    # Keep source_ip and any other keys that were not produced by the parser.
    Reserve_Data      On

# custom_parsers.conf
[PARSER]
    Name              syslog-raw
    Format            regex
    # No Time_Key: the record keeps its arrival time until the filter parses the real one.
    Regex             ^(?<log>.+)$

When a datagram arrives, the syslog input hands it to syslog-raw, which stores the whole message unparsed under log (stamped with the arrival time, since that parser has no Time_Key) and, because of Source_Address_Key, records the sender’s address under source_ip. The parser filter then tries its Parser entries in the order listed: syslog-rfc5424 first, and only if that regex does not match, syslog-rfc3164. When a parser matches, its fields replace log in the record and the time it extracted replaces the arrival time. The order is deliberate. The RFC 5424 pattern anchors on the ">1 " version marker, so it can never match an RFC 3164 line; the RFC 3164 pattern, however, is loose enough to match an RFC 5424 header, filling host and ident with the wrong parts of the message and time with a string that cannot be parsed. The strict pattern has to go first. If neither parser matches, the parser filter leaves the record untouched, so the raw line stays under log and can be routed to a dead-letter output for inspection; by contrast, a syslog input whose single Parser fails to match logs a warning and drops the message.

Both shipped parsers are regex parsers that extract pri, time, host, ident, an optional pid and message. syslog-rfc3164 handles the classic timestamp (Mmm dd HH:MM:SS, including the space-padded single-digit day) and the "tag[pid]:" convention. syslog-rfc5424 additionally captures msgid and the STRUCTURED-DATA block, but it stores that block as one raw string under extradata; it does not decode the SD-ID and its parameters into a map. Neither parser splits pri into facility and severity (pri = facility * 8 + severity), so if you route or alert on severity you need a lua filter or similar to do that split downstream.

Once parsed, these fields become keys in Fluent Bit’s internal record. The RFC 3164 test message from above comes out as follows (Time_Keep On keeps the time key; pid is absent because the tag carried no [pid] suffix, and all captured values are strings unless the parser declares Types):

{
    "pri": "165",
    "time": "Oct 11 22:14:15",
    "host": "myhost",
    "ident": "tag",
    "message": "This is a RFC 3164 message"
}

And the RFC 5424 test message (with Reserve_Data On, the source_ip key from the input is kept alongside these fields; note that extradata is a single string, not a nested object):

{
    "pri": "34",
    "time": "2003-10-11T22:14:15.003Z",
    "host": "mymachine",
    "ident": "su",
    "pid": "-",
    "msgid": "ID47",
    "extradata": "[exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"]",
    "message": "An RFC 5424 message"
}
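To see the ordering rule and the shape of the records without a running Fluent Bit, here is a small Python model of the parser chain. This is added example code, not Fluent Bit’s code and not part of this page’s configuration: the two regexes are adapted from the syslog-rfc5424 and syslog-rfc3164 parsers in Fluent Bit’s shipped parsers.conf (rewritten with Python’s (?P<name>) group syntax), the sample messages are constructed, and the PRI and structured-data decoding are additions that Fluent Bit’s parsers do not perform. It also shows what the records look like when the parsers run in the wrong order.

```python
"""Offline model of a Fluent Bit syslog parser chain (added example, not Fluent
Bit code). The regexes are adapted from the syslog-rfc5424 and syslog-rfc3164
parsers in Fluent Bit's shipped parsers.conf, using Python's (?P<name>) groups;
PRI and STRUCTURED-DATA decoding are extras that Fluent Bit does not do."""
import re
from datetime import datetime

# Constructed sample messages, not captured from a real host.
RFC3164_LINE = "<165>Oct 11 22:14:15 myhost tag: This is a RFC 3164 message"
RFC3164_PADDED_LINE = "<13>Oct  1 06:05:04 web01 sshd[2231]: Accepted publickey for ops"
RFC5424_LINE = ('<34>1 2003-10-11T22:14:15.003Z mymachine su - ID47 '
                '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] '
                'An RFC 5424 message')

RFC5424 = re.compile(
    r'^<(?P<pri>[0-9]{1,5})>1 (?P<time>[^ ]+) (?P<host>[^ ]+) (?P<ident>[^ ]+) '
    r'(?P<pid>[-0-9]+) (?P<msgid>[^ ]+) (?P<extradata>\[.*?\]|-) (?P<message>.+)$')
RFC3164 = re.compile(
    r'^<(?P<pri>[0-9]+)>(?P<time>[^ ]* {1,2}[^ ]* [^ ]*) (?P<host>[^ ]*) '
    r'(?P<ident>[a-zA-Z0-9_/.\-]*)(?:\[(?P<pid>[0-9]+)\])?(?:[^:]*:)? *(?P<message>.*)$')

# Strict pattern first. The RFC 3164 pattern is loose enough to match a
# version-1 RFC 5424 header with garbage in every field; the RFC 5424 pattern
# cannot match an RFC 3164 line because it requires the ">1 " version marker.
PARSER_CHAIN = [("syslog-rfc5424", RFC5424), ("syslog-rfc3164", RFC3164)]

# Facility and severity names from RFC 5424 section 6.2.1 (short forms).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# One SD-ELEMENT: "[" SD-ID *(SP PARAM-NAME "=" DQUOTE PARAM-VALUE DQUOTE) "]",
# where PARAM-VALUE may contain the escapes \" \\ and \].
SD_ELEMENT = re.compile(r'\[([^\s\]]+)((?:\s+[^\s=\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM = re.compile(r'([^\s=\]]+)="((?:[^"\\]|\\.)*)"')


def decode_pri(pri):
    """Split <PRI> = facility * 8 + severity; valid values are 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8]}


def decode_sd(extradata):
    """Turn the raw STRUCTURED-DATA string ("-" or one or more SD-ELEMENTs)
    into {sd_id: {param_name: param_value}} with RFC 5424 escapes removed."""
    result = {}
    for sd_id, params in SD_ELEMENT.findall(extradata):
        result[sd_id] = {name: re.sub(r'\\([\\"\]])', r'\1', raw)
                         for name, raw in SD_PARAM.findall(params)}
    return result


def timestamp_ok(parser, value):
    """Mirror the parser's Time_Format: does the captured time really parse?
    (RFC 3164 carries no year; strptime defaults it to 1900.)"""
    try:
        if parser == "syslog-rfc5424":
            if value.endswith("Z"):
                value = value[:-1] + "+00:00"
            datetime.fromisoformat(value)
        else:
            datetime.strptime(value, "%b %d %H:%M:%S")
        return True
    except ValueError:
        return False


def parse(line, chain=PARSER_CHAIN):
    """Try each parser in order and return the first record, like the parser
    filter with several Parser entries. None means no parser matched."""
    for name, regex in chain:
        match = regex.match(line)
        if match is None:
            continue
        record = {k: v for k, v in match.groupdict().items() if v is not None}
        record["parser"] = name
        record["time_ok"] = timestamp_ok(name, record["time"])
        record.update(decode_pri(int(record["pri"])))
        if "extradata" in record:
            record["structured_data"] = decode_sd(record["extradata"])
        return record
    return None


if __name__ == "__main__":
    for line in (RFC3164_LINE, RFC3164_PADDED_LINE, RFC5424_LINE):
        print(parse(line))
    # Wrong order: the RFC 3164 pattern "matches" the RFC 5424 line, but host
    # becomes "su" and the time field is unparseable.
    print(parse(RFC5424_LINE, chain=PARSER_CHAIN[::-1]))
```

Running the file prints one record per sample line, then the garbage record that the RFC 3164 pattern produces from the RFC 5424 line when it is tried first. The facility/severity split is what you would feed into severity-based routing or alerting; inside Fluent Bit that decoding would live in a lua filter placed after the parser filter.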

This structured data can then be sent to any output (Elasticsearch, Splunk, S3, and so on) with the fields preserved, enabling more effective searching and analysis. The ordered Parser list in the parser filter is the key to mixed traffic: it tries the strict RFC 5424 parser first and falls back to RFC 3164, with one input and no conditional routing per format.

Two caveats for anyone relying on these fields for detection. First, the shipped parsers are ordinary regexes, not protocol implementations: they do not decode structured data, do not split the PRI, and the RFC 5424 pattern as shipped expects a MSG part after the structured data, so check the regex in your parsers.conf and test your own senders’ output against it before trusting the fields. Second, everything in the record except source_ip comes from the sender, and plain UDP syslog is unauthenticated and trivially spoofable (a forged source address is as easy as a forged host field), so treat host, ident and the message timestamp as claims rather than facts unless the message arrived over an authenticated channel.

The next challenge you’ll likely encounter is syslog over TCP (Mode tcp on the syslog input), which gives you reliable delivery, and protecting it in transit with TLS.
