You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Losing logs only because they do not fit into any syslog standard / rfc is a bad idea. It may contain sensitive information which should not belost.
This is always a disadvantage of a produkct like loki or alloy's loki.source.syslog.
There should be an option like: "allow unoparsed messages" = false (default
There should be an option
"allow unoparsed messages" = true
"unparsed_messages_destination" = [default] or [loki.process.xyz.receiver]
The user should be able to decide if he wants to allow unparsed syslog messages.
If it can not be parsed then the user should have two additional possibilities. He should decide if the message should follow the default path or if the message should be routed to another component which then maybe starts to process the message (loki.process) as the user wants.
An additional advantage would be, if someone is sending rfc5424 messages to a loki rfc3164 listener the message can not be parsed.
No problem, no need for an additional listener, but "allow unparsed messages" and define a different forward_to endpoint where the user can try to parse the syslog message with another listener or another parser.
Another recent limitation of loki.source.syslog is that there can be only one listener per port.
e.g. rfc5424 is on port 514 UDP/TCP. But if some applications send rfc3164 syslogs and can not change the destination port then this can not be solved with the same grafana alloy loki.source.syslog component.
For these reasons:
unparsed messages should be allows to be processed
user should be able which path these messages should go. send to another listener which is parsing it as another rfc or another component like loki.process
Request
Losing logs only because they do not fit into any syslog standard / rfc is a bad idea. It may contain sensitive information which should not belost.
This is always a disadvantage of a produkct like loki or alloy's loki.source.syslog.
There should be an option like:
"allow unoparsed messages" = false (default
There should be an option
There was a discussion on slack asking for what happens with messages which count against
loki_source_syslog_parsing_errors_total
https://grafana.slack.com/archives/C01050C3D8F/p1733952946344909?thread_ts=1733928788.934089&cid=C01050C3D8F
Code:
https://github.com/grafana/alloy/blob/main/internal/component/loki/source/syslog/internal/syslogtarget/transport.go#L326
Use case
The user should be able to decide if he wants to allow unparsed syslog messages.
If it can not be parsed then the user should have two additional possibilities. He should decide if the message should follow the default path or if the message should be routed to another component which then maybe starts to process the message (loki.process) as the user wants.
An additional advantage would be, if someone is sending rfc5424 messages to a loki rfc3164 listener the message can not be parsed.
No problem, no need for an additional listener, but "allow unparsed messages" and define a different forward_to endpoint where the user can try to parse the syslog message with another listener or another parser.
Another recent limitation of loki.source.syslog is that there can be only one listener per port.
e.g. rfc5424 is on port 514 UDP/TCP. But if some applications send rfc3164 syslogs and can not change the destination port then this can not be solved with the same grafana alloy loki.source.syslog component.
For these reasons:
loki.source.syslog: drops multiline syslog messages and only accepts first message #2286
The text was updated successfully, but these errors were encountered: