Return to
Portfolio

109.32. UDP (im_udp)

This module accepts UDP datagrams on the configured address and port. UDP is the transport protocol of the legacy BSD Syslog as described in RFC 3164, so this module can be particularly useful to receive such messages from older devices which do not support other transports.

Warning
 UDP is an unreliable transport protocol, and does not guarantee delivery. Messages may not be received or may be truncated. It is recommended to use the TCP or SSL transport modules instead, if possible.

To reduce the likelihood of message loss, consider:

  • increasing the socket buffer size with SockBufSize,

  • raising the route priority by setting the Priority directive (to a low number such as 1), and

  • adding additional buffering by increasing the LogqueueSize or adding a pm_buffer instance.

Note
 This module provides no access control. Firewall rules can be used to drop log events from certain hosts.

For parsing Syslog messages, see the pm_transformer module or the parse_syslog_bsd() procedure of xm_syslog.

109.32.1. Configuration

The im_udp module accepts the following directives in addition to the common module directives.

Host

The module will accept messages on this IP address or DNS hostname. The default is localhost.

Port

The module will listen for incoming connections on this port number. The default is port 514.

SockBufSize

This optional directive sets the socket buffer size (SO_RCVBUF) to the value specified. If not set, the operating system defaults are used. If UDP packet loss is occurring at the kernel level, setting this to a high value (such as 150000000) may help. On Windows systems the default socket buffer size is extremely low, and using this option is highly recommended.

UseRecvmmsg

This boolean directive specifies that the recvmmsg() system call should be used, if available, to receive multiple messages per call to improve performance. The default is TRUE.

109.32.2. Fields

The following fields are used by im_udp.

$raw_event (type: string)

The received string.

$MessageSourceAddress (type: string)

The IP address of the remote host.

109.32.3. Examples

Example 570. Using the im_udp Module

This configuration accepts log messages via UDP and writes them to file.

nxlog.conf [Download file]

  
1
2
3
4
5
6
7
8
9
10
11
12
13
14


  
<Input udp>
    Module  im_udp
    Host    192.168.1.1
    Port    514
</Input>

<Output file>
    Module  om_file
    File    "tmp/output"
</Output>

<Route udp_to_file>
    Path    udp => file
</Route>

← Previous: im_testgen | ↑ Up: Input Modules | ⌂ Home: NXLog User Guide | Next: Unix Domain Sockets (im_uds) →