Syslog (QRadar)

Annotations reference

Every annotation Collectord recognizes for the syslog forwarder, grouped by the datatype it controls. For usage, examples, and patterns, see the companion Annotations page. All annotations use the syslog.collectord.io/ prefix; annotations under collectord.collectord.io/{annotation} apply to every Collectord instance regardless of subdomain.

  • General annotations
    • syslog.collectord.io/source - change the source for all the data forwarded for this Pod (container logs, application logs)
    • syslog.collectord.io/type - change the sourcetype for all the data forwarded for this Pod (container logs, application logs)
    • syslog.collectord.io/host - change the host for all the data forwarded for this Pod (container logs, application logs)
    • syslog.collectord.io/output - (5.2+) change the output to devnull or syslog
    • syslog.collectord.io/userfields.{fieldname} - (5.15.300+) attach custom fields to events
  • Annotations for container logs
    • syslog.collectord.io/logs-source - change the source for the container logs forwarded from this Pod
    • syslog.collectord.io/logs-type - change the sourcetype for the container logs forwarded from this Pod
    • syslog.collectord.io/logs-host - change the host for the container logs forwarded from this Pod
    • syslog.collectord.io/logs-eventpattern - set the regex identifying the event start pattern for Pod logs
    • syslog.collectord.io/logs-replace.{N}-search - define the search pattern for the replace pipe
    • syslog.collectord.io/logs-replace.{N}-val - define the replace pattern for the replace pipe
    • syslog.collectord.io/logs-hashing.{N}-match - (5.3+) the regexp for a matched value
    • syslog.collectord.io/logs-hashing.{N}-function - (5.3+) hash function (default sha256; available: adler-32, crc-32-ieee, crc-32-castagnoli, crc-32-koopman, crc-64-iso, crc-64-ecma, fnv-1-64, fnv-1a-64, fnv-1-32, fnv-1a-32, fnv-1-128, fnv-1a-128, md5, sha1, sha256, sha384, sha512)
    • syslog.collectord.io/logs-extraction - define the regexp for fields extraction
    • syslog.collectord.io/logs-extractionMessageField - (5.18+) specify the field name for the message (by default the first unnamed group in the regexp)
    • syslog.collectord.io/logs-timestampfield - define the field for timestamp (after fields extraction)
    • syslog.collectord.io/logs-timestampformat - define the timestamp format
    • syslog.collectord.io/logs-timestampsetmonth - define whether the month of the timestamp should be set to the current month
    • syslog.collectord.io/logs-timestampsetday - define whether the day of the timestamp should be set to the current day
    • syslog.collectord.io/logs-timestamplocation - define timestamp location if not set by format
    • syslog.collectord.io/logs-joinpartial - join partial events
    • syslog.collectord.io/logs-joinmultiline - (5.3+) join multiline logs (default value depends on [pipe.join] disabled)
    • syslog.collectord.io/logs-escapeterminalsequences - escape terminal sequences (including colors)
    • syslog.collectord.io/logs-override.{N}-match - (5.2+) match for override pattern
    • syslog.collectord.io/logs-override.{N}-source - (5.2+) override source for matched events
    • syslog.collectord.io/logs-override.{N}-type - (5.2+) override type for matched events
    • syslog.collectord.io/logs-output - (5.2+) change the output to devnull or syslog (this annotation cannot be specified for stderr and stdout)
    • syslog.collectord.io/logs-disabled - (5.3+) disable any log processing for this container (this annotation cannot be specified for stderr and stdout)
    • syslog.collectord.io/logs-sampling-percent - (5.6+) specify the percentage of logs that should be forwarded to the syslog server
    • syslog.collectord.io/logs-sampling-key - (5.6+) regexp pattern to specify the key for the sampling based on hash values
    • syslog.collectord.io/logs-ThruputPerSecond - (5.10.252+) set the throughput limit for this container, the maximum amount of log data per second, for example 128Kb or 1024b
    • syslog.collectord.io/logs-TooOldEvents - (5.10.252+) duration of events from now to past that are considered too old and should be ignored, for example 168h, 24h
    • syslog.collectord.io/logs-TooNewEvents - (5.10.252+) duration of events from now to the future that are considered too new and should be ignored, for example 1h, 30m
    • syslog.collectord.io/logs-whitelist - (5.14.284+) configure a pattern for log messages; only log messages matching this pattern are forwarded
    • syslog.collectord.io/logs-userfields.{fieldname} - (5.15.300+) attach custom fields to events
    • Specific to stdout; the annotations below define configuration that applies only to stdout
      • syslog.collectord.io/stdout-logs-source
      • syslog.collectord.io/stdout-logs-type
      • syslog.collectord.io/stdout-logs-host
      • syslog.collectord.io/stdout-logs-eventpattern
      • syslog.collectord.io/stdout-logs-replace.{N}-search
      • syslog.collectord.io/stdout-logs-replace.{N}-val
      • syslog.collectord.io/stdout-logs-hashing.{N}-match - (5.3+)
      • syslog.collectord.io/stdout-logs-hashing.{N}-function - (5.3+)
      • syslog.collectord.io/stdout-logs-extraction
      • syslog.collectord.io/stdout-logs-extractionMessageField - (5.18+)
      • syslog.collectord.io/stdout-logs-timestampfield
      • syslog.collectord.io/stdout-logs-timestampformat
      • syslog.collectord.io/stdout-logs-timestampsetmonth
      • syslog.collectord.io/stdout-logs-timestampsetday
      • syslog.collectord.io/stdout-logs-timestamplocation
      • syslog.collectord.io/stdout-logs-joinpartial
      • syslog.collectord.io/stdout-logs-joinmultiline - (5.3+)
      • syslog.collectord.io/stdout-logs-escapeterminalsequences
      • syslog.collectord.io/stdout-logs-override.{N}-match - (5.2+)
      • syslog.collectord.io/stdout-logs-override.{N}-source - (5.2+)
      • syslog.collectord.io/stdout-logs-override.{N}-type - (5.2+)
      • syslog.collectord.io/stdout-logs-sampling-percent - (5.6+)
      • syslog.collectord.io/stdout-logs-sampling-key - (5.6+)
      • syslog.collectord.io/stdout-logs-ThruputPerSecond - (5.10.252+)
      • syslog.collectord.io/stdout-logs-TooOldEvents - (5.10.252+)
      • syslog.collectord.io/stdout-logs-TooNewEvents - (5.10.252+)
      • syslog.collectord.io/stdout-logs-whitelist - (5.14.284+)
    • Specific to stderr; the annotations below define configuration that applies only to stderr
      • syslog.collectord.io/stderr-logs-source
      • syslog.collectord.io/stderr-logs-type
      • syslog.collectord.io/stderr-logs-host
      • syslog.collectord.io/stderr-logs-eventpattern
      • syslog.collectord.io/stderr-logs-replace.{N}-search
      • syslog.collectord.io/stderr-logs-replace.{N}-val
      • syslog.collectord.io/stderr-logs-hashing.{N}-match - (5.3+)
      • syslog.collectord.io/stderr-logs-hashing.{N}-function - (5.3+)
      • syslog.collectord.io/stderr-logs-extraction
      • syslog.collectord.io/stderr-logs-extractionMessageField - (5.18+)
      • syslog.collectord.io/stderr-logs-timestampfield
      • syslog.collectord.io/stderr-logs-timestampformat
      • syslog.collectord.io/stderr-logs-timestampsetmonth
      • syslog.collectord.io/stderr-logs-timestampsetday
      • syslog.collectord.io/stderr-logs-timestamplocation
      • syslog.collectord.io/stderr-logs-joinpartial
      • syslog.collectord.io/stderr-logs-joinmultiline - (5.3+)
      • syslog.collectord.io/stderr-logs-escapeterminalsequences
      • syslog.collectord.io/stderr-logs-override.{N}-match - (5.2+)
      • syslog.collectord.io/stderr-logs-override.{N}-source - (5.2+)
      • syslog.collectord.io/stderr-logs-override.{N}-type - (5.2+)
      • syslog.collectord.io/stderr-logs-sampling-percent - (5.6+)
      • syslog.collectord.io/stderr-logs-sampling-key - (5.6+)
      • syslog.collectord.io/stderr-logs-ThruputPerSecond - (5.10.252+)
      • syslog.collectord.io/stderr-logs-TooOldEvents - (5.10.252+)
      • syslog.collectord.io/stderr-logs-TooNewEvents - (5.10.252+)
      • syslog.collectord.io/stderr-logs-whitelist - (5.14.284+)
  • Annotations for events (can be applied only to namespaces)
    • syslog.collectord.io/events-source - change the source for the events of specific namespace
    • syslog.collectord.io/events-type - change the source type for the events of specific namespace
    • syslog.collectord.io/events-host - change the host for the events of specific namespace
    • syslog.collectord.io/events-userfields.{fieldname} - (5.15.300+) attach custom fields to events
    • syslog.collectord.io/events-output - (26.04.1+) change the output for the events published on the namespace
  • Annotations for application logs
    • syslog.collectord.io/volume.{N}-logs-name - name of the volume attached to Pod
    • syslog.collectord.io/volume.{N}-logs-output - configure the output for the logs forwarded from the volume
    • syslog.collectord.io/volume.{N}-logs-source - change the source for logs forwarded from the volume
    • syslog.collectord.io/volume.{N}-logs-type - change the type for logs forwarded from the volume
    • syslog.collectord.io/volume.{N}-logs-host - change the host for logs forwarded from the volume
    • syslog.collectord.io/volume.{N}-logs-eventpattern - change the event pattern defining new event for logs forwarded from the volume
    • syslog.collectord.io/volume.{N}-logs-replace.{N}-search - specify the regex search pattern for the replace pipe for the logs
    • syslog.collectord.io/volume.{N}-logs-replace.{N}-val - specify the regex replace pattern for the replace pipe for the logs
    • syslog.collectord.io/volume.{N}-logs-hashing.{N}-match - (5.3+) the regexp for a matched value
    • syslog.collectord.io/volume.{N}-logs-hashing.{N}-function - (5.3+) hash function (default sha256; available: adler-32, crc-32-ieee, crc-32-castagnoli, crc-32-koopman, crc-64-iso, crc-64-ecma, fnv-1-64, fnv-1a-64, fnv-1-32, fnv-1a-32, fnv-1-128, fnv-1a-128, md5, sha1, sha256, sha384, sha512)
    • syslog.collectord.io/volume.{N}-logs-extraction - specify the regexp for fields extraction from the logs
    • syslog.collectord.io/volume.{N}-logs-extractionMessageField - (5.18+) specify the field name for the message (by default the first unnamed group in the regexp)
    • syslog.collectord.io/volume.{N}-logs-timestampfield - specify the timestamp field
    • syslog.collectord.io/volume.{N}-logs-timestampformat - specify the format for timestamp field
    • syslog.collectord.io/volume.{N}-logs-timestampsetmonth - define whether the month of the timestamp should be set to the current month
    • syslog.collectord.io/volume.{N}-logs-timestampsetday - define whether the day of the timestamp should be set to the current day
    • syslog.collectord.io/volume.{N}-logs-timestamplocation - define timestamp location if not set by format
    • syslog.collectord.io/volume.{N}-logs-glob - set the glob pattern for matching logs
    • syslog.collectord.io/volume.{N}-logs-match - set the regexp pattern for matching logs
    • syslog.collectord.io/volume.{N}-logs-recursive - set whether the walker should walk the directory recursively
    • syslog.collectord.io/volume.{N}-logs-override.{N}-match - (5.2+) match for override pattern
    • syslog.collectord.io/volume.{N}-logs-override.{N}-source - (5.2+) override source for matched events
    • syslog.collectord.io/volume.{N}-logs-override.{N}-type - (5.2+) override type for matched events
    • syslog.collectord.io/volume.{N}-logs-sampling-percent - (5.6+) specify the percentage of logs that should be forwarded to the syslog server
    • syslog.collectord.io/volume.{N}-logs-sampling-key - (5.6+) regexp pattern to specify the key for the sampling based on hash values
    • syslog.collectord.io/volume.{N}-logs-ThruputPerSecond - (5.10.252+) set the throughput limit for this container, the maximum amount of log data per second, for example 128Kb or 1024b
    • syslog.collectord.io/volume.{N}-logs-TooOldEvents - (5.10.252+) duration of events from now to past that are considered too old and should be ignored, for example 168h, 24h
    • syslog.collectord.io/volume.{N}-logs-TooNewEvents - (5.10.252+) duration of events from now to the future that are considered too new and should be ignored, for example 1h, 30m
    • syslog.collectord.io/volume.{N}-logs-whitelist - (5.14.284+) configure a pattern for log messages; only log messages matching this pattern are forwarded
    • syslog.collectord.io/volume.{N}-logs-userfields.{fieldname} - (5.15.300+) attach custom fields to events
    • syslog.collectord.io/volume.{N}-logs-maxholdafterclose - (5.18.381+) how long Collectord may keep file descriptors open for files in the PVC after the Pod is terminated (a duration, for example 5s or 1800s)
    • syslog.collectord.io/volume.{N}-logs-onvolumedatabase - (5.20.400+) boolean flag to enable the on-volume database for this volume, for cases where the volume may be used on more than one host
    • syslog.collectord.io/volume.{N}-logs-withlock - (5.24.440+) boolean flag to enable file locking while forwarding logs from the files, preventing other Collectord instances from reading the same file