sendsyslog
Sends input data as syslog messages to a remote server over UDP.
Command properties
| Property | Description |
|---|---|
| Command type | Transforming |
| Required permission | None |
| License usage | N/A |
| Parallel execution | Not supported |
| Distributed execution | Not supported |
Syntax
Options
dst=IP
IP address of the syslog receiving server.

port=INT
Port number of the syslog receiving server. (Default: 514)

format={txt|json}
Syslog message body format. (Default: txt)
- txt: Sends the value of the line field of the input record as-is.
- json: Converts the entire input record to JSON format and sends it. The _id, _table, and _time fields are excluded.

pri=INT
PRI value as defined in RFC 5424. The default of 134 corresponds to the local0 facility and info severity. (Default: 134)
The PRI value equals the facility value multiplied by 8, plus the severity value.

| Facility / Severity | 0/Emer | 1/Alert | 2/Crit | 3/Error | 4/Warn | 5/Notice | 6/Info | 7/Debug |
|---|---|---|---|---|---|---|---|---|
| 0 / kern | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| 1 / user | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
| 2 / mail | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 |
| 3 / daemon | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 |
| 4 / auth | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 |
| 5 / syslog | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 |
| 6 / lpr | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 |
| 7 / news | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 |
| 8 / uucp | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 |
| 9 / clock | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 |
| 10 / authpriv | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 |
| 11 / ftp | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 |
| 12 / ntp | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 |
| 13 / audit | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 |
| 14 / alert | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 |
| 15 / solaris-cron | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 |
| 16 / local0 | 128 | 129 | 130 | 131 | 132 | 133 | 134 (default) | 135 |
| 17 / local1 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 |
| 18 / local2 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 |
| 19 / local3 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 |
| 20 / local4 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 |
| 21 / local5 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 |
| 22 / local6 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 |
| 23 / local7 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 |

src=IP
Source IP address. When specified, sends the packet with this IP address as the source instead of the Logpresso server's IP address. Using this option causes packets to be generated directly through the PCAP device.
Input fields
| Field | Type | Required | Description |
|---|---|---|---|
| line | string | Required when format=txt | Text to send as the syslog message body. If null, an empty string is sent. |
Error codes
Parsing errors
| Error code | Message | Description |
|---|---|---|
| missing-dst-option | (none) | The dst option was not specified. |
| invalid-dst-ip | (none) | An invalid IP address was specified for the dst option. |
| invalid-format | (none) | A value other than txt or json was specified for the format option. |
| invalid-pri | (none) | A non-integer value was specified for the pri option. |
| invalid-port-number | (none) | A value outside the range 1–65535 was specified for the port option. |
| invalid-src-ip | (none) | An invalid IP address was specified for the src option. |
Runtime errors
| Error code | Message | Description |
|---|---|---|
| pcap-device-failure | (exception message) | The PCAP device specified by the src option could not be opened. |
Description
The sendsyslog command generates a UDP syslog message for each input record and sends it to the specified remote server. Syslog messages are formatted as <PRI>body.
When format=txt, the value of the line field is used as the message body. When format=json, the entire input record is converted to JSON and used as the body, excluding the _id, _table, and _time fields. The message body uses <PRI>{...} format, with no RFC 3164/RFC 5424 timestamp or hostname headers. The encoding is UTF-8. For example, with PRI 134, the body looks like:
<134>{"src_ip":"192.168.0.10","src_port":52344,"dst_ip":"10.0.0.5","dst_port":443,"protocol":"tcp","bytes":1480}
Each field is converted to a JSON value according to the following rules.
| Logpresso type | JSON representation |
|---|---|
| string | JSON string |
| integer, float (int, long, double, etc.) | JSON number |
| boolean | true / false |
| null | null |
| date | String in "yyyy-MM-dd HH:mm:ssZ" format (e.g., "2026-05-04 13:45:00+0900") |
| IP address | Address string (e.g., "192.168.0.10") |
| UUID | UUID string |
| binary | Lowercase hexadecimal string |
| array | JSON array (each element recursively converted by the rules above) |
| map | JSON object (values recursively converted by the rules above) |
The order of keys in the JSON object is not guaranteed. Write your receiver parser to operate based on key names. If the receiver needs time information, use the eval command to copy _time to a separate field before passing it to sendsyslog.
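A receiver-side parser for the <PRI>body datagrams described above, as an added example (not Logpresso code): it decodes facility and severity from the PRI value, accepts the body as JSON only when it parses to an object, and reads fields by key name. The function name parse_datagram and the sample datagrams are constructed for illustration.

```python
import json
import re

# Facility and severity names in the order of the PRI table (index = numeric code).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "clock", "authpriv", "ftp", "ntp", "audit", "alert",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emer", "alert", "crit", "error", "warn", "notice", "info", "debug"]

# <PRI> is 1-3 decimal digits; everything after '>' is the body (no timestamp/hostname).
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_datagram(data: bytes) -> dict:
    """Parse one <PRI>body datagram; raise ValueError on malformed input."""
    m = PRI_RE.match(data)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest value in the PRI table
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    try:
        body = data[m.end():].decode("utf-8")  # strict: reject invalid UTF-8
    except UnicodeDecodeError as e:
        raise ValueError("body is not valid UTF-8") from e
    event = {"pri": pri, "facility": FACILITIES[facility],
             "severity": SEVERITIES[severity], "body": body, "fields": None}
    if body.startswith("{"):  # format=json candidate; otherwise treat as format=txt
        try:
            obj = json.loads(body)
        except json.JSONDecodeError:
            obj = None  # truncated or non-JSON text: keep the raw body only
        if isinstance(obj, dict):
            event["fields"] = obj  # access by key name; key order is not guaranteed
    return event


# Constructed samples: the page's JSON example with keys reordered, and a txt body.
SAMPLE_JSON = ('<134>{"bytes":1480,"protocol":"tcp","dst_port":443,'
               '"dst_ip":"10.0.0.5","src_port":52344,"src_ip":"192.168.0.10"}').encode()
SAMPLE_TXT = b'<165>GET /index.html 200'

if __name__ == "__main__":
    for sample in (SAMPLE_JSON, SAMPLE_TXT):
        print(parse_datagram(sample))
```

A datagram whose JSON body was cut short in transit is returned with fields set to None and the raw body preserved, so the receiver can count or quarantine it instead of dropping it silently.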
sendsyslog sends one UDP datagram per record. When format=json is used with large records, the serialized data may exceed the MTU, causing fragmentation or packet loss. Consider using sendsyslog-tcp for large records.
When the src option is specified, a UDP packet with an arbitrary source IP is generated using the PCAP device. Without the src option, a standard UDP socket is used. Using the src option requires libpcap (Linux/macOS) or WinPcap (Windows) to be installed on the operating system. Packets exceeding the MTU size may fail to be transmitted.
Regardless of whether transmission succeeds, the input record is passed to the next command unchanged. If a transmission error occurs, only the first error is logged; subsequent identical errors are suppressed.
Examples
- Send syslog messages in text format

  table duration=1h web_logs | sendsyslog dst=198.51.100.10

  Sends the line field of the web logs from the past hour as UDP syslog messages to 198.51.100.10:514.

- Send syslog messages in JSON format

  table duration=1h web_logs | sendsyslog dst=198.51.100.10 port=1514 format=json

  Converts all fields of the web logs to JSON format and sends them to 198.51.100.10:1514.

- Specify the PRI value and source IP

  table duration=1h web_logs | sendsyslog dst=198.51.100.10 pri=165 src=203.0.113.5

  Sets the PRI value to 165 (local4 + notice) and sends packets with 203.0.113.5 as the source IP.