sendsyslog-tcp

Sends input data as syslog messages to a remote server over TCP.

Command properties

Property	Description
Command type	Transforming
Required permission	None
License usage	N/A
Parallel execution	Not supported
Distributed execution	Not supported

Syntax

sendsyslog-tcp dst=IP [port=INT] [format={txt|json}] [pri=INT] [framing={lf|rfc6587}]

Options

dst=IP: IP address of the syslog receiving server.
port=INT: Port number of the syslog receiving server. (Default: 514)
format={txt|json}: Syslog message body format. (Default: txt)

txt: Sends the value of the line field of the input record as-is.
json: Converts the entire input record to JSON format and sends it. The _id, _table, and _time fields are excluded.

pri=INT

PRI value as defined in RFC 5424. The default of 134 corresponds to the local0 facility and info severity. (Default: 134)

The PRI value equals the facility value multiplied by 8, plus the severity value.

Facility / Severity	0/Emer	1/Alert	2/Crit	3/Error	4/Warn	5/Notice	6/Info	7/Debug
0 / kern	0	1	2	3	4	5	6	7
1 / user	8	9	10	11	12	13	14	15
2 / mail	16	17	18	19	20	21	22	23
3 / daemon	24	25	26	27	28	29	30	31
4 / auth	32	33	34	35	36	37	38	39
5 / syslog	40	41	42	43	44	45	46	47
6 / lpr	48	49	50	51	52	53	54	55
7 / news	56	57	58	59	60	61	62	63
8 / uucp	64	65	66	67	68	69	70	71
9 / clock	72	73	74	75	76	77	78	79
10 / authpriv	80	81	82	83	84	85	86	87
11 / ftp	88	89	90	91	92	93	94	95
12 / ntp	96	97	98	99	100	101	102	103
13 / audit	104	105	106	107	108	109	110	111
14 / alert	112	113	114	115	116	117	118	119
15 / solaris-cron	120	121	122	123	124	125	126	127
16 / local0	128	129	130	131	132	133	134 (default)	135
17 / local1	136	137	138	139	140	141	142	143
18 / local2	144	145	146	147	148	149	150	151
19 / local3	152	153	154	155	156	157	158	159
20 / local4	160	161	162	163	164	165	166	167
21 / local5	168	169	170	171	172	173	174	175
22 / local6	176	177	178	179	180	181	182	183
23 / local7	184	185	186	187	188	189	190	191

framing={lf|rfc6587}

TCP syslog framing method. (Default: lf)

lf: Separates messages using a linefeed (LF) character.
rfc6587: Separates messages using octet counting as defined in RFC 6587.

Input fields

Field	Type	Required	Description
`line`	string	Required when `format=txt`	Text to send as the syslog message body. If null, an empty string is sent.

Error codes

Parsing errors

Error code	Message	Description
24100	Specify the dst option for the sendsyslog-tcp command.	The `dst` option was not specified.
24101	Specify the port option for the sendsyslog-tcp command.	The `port` option was not specified.
24102	Specify a valid host address for the dst option of the sendsyslog-tcp command.	An invalid host address was specified for the `dst` option.
24103	Specify a valid port value between 1 and 65535 for the port option of the sendsyslog-tcp command.	A value outside the range 1–65535 was specified for the `port` option.
24104	Specify a valid value for the pri option of the sendsyslog-tcp command.	A non-integer value was specified for the `pri` option.
24105	The framing option of the sendsyslog-tcp command must be lf or rfc6587.	A value other than `lf` or `rfc6587` was specified for the `framing` option.
24106	The format option of the sendsyslog-tcp command must be txt or json.	A value other than `txt` or `json` was specified for the `format` option.

Runtime errors

N/A

Description

The sendsyslog-tcp command generates a TCP syslog message for each input record and sends it to the specified remote server. Unlike the sendsyslog command, which uses UDP, this command uses TCP and therefore provides higher delivery reliability.

Syslog messages are formatted as <PRI>body. When format=txt, the value of the line field is used as the message body. When format=json, the entire input record is converted to JSON and used as the body, excluding the _id, _table, and _time fields. The body uses <PRI>{...} format, with no RFC 3164/RFC 5424 timestamp or hostname headers. The encoding is UTF-8. For example, with PRI 134, the body looks like:

<134>{"src_ip":"192.168.0.10","src_port":52344,"dst_ip":"10.0.0.5","dst_port":443,"protocol":"tcp","bytes":1480}

Each field is converted to a JSON value according to the following rules.

Logpresso type	JSON representation
string	JSON string
integer, float (`int`, `long`, `double`, etc.)	JSON number
boolean	`true` / `false`
`null`	`null`
date	String in `"yyyy-MM-dd HH:mm:ssZ"` format (e.g., `"2026-05-04 13:45:00+0900"`)
IP address	Address string (e.g., `"192.168.0.10"`)
UUID	UUID string
binary	Lowercase hexadecimal string
array	JSON array (each element recursively converted by the rules above)
map	JSON object (values recursively converted by the rules above)

The order of keys in the JSON object is not guaranteed. Write your receiver parser to operate based on key names. If the receiver needs time information, use the eval command to copy _time to a separate field before passing it to sendsyslog-tcp.

The framing option specifies how messages are delimited in the TCP stream. lf uses a linefeed character, and rfc6587 prefixes each message with its length.

Regardless of whether transmission succeeds, the input record is passed to the next command unchanged. If a transmission error occurs, only the first error is logged; subsequent identical errors are suppressed.

If the TCP connection drops or delays occur, the message queue may back up. Messages that cannot be transmitted within 30 seconds are discarded. The following JVM options control queue management behavior.

JVM Option	Description	Value
`-Dlogpresso.tcp_sender.idle_timeout`	Threshold for stopping transmission when there is no response from the server	1–86400 seconds (default: `300`)
`-Dlogpresso.tcp_sender.max_queue_time`	Threshold for stopping transmission when delivery takes too long	1–600 seconds (default: `30`)
`-Dlogpresso.tcp_sender.max_queue_chars`	Threshold for stopping transmission when too many characters are queued	1,000,000–1,000,000,000 characters (default: `100,000,000`)

Examples

Send TCP syslog messages in text format
```
table duration=1h web_logs
| sendsyslog-tcp dst=198.51.100.10
```
Sends the line field of the web logs from the past hour as TCP syslog messages to 198.51.100.10:514.
Send TCP syslog messages in JSON format
```
table duration=1h web_logs
| sendsyslog-tcp dst=198.51.100.10 port=1514 format=json
```
Converts all fields of the web logs to JSON format and sends them to 198.51.100.10:1514 over TCP.

Use RFC 6587 framing

table duration=1h web_logs
| sendsyslog-tcp dst=198.51.100.10 port=1514 format=json framing=rfc6587

Sends JSON-formatted syslog messages over TCP using RFC 6587 octet-counting framing.

Specify a PRI value
```
table duration=1h security_logs
| sendsyslog-tcp dst=198.51.100.10 pri=165
```
Sets the PRI value to 165 (local4 + notice) and sends the security logs as TCP syslog messages.