Forwarding Logstash events to a syslog collector keeps log ingestion compatible with legacy syslog-based pipelines and many SIEM forwarders. A syslog output is useful when normalized events must be delivered to an existing central syslog server without changing collector-side tooling.
The syslog output plugin converts each event into a syslog message and sends it to a remote listener over UDP or TCP. Message headers and fields can be formatted for common syslog standards such as RFC3164 and RFC5424, while facility and severity are set to match downstream routing rules.
Syslog transport and formatting choices affect reliability and parsing. UDP is best-effort and may drop messages under load, while TCP reduces loss at the cost of backpressure when the collector is slow. Confirm the remote listener, firewall rules, and any allowlists before enabling forwarding, and validate pipeline configuration before restarting to avoid a failed Logstash service start.
Steps to configure a Logstash syslog output:
- Confirm the logstash-output-syslog plugin is available.
$ sudo /usr/share/logstash/bin/logstash-plugin list --verbose logstash-output-syslog
Using bundled JDK: /usr/share/logstash/jdk
logstash-output-syslog (3.1.0)
- Install the logstash-output-syslog plugin if it is not listed.
$ sudo /usr/share/logstash/bin/logstash-plugin install logstash-output-syslog
Using bundled JDK: /usr/share/logstash/jdk
Validating logstash-output-syslog
Resolving mixin dependencies
Updating mixin dependencies logstash-mixin-normalize_config_support
Bundler attempted to update logstash-mixin-normalize_config_support but its version stayed the same
Installing logstash-output-syslog
Installation successful
- Create a syslog output configuration file at /etc/logstash/conf.d/70-syslog-output.conf.
output {
  syslog {
    host => "syslog.example.net"
    port => 514
    protocol => "udp"
    facility => "local0"
  }
}
Files in conf.d are concatenated in name order into the default main pipeline on package installs, so an output-only file works as long as an input is defined elsewhere in /etc/logstash/conf.d.
The output is applied to every event in the pipeline unless it is restricted with conditionals; forwarding a high-volume pipeline unfiltered can overwhelm the syslog collector.
- Run a pipeline configuration test using --config.test_and_exit.
$ sudo /usr/share/logstash/bin/logstash --path.settings /etc/logstash --config.test_and_exit
##### snipped #####
Configuration OK
- Restart the Logstash service to apply the updated pipeline.
$ sudo systemctl restart logstash
- Confirm the Logstash service is active after the restart.
$ sudo systemctl status logstash --no-pager
● logstash.service - logstash
     Loaded: loaded (/usr/lib/systemd/system/logstash.service; enabled; preset: enabled)
     Active: active (running) since Wed 2026-01-07 11:41:35 UTC; 8s ago
##### snipped #####
- Check pipeline statistics for increasing output event counters.
$ curl -s http://127.0.0.1:9600/_node/stats/pipelines?pretty | sed -n '1,80p'
{
  "host" : "host",
  "version" : "8.19.9",
  "http_address" : "127.0.0.1:9600",
  "id" : "3723b694-8264-4225-a32b-a201e0fcb5dc",
  "name" : "host",
  "ephemeral_id" : "ddfb4871-abee-4253-a6bc-934eb91f0928",
  "snapshot" : false,
  "status" : "green",
  "pipeline" : {
    "workers" : 10,
    "batch_size" : 125,
    "batch_delay" : 50
  },
  "pipelines" : {
    "main" : {
      "events" : {
        "out" : 69,
        "duration_in_millis" : 2530,
        "queue_push_duration_in_millis" : 1,
        "filtered" : 69,
        "in" : 69
      },
##### snipped #####
The Monitoring API typically listens on 127.0.0.1:9600 unless http.port is changed in /etc/logstash/logstash.yml.
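Before pointing the output at the production collector, it helps to confirm that forwarded datagrams carry the facility and format the configuration asks for. The following is an added example, not part of the original page or the Logstash project: a throwaway UDP listener that decodes the syslog <PRI> header into facility and severity and tells RFC5424 from RFC3164 framing. The host, port and sample messages are constructed for illustration.

```python
import socket

# Facility and severity codes as numbered in RFC5424 section 6.2.1 (RFC3164 uses the same <PRI>).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "console", "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(datagram: bytes) -> dict:
    """Decode the <PRI> header into facility/severity and detect RFC5424 ("<PRI>1 ...") framing."""
    text = datagram.decode("utf-8", errors="replace")
    end = text.find(">", 1, 5)          # PRI is 1-3 digits, so ">" must appear by index 4
    if text[:1] != "<" or end == -1:
        raise ValueError("missing <PRI> header")
    pri = int(text[1:end])
    if pri > 191:                       # 23 facilities * 8 severities - 1
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    body = text[end + 1:]
    rfc = "rfc5424" if body.startswith("1 ") else "rfc3164"
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "rfc": rfc, "body": body}


def listen(port: int = 0, timeout: float = 2.0) -> socket.socket:
    """Bind a throwaway UDP listener on loopback; port 0 picks any free port (constructed test setup)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", port))
    sock.settimeout(timeout)
    return sock


def receive(sock: socket.socket, count: int) -> list:
    """Collect up to `count` datagrams, stopping early when the socket timeout expires."""
    messages = []
    while len(messages) < count:
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            break
        messages.append(parse_syslog(data))
    return messages


def loopback_check() -> list:
    """Self-test without Logstash: send one constructed local0/info datagram to our own listener."""
    sock = listen()
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender.sendto(b"<134>Jan  7 11:41:35 host logstash: constructed test event", sock.getsockname())
    messages = receive(sock, 1)
    sender.close()
    sock.close()
    return messages
```

To check a real pipeline, bind `listen(514)` (as root, or a high port matched by `port =>` in the output config) on a test host, set `host =>` to it, and inspect what `receive` returns; a facility other than local0 means the output block is not the one being applied.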
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
