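@version: 4.10
@include "scl.conf"

# ------------------------------------------------------------
# Source: Receive syslog on UDP/TCP 5514
# - flags(syslog-protocol): parse RFC5424 whenever possible (better fields)
# - No ip() is set, so both listeners accept traffic on every local
#   address, and neither transport authenticates or encrypts senders.
#   Anything that can reach port 5514 can submit records with
#   sender-chosen HOST/PROGRAM values, so restrict reachability with
#   firewall / network policy and treat those fields as untrusted
#   downstream.
# - The TCP listener runs with the default max-connections() limit;
#   set it explicitly if many senders are expected.
# ------------------------------------------------------------
source s_network {
    network(
        transport("udp")
        port(5514)
        flags(syslog-protocol)
    );
    network(
        transport("tcp")
        port(5514)
        flags(syslog-protocol)
    );
};

# ------------------------------------------------------------
# Destination: Forward JSON to Vector over TCP 9000
# - disk-buffer: survive restarts / backpressure
#     * reliable(yes) sizes its in-memory part with mem-buf-size()
#       (bytes). mem-buf-length() only applies to reliable(no) and is
#       ignored here, so it is not set and the mem-buf-size() default
#       applies.
#     * dir() must exist and be writable by syslog-ng. The queue files
#       hold unforwarded log content, so keep the directory readable
#       only by the syslog-ng user.
# - log-fifo-size: allow bursts
# - time-reopen: reconnect if Vector is restarting
# - template: JSON with stable types (--cast)
# - The link to Vector is plain TCP (no TLS), so records cross the
#   network in clear text; keep it on a trusted network segment.
# ------------------------------------------------------------
destination d_vector {
    network(
        "vector"
        port(9000)
        transport("tcp")
        time-reopen(5)
        log-fifo-size(10000)
        disk-buffer(
            disk-buf-size(268435456)   # 256 MiB
            reliable(yes)
            dir("/var/log/syslog-ng/buffer")
        )
        template("$(format-json --scope selected_macros --scope nv_pairs --exclude DATE --key ISODATE --cast)\n")
    );
};

# ------------------------------------------------------------
# Local debug: write what we received to a file
# - NOTE: this path is ACTIVE as written. Every message from s_network
#   is also appended to received.log; remove or comment out the log {}
#   statement below once ingestion has been verified.
# - No template is given, so lines are written in file()'s default
#   format rather than as the bytes received from the sender.
# - The file grows without bound (nothing here rotates it) and is fed
#   by an unauthenticated network source. It shares /var/log/syslog-ng
#   with the disk buffer, so a full filesystem would also stall
#   buffering. Rotate it or point it at a separate volume if it stays
#   enabled.
# - flush-lines(1) flushes after each message: handy for tailing,
#   costly under load.
# ------------------------------------------------------------
destination d_debug_file {
    file("/var/log/syslog-ng/received.log" flush-lines(1));
};

log {
    source(s_network);
    destination(d_debug_file);
};

# Main log path: network -> vector
log {
    source(s_network);
    destination(d_vector);
};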