
Deprecation of native GELF and UDP rsyslog ingestion

Published: May 31, 2026

Effective: August 20, 2026

Deprecation notice

Coralogix will permanently discontinue its native GELF and UDP rsyslog ingestion endpoints on August 20, 2026.

Customers sending logs via Docker's GELF log driver or UDP rsyslog directly to Coralogix endpoints must migrate to a local forwarding solution before the cutoff to avoid data loss.

Why this is happening

Native GELF and UDP rsyslog support relied on endpoints that are no longer part of our current ingestion architecture. Moving to standard forwarders — Logstash for GELF and the OpenTelemetry Collector for UDP rsyslog — provides a more reliable and maintainable path that works with all current Coralogix ingestion methods.

What's affected

The following will stop working after August 20, 2026:

  • GELF (Graylog Extended Log Format): Docker containers using --log-driver=gelf with gelf-address=udp://syslogserver.<domain>:20001
  • UDP rsyslog: rsyslog instances forwarding logs over UDP to a Coralogix syslog endpoint

TCP-based rsyslog and syslog-ng ingestion are not affected.

What you need to do

GELF migration: Logstash forwarder

Deploy a local Logstash instance to receive GELF input and forward logs to Coralogix.

Step 1. Install Logstash on a host reachable from your Docker containers.

Step 2. Install the GELF input plugin:

bin/logstash-plugin install logstash-input-gelf

Step 3. Create a Logstash pipeline configuration file (for example, /etc/logstash/conf.d/coralogix-gelf.conf):

input {
  gelf {
    port => 12201
    type => "docker"
  }
}

filter {
  ruby {
    code => "
      event.set('[@metadata][application]', event.get('APP_NAME') || event.get('host') || 'unknown')
      event.set('[@metadata][subsystem]', event.get('SUB_NAME') || event.get('source_host') || 'docker')
      event.set('[@metadata][host]', event.get('host') || event.get('source_host') || 'unknown')
      event.set('[@metadata][event]', event.to_json)
    "
  }
}

output {
  http {
    url => "https://ingress.<domain>/logs/v1/singles"
    http_method => "post"
    headers => ["authorization", "Bearer <Send-Your-Data API key>"]
    format => "json_batch"
    codec => "json"
    mapping => {
      "applicationName" => "%{[@metadata][application]}"
      "subsystemName"   => "%{[@metadata][subsystem]}"
      "computerName"    => "%{[@metadata][host]}"
      "text"            => "%{[@metadata][event]}"
    }
    http_compression => true
    automatic_retries => 5
    retry_non_idempotent => true
    connect_timeout => 30
    keepalive => false
  }
}

Replace <Send-Your-Data API key> with your Send-Your-Data API key. Use the domain selector at the top of this page to set the correct endpoint URL for your Coralogix domain.

The filter maps APP_NAME and SUB_NAME — the environment variables the existing GELF integration forwards with --log-opt env=APP_NAME,SUB_NAME — falling back to host and source_host, and forwards the originating host as computerName. If your containers expose different field names, update them accordingly.

Start or restart Logstash to load the pipeline, for example sudo systemctl restart logstash. Logstash listens on UDP port 12201; make sure that port is reachable from your containers.

Step 4. Update your Docker containers to point the GELF log driver at your Logstash instance:

docker run \
  -e APP_NAME="your-application" \
  -e SUB_NAME="your-subsystem" \
  --log-driver=gelf \
  --log-opt gelf-address=udp://<logstash-host>:12201 \
  --log-opt env=APP_NAME,SUB_NAME \
  your-image

The --log-opt env=APP_NAME,SUB_NAME list must name the variables you pass with -e, or the GELF message won't carry them and Logstash falls back to host and source_host.

Or in docker-compose.yml:

services:
  your-service:
    environment:
      - APP_NAME=your-application
      - SUB_NAME=your-subsystem
    logging:
      driver: gelf
      options:
        gelf-address: "udp://<logstash-host>:12201"
        env: "APP_NAME,SUB_NAME"

Replace <logstash-host> with the hostname or IP of the host running Logstash.

Step 5. Verify the migration. In Coralogix, navigate to Explore > Logs and search the last 15 minutes. If your container logs appear, GELF logs are now flowing through Logstash. To confirm with a query instead of the UI, run this DataPrime query (replace the application name with yours):

source logs | filter $l.applicationname == '<application-name>'

Example. A container started with APP_NAME=payments, SUB_NAME=checkout, and --log-opt env=APP_NAME,SUB_NAME causes Logstash to send a request body like this (abridged) to the singles endpoint:

[
  {
    "applicationName": "payments",
    "subsystemName": "checkout",
    "computerName": "app-host-01",
    "text": "{\"message\":\"Order 4521 shipped\",\"APP_NAME\":\"payments\",\"SUB_NAME\":\"checkout\",\"host\":\"app-host-01\",\"level\":6}"
  }
]

The log then appears in Coralogix under application payments and subsystem checkout. Because text holds the event as JSON, Coralogix parses it automatically, so the original log line is available as the message field. The Docker GELF driver also forwards fields such as container_id, image_name, and tag; these travel inside text and become parsed fields in Coralogix.
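
A smoke test for the pipeline from Step 3, added here as an example (not Coralogix or Docker code): it builds a GELF 1.1 datagram that carries APP_NAME and SUB_NAME as underscore-prefixed additional fields, the way the Docker driver sends variables named in env=, and sends it over UDP so the Logstash path can be checked before any container is repointed. The function names, the 127.0.0.1:12201 address, and the sample values are assumptions.

```python
import gzip
import json
import socket
import time


def build_gelf(app_name, sub_name, message, host="app-host-01"):
    """Build a gzip-compressed GELF 1.1 payload for one log line.

    GELF additional fields start with an underscore; the Logstash gelf
    input strips it by default, so the filter sees APP_NAME and SUB_NAME.
    """
    record = {
        "version": "1.1",
        "host": host,
        "short_message": message,
        "timestamp": time.time(),
        "level": 6,  # syslog severity "informational"
    }
    # Pass None to leave a field out, which is what the pipeline sees when
    # a variable is missing from --log-opt env= and the fallbacks apply.
    if app_name is not None:
        record["_APP_NAME"] = app_name
    if sub_name is not None:
        record["_SUB_NAME"] = sub_name
    return gzip.compress(json.dumps(record).encode("utf-8"))


def send_gelf(payload, address):
    """Send one GELF datagram over UDP and return the byte count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, address)


if __name__ == "__main__":
    # Assumption: the Logstash instance from Step 3 listens on this host.
    datagram = build_gelf("payments", "checkout", "GELF smoke test")
    print(send_gelf(datagram, ("127.0.0.1", 12201)), "bytes sent")
```

After running it, the DataPrime query from Step 5 with application name payments should return the test line; calling build_gelf(None, None, ...) instead exercises the host and source_host fallbacks.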


UDP rsyslog migration: OTel Collector forwarder

Deploy an OpenTelemetry Collector with the syslog receiver to receive UDP syslog traffic and forward it to Coralogix.

Step 1. Install the OpenTelemetry Collector on a host reachable from your rsyslog instances. The syslog receiver and coralogix exporter are part of the opentelemetry-collector-contrib distribution, so install otelcol-contrib or the Coralogix OpenTelemetry distribution — the core otelcol build does not include them. See Getting started with OpenTelemetry.

Step 2. Create a Collector configuration file:

receivers:
  syslog:
    udp:
      listen_address: "0.0.0.0:514"
    protocol: rfc5424

exporters:
  coralogix:
    domain: "<your-coralogix-domain>"
    private_key: "<your-send-your-data-api-key>"
    application_name: "<application-name>"
    subsystem_name: "<subsystem-name>"
    timeout: 30s

service:
  pipelines:
    logs:
      receivers: [syslog]
      exporters: [coralogix]

Replace the placeholders with your Coralogix domain, Send-Your-Data API key, and application/subsystem names.

If your rsyslog instances use rfc3164 format, change protocol: rfc5424 to protocol: rfc3164 in the receiver and send a matching RFC 3164 format from rsyslog: in the directive below, replace RSYSLOG_SyslogProtocol23Format (RFC 5424) with RSYSLOG_TraditionalForwardFormat (RFC 3164). The receiver protocol and the rsyslog template must match, or the Collector cannot parse the messages.

Start the Collector with this configuration, for example otelcol-contrib --config collector.yaml, or restart your Collector service. Binding to UDP port 514 requires root or the CAP_NET_BIND_SERVICE capability, and the port must be open in the host firewall.

Step 3. Update your rsyslog configuration to send to the Collector. In /etc/rsyslog.d/coralogix.rsyslog.conf, replace the destination line:

# Remove this line (Coralogix native UDP endpoint)
*.* @<old-coralogix-endpoint>;CoralogixSyslogFormat

# Add this line (OTel Collector)
*.* @<collector-host>:514;RSYSLOG_SyslogProtocol23Format

Replace <collector-host> with the hostname or IP of the host running the Collector. The *.* selector forwards every facility and severity; to forward only specific logs, replace it with a narrower rsyslog selector, for example local0.* or *.warning.

Step 4. Restart rsyslog:

sudo service rsyslog restart

Step 5. Verify the migration. In Coralogix, navigate to Explore > Logs and search the last 15 minutes. If your syslog messages appear, UDP rsyslog is now flowing through the Collector. To confirm with a query instead of the UI, run this DataPrime query (replace the subsystem name with the value from your exporter):

source logs | filter $l.subsystemname == '<subsystem-name>'

Example. rsyslog forwards an RFC 5424 frame like this to the Collector:

<13>1 2026-06-07T10:43:28.456038+00:00 app-host-01 myapp - - - Order 4521 shipped

The syslog receiver parses it into structured attributes — appname, hostname, facility, priority, version, and message — maps the syslog priority to the log's severity, and keeps the raw frame as the log body. The log appears in Coralogix under the application_name and subsystem_name set in the coralogix exporter. Unlike the Logstash path, the Collector does not populate the Coralogix computerName field; the originating host stays available in the hostname attribute.
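
A pre-flight check for the protocol match described in Step 2, added here as an example (not the Collector's own parser): it classifies captured frames as RFC 5424 or RFC 3164, decodes the priority value into facility and severity, and lists the frames that would not fit the receiver's protocol setting. The function names are hypothetical, the RFC 3164 sample is constructed, and structured-data matching is simplified.

```python
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# Structured-data matching is simplified: "-" or bracketed elements.
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d?) (?P<timestamp>\S+) "
    r"(?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[.*?\])+)(?: (?P<message>.*))?$", re.S)

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<appname>[^:\[\s]+)(?:\[\d+\])?: ?(?P<message>.*)$",
    re.S)

# The first frame is the one shown on this page; the second is a
# constructed RFC 3164 rendering of the same event.
FRAME_5424 = ("<13>1 2026-06-07T10:43:28.456038+00:00 app-host-01 myapp "
              "- - - Order 4521 shipped")
FRAME_3164 = "<13>Jun  7 10:43:28 app-host-01 myapp: Order 4521 shipped"


def parse_frame(frame):
    """Classify one frame and decode PRI; None if it fits neither format."""
    for protocol, pattern in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        match = pattern.match(frame)
        if match and int(match["pri"]) <= 191:
            fields = match.groupdict()
            pri = int(fields.pop("pri"))
            # PRI = facility * 8 + severity, so 13 is facility 1, severity 5.
            fields.update(protocol=protocol, facility=pri // 8,
                          severity=SEVERITIES[pri % 8])
            return fields
    return None


def unparsable(frames, receiver_protocol):
    """Frames whose format differs from the receiver's `protocol` setting."""
    return [f for f in frames
            if (parse_frame(f) or {}).get("protocol") != receiver_protocol]


if __name__ == "__main__":
    for sample in (FRAME_5424, FRAME_3164):
        print(parse_frame(sample))
    print("mismatched:", unparsable([FRAME_5424, FRAME_3164], "rfc5424"))
```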

What will happen after August 20, 2026?

  • Native GELF and UDP rsyslog endpoints will be permanently shut down
  • Containers and services still pointing to the old endpoints will stop shipping logs without warning
  • Data may be lost if configurations are not updated in time

Additional resources

  • Logstash GELF input plugin: logstash-input-gelf
  • Logstash integration: Logstash
  • OTel syslog receiver: syslogreceiver README
  • Syslog using OpenTelemetry
  • OpenTelemetry getting started: Getting started with OpenTelemetry

Need help?

Reach out via our 24/7 in-app support or contact your Technical Account Manager directly.