# Deprecation of native GELF and UDP rsyslog ingestion

**Published**: May 31, 2026

**Effective**: August 20, 2026

## Deprecation notice

Coralogix will permanently discontinue its native GELF and UDP rsyslog ingestion endpoints on **August 20, 2026**.

Customers sending logs via Docker's GELF log driver or UDP rsyslog directly to Coralogix endpoints must migrate to a local forwarding solution before the cutoff to avoid data loss.

## Why this is happening

Native GELF and UDP rsyslog support relied on endpoints that are no longer part of our current ingestion architecture. Moving to standard forwarders — Logstash for GELF and the OpenTelemetry Collector for UDP rsyslog — provides a more reliable and maintainable path that works with all current Coralogix ingestion methods.

## What's affected

The following will stop working after August 20, 2026:

- **GELF (Graylog Extended Log Format)**: Docker containers using `--log-driver=gelf` with `gelf-address=udp://syslogserver.<domain>:20001`
- **UDP rsyslog**: rsyslog instances forwarding logs over UDP to a Coralogix syslog endpoint

TCP-based rsyslog and syslog-ng ingestion are not affected.

## What you need to do

### GELF migration: Logstash forwarder

Deploy a local **Logstash** instance to receive GELF input and forward logs to Coralogix.

**Step 1.** [Install Logstash](https://www.elastic.co/guide/en/logstash/current/installing-logstash.html) on a host reachable from your Docker containers.

**Step 2.** Install the GELF input plugin:

```bash
bin/logstash-plugin install logstash-input-gelf
```

**Step 3.** Create a Logstash pipeline configuration file (for example, `/etc/logstash/conf.d/coralogix-gelf.conf`):

```groovy
input {
  gelf {
    port => 12201
    type => "docker"
  }
}

filter {
  ruby {
    code => "
      event.set('[@metadata][application]', event.get('APP_NAME') || event.get('host') || 'unknown')
      event.set('[@metadata][subsystem]', event.get('SUB_NAME') || event.get('source_host') || 'docker')
      event.set('[@metadata][host]', event.get('host') || event.get('source_host') || 'unknown')
      event.set('[@metadata][event]', event.to_json)
    "
  }
}

output {
  http {
    url => "https://ingress.[[DOMAIN_VALUE]]/logs/v1/singles"
    http_method => "post"
    headers => ["authorization", "Bearer <Send-Your-Data API key>"]
    format => "json_batch"
    codec => "json"
    mapping => {
      "applicationName" => "%{[@metadata][application]}"
      "subsystemName"   => "%{[@metadata][subsystem]}"
      "computerName"    => "%{[@metadata][host]}"
      "text"            => "%{[@metadata][event]}"
    }
    http_compression => true
    automatic_retries => 5
    retry_non_idempotent => true
    connect_timeout => 30
    keepalive => false
  }
}
```

Replace `<Send-Your-Data API key>` with your [Send-Your-Data API key](https://coralogix.com/docs/user-guides/account-management/api-keys/send-your-data-api-key/index.md). In the `url`, `[[DOMAIN_VALUE]]` stands for your Coralogix [domain](https://coralogix.com/docs/user-guides/account-management/account-settings/coralogix-domain/index.md); use the domain selector at the top of this page to set the correct endpoint URL, or substitute your domain directly.

The filter maps `APP_NAME` and `SUB_NAME` — the environment variables the existing [GELF integration](https://coralogix.com/docs/integrations/docker/gelf/index.md) forwards with `--log-opt env=APP_NAME,SUB_NAME` — falling back to `host` and `source_host`, and forwards the originating host as `computerName`. If your containers expose different field names, update them accordingly.

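Start or restart Logstash to load the pipeline, for example `sudo systemctl restart logstash`. Logstash listens on UDP port 12201; make sure that port is reachable from your containers. GELF over UDP is unauthenticated, so limit access to that port to the hosts running your containers.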

**Step 4.** Update your Docker containers to point the GELF log driver at your Logstash instance:

```bash
docker run \
  -e APP_NAME="your-application" \
  -e SUB_NAME="your-subsystem" \
  --log-driver=gelf \
  --log-opt gelf-address=udp://<logstash-host>:12201 \
  --log-opt env=APP_NAME,SUB_NAME \
  your-image
```

The `--log-opt env=APP_NAME,SUB_NAME` list must name the variables you pass with `-e`, or the GELF message won't carry them and Logstash falls back to `host` and `source_host`.

Or in `docker-compose.yml`:

```yaml
services:
  your-service:
    environment:
      - APP_NAME=your-application
      - SUB_NAME=your-subsystem
    logging:
      driver: gelf
      options:
        gelf-address: "udp://<logstash-host>:12201"
        env: "APP_NAME,SUB_NAME"
```

Replace `<logstash-host>` with the hostname or IP of the host running Logstash.

**Step 5.** Verify the migration. In Coralogix, navigate to **Explore** > **Logs** and search the last 15 minutes. If your container logs appear, GELF logs are now flowing through Logstash. To confirm with a query instead of the UI, run this DataPrime query (replace the application name with yours):

```text
source logs | filter $l.applicationname == '<application-name>'
```

**Example.** A container started with `APP_NAME=payments`, `SUB_NAME=checkout`, and `--log-opt env=APP_NAME,SUB_NAME` causes Logstash to send a request body like this (abridged) to the singles endpoint:

```json
[
  {
    "applicationName": "payments",
    "subsystemName": "checkout",
    "computerName": "app-host-01",
    "text": "{\"message\":\"Order 4521 shipped\",\"APP_NAME\":\"payments\",\"SUB_NAME\":\"checkout\",\"host\":\"app-host-01\",\"level\":6}"
  }
]
```

The log then appears in Coralogix under application **payments** and subsystem **checkout**. Because `text` holds the event as JSON, Coralogix parses it automatically, so the original log line is available as the `message` field. The Docker GELF driver also forwards fields such as `container_id`, `image_name`, and `tag`; these travel inside `text` and become parsed fields in Coralogix.
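To test the Logstash listener from Step 3 before repointing containers in Step 4, the following added example (not Coralogix or Docker code) builds a GELF 1.1 datagram carrying `_APP_NAME` and `_SUB_NAME`, the way the GELF driver's `env` option does, and sends it to UDP port 12201. The function names, probe text, and size limit are assumptions made for illustration.

```python
import gzip
import json
import socket
import sys
import time

MAX_DATAGRAM = 1400  # conservative single-datagram limit chosen for this example


def build_gelf_probe(message, host, env=None, level=6):
    """Build one gzip-compressed GELF 1.1 datagram (constructed test data)."""
    payload = {
        "version": "1.1",
        "host": host,
        "short_message": message,
        "timestamp": round(time.time(), 3),
        "level": level,  # syslog severity, 6 = informational
    }
    # GELF additional fields carry a leading underscore. Docker's gelf driver
    # sends the variables named in --log-opt env=... this way, and the gelf
    # input's default strip_leading_underscore setting removes the prefix.
    for name, value in (env or {}).items():
        if name == "id":
            raise ValueError("GELF reserves the additional field _id")
        payload["_" + name] = value
    datagram = gzip.compress(json.dumps(payload).encode("utf-8"))
    if len(datagram) > MAX_DATAGRAM:
        raise ValueError("probe too large; GELF chunking is not implemented")
    return datagram


def send_probe(logstash_host, port=12201, **probe):
    """Send one probe over UDP and return the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(build_gelf_probe(**probe), (logstash_host, port))


if __name__ == "__main__":
    # Usage: python gelf_probe.py <logstash-host>
    sent = send_probe(sys.argv[1], message="migration probe",
                      host=socket.gethostname(),
                      env={"APP_NAME": "payments", "SUB_NAME": "checkout"})
    print(f"sent {sent} bytes; search Coralogix for application 'payments'")
```

UDP gives no delivery confirmation, so a successful send proves nothing by itself; the probe has passed only when it shows up in the Step 5 query. Calling `send_probe` without `env` exercises the `host` and `source_host` fallback in the filter.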

______________________________________________________________________

### UDP rsyslog migration: OTel Collector forwarder

Deploy an **OpenTelemetry Collector** with the syslog receiver to receive UDP syslog traffic and forward it to Coralogix.

**Step 1.** Install the OpenTelemetry Collector on a host reachable from your rsyslog instances. The `syslog` receiver and `coralogix` exporter are part of the `opentelemetry-collector-contrib` distribution, so install `otelcol-contrib` or the Coralogix OpenTelemetry distribution — the core `otelcol` build does not include them. See [Getting started with OpenTelemetry](https://coralogix.com/docs/opentelemetry/getting-started/index.md).

**Step 2.** Create a Collector configuration file:

```yaml
receivers:
  syslog:
    udp:
      listen_address: "0.0.0.0:514"
    protocol: rfc5424

exporters:
  coralogix:
    domain: "<your-coralogix-domain>"
    private_key: "<your-send-your-data-api-key>"
    application_name: "<application-name>"
    subsystem_name: "<subsystem-name>"
    timeout: 30s

service:
  pipelines:
    logs:
      receivers: [syslog]
      exporters: [coralogix]
```

Replace the placeholders with your Coralogix [domain](https://coralogix.com/docs/user-guides/account-management/account-settings/coralogix-domain/index.md), [Send-Your-Data API key](https://coralogix.com/docs/user-guides/account-management/api-keys/send-your-data-api-key/index.md), and application/subsystem names.

If your rsyslog instances use `rfc3164` format, change `protocol: rfc5424` to `protocol: rfc3164` in the receiver **and** send a matching RFC 3164 format from rsyslog: in the directive below, replace `RSYSLOG_SyslogProtocol23Format` (RFC 5424) with `RSYSLOG_TraditionalForwardFormat` (RFC 3164). The receiver protocol and the rsyslog template must match, or the Collector cannot parse the messages.

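Start the Collector with this configuration, for example `otelcol-contrib --config collector.yaml`, or restart your Collector service. Binding to UDP port 514 requires root or the `CAP_NET_BIND_SERVICE` capability, and the port must be open in the host firewall. Because the receiver listens on all interfaces (`0.0.0.0`) and UDP syslog is unauthenticated, open the port only to your rsyslog hosts.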

**Step 3.** Update your rsyslog configuration to send to the Collector. In `/etc/rsyslog.d/coralogix.rsyslog.conf`, replace the destination line:

```text
# Remove this line (Coralogix native UDP endpoint)
*.* @<old-coralogix-endpoint>;CoralogixSyslogFormat

# Add this line (OTel Collector)
*.* @<collector-host>:514;RSYSLOG_SyslogProtocol23Format
```

Replace `<collector-host>` with the hostname or IP of the host running the Collector. The `*.*` selector forwards every facility and severity; to forward only specific logs, replace it with a narrower rsyslog selector, for example `local0.*` or `*.warning`.

**Step 4.** Restart rsyslog:

```bash
sudo service rsyslog restart
```

**Step 5.** Verify the migration. In Coralogix, navigate to **Explore** > **Logs** and search the last 15 minutes. If your syslog messages appear, UDP rsyslog is now flowing through the Collector. To confirm with a query instead of the UI, run this DataPrime query (replace the subsystem name with the value from your exporter):

```text
source logs | filter $l.subsystemname == '<subsystem-name>'
```

**Example.** rsyslog forwards an RFC 5424 frame like this to the Collector:

```text
<13>1 2026-06-07T10:43:28.456038+00:00 app-host-01 myapp - - - Order 4521 shipped
```

The syslog receiver parses it into structured attributes — `appname`, `hostname`, `facility`, `priority`, `version`, and `message` — maps the syslog priority to the log's severity, and keeps the raw frame as the log body. The log appears in Coralogix under the `application_name` and `subsystem_name` set in the `coralogix` exporter. Unlike the Logstash path, the Collector does not populate the Coralogix `computerName` field; the originating host stays available in the `hostname` attribute.
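A pre-flight check for the protocol-match requirement in Step 2, as an added example (not Coralogix or OpenTelemetry code): it classifies a captured frame as RFC 5424 or RFC 3164 and decodes the PRI value, so you can confirm the receiver's `protocol` setting before cutover. The function names and the RFC 3164 sample are constructed for illustration, and the regexes are simplified (no escaped `]` in structured data).

```python
import re

FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock local0 local1 local2 local3 local4 "
              "local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[.*?\])+) ?(.*)$", re.S)
# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164 = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def classify_frame(frame):
    """Return the detected protocol and decoded header fields of one frame."""
    frame = frame.rstrip("\r\n")
    m = RFC5424.match(frame)
    if m:
        fields = {"protocol": "rfc5424", "hostname": m.group(3),
                  "appname": m.group(4), "message": m.group(8)}
    else:
        m = RFC3164.match(frame)
        if not m:
            raise ValueError("not an RFC 5424 or RFC 3164 frame")
        tag, _, msg = m.group(4).partition(":")
        fields = {"protocol": "rfc3164", "hostname": m.group(3),
                  "appname": tag, "message": msg.lstrip()}
    pri = int(m.group(1))
    if pri > 191:  # facility 23 with severity 7 is the highest valid PRI
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    fields.update(priority=pri, facility=FACILITIES[facility],
                  severity=SEVERITIES[severity])
    return fields


def receiver_matches(frame, receiver_protocol):
    """True when the frame's format equals the receiver's `protocol` value."""
    return classify_frame(frame)["protocol"] == receiver_protocol


# PAGE_FRAME is the frame shown on this page; LEGACY_FRAME is a constructed
# RFC 3164 rendering of the same event.
PAGE_FRAME = ("<13>1 2026-06-07T10:43:28.456038+00:00 app-host-01 myapp "
              "- - - Order 4521 shipped")
LEGACY_FRAME = "<13>Jun  7 10:43:28 app-host-01 myapp: Order 4521 shipped"

if __name__ == "__main__":
    for frame in (PAGE_FRAME, LEGACY_FRAME):
        print(classify_frame(frame), receiver_matches(frame, "rfc5424"))
```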

## What will happen after August 20, 2026?

- Native GELF and UDP rsyslog endpoints will be permanently shut down
- Containers and services still pointing to the old endpoints will stop shipping logs without warning
- Data may be lost if configurations are not updated in time

## Additional resources

| Resource                      | Link                                                                                                                                   |
| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
| Logstash GELF input plugin    | [logstash-input-gelf](https://www.elastic.co/docs/reference/logstash/plugins/plugins-inputs-gelf)                                      |
| Logstash integration          | [Logstash](https://coralogix.com/docs/integrations/files/logstash/index.md)                                                            |
| OTel syslog receiver          | [syslogreceiver README](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/receiver/syslogreceiver/README.md) |
| Syslog using OpenTelemetry    | [Syslog using OpenTelemetry](https://coralogix.com/docs/integrations/syslog/syslog-using-opentelemetry/index.md)                       |
| OpenTelemetry getting started | [Getting started with OpenTelemetry](https://coralogix.com/docs/opentelemetry/getting-started/index.md)                                |

## Need help?

Reach out via our 24/7 in-app support or contact your Technical Account Manager directly.
