Adding upstream version 1.34.4.

Signed-off-by: Daniel Baumann <daniel@debian.org>

plugins/outputs/syslog/README.md

@@ -0,0 +1,149 @@
+# Syslog Output Plugin
+
+This plugin writes metrics as syslog messages via UDP in
+[RFC5426 format][rfc5426] or via TCP in [RFC6587 format][rfc6587] or via
+TLS in [RFC5425 format][rfc5425], with or without the octet counting framing.
+
+> [!IMPORTANT]
+> Syslog messages are formatted according to [RFC5424][rfc5424] limiting the
+> field sizes when sending messages according to the
+> [syslog message format][msgformat] section of the RFC. Sending messages beyond
+> these sizes may get dropped by a strict receiver silently.
+
+⭐ Telegraf v1.11.0
+🏷️ logging
+💻 all
+
+[rfc5426]: https://tools.ietf.org/html/rfc5426
+[rfc6587]: https://tools.ietf.org/html/rfc6587
+[rfc5425]: https://tools.ietf.org/html/rfc5425
+[rfc5424]: https://tools.ietf.org/html/rfc5424
+[msgformat]: https://datatracker.ietf.org/doc/html/rfc5424#section-6
+
+## Global configuration options <!-- @/docs/includes/plugin_config.md -->
+
+In addition to the plugin-specific configuration settings, plugins support
+additional global and plugin configuration settings. These settings are used to
+modify metrics, tags, and field or create aliases and configure ordering, etc.
+See the [CONFIGURATION.md][CONFIGURATION.md] for more details.
+
+[CONFIGURATION.md]: ../../../docs/CONFIGURATION.md#plugins
+
+## Startup error behavior options <!-- @/docs/includes/startup_error_behavior.md -->
+
+In addition to the plugin-specific and global configuration settings the plugin
+supports options for specifying the behavior when experiencing startup errors
+using the `startup_error_behavior` setting. Available values are:
+
+- `error`:  Telegraf with stop and exit in case of startup errors. This is the
+            default behavior.
+- `ignore`: Telegraf will ignore startup errors for this plugin and disables it
+            but continues processing for all other plugins.
+- `retry`:  Telegraf will try to startup the plugin in every gather or write
+            cycle in case of startup errors. The plugin is disabled until
+            the startup succeeds.
+- `probe`:  Telegraf will probe the plugin's function (if possible) and disables the plugin
+            in case probing fails. If the plugin does not support probing, Telegraf will
+            behave as if `ignore` was set instead.
+
+## Configuration
+
+```toml @sample.conf
+# Configuration for Syslog server to send metrics to
+[[outputs.syslog]]
+  ## URL to connect to
+  ## ex: address = "tcp://127.0.0.1:8094"
+  ## ex: address = "tcp4://127.0.0.1:8094"
+  ## ex: address = "tcp6://127.0.0.1:8094"
+  ## ex: address = "tcp6://[2001:db8::1]:8094"
+  ## ex: address = "udp://127.0.0.1:8094"
+  ## ex: address = "udp4://127.0.0.1:8094"
+  ## ex: address = "udp6://127.0.0.1:8094"
+  address = "tcp://127.0.0.1:8094"
+
+  ## Optional TLS Config
+  # tls_ca = "/etc/telegraf/ca.pem"
+  # tls_cert = "/etc/telegraf/cert.pem"
+  # tls_key = "/etc/telegraf/key.pem"
+  ## Use TLS but skip chain & host verification
+  # insecure_skip_verify = false
+
+  ## Period between keep alive probes.
+  ## Only applies to TCP sockets.
+  ## 0 disables keep alive probes.
+  ## Defaults to the OS configuration.
+  # keep_alive_period = "5m"
+
+  ## The framing technique with which it is expected that messages are
+  ## transported (default = "octet-counting").  Whether the messages come
+  ## using the octet-counting (RFC5425#section-4.3.1, RFC6587#section-3.4.1),
+  ## or the non-transparent framing technique (RFC6587#section-3.4.2).  Must
+  ## be one of "octet-counting", "non-transparent".
+  # framing = "octet-counting"
+
+  ## The trailer to be expected in case of non-transparent framing (default = "LF").
+  ## Must be one of "LF", or "NUL".
+  # trailer = "LF"
+
+  ## SD-PARAMs settings
+  ## Syslog messages can contain key/value pairs within zero or more
+  ## structured data sections.  For each unrecognized metric tag/field a
+  ## SD-PARAMS is created.
+  ##
+  ## Example:
+  ##   [[outputs.syslog]]
+  ##     sdparam_separator = "_"
+  ##     default_sdid = "default@32473"
+  ##     sdids = ["foo@123", "bar@456"]
+  ##
+  ##   input => xyzzy,x=y foo@123_value=42,bar@456_value2=84,something_else=1
+  ##   output (structured data only) => [foo@123 value=42][bar@456 value2=84][default@32473 something_else=1 x=y]
+
+  ## SD-PARAMs separator between the sdid and tag/field key (default = "_")
+  # sdparam_separator = "_"
+
+  ## Default sdid used for tags/fields that don't contain a prefix defined in
+  ## the explicit sdids setting below If no default is specified, no SD-PARAMs
+  ## will be used for unrecognized field.
+  # default_sdid = "default@32473"
+
+  ## List of explicit prefixes to extract from tag/field keys and use as the
+  ## SDID, if they match (see above example for more details):
+  # sdids = ["foo@123", "bar@456"]
+
+  ## Default severity value. Severity and Facility are used to calculate the
+  ## message PRI value (RFC5424#section-6.2.1).  Used when no metric field
+  ## with key "severity_code" is defined.  If unset, 5 (notice) is the default
+  # default_severity_code = 5
+
+  ## Default facility value. Facility and Severity are used to calculate the
+  ## message PRI value (RFC5424#section-6.2.1).  Used when no metric field with
+  ## key "facility_code" is defined.  If unset, 1 (user-level) is the default
+  # default_facility_code = 1
+
+  ## Default APP-NAME value (RFC5424#section-6.2.5)
+  ## Used when no metric tag with key "appname" is defined.
+  ## If unset, "Telegraf" is the default
+  # default_appname = "Telegraf"
+```
+
+## Metric mapping
+
+The output plugin expects syslog metrics tags and fields to match up with the
+ones created in the [syslog input][].
+
+The following table shows the metric tags, field and defaults used to format
+syslog messages.
+
+| Syslog field | Metric Tag | Metric Field | Default value |
+| --- | --- | --- | --- |
+| APP-NAME | appname | - | default_appname = "Telegraf" |
+| TIMESTAMP | - | timestamp | Metric's own timestamp |
+| VERSION | - | version | 1 |
+| PRI | - | severity_code + (8 * facility_code)| default_severity_code=5 (notice), default_facility_code=1 (user-level)|
+| HOSTNAME | hostname OR source OR host | - | os.Hostname() |
+| MSGID | - | msgid | Metric name |
+| PROCID | - | procid | - |
+| MSG | - | msg | - |
+
+[syslog input]: /plugins/inputs/syslog#metrics

plugins/outputs/syslog/sample.conf

@@ -0,0 +1,76 @@
+# Configuration for Syslog server to send metrics to
+[[outputs.syslog]]
+  ## URL to connect to
+  ## ex: address = "tcp://127.0.0.1:8094"
+  ## ex: address = "tcp4://127.0.0.1:8094"
+  ## ex: address = "tcp6://127.0.0.1:8094"
+  ## ex: address = "tcp6://[2001:db8::1]:8094"
+  ## ex: address = "udp://127.0.0.1:8094"
+  ## ex: address = "udp4://127.0.0.1:8094"
+  ## ex: address = "udp6://127.0.0.1:8094"
+  address = "tcp://127.0.0.1:8094"
+
+  ## Optional TLS Config
+  # tls_ca = "/etc/telegraf/ca.pem"
+  # tls_cert = "/etc/telegraf/cert.pem"
+  # tls_key = "/etc/telegraf/key.pem"
+  ## Use TLS but skip chain & host verification
+  # insecure_skip_verify = false
+
+  ## Period between keep alive probes.
+  ## Only applies to TCP sockets.
+  ## 0 disables keep alive probes.
+  ## Defaults to the OS configuration.
+  # keep_alive_period = "5m"
+
+  ## The framing technique with which it is expected that messages are
+  ## transported (default = "octet-counting").  Whether the messages come
+  ## using the octet-counting (RFC5425#section-4.3.1, RFC6587#section-3.4.1),
+  ## or the non-transparent framing technique (RFC6587#section-3.4.2).  Must
+  ## be one of "octet-counting", "non-transparent".
+  # framing = "octet-counting"
+
+  ## The trailer to be expected in case of non-transparent framing (default = "LF").
+  ## Must be one of "LF", or "NUL".
+  # trailer = "LF"
+
+  ## SD-PARAMs settings
+  ## Syslog messages can contain key/value pairs within zero or more
+  ## structured data sections.  For each unrecognized metric tag/field a
+  ## SD-PARAMS is created.
+  ##
+  ## Example:
+  ##   [[outputs.syslog]]
+  ##     sdparam_separator = "_"
+  ##     default_sdid = "default@32473"
+  ##     sdids = ["foo@123", "bar@456"]
+  ##
+  ##   input => xyzzy,x=y foo@123_value=42,bar@456_value2=84,something_else=1
+  ##   output (structured data only) => [foo@123 value=42][bar@456 value2=84][default@32473 something_else=1 x=y]
+
+  ## SD-PARAMs separator between the sdid and tag/field key (default = "_")
+  # sdparam_separator = "_"
+
+  ## Default sdid used for tags/fields that don't contain a prefix defined in
+  ## the explicit sdids setting below If no default is specified, no SD-PARAMs
+  ## will be used for unrecognized field.
+  # default_sdid = "default@32473"
+
+  ## List of explicit prefixes to extract from tag/field keys and use as the
+  ## SDID, if they match (see above example for more details):
+  # sdids = ["foo@123", "bar@456"]
+
+  ## Default severity value. Severity and Facility are used to calculate the
+  ## message PRI value (RFC5424#section-6.2.1).  Used when no metric field
+  ## with key "severity_code" is defined.  If unset, 5 (notice) is the default
+  # default_severity_code = 5
+
+  ## Default facility value. Facility and Severity are used to calculate the
+  ## message PRI value (RFC5424#section-6.2.1).  Used when no metric field with
+  ## key "facility_code" is defined.  If unset, 1 (user-level) is the default
+  # default_facility_code = 1
+
+  ## Default APP-NAME value (RFC5424#section-6.2.5)
+  ## Used when no metric tag with key "appname" is defined.
+  ## If unset, "Telegraf" is the default
+  # default_appname = "Telegraf"

plugins/outputs/syslog/syslog.go

@@ -0,0 +1,192 @@
+//go:generate ../../../tools/readme_config_includer/generator
+package syslog
+
+import (
+	"crypto/tls"
+	_ "embed"
+	"errors"
+	"fmt"
+	"net"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/leodido/go-syslog/v4/nontransparent"
+	"github.com/leodido/go-syslog/v4/rfc5424"
+
+	"github.com/influxdata/telegraf"
+	"github.com/influxdata/telegraf/config"
+	"github.com/influxdata/telegraf/internal"
+	common_tls "github.com/influxdata/telegraf/plugins/common/tls"
+	"github.com/influxdata/telegraf/plugins/outputs"
+)
+
+//go:embed sample.conf
+var sampleConfig string
+
+type Syslog struct {
+	Address             string
+	KeepAlivePeriod     *config.Duration
+	DefaultSdid         string
+	DefaultSeverityCode uint8
+	DefaultFacilityCode uint8
+	DefaultAppname      string
+	Sdids               []string
+	Separator           string `toml:"sdparam_separator"`
+	Framing             string `toml:"framing"`
+	Trailer             nontransparent.TrailerType
+	Log                 telegraf.Logger `toml:"-"`
+	net.Conn
+	common_tls.ClientConfig
+	mapper *SyslogMapper
+}
+
+func (*Syslog) SampleConfig() string {
+	return sampleConfig
+}
+func (s *Syslog) Init() error {
+	// Check framing and set default
+	switch s.Framing {
+	case "":
+		s.Framing = "octet-counting"
+	case "octet-counting", "non-transparent":
+	default:
+		return fmt.Errorf("invalid 'framing' %q", s.Framing)
+	}
+	return nil
+}
+
+func (s *Syslog) Connect() error {
+	s.initializeSyslogMapper()
+
+	spl := strings.SplitN(s.Address, "://", 2)
+	if len(spl) != 2 {
+		return fmt.Errorf("invalid address: %s", s.Address)
+	}
+
+	tlsCfg, err := s.ClientConfig.TLSConfig()
+	if err != nil {
+		return err
+	}
+
+	var c net.Conn
+	if tlsCfg == nil {
+		c, err = net.Dial(spl[0], spl[1])
+	} else {
+		c, err = tls.Dial(spl[0], spl[1], tlsCfg)
+	}
+	if err != nil {
+		return &internal.StartupError{Err: err, Retry: true}
+	}
+
+	if err := s.setKeepAlive(c); err != nil {
+		s.Log.Warnf("unable to configure keep alive (%s): %s", s.Address, err)
+	}
+
+	s.Conn = c
+	return nil
+}
+
+func (s *Syslog) setKeepAlive(c net.Conn) error {
+	if s.KeepAlivePeriod == nil {
+		return nil
+	}
+	tcpc, ok := c.(*net.TCPConn)
+	if !ok {
+		return fmt.Errorf("cannot set keep alive on a %s socket", strings.SplitN(s.Address, "://", 2)[0])
+	}
+	if *s.KeepAlivePeriod == 0 {
+		return tcpc.SetKeepAlive(false)
+	}
+	if err := tcpc.SetKeepAlive(true); err != nil {
+		return err
+	}
+	return tcpc.SetKeepAlivePeriod(time.Duration(*s.KeepAlivePeriod))
+}
+
+func (s *Syslog) Close() error {
+	if s.Conn == nil {
+		return nil
+	}
+	err := s.Conn.Close()
+	s.Conn = nil
+	return err
+}
+
+func (s *Syslog) Write(metrics []telegraf.Metric) (err error) {
+	if s.Conn == nil {
+		// previous write failed with permanent error and socket was closed.
+		if err := s.Connect(); err != nil {
+			return err
+		}
+	}
+	for _, metric := range metrics {
+		msg, err := s.mapper.MapMetricToSyslogMessage(metric)
+		if err != nil {
+			s.Log.Errorf("Failed to create syslog message: %v", err)
+			continue
+		}
+
+		msgBytesWithFraming, err := s.getSyslogMessageBytesWithFraming(msg)
+		if err != nil {
+			s.Log.Errorf("Failed to convert syslog message with framing: %v", err)
+			continue
+		}
+		if _, err = s.Conn.Write(msgBytesWithFraming); err != nil {
+			var netErr net.Error
+			if errors.As(err, &netErr) {
+				s.Close()
+				s.Conn = nil
+				return fmt.Errorf("closing connection: %w", netErr)
+			}
+			return err
+		}
+	}
+	return nil
+}
+
+func (s *Syslog) getSyslogMessageBytesWithFraming(msg *rfc5424.SyslogMessage) ([]byte, error) {
+	var msgString string
+	var err error
+	if msgString, err = msg.String(); err != nil {
+		return nil, err
+	}
+	msgBytes := []byte(msgString)
+
+	if s.Framing == "octet-counting" {
+		return append([]byte(strconv.Itoa(len(msgBytes))+" "), msgBytes...), nil
+	}
+	// Non-transparent framing
+	trailer, err := s.Trailer.Value()
+	if err != nil {
+		return nil, err
+	}
+	return append(msgBytes, byte(trailer)), nil
+}
+
+func (s *Syslog) initializeSyslogMapper() {
+	if s.mapper != nil {
+		return
+	}
+	s.mapper = newSyslogMapper()
+	s.mapper.DefaultFacilityCode = s.DefaultFacilityCode
+	s.mapper.DefaultSeverityCode = s.DefaultSeverityCode
+	s.mapper.DefaultAppname = s.DefaultAppname
+	s.mapper.Separator = s.Separator
+	s.mapper.DefaultSdid = s.DefaultSdid
+	s.mapper.Sdids = s.Sdids
+}
+
+func newSyslog() *Syslog {
+	return &Syslog{
+		Trailer:             nontransparent.LF,
+		Separator:           "_",
+		DefaultSeverityCode: uint8(5), // notice
+		DefaultFacilityCode: uint8(1), // user-level
+		DefaultAppname:      "Telegraf",
+	}
+}
+
+func init() {
+	outputs.Add("syslog", func() telegraf.Output { return newSyslog() })
+}

plugins/outputs/syslog/syslog_mapper.go

@@ -0,0 +1,202 @@
+package syslog
+
+import (
+	"errors"
+	"math"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/leodido/go-syslog/v4/rfc5424"
+
+	"github.com/influxdata/telegraf"
+)
+
+type SyslogMapper struct {
+	DefaultSdid         string
+	DefaultSeverityCode uint8
+	DefaultFacilityCode uint8
+	DefaultAppname      string
+	Sdids               []string
+	Separator           string
+	reservedKeys        map[string]bool
+}
+
+// MapMetricToSyslogMessage maps metrics tags/fields to syslog messages
+func (sm *SyslogMapper) MapMetricToSyslogMessage(metric telegraf.Metric) (*rfc5424.SyslogMessage, error) {
+	msg := &rfc5424.SyslogMessage{}
+
+	sm.mapPriority(metric, msg)
+	sm.mapStructuredData(metric, msg)
+	sm.mapAppname(metric, msg)
+	mapHostname(metric, msg)
+	mapTimestamp(metric, msg)
+	mapMsgID(metric, msg)
+	mapVersion(metric, msg)
+	mapProcID(metric, msg)
+	mapMsg(metric, msg)
+
+	if !msg.Valid() {
+		return nil, errors.New("metric could not produce valid syslog message")
+	}
+	return msg, nil
+}
+
+func (sm *SyslogMapper) mapStructuredData(metric telegraf.Metric, msg *rfc5424.SyslogMessage) {
+	for _, tag := range metric.TagList() {
+		sm.mapStructuredDataItem(tag.Key, tag.Value, msg)
+	}
+	for _, field := range metric.FieldList() {
+		sm.mapStructuredDataItem(field.Key, formatValue(field.Value), msg)
+	}
+}
+
+func (sm *SyslogMapper) mapStructuredDataItem(key, value string, msg *rfc5424.SyslogMessage) {
+	// Do not add already reserved keys
+	if sm.reservedKeys[key] {
+		return
+	}
+
+	// Add keys matching one of the sd-IDs
+	for _, sdid := range sm.Sdids {
+		if k := strings.TrimPrefix(key, sdid+sm.Separator); key != k {
+			msg.SetParameter(sdid, k, value)
+			return
+		}
+	}
+
+	// Add remaining keys with the default sd-ID if configured
+	if sm.DefaultSdid == "" {
+		return
+	}
+	k := strings.TrimPrefix(key, sm.DefaultSdid+sm.Separator)
+	msg.SetParameter(sm.DefaultSdid, k, value)
+}
+
+func (sm *SyslogMapper) mapAppname(metric telegraf.Metric, msg *rfc5424.SyslogMessage) {
+	if value, ok := metric.GetTag("appname"); ok {
+		msg.SetAppname(formatValue(value))
+	} else {
+		// Use default appname
+		msg.SetAppname(sm.DefaultAppname)
+	}
+}
+
+func mapMsgID(metric telegraf.Metric, msg *rfc5424.SyslogMessage) {
+	if value, ok := metric.GetField("msgid"); ok {
+		msg.SetMsgID(formatValue(value))
+	} else {
+		// We default to metric name
+		msg.SetMsgID(metric.Name())
+	}
+}
+
+func mapVersion(metric telegraf.Metric, msg *rfc5424.SyslogMessage) {
+	if value, ok := metric.GetField("version"); ok {
+		if v, ok := value.(uint64); ok {
+			msg.SetVersion(uint16(v))
+			return
+		}
+	}
+	msg.SetVersion(1)
+}
+
+func mapMsg(metric telegraf.Metric, msg *rfc5424.SyslogMessage) {
+	if value, ok := metric.GetField("msg"); ok {
+		msg.SetMessage(formatValue(value))
+	}
+}
+
+func mapProcID(metric telegraf.Metric, msg *rfc5424.SyslogMessage) {
+	if value, ok := metric.GetField("procid"); ok {
+		msg.SetProcID(formatValue(value))
+	}
+}
+
+func (sm *SyslogMapper) mapPriority(metric telegraf.Metric, msg *rfc5424.SyslogMessage) {
+	severityCode := sm.DefaultSeverityCode
+	facilityCode := sm.DefaultFacilityCode
+
+	if value, ok := getFieldCode(metric, "severity_code"); ok {
+		severityCode = *value
+	}
+
+	if value, ok := getFieldCode(metric, "facility_code"); ok {
+		facilityCode = *value
+	}
+
+	priority := (8 * facilityCode) + severityCode
+	msg.SetPriority(priority)
+}
+
+func mapHostname(metric telegraf.Metric, msg *rfc5424.SyslogMessage) {
+	// Try with hostname, then with source, then with host tags, then take OS Hostname
+	if value, ok := metric.GetTag("hostname"); ok {
+		msg.SetHostname(formatValue(value))
+	} else if value, ok := metric.GetTag("source"); ok {
+		msg.SetHostname(formatValue(value))
+	} else if value, ok := metric.GetTag("host"); ok {
+		msg.SetHostname(formatValue(value))
+	} else if value, err := os.Hostname(); err == nil {
+		msg.SetHostname(value)
+	}
+}
+
+func mapTimestamp(metric telegraf.Metric, msg *rfc5424.SyslogMessage) {
+	timestamp := metric.Time()
+
+	if value, ok := metric.GetField("timestamp"); ok {
+		if v, ok := value.(int64); ok {
+			timestamp = time.Unix(0, v).UTC()
+		}
+	}
+	msg.SetTimestamp(timestamp.Format(time.RFC3339))
+}
+
+func formatValue(value interface{}) string {
+	switch v := value.(type) {
+	case string:
+		return v
+	case bool:
+		if v {
+			return "1"
+		}
+		return "0"
+	case uint64:
+		return strconv.FormatUint(v, 10)
+	case int64:
+		return strconv.FormatInt(v, 10)
+	case float64:
+		if math.IsNaN(v) {
+			return ""
+		}
+
+		if math.IsInf(v, 0) {
+			return ""
+		}
+		return strconv.FormatFloat(v, 'f', -1, 64)
+	}
+
+	return ""
+}
+
+func getFieldCode(metric telegraf.Metric, fieldKey string) (*uint8, bool) {
+	if value, ok := metric.GetField(fieldKey); ok {
+		if v, err := strconv.ParseUint(formatValue(value), 10, 8); err == nil {
+			r := uint8(v)
+			return &r, true
+		}
+	}
+	return nil, false
+}
+
+func newSyslogMapper() *SyslogMapper {
+	return &SyslogMapper{
+		reservedKeys: map[string]bool{
+			"version": true, "severity_code": true, "facility_code": true,
+			"procid": true, "msgid": true, "msg": true, "timestamp": true, "sdid": true,
+			"hostname": true, "source": true, "host": true, "severity": true,
+			"facility": true, "appname": true},
+	}
+}

plugins/outputs/syslog/syslog_mapper_test.go

@@ -0,0 +1,219 @@
+package syslog
+
+import (
+	"os"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/influxdata/telegraf/metric"
+)
+
+func TestSyslogMapperWithDefaults(t *testing.T) {
+	s := newSyslog()
+	s.initializeSyslogMapper()
+
+	// Init metrics
+	m1 := metric.New(
+		"testmetric",
+		map[string]string{},
+		map[string]interface{}{},
+		time.Date(2010, time.November, 10, 23, 0, 0, 0, time.UTC),
+	)
+	hostname, err := os.Hostname()
+	require.NoError(t, err)
+	syslogMessage, err := s.mapper.MapMetricToSyslogMessage(m1)
+	require.NoError(t, err)
+	str, err := syslogMessage.String()
+	require.NoError(t, err)
+	require.Equal(t, "<13>1 2010-11-10T23:00:00Z "+hostname+" Telegraf - testmetric -", str, "Wrong syslog message")
+}
+
+func TestSyslogMapperWithHostname(t *testing.T) {
+	s := newSyslog()
+	s.initializeSyslogMapper()
+
+	// Init metrics
+	m1 := metric.New(
+		"testmetric",
+		map[string]string{
+			"hostname": "testhost",
+			"source":   "sourcevalue",
+			"host":     "hostvalue",
+		},
+		map[string]interface{}{},
+		time.Date(2010, time.November, 10, 23, 0, 0, 0, time.UTC),
+	)
+	syslogMessage, err := s.mapper.MapMetricToSyslogMessage(m1)
+	require.NoError(t, err)
+	str, err := syslogMessage.String()
+	require.NoError(t, err)
+	require.Equal(t, "<13>1 2010-11-10T23:00:00Z testhost Telegraf - testmetric -", str, "Wrong syslog message")
+}
+func TestSyslogMapperWithHostnameSourceFallback(t *testing.T) {
+	s := newSyslog()
+	s.initializeSyslogMapper()
+
+	// Init metrics
+	m1 := metric.New(
+		"testmetric",
+		map[string]string{
+			"source": "sourcevalue",
+			"host":   "hostvalue",
+		},
+		map[string]interface{}{},
+		time.Date(2010, time.November, 10, 23, 0, 0, 0, time.UTC),
+	)
+	syslogMessage, err := s.mapper.MapMetricToSyslogMessage(m1)
+	require.NoError(t, err)
+	str, err := syslogMessage.String()
+	require.NoError(t, err)
+	require.Equal(t, "<13>1 2010-11-10T23:00:00Z sourcevalue Telegraf - testmetric -", str, "Wrong syslog message")
+}
+
+func TestSyslogMapperWithHostnameHostFallback(t *testing.T) {
+	s := newSyslog()
+	s.initializeSyslogMapper()
+
+	// Init metrics
+	m1 := metric.New(
+		"testmetric",
+		map[string]string{
+			"host": "hostvalue",
+		},
+		map[string]interface{}{},
+		time.Date(2010, time.November, 10, 23, 0, 0, 0, time.UTC),
+	)
+	syslogMessage, err := s.mapper.MapMetricToSyslogMessage(m1)
+	require.NoError(t, err)
+	str, err := syslogMessage.String()
+	require.NoError(t, err)
+	require.Equal(t, "<13>1 2010-11-10T23:00:00Z hostvalue Telegraf - testmetric -", str, "Wrong syslog message")
+}
+
+func TestSyslogMapperWithDefaultSdid(t *testing.T) {
+	s := newSyslog()
+	s.DefaultSdid = "default@32473"
+	s.initializeSyslogMapper()
+
+	// Init metrics
+	m1 := metric.New(
+		"testmetric",
+		map[string]string{
+			"appname":            "testapp",
+			"hostname":           "testhost",
+			"tag1":               "bar",
+			"default@32473_tag2": "foobar",
+		},
+		map[string]interface{}{
+			"severity_code":        uint64(3),
+			"facility_code":        uint64(3),
+			"msg":                  "Test message",
+			"procid":               uint64(25),
+			"version":              uint16(2),
+			"msgid":                int64(555),
+			"timestamp":            time.Date(2010, time.November, 10, 23, 30, 0, 0, time.UTC).UnixNano(),
+			"value1":               int64(2),
+			"default@32473_value2": "foo",
+			"value3":               float64(1.2),
+		},
+		time.Date(2010, time.November, 10, 23, 0, 0, 0, time.UTC),
+	)
+
+	syslogMessage, err := s.mapper.MapMetricToSyslogMessage(m1)
+	require.NoError(t, err)
+	str, err := syslogMessage.String()
+	require.NoError(t, err)
+	require.Equal(
+		t,
+		"<27>2 2010-11-10T23:30:00Z testhost testapp 25 555 [default@32473 tag1=\"bar\" tag2=\"foobar\" "+
+			"value1=\"2\" value2=\"foo\" value3=\"1.2\"] Test message",
+		str,
+		"Wrong syslog message",
+	)
+}
+
+func TestSyslogMapperWithDefaultSdidAndOtherSdids(t *testing.T) {
+	s := newSyslog()
+	s.DefaultSdid = "default@32473"
+	s.Sdids = []string{"bar@123", "foo@456"}
+	s.initializeSyslogMapper()
+
+	// Init metrics
+	m1 := metric.New(
+		"testmetric",
+		map[string]string{
+			"appname":            "testapp",
+			"hostname":           "testhost",
+			"tag1":               "bar",
+			"default@32473_tag2": "foobar",
+			"bar@123_tag3":       "barfoobar",
+		},
+		map[string]interface{}{
+			"severity_code":        uint64(1),
+			"facility_code":        uint64(3),
+			"msg":                  "Test message",
+			"procid":               uint64(25),
+			"version":              uint16(2),
+			"msgid":                int64(555),
+			"timestamp":            time.Date(2010, time.November, 10, 23, 30, 0, 0, time.UTC).UnixNano(),
+			"value1":               int64(2),
+			"default@32473_value2": "default",
+			"bar@123_value3":       int64(2),
+			"foo@456_value4":       "foo",
+		},
+		time.Date(2010, time.November, 10, 23, 0, 0, 0, time.UTC),
+	)
+
+	syslogMessage, err := s.mapper.MapMetricToSyslogMessage(m1)
+	require.NoError(t, err)
+	str, err := syslogMessage.String()
+	require.NoError(t, err)
+	require.Equal(
+		t,
+		"<25>2 2010-11-10T23:30:00Z testhost testapp 25 555 [bar@123 tag3=\"barfoobar\" value3=\"2\"][default@32473 "+
+			"tag1=\"bar\" tag2=\"foobar\" value1=\"2\" value2=\"default\"][foo@456 value4=\"foo\"] Test message",
+		str,
+		"Wrong syslog message",
+	)
+}
+
+func TestSyslogMapperWithNoSdids(t *testing.T) {
+	// Init mapper
+	s := newSyslog()
+	s.initializeSyslogMapper()
+
+	// Init metrics
+	m1 := metric.New(
+		"testmetric",
+		map[string]string{
+			"appname":            "testapp",
+			"hostname":           "testhost",
+			"tag1":               "bar",
+			"default@32473_tag2": "foobar",
+			"bar@123_tag3":       "barfoobar",
+			"foo@456_tag4":       "foobarfoo",
+		},
+		map[string]interface{}{
+			"severity_code":        uint64(2),
+			"facility_code":        uint64(3),
+			"msg":                  "Test message",
+			"procid":               uint64(25),
+			"version":              uint16(2),
+			"msgid":                int64(555),
+			"timestamp":            time.Date(2010, time.November, 10, 23, 30, 0, 0, time.UTC).UnixNano(),
+			"value1":               int64(2),
+			"default@32473_value2": "default",
+			"bar@123_value3":       int64(2),
+			"foo@456_value4":       "foo",
+		},
+		time.Date(2010, time.November, 10, 23, 0, 0, 0, time.UTC),
+	)
+
+	syslogMessage, err := s.mapper.MapMetricToSyslogMessage(m1)
+	require.NoError(t, err)
+	str, err := syslogMessage.String()
+	require.NoError(t, err)
+	require.Equal(t, "<26>2 2010-11-10T23:30:00Z testhost testapp 25 555 - Test message", str, "Wrong syslog message")
+}

plugins/outputs/syslog/syslog_test.go

@@ -0,0 +1,584 @@
+package syslog
+
+import (
+	"bytes"
+	"net"
+	"os"
+	"path/filepath"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/leodido/go-syslog/v4/nontransparent"
+	"github.com/stretchr/testify/require"
+
+	"github.com/influxdata/telegraf"
+	"github.com/influxdata/telegraf/config"
+	"github.com/influxdata/telegraf/internal"
+	"github.com/influxdata/telegraf/metric"
+	"github.com/influxdata/telegraf/models"
+	"github.com/influxdata/telegraf/plugins/outputs"
+	"github.com/influxdata/telegraf/plugins/parsers/influx"
+	"github.com/influxdata/telegraf/testutil"
+)
+
+func TestGetSyslogMessageWithFramingOctetCounting(t *testing.T) {
+	// Init plugin
+	s := newSyslog()
+	require.NoError(t, s.Init())
+	s.initializeSyslogMapper()
+
+	// Init metrics
+	m1 := metric.New(
+		"testmetric",
+		map[string]string{
+			"hostname": "testhost",
+		},
+		map[string]interface{}{},
+		time.Date(2010, time.November, 10, 23, 0, 0, 0, time.UTC),
+	)
+
+	syslogMessage, err := s.mapper.MapMetricToSyslogMessage(m1)
+	require.NoError(t, err)
+	messageBytesWithFraming, err := s.getSyslogMessageBytesWithFraming(syslogMessage)
+	require.NoError(t, err)
+
+	require.Equal(t, "59 <13>1 2010-11-10T23:00:00Z testhost Telegraf - testmetric -", string(messageBytesWithFraming), "Incorrect Octet counting framing")
+}
+
+func TestGetSyslogMessageWithFramingNonTransparent(t *testing.T) {
+	// Init plugin
+	s := newSyslog()
+	require.NoError(t, s.Init())
+	s.initializeSyslogMapper()
+	s.Framing = "non-transparent"
+
+	// Init metrics
+	m1 := metric.New(
+		"testmetric",
+		map[string]string{
+			"hostname": "testhost",
+		},
+		map[string]interface{}{},
+		time.Date(2010, time.November, 10, 23, 0, 0, 0, time.UTC),
+	)
+
+	syslogMessage, err := s.mapper.MapMetricToSyslogMessage(m1)
+	require.NoError(t, err)
+	messageBytesWithFraming, err := s.getSyslogMessageBytesWithFraming(syslogMessage)
+	require.NoError(t, err)
+
+	require.Equal(t, "<13>1 2010-11-10T23:00:00Z testhost Telegraf - testmetric -\n", string(messageBytesWithFraming), "Incorrect Octet counting framing")
+}
+
+func TestGetSyslogMessageWithFramingNonTransparentNul(t *testing.T) {
+	// Init plugin
+	s := newSyslog()
+	require.NoError(t, s.Init())
+	s.initializeSyslogMapper()
+	s.Framing = "non-transparent"
+	s.Trailer = nontransparent.NUL
+
+	// Init metrics
+	m1 := metric.New(
+		"testmetric",
+		map[string]string{
+			"hostname": "testhost",
+		},
+		map[string]interface{}{},
+		time.Date(2010, time.November, 10, 23, 0, 0, 0, time.UTC),
+	)
+
+	syslogMessage, err := s.mapper.MapMetricToSyslogMessage(m1)
+	require.NoError(t, err)
+	messageBytesWithFraming, err := s.getSyslogMessageBytesWithFraming(syslogMessage)
+	require.NoError(t, err)
+
+	require.Equal(t, "<13>1 2010-11-10T23:00:00Z testhost Telegraf - testmetric -\x00", string(messageBytesWithFraming), "Incorrect Octet counting framing")
+}
+
+func TestSyslogWriteWithTcp(t *testing.T) {
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+
+	s := newSyslog()
+	require.NoError(t, s.Init())
+	s.Address = "tcp://" + listener.Addr().String()
+
+	err = s.Connect()
+	require.NoError(t, err)
+
+	lconn, err := listener.Accept()
+	require.NoError(t, err)
+
+	testSyslogWriteWithStream(t, s, lconn)
+}
+
+func TestSyslogWriteWithUdp(t *testing.T) {
+	listener, err := net.ListenPacket("udp", "127.0.0.1:0")
+	require.NoError(t, err)
+
+	s := newSyslog()
+	require.NoError(t, s.Init())
+	s.Address = "udp://" + listener.LocalAddr().String()
+
+	err = s.Connect()
+	require.NoError(t, err)
+
+	testSyslogWriteWithPacket(t, s, listener)
+}
+
+func testSyslogWriteWithStream(t *testing.T, s *Syslog, lconn net.Conn) {
+	m1 := metric.New(
+		"testmetric",
+		map[string]string{},
+		map[string]interface{}{},
+		time.Date(2010, time.November, 10, 23, 0, 0, 0, time.UTC))
+
+	metrics := []telegraf.Metric{m1}
+	syslogMessage, err := s.mapper.MapMetricToSyslogMessage(metrics[0])
+	require.NoError(t, err)
+	messageBytesWithFraming, err := s.getSyslogMessageBytesWithFraming(syslogMessage)
+	require.NoError(t, err)
+
+	err = s.Write(metrics)
+	require.NoError(t, err)
+
+	buf := make([]byte, 256)
+	n, err := lconn.Read(buf)
+	require.NoError(t, err)
+	require.Equal(t, string(messageBytesWithFraming), string(buf[:n]))
+}
+
+func testSyslogWriteWithPacket(t *testing.T, s *Syslog, lconn net.PacketConn) {
+	s.Framing = "non-transparent"
+	m1 := metric.New(
+		"testmetric",
+		map[string]string{},
+		map[string]interface{}{},
+		time.Date(2010, time.November, 10, 23, 0, 0, 0, time.UTC))
+
+	metrics := []telegraf.Metric{m1}
+	syslogMessage, err := s.mapper.MapMetricToSyslogMessage(metrics[0])
+	require.NoError(t, err)
+	messageBytesWithFraming, err := s.getSyslogMessageBytesWithFraming(syslogMessage)
+	require.NoError(t, err)
+
+	err = s.Write(metrics)
+	require.NoError(t, err)
+
+	buf := make([]byte, 256)
+	n, _, err := lconn.ReadFrom(buf)
+	require.NoError(t, err)
+	require.Equal(t, string(messageBytesWithFraming), string(buf[:n]))
+}
+
+func TestSyslogWriteErr(t *testing.T) {
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+
+	s := newSyslog()
+	require.NoError(t, s.Init())
+	s.Address = "tcp://" + listener.Addr().String()
+
+	err = s.Connect()
+	require.NoError(t, err)
+	err = s.Conn.(*net.TCPConn).SetReadBuffer(256)
+	require.NoError(t, err)
+
+	lconn, err := listener.Accept()
+	require.NoError(t, err)
+	err = lconn.(*net.TCPConn).SetWriteBuffer(256)
+	require.NoError(t, err)
+
+	metrics := []telegraf.Metric{testutil.TestMetric(1, "testerr")}
+
+	// close the socket to generate an error
+	err = lconn.Close()
+	require.NoError(t, err)
+
+	err = s.Conn.Close()
+	require.NoError(t, err)
+
+	err = s.Write(metrics)
+	require.Error(t, err)
+	require.Nil(t, s.Conn)
+}
+
+func TestSyslogWriteReconnect(t *testing.T) {
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+
+	s := newSyslog()
+	require.NoError(t, s.Init())
+	s.Address = "tcp://" + listener.Addr().String()
+
+	err = s.Connect()
+	require.NoError(t, err)
+	err = s.Conn.(*net.TCPConn).SetReadBuffer(256)
+	require.NoError(t, err)
+
+	lconn, err := listener.Accept()
+	require.NoError(t, err)
+	err = lconn.(*net.TCPConn).SetWriteBuffer(256)
+	require.NoError(t, err)
+	err = lconn.Close()
+	require.NoError(t, err)
+	s.Conn = nil
+
+	wg := sync.WaitGroup{}
+	wg.Add(1)
+	var lerr error
+	go func() {
+		lconn, lerr = listener.Accept()
+		wg.Done()
+	}()
+
+	metrics := []telegraf.Metric{testutil.TestMetric(1, "testerr")}
+	err = s.Write(metrics)
+	require.NoError(t, err)
+
+	wg.Wait()
+	require.NoError(t, lerr)
+
+	syslogMessage, err := s.mapper.MapMetricToSyslogMessage(metrics[0])
+	require.NoError(t, err)
+	messageBytesWithFraming, err := s.getSyslogMessageBytesWithFraming(syslogMessage)
+	require.NoError(t, err)
+	buf := make([]byte, 256)
+	n, err := lconn.Read(buf)
+	require.NoError(t, err)
+	require.Equal(t, string(messageBytesWithFraming), string(buf[:n]))
+}
+
+func TestStartupErrorBehaviorDefault(t *testing.T) {
+	// Setup a dummy listener but do not accept connections
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	address := listener.Addr().String()
+	listener.Close()
+
+	// Setup the plugin and the model to be able to use the startup retry strategy
+	plugin := &Syslog{
+		Address:             "tcp://" + address,
+		Trailer:             nontransparent.LF,
+		Separator:           "_",
+		DefaultSeverityCode: uint8(5), // notice
+		DefaultFacilityCode: uint8(1), // user-level
+		DefaultAppname:      "Telegraf",
+	}
+
+	model := models.NewRunningOutput(
+		plugin,
+		&models.OutputConfig{
+			Name: "syslog",
+		},
+		10, 100,
+	)
+	require.NoError(t, model.Init())
+
+	// Starting the plugin will fail with an error because the server does not listen
+	err = model.Connect()
+	require.Error(t, err, "connection should be refused")
+	var serr *internal.StartupError
+	require.ErrorAs(t, err, &serr)
+}
+
+func TestStartupErrorBehaviorError(t *testing.T) {
+	// Setup a dummy listener but do not accept connections
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	address := listener.Addr().String()
+	listener.Close()
+
+	// Setup the plugin and the model to be able to use the startup retry strategy
+	plugin := &Syslog{
+		Address:             "tcp://" + address,
+		Trailer:             nontransparent.LF,
+		Separator:           "_",
+		DefaultSeverityCode: uint8(5), // notice
+		DefaultFacilityCode: uint8(1), // user-level
+		DefaultAppname:      "Telegraf",
+	}
+
+	model := models.NewRunningOutput(
+		plugin,
+		&models.OutputConfig{
+			Name:                 "syslog",
+			StartupErrorBehavior: "error",
+		},
+		10, 100,
+	)
+	require.NoError(t, model.Init())
+
+	// Starting the plugin will fail with an error because the server does not listen
+	err = model.Connect()
+	require.Error(t, err, "connection should be refused")
+	var serr *internal.StartupError
+	require.ErrorAs(t, err, &serr)
+}
+
+func TestStartupErrorBehaviorIgnore(t *testing.T) {
+	// Setup a dummy listener but do not accept connections
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	address := listener.Addr().String()
+	listener.Close()
+
+	// Setup the plugin and the model to be able to use the startup retry strategy
+	plugin := &Syslog{
+		Address:             "tcp://" + address,
+		Trailer:             nontransparent.LF,
+		Separator:           "_",
+		DefaultSeverityCode: uint8(5), // notice
+		DefaultFacilityCode: uint8(1), // user-level
+		DefaultAppname:      "Telegraf",
+	}
+
+	model := models.NewRunningOutput(
+		plugin,
+		&models.OutputConfig{
+			Name:                 "syslog",
+			StartupErrorBehavior: "ignore",
+		},
+		10, 100,
+	)
+	require.NoError(t, model.Init())
+
+	// Starting the plugin will fail because the server does not accept connections.
+	// The model code should convert it to a fatal error for the agent to remove
+	// the plugin.
+	err = model.Connect()
+	require.Error(t, err, "connection should be refused")
+	var fatalErr *internal.FatalError
+	require.ErrorAs(t, err, &fatalErr)
+}
+
+func TestStartupErrorBehaviorRetry(t *testing.T) {
+	// Setup a dummy listener but do not accept connections
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	address := listener.Addr().String()
+	listener.Close()
+
+	// Setup the plugin and the model to be able to use the startup retry strategy
+	plugin := &Syslog{
+		Address:             "tcp://" + address,
+		Trailer:             nontransparent.LF,
+		Separator:           "_",
+		DefaultSeverityCode: uint8(5), // notice
+		DefaultFacilityCode: uint8(1), // user-level
+		DefaultAppname:      "Telegraf",
+	}
+
+	model := models.NewRunningOutput(
+		plugin,
+		&models.OutputConfig{
+			Name:                 "syslog",
+			StartupErrorBehavior: "retry",
+		},
+		10, 100,
+	)
+	require.NoError(t, model.Init())
+
+	// Starting the plugin will return no error because the plugin will
+	// retry to connect in every write cycle.
+	require.NoError(t, model.Connect())
+	defer model.Close()
+
+	// Writing metrics in this state should fail because we are not fully
+	// started up
+	metrics := testutil.MockMetrics()
+	for _, m := range metrics {
+		model.AddMetric(m)
+	}
+	require.ErrorIs(t, model.WriteBatch(), internal.ErrNotConnected)
+
+	// Startup an actually working listener we can connect and write to
+	listener, err = net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	defer listener.Close()
+
+	var wg sync.WaitGroup
+	buf := make([]byte, 256)
+
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+
+		conn, err := listener.Accept()
+		if err != nil {
+			t.Logf("accepting connection failed: %v", err)
+			t.Fail()
+			return
+		}
+
+		if err := conn.SetReadDeadline(time.Now().Add(3 * time.Second)); err != nil {
+			t.Logf("setting read deadline failed: %v", err)
+			t.Fail()
+			return
+		}
+
+		if _, err := conn.Read(buf); err != nil {
+			t.Logf("reading failed: %v", err)
+			t.Fail()
+		}
+	}()
+
+	// Update the plugin's address and write again. This time the write should
+	// succeed.
+	plugin.Address = "tcp://" + listener.Addr().String()
+	require.NoError(t, model.WriteBatch())
+	wg.Wait()
+	require.NotEmpty(t, string(buf))
+}
+
+func TestCases(t *testing.T) {
+	// Get all testcase directories
+	folders, err := os.ReadDir("testcases")
+	require.NoError(t, err)
+
+	// Register the plugin
+	outputs.Add("syslog", func() telegraf.Output { return newSyslog() })
+
+	for _, f := range folders {
+		// Only handle folders
+		if !f.IsDir() {
+			continue
+		}
+
+		t.Run(f.Name(), func(t *testing.T) {
+			testcasePath := filepath.Join("testcases", f.Name())
+			configFilename := filepath.Join(testcasePath, "telegraf.conf")
+			inputFilename := filepath.Join(testcasePath, "input.influx")
+			expectedFilename := filepath.Join(testcasePath, "expected.out")
+			expectedErrorFilename := filepath.Join(testcasePath, "expected.err")
+
+			// Get parser to parse input and expected output
+			parser := &influx.Parser{}
+			require.NoError(t, parser.Init())
+
+			// Load the input data
+			input, err := testutil.ParseMetricsFromFile(inputFilename, parser)
+			require.NoError(t, err)
+
+			// Read the expected output if any
+			var expected []byte
+			if _, err := os.Stat(expectedFilename); err == nil {
+				expected, err = os.ReadFile(expectedFilename)
+				require.NoError(t, err)
+			}
+
+			// Read the expected output if any
+			var expectedError string
+			if _, err := os.Stat(expectedErrorFilename); err == nil {
+				expectedErrors, err := testutil.ParseLinesFromFile(expectedErrorFilename)
+				require.NoError(t, err)
+				require.Len(t, expectedErrors, 1)
+				expectedError = expectedErrors[0]
+			}
+
+			// Configure the plugin
+			cfg := config.NewConfig()
+			require.NoError(t, cfg.LoadConfig(configFilename))
+			require.Len(t, cfg.Outputs, 1)
+
+			// Create a mock-server to receive the data
+			server, err := newMockServer()
+			require.NoError(t, err)
+
+			var wg sync.WaitGroup
+			wg.Add(1)
+			go func() {
+				defer wg.Done()
+				server.listen()
+			}()
+			defer server.close()
+
+			// Setup the plugin
+			plugin := cfg.Outputs[0].Output.(*Syslog)
+			plugin.Address = "udp://" + server.address()
+			plugin.Log = testutil.Logger{}
+			require.NoError(t, plugin.Init())
+			require.NoError(t, plugin.Connect())
+			defer plugin.Close()
+
+			// Write the data and wait for it to arrive
+			err = plugin.Write(input)
+			if expectedError != "" {
+				require.ErrorContains(t, err, expectedError)
+				return
+			}
+			require.NoError(t, err)
+			require.NoError(t, plugin.Close())
+
+			require.Eventuallyf(t, func() bool {
+				return server.len() >= len(expected)
+			}, 3*time.Second, 100*time.Millisecond, "received %q", server.message())
+
+			// Check the received data
+			require.Equal(t, string(expected), server.message())
+		})
+	}
+}
+
+type mockServer struct {
+	conn *net.UDPConn
+
+	data bytes.Buffer
+	err  error
+
+	sync.Mutex
+}
+
+func newMockServer() (*mockServer, error) {
+	addr, err := net.ResolveUDPAddr("udp", "127.0.0.1:0")
+	if err != nil {
+		return nil, err
+	}
+
+	conn, err := net.ListenUDP("udp", addr)
+	if err != nil {
+		return nil, err
+	}
+
+	return &mockServer{conn: conn}, nil
+}
+
+func (s *mockServer) address() string {
+	return s.conn.LocalAddr().String()
+}
+
+func (s *mockServer) listen() {
+	buf := make([]byte, 2048)
+	for {
+		n, err := s.conn.Read(buf)
+		if err != nil {
+			s.err = err
+			return
+		}
+		s.Lock()
+		_, _ = s.data.Write(buf[:n])
+		s.Unlock()
+	}
+}
+
+func (s *mockServer) close() error {
+	if s.conn == nil {
+		return nil
+	}
+
+	return s.conn.Close()
+}
+
+func (s *mockServer) message() string {
+	s.Lock()
+	defer s.Unlock()
+	return s.data.String()
+}
+
+func (s *mockServer) len() int {
+	s.Lock()
+	defer s.Unlock()
+	return s.data.Len()
+}

plugins/outputs/syslog/testcases/issue_16012/expected.out

@@ -0,0 +1 @@
+342 <13>1 2024-10-11T21:30:04Z draco Telegraf - scc-change-logs [additional entityUid="6b580296-7199-47b5-9736-9b91329c284e" lastEventDate="2024-10-09T19:26:13Z" status="COMPLETED" uid="544ee602-1f4c-4f5f-bbd2-365d865d78b3"][events action="UPDATE" date="2024-10-09T19:26:08Z" description="Changed ASA Config" diff="" username="user@mydomain.com"]

plugins/outputs/syslog/testcases/issue_16012/input.influx

@@ -0,0 +1 @@
+scc-change-logs,host=draco events_description="Changed ASA Config",events_diff="@@ -5,1 +5,1 @@\\n-: Written by lockhart at 18:53:02.210 UTC Tue Oct 8 2024\\n+: Written by lockhart at 19:24:54.048 UTC Wed Oct 9 2024\\n@@ -135,2 +135,0 @@\\n-object network 1.1.1.1\\n-host 1.1.1.1\\n@@ -239,0 +237,2 @@\\n+object network 1.1.1.1\\n+host 1.1.1.1\\n@@ -1108,1 +1108,1 @@\\n-Cryptochecksum:b06f479add1a10f8388a2958d0ee0018\\n+Cryptochecksum:b858dfb10323f3dbc9694a49b8c94168",events_username="user@mydomain.com",events_date="2024-10-09T19:26:08Z",events_action="UPDATE",uid="544ee602-1f4c-4f5f-bbd2-365d865d78b3",status="COMPLETED",lastEventDate="2024-10-09T19:26:13Z",entityUid="6b580296-7199-47b5-9736-9b91329c284e" 1728682204000000000

plugins/outputs/syslog/testcases/issue_16012/telegraf.conf

@@ -0,0 +1,4 @@
+[[outputs.syslog]]
+  address = "udp://127.0.0.1:0"
+  default_sdid = "additional"
+  sdids = ["events"]