TCP data input configuration fields
Summary of TCP data input configuration fields
This content details the configuration fields available when setting up TCP data inputs in ServiceNow, specifically for streaming log data via MID Servers. It guides customers on how to properly configure both basic and advanced settings to ensure efficient and secure log ingestion.
Basic configuration
- Name: Required field to assign a unique name to the data input.
- Description: Optional field to describe the data input.
- Port: Required field to select a unique port for the MID Server to listen on. Customers must coordinate with their security teams to ensure the port is open and available.
- MID: Required selection of a MID Server that supports log ingestion with basic authentication (note that MID Servers using mTLS are excluded). By default, a single MID Server can stream logs from up to 10 data inputs, configurable in the MID Server properties.
- Service instance: Required field to bind the log data to a specific service instance. If none exists, customers are advised to create one and set its status to Operational.
Additionally, several read-only fields provide real-time information such as the data input’s status, transport protocol (TCP), number of log sources created, timestamps of last log received and any disabling events, plus automatic error messages related to streaming issues.
Advanced configuration
These optional settings allow customers to fine-tune the TCP data input behavior:
- Use SSL/TLS: Enable secure transmission of log data.
- Look up hostnames: Option to resolve IP addresses to hostnames via DNS.
- Boss thread count: Number of threads managing connections (default 1).
- Worker thread count: Number of threads handling incoming data (default 4).
- Read timeout seconds: Timeout period since the last read before the system closes the connection (default 30 seconds).
- Default timezone: Time zone used when logs do not specify one (default GMT).
- Sub sample drop and receive ratios: Control event sampling ratios (default -1, meaning no sampling).
- Max length in bytes: Maximum length allowed for log messages (default 32766 bytes).
- Character encoding: Encoding format for log data (default UTF-8).
- Drop if queue is full: Option to discard logs if MID Server load is high.
- Line breaker delimiters: Characters used to split raw log lines, customizable as a comma-separated list.
Practical considerations for ServiceNow customers
When configuring TCP data inputs, customers should ensure:
- Selected ports are unique and approved by security teams to avoid connectivity issues.
- MID Servers chosen support basic authentication for log ingestion and are configured within allowed input limits.
- Service instances are properly established and operational to correctly bind incoming logs.
- Advanced settings are adjusted based on performance needs, security requirements, and log format specifications.
- Monitoring the read-only status and error fields helps quickly identify and resolve streaming problems.
Description of the fields on the TCP data input configuration form.
Basic configuration
| Field | Description |
|---|---|
| Name | Name of the new data input. This field is required. |
| Description | Description of the data input. |
| Port | The port for the MID Server. Select a unique port from the array. The placeholder shows the range of ports from which to choose. Make sure that your organization’s security team opens the selected port. This field is required. |
| MID | The MID Server to which the logs are streamed. Note: This field is required. |
| Service instance | The service instance to which to bind the log data. This field is required. Note: If no relevant service instance exists, create a service instance and add CIs to it. Set the status of the new service instance to Operational. |
The following fields show read-only information:
| Field | Description |
|---|---|
| Status | Status of the data input. |
| Transport | Protocol used to send the log data. Rsyslog and Splunk send data using the TCP protocol. |
| Sources count | The number of log sources this data input has created. |
| Disabled since | The time when the data input stopped or failed. |
| Last log time | The time when the last log streamed in the data input. |
| Error message | The streaming error. This field is populated automatically. It displays only when a streaming error has occurred. |
Advanced configuration
| Field | Description | Default value |
|---|---|---|
| Use SSL/TLS | Option for selecting to use SSL/TLS. | |
| Look up hostnames | Option for selecting to perform DNS lookup to resolve IPs to hostnames. | false |
| Boss thread count | The number of threads that manage connections. | 1 |
| Worker thread count | The number of threads that handle incoming data. | 4 |
| Read timeout seconds | The timeout in seconds since the last read. When the timeout expires, the system closes the channel. | 30 |
| Default timezone | The default time zone of events. The system uses this default when the log does not specify a time zone. | GMT |
| Sub sample drop ratio | The ratio of events to drop. | -1 |
| Sub sample receive ratio | The ratio of events to receive. | -1 |
| Max length in bytes | The maximum length of log messages in bytes. | 32766 |
| Character encoding | The character encoding for this data input. | UTF-8 |
| Drop if queue is full | Option for selecting to discard logs if there is a load on the MID Server. | |
| Line breaker delimiters | The line break character separating the raw log lines. Splitting values must be separated by a comma followed by a space: ", ". For example: "\r, \n, , splitHere, #". | |
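
The Max length in bytes, Character encoding and Line breaker delimiters fields together decide whether an event arrives as one intact log line. The following sender-side pre-flight check is an added example, not ServiceNow code. It assumes that a configured delimiter inside an event splits it on receipt; `check_event`, `frame` and the sample values are hypothetical names and constructed data, and the page does not state what the MID Server does with over-length messages.

```python
# Added example: sender-side pre-flight check, not ServiceNow code.
MAX_LENGTH_BYTES = 32766      # "Max length in bytes" default from the table
CHARACTER_ENCODING = "utf-8"  # "Character encoding" default from the table


def check_event(event, delimiters, encoding=CHARACTER_ENCODING,
                max_bytes=MAX_LENGTH_BYTES):
    """Return the reasons `event` would not arrive as one intact log line.

    `delimiters` holds the entries of the "Line breaker delimiters" field.
    Assumption: any delimiter found inside an event splits it on receipt.
    """
    try:
        raw = event.encode(encoding)
    except UnicodeEncodeError as exc:
        return [f"not encodable as {encoding}: {exc.reason}"]
    problems = []
    # The limit counts bytes, so multi-byte characters use it up faster.
    if len(raw) > max_bytes:
        problems.append(f"{len(raw)} bytes exceeds limit of {max_bytes}")
    for d in delimiters:
        if d and d in event:
            problems.append(f"contains delimiter {d!r}")
    return problems


def frame(events, delimiters, terminator="\n", encoding=CHARACTER_ENCODING,
          max_bytes=MAX_LENGTH_BYTES):
    """Encode the events that pass check_event, each ending in `terminator`.

    Returns (payload, rejected); rejected maps event index -> problems.
    """
    if terminator not in delimiters:
        raise ValueError("terminator must be a configured delimiter")
    payload, rejected = bytearray(), {}
    for i, event in enumerate(events):
        problems = check_event(event, delimiters, encoding, max_bytes)
        if problems:
            rejected[i] = problems
        else:
            payload += (event + terminator).encode(encoding)
    return bytes(payload), rejected


# Constructed sample: delimiters as if the field held "\r, \n, #".
DELIMS = ["\r", "\n", "#"]
SAMPLE = [
    "sshd[811]: Accepted publickey for deploy from 192.0.2.10",
    "app: note=ok\nsshd[811]: Accepted password for root",  # embedded \n
    "app: " + "é" * 20000,  # 20005 characters, 40005 bytes in UTF-8
]
PAYLOAD, REJECTED = frame(SAMPLE, DELIMS)
```

Events listed in `REJECTED` should be escaped, shortened or logged locally by the sender rather than streamed as-is, so that a single application event cannot appear downstream as several unrelated log lines.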