Listens on a ZeroMQ endpoint and receives events.
accept_zmq endpoint:string, [prefix=string, keep_prefix=bool, { … }]
Description
Binds a ZeroMQ SUB socket to the specified endpoint and receives messages that
match the configured subscription prefix.
Use accept_zmq when Tenzir should own the listening endpoint. This matches the
naming used by other transport operators such as accept_tcp, even
though ZeroMQ itself calls this binding rather than accepting.
As with from_zmq, the prefix option uses ZeroMQ’s raw subscription
filtering. When keep_prefix=false, the operator strips the matched prefix
before handing the remaining bytes to the nested pipeline.
endpoint: string
The endpoint to listen on, for example tcp://0.0.0.0:5555, ipc://path, or
inproc://name.
prefix = string (optional)
A constant subscription prefix to install on the SUB socket.
The expression must evaluate to a string before the operator starts receiving messages. It cannot depend on event fields.
Defaults to the empty string, which subscribes to all messages.
keep_prefix = bool (optional)
Whether to keep the matched prefix in the bytes that are passed to the nested pipeline.
Defaults to false.
{ … } (optional)
The pipeline to run for incoming message payloads. It receives bytes and must
produce events, for example { read_json } or { read_syslog }.
If you omit the nested pipeline, the operator emits one event per message with a
single field message containing the message payload as a blob.
Examples
Listen for JSON messages
accept_zmq "tcp://0.0.0.0:5555" {
  read_json
}
Listen with a subscription prefix
accept_zmq "tcp://0.0.0.0:5555", prefix="suricata/" {
  read_suricata
}
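The prefix and keep_prefix semantics described above, modeled in Python as an added example (not Tenzir's code or implementation). The function names and the sample messages are hypothetical, and the model assumes the publisher sends topic and payload in a single frame, with json.loads standing in for the nested pipeline.

```python
import json

def deliver(message: bytes, prefix: bytes = b"", keep_prefix: bool = False):
    """Return the bytes handed to the nested pipeline, or None if filtered out."""
    # ZeroMQ SUB filtering is a raw byte-prefix comparison: case-sensitive and
    # unaware of separators. The empty prefix matches every message.
    if not message.startswith(prefix):
        return None
    return message if keep_prefix else message[len(prefix):]

def receive(messages, prefix: bytes = b"", keep_prefix: bool = False):
    """Filter, optionally strip the prefix, then parse each payload as JSON."""
    events, rejected = [], []
    for msg in messages:
        payload = deliver(msg, prefix, keep_prefix)
        if payload is None:
            continue  # filtered by the subscription, never reaches the parser
        try:
            events.append(json.loads(payload))
        except ValueError:
            rejected.append(payload)  # parser saw leftover topic bytes
    return events, rejected

# Constructed sample messages (topic and JSON payload in one frame).
SAMPLE = [
    b'suricata/{"event_type": "alert", "src_ip": "192.0.2.10"}',
    b'suricata-test/{"event_type": "alert", "src_ip": "192.0.2.99"}',
    b'zeek/{"_path": "conn"}',
    b'Suricata/{"event_type": "dns"}',
]

if __name__ == "__main__":
    # Exact topic with delimiter: only the first message is parsed.
    print(receive(SAMPLE, b"suricata/"))
    # Prefix without the delimiter also matches "suricata-test/", and the
    # stripped remainder ("/{...", "-test/{...") is no longer valid JSON.
    print(receive(SAMPLE, b"suricata"))
    # keep_prefix=True leaves the topic in front of the JSON document.
    print(receive(SAMPLE, b"suricata/", keep_prefix=True))
```

In this model, a prefix that omits the topic delimiter admits sibling topics and leaves stray bytes ahead of the payload, so the subscription prefix should cover the full topic including its separator.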