Rsyslog Manual Configuration

The basic rsyslog configuration sends your local system logs to Loggly and gives you a foundation for adding file and application logs. If you cannot use our automated configure-syslog script, this guide walks you through a manual setup with a quick copy and paste. It assumes you have sudo access, you are on a common Linux distribution with rsyslog 1.19 or higher, the host receives local system logs, and port 514 is open for outbound connections. Note that this basic configuration ships logs over plain TCP, in cleartext; if you have different requirements, or are shipping sensitive data, see the Advanced section or the Rsyslog TLS configuration.

Rsyslog Configuration Manual Setup

  1. Configure Rsyslog

    Open or create a new Loggly configuration file for rsyslog:

    sudo vim /etc/rsyslog.d/22-loggly.conf

    Determine the version of rsyslog you are using

    rsyslogd -v

    If you are using version 6.x or lower, paste in this configuration:

    # Setup disk assisted queues
    $WorkDirectory /var/spool/rsyslog # where to place spool files
    $ActionQueueFileName fwdRule1     # unique name prefix for spool files
    $ActionQueueMaxDiskSpace 1g       # 1gb space limit (use as much as possible)
    $ActionQueueSaveOnShutdown on     # save messages to disk on shutdown
    $ActionQueueType LinkedList       # run asynchronously
    $ActionResumeRetryCount -1        # infinite retries if host is down
    
    $template LogglyFormat,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [TOKEN@41058 tag=\"TAG\"] %msg%\n"
    
    # Send messages to Loggly over TCP using the template.
    *.* @@logs-01.loggly.com:514;LogglyFormat
    

    If you are using version 7.x or higher, paste in this configuration:

    # Setup disk assisted queues
    $WorkDirectory /var/spool/rsyslog # where to place spool files
    $ActionQueueFileName fwdRule1     # unique name prefix for spool files
    $ActionQueueMaxDiskSpace 1g       # 1gb space limit (use as much as possible)
    $ActionQueueSaveOnShutdown on     # save messages to disk on shutdown
    $ActionQueueType LinkedList       # run asynchronously
    $ActionResumeRetryCount -1        # infinite retries if host is down
    
    template(name="LogglyFormat" type="string"
     string="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [TOKEN@41058 tag=\"TAG\"] %msg%\n")
    
    # Send messages to Loggly over TCP using the template.
    action(type="omfwd" protocol="tcp" target="logs-01.loggly.com" port="514" template="LogglyFormat")
    

    Replace the above variables:

    • TOKEN: Replace with your customer token. The token identifies your account to Loggly, so keep the file root-owned and not world-readable (for example chmod 600).
    • TAG: Replace with a tag that describes the syslog source. Stick to letters, digits, dots and hyphens: the tag is written into the structured-data element of every message, and an unescaped quote, backslash or "]" in it breaks the RFC 5424 parsing of each line.

    Open your /etc/rsyslog.conf and set $MaxMessageSize:

    $MaxMessageSize 64k

    If $MaxMessageSize is not present, add it. Put it at the top of the file, before any input module is loaded: the directive only affects inputs loaded after it, so a copy further down may silently not apply.

  2. Restart rsyslogd

    $ sudo service rsyslog restart
    

  3. Send A Test Event

    Use logger to send a test event. Alternatively, use the automatic verification option in configure-syslog.

    $ logger 'Hello World!'

  4. Verify

    Verify that it shows up in Loggly by doing a search over the past hour. If it does not, see the Rsyslog troubleshooting section below.

    Click on one of the logs to show the list of syslog fields. If you do not see them, check that you are using one of our automatically parsed formats.

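The whole procedure above as one script, added here as an example (it is not Loggly's configure-syslog script and not code from this page): it takes the major version from the rsyslogd -v output, renders 22-loggly.conf in either the legacy directive syntax (6.x and older) or the RainerScript syntax (7.x and newer) with the token and tag spliced into the structured-data element, and installs the file with mode 0600 because the customer token is effectively a credential for your account. The host, port, file name and SD-ID 41058 are taken from this page; the character whitelist for token and tag, the numeric-version check and the atomic 0600 install are this example's own choices.

```shell
#!/bin/sh
# Added example (not Loggly's configure-syslog script): render and install the
# 22-loggly.conf fragment from this page for either rsyslog config syntax.
# Assumptions: file name, host, port and SD-ID 41058 come from the page; the
# token/tag character whitelist and the 0600 file mode are this example's choices.

# rsyslog_major VERSION_TEXT: print the major version from `rsyslogd -v` output,
# e.g. "rsyslogd 8.2102.0 (aka 2021.02) compiled with:" -> 8.
rsyslog_major() {
    printf '%s\n' "$1" | sed -n 's/^rsyslogd[[:space:]]*\([0-9][0-9]*\)\..*/\1/p' | head -n 1
}

# render_loggly_conf TOKEN TAG MAJOR: write the configuration to stdout, using the
# legacy directive syntax for rsyslog 6.x and older and RainerScript for 7.x and newer.
render_loggly_conf() {
    token=$1
    tag=$2
    major=$3
    # Both values are spliced into the RFC 5424 structured-data element of every
    # message; a quote, backslash or ']' in them would corrupt the whole stream,
    # so anything outside a conservative whitelist is rejected (this example's choice).
    case "$token" in
        ''|*[!A-Za-z0-9-]*) echo "render_loggly_conf: token must match [A-Za-z0-9-]" >&2; return 1 ;;
    esac
    case "$tag" in
        ''|*[!A-Za-z0-9._-]*) echo "render_loggly_conf: tag must match [A-Za-z0-9._-]" >&2; return 1 ;;
    esac
    case "$major" in
        ''|*[!0-9]*) echo "render_loggly_conf: major version must be numeric" >&2; return 1 ;;
    esac

    # Quoted heredoc: nothing is expanded, so the legacy $-directives pass through intact.
    cat <<'EOF'
# Setup disk assisted queues
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1     # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g       # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on     # save messages to disk on shutdown
$ActionQueueType LinkedList       # run asynchronously
$ActionResumeRetryCount -1        # infinite retries if host is down

EOF
    # RFC 5424 line with the Loggly token and tag in the structured-data element.
    # \\\" and \\n become the literal \" and \n that rsyslog's template syntax expects.
    fmt="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [${token}@41058 tag=\\\"${tag}\\\"] %msg%\\n"

    if [ "$major" -ge 7 ]; then
        printf 'template(name="LogglyFormat" type="string"\n string="%s")\n\n' "$fmt"
        printf '# Send messages to Loggly over TCP using the template.\n'
        printf 'action(type="omfwd" protocol="tcp" target="logs-01.loggly.com" port="514" template="LogglyFormat")\n'
    else
        printf '$template LogglyFormat,"%s"\n\n' "$fmt"
        printf '# Send messages to Loggly over TCP using the template.\n'
        printf '*.* @@logs-01.loggly.com:514;LogglyFormat\n'
    fi
}

# install_loggly_conf TOKEN TAG MAJOR [DIR]: write DIR/22-loggly.conf (default
# /etc/rsyslog.d) with mode 0600. The token authenticates whoever holds it to your
# Loggly account, so the file must not be world-readable.
install_loggly_conf() {
    dir=${4:-/etc/rsyslog.d}
    out="$dir/22-loggly.conf"
    tmp="$out.tmp.$$"
    # umask 077 in a subshell creates the file as 0600 from the first byte; the
    # rename means rsyslog never picks up a half-written fragment.
    ( umask 077 && render_loggly_conf "$1" "$2" "$3" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$out"
}
```

On a real host you would run it as root, e.g. `install_loggly_conf "$TOKEN" "$TAG" "$(rsyslog_major "$(rsyslogd -v)")"`, then check the complete configuration with `sudo rsyslogd -N1` before the restart in step 2; a typo in the fragment otherwise surfaces only as a daemon that fails to start and a gap in your logs.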

  5. Next Steps

Advanced Rsyslog Configuration Options

  • Rsyslog TLS config – securely send sensitive data using TLS encryption
  • Switch to UDP logging by using a single "@" instead of "@@" in the *.* @@logs-01.loggly.com:514;LogglyFormat line of 22-loggly.conf (or protocol="udp" in the action() form). UDP is fire-and-forget: there is no acknowledgement or retry, so the disk-assisted queue settings above cannot prevent loss, and it is just as cleartext as plain TCP.
  • The default maximum supported message size is 8K. Use the $MaxMessageSize parameter in /etc/rsyslog.conf to accept messages larger than 8K.
  • Streaming syslog to Loggly – accept syslog from the network or localhost, avoid file writes
  • Systemd logs – send logs from linux distributions that have systemd or journald
  • Scrub Data in Rsyslog – Scrubs Sensitive Data matching a particular Regular Expression
  • Use Puppet to configure syslog on many nodes
  • Joyent or SmartOS Containers – the config file is stored in /opt/local/etc/rsyslog.conf
  • Search or post your own rsyslog configuration questions in the community forum.

Troubleshooting Rsyslog Configuration

Troubleshooting Rsyslog offers tips if you do not see data in the verification step.
