Logentries Docs

Rsyslog


Rsyslog is a syslog daemon commonly deployed in Debian and Ubuntu systems. It typically uses a simple TCP connection to send logs line-by-line.

We support two methods of forwarding rsyslog events to Logentries, which are explained below. We recommend using our Token-based input method which brings additional security and is independent of the actual source IP address.


Token-based Logging

Create a new Host in the UI. Inside this host, create a new Log, select Token TCP and register the log. You will receive a unique Token UUID, which is printed under the form and then beside the log name in the list of logs.

Enter this token where it says TOKEN_HERE below and place the two lines at the bottom of your rsyslog configuration file, found at /etc/rsyslog.conf.

$template LogentriesFormat,"TOKEN_HERE %HOSTNAME% %syslogtag%%msg%\n"

*.* @@api.logentries.com:10000;LogentriesFormat

Plain TCP/UDP Forwarding (Legacy)

If you would rather use a more basic input, create a host in the Logentries UI. Inside that host, create a log, select Plain TCP/UDP and register the log. You will receive a PORT number to use, which is printed under the form and beside the log name in the list of logs.

Simply add the PORT number to the following line and place it at the bottom of your rsyslog configuration file found at /etc/rsyslog.conf.

*.* @@api.logentries.com:PORT

For UDP forwarding use a single @.


Restart

In order to accept any changes to its configuration, restart your syslog server with the following command. You should then start to see your events displayed in the log you just set up in your account:

sudo service rsyslog restart

Configuring rsyslog to follow a regular file

Rsyslog can be configured to follow any files on your system. Full documentation on this can be found here.

If you wanted to follow a file called /var/log/myapp/errors.log, you would enter the following lines in your /etc/rsyslog.conf configuration file, above the previous snippet we added.

$ModLoad imfile

$InputFileName /var/log/myapp/errors.log
$InputFileTag myapp
$InputFileStateFile myapp-file1
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

# Only entered once in case of following multiple files
$InputFilePollInterval 1

Filtering rsyslog to send events to specific files

Rsyslog allows you to filter logs and assign different destinations to different events. Full documentation on this can be found here.

If you wanted to send your nginx access log to a single log on Logentries, you would first follow the above section so that the nginx access log is monitored, taking note of the value you gave for $InputFileTag.

Then you would enter the following in your /etc/rsyslog.conf.

$template NginxTemplate,"TOKEN_HERE %HOSTNAME% %syslogtag%%msg%\n"

if $programname == 'mytag' then @@api.logentries.com:10000;NginxTemplate
& ~

You need to create a log on Logentries and choose Token TCP; the token that is printed in green is then inserted above where it says TOKEN_HERE.

You also need to make sure that the value you used for $InputFileTag matches the value that $programname is being checked against. The third line (& ~) simply discards the event after it is sent to Logentries; you can omit it if you would like the event to also be sent somewhere else in your /etc/rsyslog.conf.


Encryption

In untrusted networks, you can set up encryption with certificate validation. You may need to join the Logentries certificate with CA’s certificates in logentries.all.crt. All certificates are available for download on the certificates page.

Make sure you have installed support for TLS. Usually this is achieved by installing the rsyslog-gnutls package.

Sample configuration to enable encryption may look like this:

$DefaultNetstreamDriverCAFile /opt/ssl/logentries.all.crt

$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.logentries.com

*.* @@api.logentries.com:PORT

Note that you have to specify the right port number. The port number is either 20000 for Token-based input or in the case of Plain TCP/UDP, your assigned port number increased by 10000.
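The plaintext Token TCP, UDP and encrypted variants above differ only in the @ prefix, the port and the gtls stream-driver directives, which makes a config review easy to automate. The following is an added example (not part of the Logentries docs or of rsyslog) that audits a legacy-format rsyslog.conf for the points this page raises: a TOKEN_HERE or PORT placeholder left in, UDP or plaintext TCP forwarding of the token, TLS without certificate validation, and TLS pointed at the plaintext token port 10000 instead of 20000; the two sample configs and the all-zero token are constructed for the demonstration.

```python
import re

TOKEN_PLAIN_PORT, TOKEN_TLS_PORT = "10000", "20000"  # Logentries Token TCP ports named on the page
FORWARD_RE = re.compile(r"(?:^\*\.\*|\bthen)\s+(@{1,2})api\.logentries\.com:(\S+?)(?:;\S+)?$")
DIRECTIVE_RE = re.compile(r"^\$(\w+)\s+(.+?)\s*$")  # legacy "$Directive value" lines

def audit_rsyslog_conf(text):
    """Return findings for the Logentries forwarding stanzas in a legacy-format rsyslog.conf."""
    directives, forwards, findings = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        d = DIRECTIVE_RE.match(line)
        if d:
            key, value = d.group(1).lower(), d.group(2)  # directive names are case-insensitive
            directives[key] = value
            if key == "template" and "TOKEN_HERE" in value:
                findings.append("template still contains the TOKEN_HERE placeholder")
            continue
        f = FORWARD_RE.search(line)  # "*.* @@host:port;template" or "... then @@host:port;template"
        if f:
            forwards.append((f.group(1), f.group(2)))
    tls_on = directives.get("actionsendstreamdriver") == "gtls" and directives.get("actionsendstreamdrivermode") == "1"
    if tls_on and (directives.get("actionsendstreamdriverauthmode") != "x509/name"
                   or "actionsendstreamdriverpermittedpeer" not in directives
                   or "defaultnetstreamdrivercafile" not in directives):
        findings.append("TLS enabled but peer certificate not validated (need CAFile, x509/name, PermittedPeer)")
    for proto, port in forwards:
        if not port.isdigit():
            findings.append(f"forwarding port placeholder '{port}' not replaced")
        elif proto == "@":
            findings.append(f"UDP forwarding to port {port}: unencrypted, no delivery guarantee")
        elif not tls_on:
            findings.append(f"plaintext TCP forwarding to port {port}: token and log data exposed on the wire")
        elif port == TOKEN_PLAIN_PORT:
            findings.append(f"TLS enabled but port {port} is the plaintext token port; use {TOKEN_TLS_PORT}")
    return findings

# Constructed samples: the page's token snippet as written, and its encryption stanza with the TLS token port and a dummy token.
WEAK_CONF = r"""$template LogentriesFormat,"TOKEN_HERE %HOSTNAME% %syslogtag%%msg%\n"
*.* @@api.logentries.com:10000;LogentriesFormat
"""
HARDENED_CONF = r"""$DefaultNetstreamDriverCAFile /opt/ssl/logentries.all.crt
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.logentries.com
$template LogentriesFormat,"00000000-0000-0000-0000-000000000000 %HOSTNAME% %syslogtag%%msg%\n"
*.* @@api.logentries.com:20000;LogentriesFormat
"""
```

Running audit_rsyslog_conf over WEAK_CONF reports the placeholder and the plaintext forward, while HARDENED_CONF returns no findings; swapping its port back to 10000 is flagged as the plaintext/TLS port mismatch the note above describes.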


Buffering

In case of an unreliable network connection, you can instruct rsyslog to buffer log entries during a network outage. For more details please refer to the rsyslog reliable forwarding documentation.


Troubleshooting

My logs stop forwarding at certain times, e.g. Midnight UTC?

There is a known bug with the Rsyslog version currently available through Ubuntu repositories, when used in conjunction with logrotate. Rsyslog does not pick up the new files after they are rotated. To fix this, you can install a newer version of Rsyslog with the instructions found here.

For anything else, please refer to the syslog section for troubleshooting general syslog services.
