Rsyslog is a syslog daemon commonly deployed in Debian and Ubuntu systems. It typically uses a simple TCP connection to send logs line-by-line.
We support two methods of forwarding rsyslog events to Logentries, which are explained below. We recommend using our Token-based input method which brings additional security and is independent of the actual source IP address.
Create a new Host in the UI. Inside this host, create a new Log, select Token TCP and Register the log. You will receive a unique Token UUID, which is printed under the form and then beside the log name in the list of logs.
Enter this token where it says TOKEN_HERE below and place the two lines at the bottom of your rsyslog configuration file found at
$template LogentriesFormat,"TOKEN_HERE %HOSTNAME% %syslogtag%%msg%\n"
# Forward every message, formatted with the template above, over TCP (@@)
*.* @@data.logentries.com:80;LogentriesFormat
Plain TCP/UDP Forwarding (Legacy)
If you would rather use a more basic Input, then create a host in the Logentries UI. Inside that, create a log, select Plain TCP/UDP and Register the log. You will receive a PORT number to use, which is printed under the form and beside the log name in the list of logs.
Simply add the PORT number to the following line and place it at the bottom of your rsyslog configuration file found at
Note: For UDP forwarding use a single @. For encrypted TLS connections use
In order to accept any changes to its configuration, restart your syslog server with the following command and you should start to see your events displayed in the log file you just set up in your account:
sudo service rsyslog restart
Configuring rsyslog to follow a regular file
Rsyslog can be configured to follow any files on your system. Full documentation on this can be found here.
If you wanted to follow a file called /var/log/myapp/errors.log, you would enter the following lines in your /etc/rsyslog.conf configuration file, above the previous snippet we added.
# Load the file input module; only entered once in case of following multiple files
$ModLoad imfile
$InputFileName /var/log/myapp/errors.log
$InputFileTag myapp
$InputFileStateFile myapp-file1
# Activate the monitor defined by the directives above
$InputRunFileMonitor
# This will poll the file every 10 seconds (only entered once, applies to all monitored files)
$InputFilePollInterval 10
Configuring rsyslog to follow files that change their name – rsyslog v8.5.0+ only
Using wildcards when specifying the log to follow allows for situations where you need to follow the most recent log in a particular folder. Rsyslog looks for any active log in the folder and will monitor the events in that log. The example below follows two files with a non-typical rotation pattern, using the newer rsyslog configuration file format. Please check your rsyslog version and upgrade if necessary. Rotation support in rsyslog depends on inotify being installed on the system.
Note: wildcards are NOT needed in the typical syslog log rotation scheme, where the log file named xxx.log is renamed to xxx.log.0 and a new xxx.log file is created. In this situation follow the xxx.log file only; do not specify wildcards.
# Load the file input module (new-style equivalent of $ModLoad imfile)
module(load="imfile")
# Wildcards match the currently active file in each pattern
input(type="imfile" file="/path/to/file1-*.log" tag="app1")
input(type="imfile" file="/path/to/file2-*.log" tag="app2")
$template App1Template,"TOKEN_1 %HOSTNAME% %syslogtag%%msg%\n"
$template App2Template,"TOKEN_2 %HOSTNAME% %syslogtag%%msg%\n"
# Route each tag to its own token; "& ~" discards the event after it is forwarded
if $programname == 'app1' then @@data.logentries.com:80;App1Template
& ~
if $programname == 'app2' then @@data.logentries.com:80;App2Template
& ~
Rsyslog Setup Tool
Logentries also provides a Python setup tool to set up your Rsyslog configuration. This tool can be downloaded via Github.
The setup tool allows you to automatically create a new Host and then for each file you wish to follow it will create a new log. The register documentation can be found here.
Following a file is done by simply running sudo python le follow myfile, where myfile is the path of the file you wish to follow.
More details can be found here.
The setup tool can also read from a JSON configuration file, which allows you to set up which files you wish to follow and which tokens to use. This is very useful if you are logging in an elastic environment. More details can be found here.
Filtering rsyslog to send events to specific files
Rsyslog allows you to filter logs and assign different destinations to different events. Full documentation on this can be found here.
If you wanted to send your nginx access log to a single log on Logentries, you would first follow the above section so that the nginx access log is monitored, taking note of the value you gave for
Then you would enter the following in your
$template NginxTemplate,"TOKEN_HERE %HOSTNAME% %syslogtag%%msg%\n"
if $programname == 'mytag' then @@data.logentries.com:80;NginxTemplate
& ~
You need to create a log on Logentries and choose Token TCP; the token that is printed in green is then inserted above where it says TOKEN_HERE.
You also need to make sure that the value you used for $InputFileTag matches the value that $programname is being checked against. The third line simply discards the event after it is sent to Logentries; you can omit this if you would like the event to also be sent somewhere else in your
In untrusted networks, you can set up encryption with certificate validation. You may need to join the Logentries certificate with the CA certificates in logentries.all.crt. All certificates are available for download on the certificates page; you can also download the logentries.all.crt file here.
Make sure you have installed support for TLS. Usually this is achieved by installing the
Sample configuration to enable encryption may look like this:
$template LogentriesTemplate,"TOKEN_HERE %HOSTNAME% %syslogtag%%msg%\n"
*.* @@data.logentries.com:443;LogentriesTemplate
Note: you have to specify the right port number. For token-based input, the port number is 443. For Plain TCP/UDP, you should use api.logentries.com and increase your port number by
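Changing the destination port on its own does not encrypt anything: rsyslog keeps sending plain TCP until it is told to use its TLS netstream driver, and it does not validate the server unless an authentication mode is set. The following is an added example, not configuration from the original page, showing the client-side directives that enable the gtls driver and verify the peer certificate against the CA bundle. The path to logentries.all.crt is a placeholder, and the permitted-peer name assumes the server certificate is issued for data.logentries.com.

```rsyslog
# Use the GnuTLS netstream driver for outgoing connections
$DefaultNetstreamDriver gtls
# CA bundle used to verify the server certificate (placeholder path)
$DefaultNetstreamDriverCAFile /path/to/logentries.all.crt
# Mode 1 = require TLS; mode 0 would fall back to plain TCP
$ActionSendStreamDriverMode 1
# x509/name: check the chain against the CA file AND the certificate name.
# "anon" would encrypt but skip validation, leaving the link open to an
# impersonating endpoint, so it is not used here.
$ActionSendStreamDriverAuthMode x509/name
# Only accept a server certificate issued for this name (assumed value)
$ActionSendStreamDriverPermittedPeer data.logentries.com
$template LogentriesTemplate,"TOKEN_HERE %HOSTNAME% %syslogtag%%msg%\n"
*.* @@data.logentries.com:443;LogentriesTemplate
```

The $ActionSendStreamDriver* directives apply to the actions that follow them, so they must appear before the forwarding line. If the CA file cannot be read or the name does not match, rsyslog refuses the connection and reports the reason in its own log rather than silently falling back to cleartext, which is the behaviour you want on an untrusted network.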
In case of unreliable network connection you can instruct rsyslog to buffer log entries during network outage. For more details please refer to rsyslog reliable forwarding documentation.
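Without a queue, rsyslog discards messages for the forwarding action once the remote end stops accepting them, so an outage becomes a gap in the evidence trail. The following is an added example, not configuration from the original page, of the disk-assisted queue described in rsyslog's reliable forwarding documentation applied to the token forwarding line; the spool directory, queue file name and disk limit are assumed values you would adjust for your host.

```rsyslog
# Directory where queue spool files are written (must be writable by rsyslog)
$WorkDirectory /var/spool/rsyslog
# In-memory queue that spills to disk when memory fills or the target is down
$ActionQueueType LinkedList
# Naming the queue file is what enables the on-disk part (assumed name)
$ActionQueueFileName lefwd
# Cap for spool files so an extended outage cannot fill the disk (assumed limit)
$ActionQueueMaxDiskSpace 1g
# Persist queued messages across a daemon restart
$ActionQueueSaveOnShutdown on
# Retry indefinitely instead of suspending the action after a few failures
$ActionResumeRetryCount -1
$template LogentriesTemplate,"TOKEN_HERE %HOSTNAME% %syslogtag%%msg%\n"
*.* @@data.logentries.com:80;LogentriesTemplate
```

The $ActionQueue* and $ActionResumeRetryCount directives bind to the very next action only, so they are placed immediately before the forwarding line; a second forwarding action would need its own set. Watch the spool directory size after enabling this: a queue that keeps growing is an early sign that forwarding has been broken for longer than you think.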
Rsyslog Parameters Explained
The following is a quick guide to the parameters we have set in our rsyslog.conf. For further information make sure to check Rsyslog's official documentation.
$InputFileName: The location of the file that we wish to follow, e.g. /var/log/dmesg
$InputFileTag: The tag to be used for messages that originate from this file. If you would like to see the colon after the tag, you need to specify it here (like tag="myTagValue:").
$InputFileStateFile: This is the name of this file’s state file.
$InputFileFacility: The syslog facility to be assigned to lines read. Can be specified in textual form (e.g. “local0”, “local1”, …) or as numbers (e.g. 128 for “local0”). Textual form is suggested. Default is “local0”.
$InputFileSeverity: The syslog severity to be assigned to lines read. Can be specified in textual form (e.g. “info”, “warning”, …) or as numbers (e.g. 4 for “info”). Textual form is suggested. Default is “notice”.
$InputRunFileMonitor: This activates the current monitor. It has no parameters. If you forget this directive, no file monitoring will take place.
$InputFilePollInterval: This setting specifies how often files are to be polled for new data. For obvious reasons, it has effect only if imfile is running in polling mode. The time specified is in seconds. During each polling interval, all files are processed in a round-robin fashion.
My logs stop forwarding at certain times, e.g. Midnight UTC?
There is a known bug with the Rsyslog version currently available through Ubuntu repositories, when used in conjunction with logrotate. Rsyslog does not pick up the new files after they are rotated. To fix this, you can install a newer version of Rsyslog with the instructions found here.
For anything else, please refer to the syslog section for troubleshooting general syslog services.