Logging from Linux (Rsyslog)

Sending logs to Logmatic.io from Linux is easy thanks to the syslog daemons that ship with Linux distributions. In this chapter, we show you how to configure Rsyslog to send system logs and any other files you may want to follow.

In this chapter, we assume that Rsyslog is already installed on your machine.

Forward all the syslog messages

Please edit the rsyslog.conf file which resides in the /etc directory:

sudo vim /etc/rsyslog.conf

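Configure Rsyslog to send all messages to Logmatic.io on TCP port 10514, formatted as RFC 5424 and prefixed with your API key. On this port the API key and the log contents travel unencrypted; the "Enabling security" section below switches the connection to TLS.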

$template LogmaticFormat,"<your_api_key> <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% - - - %msg%\n"
*.* @@api.logmatic.io:10514;LogmaticFormat

Don't forget to replace <your_api_key> with the one generated for your usage.

The *.* before the TCP address is an Rsyslog selector; it means that you want to send all the messages.
Once you are happy with this configuration, don't forget to restart the service:

sudo service rsyslog restart

Watching your own files

Using Rsyslog as a file content forwarder is quite straightforward. Just follow these simple steps:

Edit the rsyslog.conf file:

sudo vim /etc/rsyslog.conf

Insert the following configuration block for each file you want to follow:

$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/spool/rsyslog

# Input for FILE1
$InputFileName /<path_to_file1>
$InputFileTag <app_name_file1>
$InputFileStateFile <unique_file_id1>
$InputFileSeverity info
$InputRunFileMonitor

# Input for FILE2
$InputFileName /<path_to_file2>
$InputFileTag <app_name_file2>
$InputFileStateFile <unique_file_id2>
$InputFileSeverity info
$InputRunFileMonitor

# etc...

If you need more details about this config, please refer to the imfile module documentation.

Once you are happy with this configuration don't forget to restart the service:

sudo service rsyslog restart

Enabling security

You can set up encryption for Rsyslog with certificate validation. [Download final certificate here]

First, be sure you have installed packages that support TLS for Rsyslog. Usually this is done by installing rsyslog-gnutls via apt-get:

sudo apt-get install rsyslog-gnutls

You can now enable TLS. If you followed the previous steps, replace:

$template LogmaticFormat,"<your_api_key> <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% - - - %msg%\n"

*.* @@api.logmatic.io:10514;LogmaticFormat

by:

$template LogmaticFormat,"<your_api_key> <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% - - - %msg%\n"

$DefaultNetstreamDriverCAFile <path_to_your_.crt_file>

$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name

*.* @@api.logmatic.io:10515;LogmaticFormat

Don't forget to specify <path_to_your_.crt_file>, <your_api_key> and ensure that the port number is 10515.
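
A check you can run after editing, given here as an added example that is not part of the original Logmatic.io documentation: for each @@ forwarding rule in a legacy-syntax file it reports whether the rule is plaintext, TLS without certificate verification, or TLS with x509/name verification against a CA file, and it flags any leftover <your_api_key> placeholder. The function names, the sample key and the CA path are constructed, and the script assumes that directives earlier in the file apply to the rule that follows.

```shell
#!/bin/sh
# Added example: text audit of legacy-syntax rsyslog forwarding rules.
# Assumptions: directives seen earlier in the file apply to a later "@@" action;
# included files and RainerScript action() syntax are not parsed.

# audit_forwarding FILE prints "<status> <host:port>" per TCP forwarding action
# (plaintext | tls-unverified | tls-verified) and "placeholder line <n>" for
# every line that still contains the literal <your_api_key>.
audit_forwarding() {
    awk '
        /^[ \t]*#/ { next }                                  # skip comments
        /<your_api_key>/ { print "placeholder line " NR }
        $1 == "$DefaultNetstreamDriverCAFile"   { ca = $2 }
        $1 == "$ActionSendStreamDriver"         { driver = $2 }
        $1 == "$ActionSendStreamDriverMode"     { mode = $2 }
        $1 == "$ActionSendStreamDriverAuthMode" { auth = $2 }
        $2 ~ /^@@/ {
            target = substr($2, 3)                           # drop "@@"
            sub(/;.*/, "", target)                           # drop ";Template"
            if (driver != "gtls" || mode != "1")      status = "plaintext"
            else if (auth != "x509/name" || ca == "") status = "tls-unverified"
            else                                      status = "tls-verified"
            print status, target
        }
    ' "$1"
}

# Constructed sample files mirroring the two variants shown on this page.
write_samples() {   # $1 = output directory
    cat > "$1/plain.conf" <<'EOF'
$template LogmaticFormat,"<your_api_key> <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% - - - %msg%\n"
*.* @@api.logmatic.io:10514;LogmaticFormat
EOF
    cat > "$1/tls.conf" <<'EOF'
$template LogmaticFormat,"CONSTRUCTED-KEY-0000 <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% - - - %msg%\n"
$DefaultNetstreamDriverCAFile /etc/ssl/certs/constructed-ca.crt
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
*.* @@api.logmatic.io:10515;LogmaticFormat
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
for f in "$tmp"/*.conf; do echo "== ${f##*/}"; audit_forwarding "$f"; done
rm -rf "$tmp"
```

On a real host, call audit_forwarding /etc/rsyslog.conf; it complements rsyslogd's own syntax check (rsyslogd -N1) rather than replacing it.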
