Logging from Linux (Rsyslog)

Sending logs to Logmatic.io from Linux is easy thanks to the syslog daemons that ship with most distributions. In this chapter, we will show you how to configure Rsyslog to send system logs and any other files you may want to follow.

In this chapter, we assume that Rsyslog is already installed on your machine.

Overview

Already a Logmatic.io user?

We advise you to go directly to the Rsyslog - Integration page on your platform, which will help you with the setup and the configuration.

Global overview of Logmatic.io Input API

You will find here a global overview of our Input API.

Setup - Forward all the syslog messages

Please edit the rsyslog.conf file which resides in the /etc directory:

sudo vim /etc/rsyslog.conf

Configure Rsyslog to send all messages to Logmatic.io on TCP port 10514, formatted as RFC 5424 and prefixed by your API key.
Once you are happy with this configuration, don't forget to restart the service.

# Defining the logmatic syslog format, as defined in RFC 5424
$template LogmaticFormat,"<your_api_key> <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% - - - %msg%\n"

# The `*.*` before the TCP address is an Rsyslog selector; it means that all messages are sent.
*.* @@api.logmatic.io:10514;LogmaticFormat

sudo service rsyslog restart

Don't forget to replace <your_api_key> with the key generated for your account.

Setup - Watching your own files

Using Rsyslog as a file content forwarder is quite straightforward. Just follow these simple steps:

Edit the rsyslog.conf file:

sudo vim /etc/rsyslog.conf

Add these lines to enable file monitoring:

$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/spool/rsyslog

Insert the following configuration block for each file you want to follow:

# Input for FILE1
$InputFileName /<path_to_file1>
#Name of the application logging in the file
$InputFileTag <app_name_file1>
#A unique id for Rsyslog internal use
$InputFileStateFile <unique_file_id1>
#Default severity to apply to log coming from this logfile
$InputFileSeverity info
$InputRunFileMonitor

If you need more details about this config, please refer to the imfile module documentation.

Once you are happy with this configuration don't forget to restart the service:

sudo service rsyslog restart

Setup - Enabling security

You can set up encryption for Rsyslog with certificate validation. [Download final certificate here]

Be sure you have installed packages that support TLS for Rsyslog. Usually this is done by installing rsyslog-gnutls via apt-get:

sudo apt-get install rsyslog-gnutls

You can now enable TLS. If you followed the previous steps, replace the former forwarding configuration line:

*.* @@api.logmatic.io:10514;LogmaticFormat

with the following lines:

$DefaultNetstreamDriverCAFile <path_to_your_.crt_file>

$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name

*.* @@api.logmatic.io:10515;LogmaticFormat

Don't forget to specify <path_to_your_.crt_file>, <your_api_key> and ensure that the port number is 10515.
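
The following script is an added example, not part of the Logmatic.io documentation. It lints a legacy-syntax Rsyslog configuration against the two setups above: it reports any forwarding line still pointing at port 10514 (for instance when the TLS lines were added without removing the former one) and any port 10515 action that is not preceded by the four TLS directives. The function name and the sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Logmatic.io code): lint a legacy-syntax rsyslog config
# for the forwarding rules on this page. Prints findings; returns 1 if any.
check_logmatic_forwarding() {
    awk '
    /^[ \t]*#/ { next }                                  # ignore comment lines
    $1 == "$DefaultNetstreamDriverCAFile"   { ca   = $2 }
    $1 == "$ActionSendStreamDriver"         { drv  = $2 }
    $1 == "$ActionSendStreamDriverMode"     { mode = $2 }
    $1 == "$ActionSendStreamDriverAuthMode" { auth = $2 }
    $2 ~ /^@@api\.logmatic\.io:/ {                       # TCP forwarding action
        seen = 1
        split($2, t, /[:;]/); port = t[2]
        if (port == "10514") {
            print "line " NR ": port 10514 is plain TCP, API key and logs are sent unencrypted"; bad = 1
        } else if (port == "10515") {
            # Legacy directives only affect actions defined after them.
            if (ca == "")            { print "line " NR ": $DefaultNetstreamDriverCAFile not set before this action"; bad = 1 }
            if (drv != "gtls")       { print "line " NR ": $ActionSendStreamDriver is not gtls"; bad = 1 }
            if (mode != "1")         { print "line " NR ": $ActionSendStreamDriverMode is not 1"; bad = 1 }
            if (auth != "x509/name") { print "line " NR ": $ActionSendStreamDriverAuthMode is not x509/name"; bad = 1 }
        } else { print "line " NR ": unexpected port " port; bad = 1 }
    }
    END {
        if (!seen) { print "no forwarding action to api.logmatic.io found"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample: the plain-TCP setup from the first section, placeholder key.
demo=$(mktemp)
cat > "$demo" <<'EOF'
$template LogmaticFormat,"<your_api_key> <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% - - - %msg%\n"
*.* @@api.logmatic.io:10514;LogmaticFormat
EOF
check_logmatic_forwarding "$demo" || echo "=> findings above: switch to the TLS setup"
rm -f "$demo"
```

Run it against /etc/rsyslog.conf after editing and before restarting the service; an empty output with exit status 0 means every Logmatic.io forwarding action uses the TLS setup.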


What's next?

On Linux, you are able to use Syslog-ng as an alternative to Rsyslog.
