Explore documentation
  1. Welcome to Telemetry👋
  2. Quick start guide
  3. Log libraries
    1. Programming languages
    2. Cloud platforms
    3. Web servers & Load balancers
    4. Operating systems
    5. Databases & Message queues
    6. Containers & Clusters
    7. HTTP REST API
  4. Metrics
    1. Vector (Recommended)
    2. Prometheus (push)
    3. Prometheus (scrape)
    4. Datadog Agent
    5. OpenTelemetry
  5. Log Forwarding
    1. Vector (Recommended)
    2. Fluent Bit
    3. Logstash
    4. Fluentd
    5. Filebeat
    6. Syslog
      1. Syslog-ng
      2. RSyslog
  6. Dashboards
    1. Getting started
    2. Converting logs to metrics
    3. SQL queries
    4. Simplified PromQL
    5. Alerts
    6. How do we bill for metrics?
    7. Transforming with JavaScript
  7. Using Logs
    1. Querying data in Better Stack
    2. String + JSON format
    3. Formatting logs
    4. Live tail query language
    5. Explore logs with SQL
    6. AWS S3-compatible archive
  8. Telemetry API
    1. Get started with Telemetry API
    2. Sources API
    3. Metrics API
    4. Query API

Send logs to Better Stack with RSyslog

Start logging in 5 minutes

Send your system logs to Better Stack using RSyslog.

1. Install

Install RSyslog TLS package:

Install RSyslog TLS
apt-get install rsyslog-gnutls

2. Setup

Set up RSyslog using the provided script:

TCP (recommended) UDP 
wget -qO- https://telemetry.betterstack.com/rsyslog/$SOURCE_TOKEN | sh
wget -qO- https://telemetry.betterstack.com/rsyslog/udp/$SOURCE_TOKEN | sh

Curious about what the script does?

  • Detects whether syslog-ng is installed on your system.
  • Creates configuration for your Better Stack source.

2. Restart

Restart the RSyslog service to reload configuration:

Restart the service
systemctl restart rsyslog

You should see your logs in Better Stack → Live tail.

Need help?

Please let us know at hello@betterstack.com.
We're happy to help! 🙏

Manual RSyslog setup

Our Syslog server listens for TCP connections on in.logs.betterstack.com:6514, allowing only encrypted traffic. It also listens on in.logs.betterstack.com:6517 for unencrypted UDP connections.

To authenticate the incoming logs, we utilize Syslog's structured data. Every Syslog message must include [logtail@11993 source_token="$SOURCE_TOKEN"].

1. Install

Install RSyslog TLS package:

Install RSyslog TLS
apt install rsyslog-gnutls

Setup

Do you want to log over TCP or UDP?

Log using TCP

Configure RSyslog to log over TCP:

Syslog config
global(DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt")

template(name="LogtailFormat" type="list") {
 constant(value="<")
 property(name="pri")
 constant(value=">")
 constant(value="1")
 constant(value=" ")
 property(name="timestamp" dateFormat="rfc3339")
 constant(value=" ")
 property(name="hostname")
 constant(value=" ")
 property(name="app-name")
 constant(value=" ")
 property(name="procid")
 constant(value=" ")
 property(name="msgid")
 constant(value=" ")
 property(name="structured-data" regex.expression="[^-]" regex.nomatchmode="BLANK" regex.submatch="0")
 constant(value="[logtail@11993 source_token=\"$SOURCE_TOKEN\"]")
 constant(value=" ")
 property(name="msg" droplastlf="on")
}

action(
 type="omfwd"
 protocol="tcp"
 target="in.logs.betterstack.com"
 port="6514"
 template="LogtailFormat"
 TCP_Framing="octet-counted"
 StreamDriver="gtls"
 StreamDriverMode="1"
 StreamDriverAuthMode="x509/name"
 StreamDriverPermittedPeers="*.logs.betterstack.com"
 queue.spoolDirectory="/var/spool/rsyslog"
 queue.filename="logtail"
 queue.maxdiskspace="75m"
 queue.type="LinkedList"
 queue.saveonshutdown="on"
)

Not using Ubuntu or Debian?
You might need to adjust the certificate path in the config based on your operating system. For example, use /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem on CentOS.

Log using UDP

Configure RSyslog to log over UDP:

Syslog config
template(name="LogtailFormat" type="list") {
 constant(value="<")
 property(name="pri")
 constant(value=">")
 constant(value="1")
 constant(value=" ")
 property(name="timestamp" dateFormat="rfc3339")
 constant(value=" ")
 property(name="hostname")
 constant(value=" ")
 property(name="app-name")
 constant(value=" ")
 property(name="procid")
 constant(value=" ")
 property(name="msgid")
 constant(value=" ")
 property(name="structured-data" regex.expression="[^-]" regex.nomatchmode="BLANK" regex.submatch="0")
 constant(value="[logtail@11993 source_token=\"$SOURCE_TOKEN\"]")
 constant(value=" ")
 property(name="msg" droplastlf="on")
}

action(
 type="omfwd"
 protocol="udp"
 target="in.logs.betterstack.com"
 port="6517"
 template="LogtailFormat"
 queue.spoolDirectory="/var/spool/rsyslog"
 queue.filename="logtail"
 queue.maxdiskspace="75m"
 queue.type="LinkedList"
 queue.saveonshutdown="on"
)

3. Restart

Restart the RSyslog service:

Restart the service
systemctl restart rsyslog

4. Start logging 🎉

Test the logger:

Send test log
logger "Hello from Better Stack!"

You should see your logs in Better Stack → Live tail.

Need help?

Please let us know at hello@betterstack.com.
We're happy to help! 🙏

Previous article

Send logs to Better Stack with syslog-ng

Next article

Getting started with Dashboards