# Send logs to Better Stack with RSyslog

## Start logging in 5 minutes

Send your system logs to Better Stack using RSyslog.

### 1. Install

Install the RSyslog TLS package:

```bash
[label Install RSyslog TLS]
apt-get install rsyslog-gnutls
```

### 2. Setup

Set up RSyslog using the provided script:

[code-tabs]
```bash
[label TCP (recommended)]
wget -qO- https://telemetry.betterstack.com/rsyslog/$SOURCE_TOKEN | sh
```
```bash
[label UDP]
wget -qO- https://telemetry.betterstack.com/rsyslog/udp/$SOURCE_TOKEN | sh
```
[/code-tabs]

[info]
**Curious about what the script does?**

<ul style="margin-left: calc(var(--spacing) * -7);">
<li>Detects whether <code class="prettyprint">syslog-ng</code> is installed on your system.</li>
<li>Creates configuration for your Better Stack source.</li>
</ul>
[/info]

### 3. Restart

Restart the RSyslog service to load the new configuration:

```bash
[label Restart the service]
systemctl restart rsyslog
```

You should see your logs in [Better Stack → Live tail](https://telemetry.betterstack.com/team/0/tail ";_blank").

## Need help?

Please let us know at hello@betterstack.com.  
We're happy to help! 🙏

## Manual RSyslog setup

Our Syslog server listens for TCP connections on port `6514`, allowing only encrypted traffic. It also listens on port `6517` for unencrypted UDP connections.
Please use the **Ingesting host** from your source settings as the hostname.

To authenticate the incoming logs, we utilize Syslog's structured data. Every Syslog message must include `[logtail@11993 source_token="$SOURCE_TOKEN"]`.

### 1. Install

Install the RSyslog TLS package:

```bash
[label Install RSyslog TLS]
apt install rsyslog-gnutls
```

### 2. Setup

Do you want to log over TCP or UDP?

- [Log over encrypted TCP](#log-using-tcp)
- [Log over unencrypted UDP](#log-using-udp) 

#### Log using TCP

Configure RSyslog to log over TCP:

```text
[label Syslog config]
global(DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt")

template(name="LogtailFormat" type="list") {
 constant(value="<")
 property(name="pri")
 constant(value=">")
 constant(value="1")
 constant(value=" ")
 property(name="timestamp" dateFormat="rfc3339")
 constant(value=" ")
 property(name="hostname")
 constant(value=" ")
 property(name="app-name")
 constant(value=" ")
 property(name="procid")
 constant(value=" ")
 property(name="msgid")
 constant(value=" ")
 property(name="structured-data" regex.expression="[^-]" regex.nomatchmode="BLANK" regex.submatch="0")
 constant(value="[logtail@11993 source_token=\"$SOURCE_TOKEN\"]")
 constant(value=" ")
 property(name="msg" droplastlf="on")
}

action(
 type="omfwd"
 protocol="tcp"
 target="$INGESTING_HOST_VEC"
 port="6514"
 template="LogtailFormat"
 TCP_Framing="octet-counted"
 StreamDriver="gtls"
 StreamDriverMode="1"
 StreamDriverAuthMode="x509/name"
 StreamDriverPermittedPeers="*.betterstackdata.com"
 queue.spoolDirectory="/var/spool/rsyslog"
 queue.filename="logtail"
 queue.maxdiskspace="75m"
 queue.type="LinkedList"
 queue.saveonshutdown="on"
)
```

[info]
**Not using Ubuntu or Debian?**  
You might need to adjust the certificate path in the config based on your operating system.
For example, use `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` on CentOS.  
[/info]

#### Log using UDP

Configure RSyslog to log over UDP:

```text
[label Syslog config]
template(name="LogtailFormat" type="list") {
 constant(value="<")
 property(name="pri")
 constant(value=">")
 constant(value="1")
 constant(value=" ")
 property(name="timestamp" dateFormat="rfc3339")
 constant(value=" ")
 property(name="hostname")
 constant(value=" ")
 property(name="app-name")
 constant(value=" ")
 property(name="procid")
 constant(value=" ")
 property(name="msgid")
 constant(value=" ")
 property(name="structured-data" regex.expression="[^-]" regex.nomatchmode="BLANK" regex.submatch="0")
 constant(value="[logtail@11993 source_token=\"$SOURCE_TOKEN\"]")
 constant(value=" ")
 property(name="msg" droplastlf="on")
}

action(
 type="omfwd"
 protocol="udp"
 target="$INGESTING_HOST_VEC"
 port="6517"
 template="LogtailFormat"
 queue.spoolDirectory="/var/spool/rsyslog"
 queue.filename="logtail"
 queue.maxdiskspace="75m"
 queue.type="LinkedList"
 queue.saveonshutdown="on"
)
```
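
Only the TCP configuration encrypts the link and checks the server's certificate name, and every message carries the source token. As an added example (not Better Stack's own tooling), this Python check parses the `action()` blocks of an RSyslog config and reports each `omfwd` forwarder that departs from the TLS settings shown in the TCP config on this page; the sample configs and the `ingest.example.invalid` target are constructed placeholders.

```python
import re

# TLS settings taken from the TCP config on this page (keys lower-cased).
REQUIRED_TLS = {
    "protocol": "tcp",
    "port": "6514",
    "streamdriver": "gtls",
    "streamdrivermode": "1",
    "streamdriverauthmode": "x509/name",
}
# action( ... ) whose quoted values may themselves contain ")".
ACTION_RE = re.compile(r'\baction\s*\(((?:[^)"]|"(?:[^"\\]|\\.)*")*)\)', re.I)
PARAM_RE = re.compile(r'([\w.]+)\s*=\s*"((?:[^"\\]|\\.)*)"')

def parse_actions(conf_text):
    """Return one dict per action() block; rsyslog parameter names are case-insensitive."""
    return [{k.lower(): v for k, v in PARAM_RE.findall(body)}
            for body in ACTION_RE.findall(conf_text)]

def audit_forwarders(conf_text):
    """List deviations of each omfwd action from the encrypted TCP setup; [] means none."""
    findings = []
    for i, act in enumerate(parse_actions(conf_text), 1):
        if act.get("type", "").lower() != "omfwd":
            continue
        for key, want in REQUIRED_TLS.items():
            got = act.get(key)
            if got is None or got.lower() != want:
                findings.append(f"action {i}: {key}={got!r}, expected {want!r}")
        if not act.get("streamdriverpermittedpeers"):
            findings.append(f"action {i}: StreamDriverPermittedPeers not set")
    return findings

# Constructed sample configs; the target host is a placeholder.
SAMPLE_TCP = '''
action(type="omfwd" protocol="tcp" target="ingest.example.invalid" port="6514"
 template="LogtailFormat" TCP_Framing="octet-counted" StreamDriver="gtls"
 StreamDriverMode="1" StreamDriverAuthMode="x509/name"
 StreamDriverPermittedPeers="*.betterstackdata.com")
'''
SAMPLE_UDP = '''
action(type="omfwd" protocol="udp" target="ingest.example.invalid" port="6517"
 template="LogtailFormat")
'''

if __name__ == "__main__":
    for name, conf in (("tcp", SAMPLE_TCP), ("udp", SAMPLE_UDP)):
        print(name, audit_forwarders(conf) or "ok")
```

To audit a real host, pass the contents of the RSyslog config file that holds the forwarding action to `audit_forwarders`.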

### 3. Restart

Restart the RSyslog service:

```bash
[label Restart the service]
systemctl restart rsyslog
```

### 4. Start logging 🎉

Test the logger:

```bash
[label Send test log]
logger "Hello from Better Stack!"
```

You should see your logs in [Better Stack → Live tail](https://telemetry.betterstack.com/team/0/tail ";_blank").

### Need help?

Please let us know at hello@betterstack.com.  
We're happy to help! 🙏
