Curious about what the script does?
- Detects whether
syslog-ng
is installed on your system. - Creates configuration for your Better Stack source.
Send your system logs to Better Stack using RSyslog.
Install RSyslog TLS package:
apt-get install rsyslog-gnutls
Set up RSyslog using the provided script:
wget -qO- https://logs.betterstack.com/rsyslog/$SOURCE_TOKEN | sh
wget -qO- https://logs.betterstack.com/rsyslog/udp/$SOURCE_TOKEN | sh
Curious about what the script does?
syslog-ng
is installed on your system.Restart the RSyslog service to reload configuration:
systemctl restart rsyslog
You should see your logs in Better Stack β Live tail.
Please let us know at hello@betterstack.com.
We're happy to help! π
Our Syslog server listens for TCP connections on in.logs.betterstack.com:6514
, allowing only encrypted traffic. It also listens on in.logs.betterstack.com:6517
for unencrypted UDP connections.
To authenticate the incoming logs, we utilize Syslog's structured data. Every Syslog message must include [logtail@11993 source_token="$SOURCE_TOKEN"]
.
Install RSyslog TLS package:
apt install rsyslog-gnutls
Do you want to log over TCP or UDP?
Configure RSyslog to log over TCP:
global(DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt")
template(name="LogtailFormat" type="list") {
constant(value="<")
property(name="pri")
constant(value=">")
constant(value="1")
constant(value=" ")
property(name="timestamp" dateFormat="rfc3339")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="app-name")
constant(value=" ")
property(name="procid")
constant(value=" ")
property(name="msgid")
constant(value=" ")
property(name="structured-data" regex.expression="[^-]" regex.nomatchmode="BLANK" regex.submatch="0")
constant(value="[logtail@11993 source_token=\"$SOURCE_TOKEN\"]")
constant(value=" ")
property(name="msg" droplastlf="on")
}
action(
type="omfwd"
protocol="tcp"
target="in.logs.betterstack.com"
port="6514"
template="LogtailFormat"
TCP_Framing="octet-counted"
StreamDriver="gtls"
StreamDriverMode="1"
StreamDriverAuthMode="x509/name"
StreamDriverPermittedPeers="*.logs.betterstack.com"
queue.spoolDirectory="/var/spool/rsyslog"
queue.filename="logtail"
queue.maxdiskspace="75m"
queue.type="LinkedList"
queue.saveonshutdown="on"
)
Not using Ubuntu or Debian?
You might need to adjust the certificate path in the config based on your operating system.
For example, use /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
on CentOS.
Configure RSyslog to log over UDP:
template(name="LogtailFormat" type="list") {
constant(value="<")
property(name="pri")
constant(value=">")
constant(value="1")
constant(value=" ")
property(name="timestamp" dateFormat="rfc3339")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="app-name")
constant(value=" ")
property(name="procid")
constant(value=" ")
property(name="msgid")
constant(value=" ")
property(name="structured-data" regex.expression="[^-]" regex.nomatchmode="BLANK" regex.submatch="0")
constant(value="[logtail@11993 source_token=\"$SOURCE_TOKEN\"]")
constant(value=" ")
property(name="msg" droplastlf="on")
}
action(
type="omfwd"
protocol="udp"
target="in.logs.betterstack.com"
port="6517"
template="LogtailFormat"
queue.spoolDirectory="/var/spool/rsyslog"
queue.filename="logtail"
queue.maxdiskspace="75m"
queue.type="LinkedList"
queue.saveonshutdown="on"
)
Restart the RSyslog service:
systemctl restart rsyslog
Test the logger:
logger "Hello from Better Stack!"
You should see your logs in Better Stack β Live tail.
Please let us know at hello@betterstack.com.
We're happy to help! π