Curious about what the script does?
- Detects whether
syslog-ngis installed on your system. - Creates configuration for your Better Stack source.
Explore documentation
Send logs to Better Stack with RSyslog
Start logging in 5 minutes
Send your system logs to Better Stack using RSyslog.
1. Install
Install RSyslog TLS package:
Install RSyslog TLS
apt-get install rsyslog-gnutls
2. Setup
Set up RSyslog using the provided script:
TCP (recommended)
UDP
wget -qO- https://logs.betterstack.com/rsyslog/$SOURCE_TOKEN | shwget -qO- https://logs.betterstack.com/rsyslog/udp/$SOURCE_TOKEN | sh2. Restart
Restart the RSyslog service to reload configuration:
Restart the service
systemctl restart rsyslog
You should see your logs in Better Stack -> Live tail.
Need help?
Please let us know at hello@betterstack.com.
We're happy to help! ๐
Manual RSyslog setup
Our Syslog server listens for TCP connections on in.logs.betterstack.com:6514, allowing only encrypted traffic. It also listens on in.logs.betterstack.com:6517 for unencrypted UDP connections.
To authenticate the incoming logs, we utilize Syslog's structured data. Every Syslog message must include [logtail@11993 source_token="$SOURCE_TOKEN"].
1. Install
Install RSyslog TLS package:
Install RSyslog TLS
apt install rsyslog-gnutls
Setup
Do you want to log over TCP or UDP?
Log using TCP
Configure RSyslog to log over TCP:
Syslog config
global(DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt")
template(name="LogtailFormat" type="list") {
constant(value="<")
property(name="pri")
constant(value=">")
constant(value="1")
constant(value=" ")
property(name="timestamp" dateFormat="rfc3339")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="app-name")
constant(value=" ")
property(name="procid")
constant(value=" ")
property(name="msgid")
constant(value=" ")
property(name="structured-data" regex.expression="[^-]" regex.nomatchmode="BLANK" regex.submatch="0")
constant(value="[logtail@11993 source_token=\"$SOURCE_TOKEN\"]")
constant(value=" ")
property(name="msg" droplastlf="on")
}
action(
type="omfwd"
protocol="tcp"
target="in.logs.betterstack.com"
port="6514"
template="LogtailFormat"
TCP_Framing="octet-counted"
StreamDriver="gtls"
StreamDriverMode="1"
StreamDriverAuthMode="x509/name"
StreamDriverPermittedPeers="*.logs.betterstack.com"
queue.spoolDirectory="/var/spool/rsyslog"
queue.filename="logtail"
queue.maxdiskspace="75m"
queue.type="LinkedList"
queue.saveonshutdown="on"
)
Not using Ubuntu or Debian?
You might need to adjust the certificate path in the config based on your operating system.
For example, use /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem on CentOS.
Log using UDP
Configure RSyslog to log over UDP:
Syslog config
template(name="LogtailFormat" type="list") {
constant(value="<")
property(name="pri")
constant(value=">")
constant(value="1")
constant(value=" ")
property(name="timestamp" dateFormat="rfc3339")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="app-name")
constant(value=" ")
property(name="procid")
constant(value=" ")
property(name="msgid")
constant(value=" ")
property(name="structured-data" regex.expression="[^-]" regex.nomatchmode="BLANK" regex.submatch="0")
constant(value="[logtail@11993 source_token=\"$SOURCE_TOKEN\"]")
constant(value=" ")
property(name="msg" droplastlf="on")
}
action(
type="omfwd"
protocol="udp"
target="in.logs.betterstack.com"
port="6517"
template="LogtailFormat"
queue.spoolDirectory="/var/spool/rsyslog"
queue.filename="logtail"
queue.maxdiskspace="75m"
queue.type="LinkedList"
queue.saveonshutdown="on"
)
3. Restart
Restart the RSyslog service:
Restart the service
systemctl restart rsyslog
4. Start logging ๐
Test the logger:
Send test log
logger "Hello from Better Stack!"
You should see your logs in Better Stack -> Live tail.
Need help?
Please let us know at hello@betterstack.com.
We're happy to help! ๐