You can send your system logs directly to our servers over an encrypted TCP connection. Our Syslog server listens for TCP connections on in.logtail.com:6514 and accepts only encrypted traffic.
To authenticate the incoming logs, we use Syslog's structured data mechanism. Every Syslog message you send to our server must include the structured-data element [logtail@11993 source_token="YOUR_LOGTAIL_SOURCE_TOKEN"].
First, make sure rsyslog-gnutls is installed on your system:
apt install rsyslog-gnutls
We created a simple script that will configure rsyslog for you:
wget -qO- https://logtail.com/rsyslog/YOUR_SOURCE_TOKEN | sh
We suggest you go through the setup script before you run it and make sure it doesn't do anything malicious. You should never run scripts copied from the internet in your terminal.
The script will detect whether rsyslog is installed on your system and, if it is in place, it will create the correct configuration for your Logtail source.
After the script finishes successfully, you might need to restart the rsyslog service so that the new configuration is loaded:
systemctl restart rsyslog
1. Install rsyslog-gnutls to enable TLS encryption:
apt install rsyslog-gnutls
2. Create a configuration file with the following content:
# Trusted root CA bundle used to verify the Logtail server certificate (Debian/Ubuntu path).
global(DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt")

# RFC 5424 message layout with the Logtail structured-data element appended after any
# structured data the message already carries (the nil value "-" is dropped).
template(name="LogtailFormat" type="list") {
    constant(value="<")
    property(name="pri")
    constant(value=">")
    constant(value="1")
    constant(value=" ")
    property(name="timestamp" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="app-name")
    constant(value=" ")
    property(name="procid")
    constant(value=" ")
    property(name="msgid")
    constant(value=" ")
    property(name="structured-data" regex.expression="^[^-].*" regex.nomatchmode="BLANK" regex.submatch="0")
    constant(value="[logtail@11993 source_token=\"YOUR_LOGTAIL_SOURCE_TOKEN\"]")
    constant(value=" ")
    property(name="msg" droplastlf="on")
}

# Forward over TLS (gtls driver), verifying the server certificate chain against the CA
# bundle and its name against *.logtail.com; the disk-assisted queue keeps messages
# across outages and restarts.
action(
    type="omfwd"
    protocol="tcp"
    target="in.logtail.com"
    port="6514"
    template="LogtailFormat"
    TCP_Framing="octet-counted"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="*.logtail.com"
    queue.spoolDirectory="/var/spool/rsyslog"
    queue.filename="logtail"
    queue.maxdiskspace="75m"
    queue.type="LinkedList"
    queue.saveonshutdown="on"
)
3. Restart the rsyslog service and you're done:
systemctl restart rsyslog
Make sure to replace YOUR_LOGTAIL_SOURCE_TOKEN with your own source token from Logtail.com.
This configuration works on Ubuntu and other Debian-based Linux distributions. On other Linux distributions the trusted root CA bundle may be in a different location or have a different name. If this is the case, change the file path on the first line to the correct value (e.g., /etc/ssl/certs/ca-bundle.crt).
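As an added example (not Logtail's or rsyslog's own code), the Python below builds the same line the LogtailFormat template produces, including the nil "-" structured-data case, applies the octet-counted framing the action uses, and sends it with the same certificate and hostname verification; the SD-ID constant is copied from the template above and the sample message is constructed.

```python
import socket
import ssl

LOGTAIL_HOST = "in.logtail.com"   # endpoint from the page
LOGTAIL_PORT = 6514               # TLS-only syslog port from the page
LOGTAIL_SD_ID = "logtail@11993"   # SD-ID used in the template; confirm against your source settings


def logtail_sd_element(source_token: str) -> str:
    """The structured-data element the server uses to authenticate the source."""
    return f'[{LOGTAIL_SD_ID} source_token="{source_token}"]'


def format_logtail_message(pri: int, timestamp: str, hostname: str, app_name: str,
                           procid: str, msgid: str, structured_data: str, msg: str,
                           source_token: str) -> str:
    """Build what the LogtailFormat template emits: RFC 5424 header, the message's own
    structured data (omitted when it is the nil value '-'), the Logtail element, then the text."""
    existing_sd = "" if structured_data == "-" else structured_data
    body = msg[:-1] if msg.endswith("\n") else msg        # droplastlf="on"
    header = f"<{pri}>1 {timestamp} {hostname} {app_name} {procid} {msgid}"
    return f"{header} {existing_sd}{logtail_sd_element(source_token)} {body}"


def frame_octet_counted(message: str) -> bytes:
    """RFC 6587 octet-counted framing, as TCP_Framing="octet-counted": MSG-LEN SP MSG."""
    data = message.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def send_frames_tls(frames, cafile="/etc/ssl/certs/ca-certificates.crt") -> int:
    """What the omfwd action does: TLS to in.logtail.com:6514 with the server certificate
    checked against the CA bundle and the hostname (rsyslog's x509/name mode). Returns bytes sent."""
    ctx = ssl.create_default_context(cafile=cafile)   # chain and hostname verification on
    with socket.create_connection((LOGTAIL_HOST, LOGTAIL_PORT), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=LOGTAIL_HOST) as tls:
            sent = 0
            for frame in frames:
                tls.sendall(frame)
                sent += len(frame)
            return sent


if __name__ == "__main__":
    # Constructed sample: nil structured data, as most local daemons emit.
    line = format_logtail_message(13, "2024-05-01T12:00:00.000Z", "web01", "sshd", "1234", "-",
                                  "-", "Accepted publickey for alice\n", "YOUR_LOGTAIL_SOURCE_TOKEN")
    print(frame_octet_counted(line).decode())
```

Run it with a real source token and call send_frames_tls([frame_octet_counted(line)]) to confirm the TLS handshake and name check succeed from your host before relying on the rsyslog action.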