Send your system logs to Better Stack using RSyslog.
Install RSyslog TLS package:
apt-get install rsyslog-gnutls
Set up RSyslog using the provided script:
wget -qO- https://telemetry.betterstack.com/rsyslog/$SOURCE_TOKEN | sh
Or, to log over UDP:
wget -qO- https://telemetry.betterstack.com/rsyslog/udp/$SOURCE_TOKEN | sh
Curious about what the script does?
- Detects whether syslog-ng is installed on your system.
- Creates configuration for your Better Stack source.
Restart the RSyslog service to reload configuration:
systemctl restart rsyslog
You should see your logs in Better Stack → Live tail.
Please let us know at hello@betterstack.com.
We're happy to help! 🙏
Our Syslog server listens for TCP connections on port 6514, allowing only encrypted traffic. It also listens on port 6517 for unencrypted UDP connections.
Please use the Ingesting host from your source settings as the hostname.
To authenticate the incoming logs, we utilize Syslog's structured data. Every Syslog message must include [logtail@11993 source_token="$SOURCE_TOKEN"].
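The message format described above, as an added example that is not part of the original page or Better Stack's own code: it builds an RFC 5424 line carrying the source token as structured data, frames it octet-counted as the TCP configuration does, and checks a frame for the token. The host, app name, token and message values are constructed samples, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

SD_ID = "logtail@11993"  # structured-data ID required by the page

def sd_escape(value):
    """Escape backslash, double quote and ']' in an SD-PARAM value (RFC 5424)."""
    return re.sub(r'([\\"\]])', r"\\\1", value)

def build_message(token, msg, *, facility=1, severity=6, host="web-1",
                  app="demo", procid="-", msgid="-", when=None):
    """Return one RFC 5424 line with the source token as structured data."""
    ts = (when or datetime.now(timezone.utc)).isoformat(timespec="microseconds")
    body = msg[:-1] if msg.endswith("\n") else msg  # drop one trailing LF
    sd = f'[{SD_ID} source_token="{sd_escape(token)}"]'
    return f"<{facility * 8 + severity}>1 {ts} {host} {app} {procid} {msgid} {sd} {body}"

def frame_octet_counted(line):
    """Prefix the UTF-8 byte length and a space (octet-counted TCP framing)."""
    body = line.encode("utf-8")
    return str(len(body)).encode("ascii") + b" " + body

def extract_token(frame):
    """Validate one octet-counted frame; return its source token or None."""
    length, _, rest = frame.partition(b" ")
    if not length.isdigit() or int(length) != len(rest):
        raise ValueError("octet count does not match payload length")
    pattern = r"\[" + re.escape(SD_ID) + r' source_token="((?:\\.|[^"\\])*)"\]'
    m = re.search(pattern, rest.decode("utf-8"))
    return re.sub(r"\\(.)", r"\1", m.group(1)) if m else None

if __name__ == "__main__":
    # Constructed sample token and message; nothing is sent over the network.
    frame = frame_octet_counted(build_message("EXAMPLE_TOKEN", "Hello from Better Stack!\n"))
    print(frame.decode("utf-8"))
    print("token present:", extract_token(frame) is not None)
```

Because the token travels inside every message, the same line sent to the unencrypted UDP port carries it in cleartext.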
Install RSyslog TLS package:
apt install rsyslog-gnutls
Do you want to log over TCP or UDP?
Configure RSyslog to log over TCP:
global(DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt")

template(name="LogtailFormat" type="list") {
  constant(value="<")
  property(name="pri")
  constant(value=">")
  constant(value="1")
  constant(value=" ")
  property(name="timestamp" dateFormat="rfc3339")
  constant(value=" ")
  property(name="hostname")
  constant(value=" ")
  property(name="app-name")
  constant(value=" ")
  property(name="procid")
  constant(value=" ")
  property(name="msgid")
  constant(value=" ")
  property(name="structured-data" regex.expression="[^-]" regex.nomatchmode="BLANK" regex.submatch="0")
  constant(value="[logtail@11993 source_token=\"$SOURCE_TOKEN\"]")
  constant(value=" ")
  property(name="msg" droplastlf="on")
}

action(
  type="omfwd"
  protocol="tcp"
  target="$INGESTING_HOST_VEC"
  port="6514"
  template="LogtailFormat"
  TCP_Framing="octet-counted"
  StreamDriver="gtls"
  StreamDriverMode="1"                                # TLS-only mode
  StreamDriverAuthMode="x509/name"                    # validate the server certificate and check its name
  StreamDriverPermittedPeers="*.betterstackdata.com"  # accepted certificate name
  queue.spoolDirectory="/var/spool/rsyslog"
  queue.filename="logtail"
  queue.maxdiskspace="75m"
  queue.type="LinkedList"
  queue.saveonshutdown="on"                           # keep queued messages across restarts
)
Not using Ubuntu or Debian?
You might need to adjust the certificate path in the config based on your operating system.
For example, use /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem on CentOS.
Configure RSyslog to log over UDP:
template(name="LogtailFormat" type="list") {
  constant(value="<")
  property(name="pri")
  constant(value=">")
  constant(value="1")
  constant(value=" ")
  property(name="timestamp" dateFormat="rfc3339")
  constant(value=" ")
  property(name="hostname")
  constant(value=" ")
  property(name="app-name")
  constant(value=" ")
  property(name="procid")
  constant(value=" ")
  property(name="msgid")
  constant(value=" ")
  property(name="structured-data" regex.expression="[^-]" regex.nomatchmode="BLANK" regex.submatch="0")
  constant(value="[logtail@11993 source_token=\"$SOURCE_TOKEN\"]")
  constant(value=" ")
  property(name="msg" droplastlf="on")
}

action(
  type="omfwd"
  protocol="udp"
  target="$INGESTING_HOST_VEC"
  port="6517"
  template="LogtailFormat"
  queue.spoolDirectory="/var/spool/rsyslog"
  queue.filename="logtail"
  queue.maxdiskspace="75m"
  queue.type="LinkedList"
  queue.saveonshutdown="on"  # keep queued messages across restarts
)
Restart the RSyslog service:
systemctl restart rsyslog
Test the logger:
logger "Hello from Better Stack!"
You should see your logs in Better Stack → Live tail.