Send logs to Better Stack with RSyslog

Start logging in 5 minutes

Send your system logs to Better Stack using RSyslog.

1. Install

Install RSyslog TLS package:

Install RSyslog TLS
apt-get install rsyslog-gnutls

2. Setup

Set up RSyslog using the provided script:

TCP (recommended):
wget -qO- https://telemetry.betterstack.com/rsyslog/$SOURCE_TOKEN | sh

UDP:
wget -qO- https://telemetry.betterstack.com/rsyslog/udp/$SOURCE_TOKEN | sh

Curious about what the script does?

  • Detects whether syslog-ng is installed on your system.
  • Creates configuration for your Better Stack source.

3. Restart

Restart the RSyslog service to reload configuration:

Restart the service
systemctl restart rsyslog

You should see your logs in Better Stack → Live tail.

Need help?

Please let us know at hello@betterstack.com.
We're happy to help! 🙏

Manual RSyslog setup

Our Syslog server listens for TCP connections on port 6514, allowing only encrypted traffic. It also listens on port 6517 for unencrypted UDP connections. Please use the Ingesting host from your source settings as the hostname.

To authenticate incoming logs, we use Syslog's structured data. Every Syslog message must include [logtail@11993 source_token="$SOURCE_TOKEN"]. Since the token is part of each message, it travels unencrypted when you use the UDP port.

1. Install

Install RSyslog TLS package:

Install RSyslog TLS
apt install rsyslog-gnutls

2. Setup

Do you want to log over TCP or UDP?

Log using TCP

Configure RSyslog to log over TCP:

Syslog config
global(DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt")

template(name="LogtailFormat" type="list") {
 constant(value="<")
 property(name="pri")
 constant(value=">")
 constant(value="1")
 constant(value=" ")
 property(name="timestamp" dateFormat="rfc3339")
 constant(value=" ")
 property(name="hostname")
 constant(value=" ")
 property(name="app-name")
 constant(value=" ")
 property(name="procid")
 constant(value=" ")
 property(name="msgid")
 constant(value=" ")
 property(name="structured-data" regex.expression="[^-]" regex.nomatchmode="BLANK" regex.submatch="0")
 constant(value="[logtail@11993 source_token=\"$SOURCE_TOKEN\"]")
 constant(value=" ")
 property(name="msg" droplastlf="on")
}

action(
 type="omfwd"
 protocol="tcp"
 target="$INGESTING_HOST_VEC"
 port="6514"
 template="LogtailFormat"
 TCP_Framing="octet-counted"
 StreamDriver="gtls"
 StreamDriverMode="1"
 StreamDriverAuthMode="x509/name"
 StreamDriverPermittedPeers="*.betterstackdata.com"
 queue.spoolDirectory="/var/spool/rsyslog"
 queue.filename="logtail"
 queue.maxdiskspace="75m"
 queue.type="LinkedList"
 queue.saveonshutdown="on"
)

Not using Ubuntu or Debian?
You might need to adjust the certificate path in the config based on your operating system. For example, use /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem on CentOS.

Log using UDP

Configure RSyslog to log over UDP:

Syslog config
template(name="LogtailFormat" type="list") {
 constant(value="<")
 property(name="pri")
 constant(value=">")
 constant(value="1")
 constant(value=" ")
 property(name="timestamp" dateFormat="rfc3339")
 constant(value=" ")
 property(name="hostname")
 constant(value=" ")
 property(name="app-name")
 constant(value=" ")
 property(name="procid")
 constant(value=" ")
 property(name="msgid")
 constant(value=" ")
 property(name="structured-data" regex.expression="[^-]" regex.nomatchmode="BLANK" regex.submatch="0")
 constant(value="[logtail@11993 source_token=\"$SOURCE_TOKEN\"]")
 constant(value=" ")
 property(name="msg" droplastlf="on")
}

action(
 type="omfwd"
 protocol="udp"
 target="$INGESTING_HOST_VEC"
 port="6517"
 template="LogtailFormat"
 queue.spoolDirectory="/var/spool/rsyslog"
 queue.filename="logtail"
 queue.maxdiskspace="75m"
 queue.type="LinkedList"
 queue.saveonshutdown="on"
)

3. Restart

Restart the RSyslog service:

Restart the service
systemctl restart rsyslog

4. Start logging 🎉

Test the logger:

Send test log
logger "Hello from Better Stack!"

You should see your logs in Better Stack → Live tail.
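
One way to check the forwarding action from the Setup step, written as an added Python example (not Better Stack's code): it flags UDP forwarding and any departure from the TLS settings in the TCP config above. The function names and the weakened sample are assumptions made for illustration; values containing '#' or escaped quotes are not handled.

```python
import re

# Constructed samples: transport parameters of the two action() blocks on this
# page (placeholders kept), plus a hypothetical weakened TCP variant.
TCP_ACTION = '''action(type="omfwd" protocol="tcp" target="$INGESTING_HOST_VEC" port="6514"
 StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name"
 StreamDriverPermittedPeers="*.betterstackdata.com")'''
UDP_ACTION = 'action(type="omfwd" protocol="udp" target="$INGESTING_HOST_VEC" port="6517")'
WEAK_ACTION = '''action(type="omfwd" protocol="tcp" target="$INGESTING_HOST_VEC" port="6514"
 StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="anon"
 # StreamDriverPermittedPeers="*.betterstackdata.com"
)'''

def parse_params(action_text):
    """Return the name="value" pairs of one action() block, names lowercased.
    Text after '#' on a line is treated as a comment and ignored."""
    active = re.sub(r"#.*", "", action_text)
    return {k.lower(): v for k, v in re.findall(r'([\w.]+)\s*=\s*"([^"]*)"', active)}

def audit_omfwd(action_text):
    """Return findings for an omfwd action; an empty list means the TLS
    settings match the TCP configuration shown on this page."""
    p = parse_params(action_text)
    if p.get("type") != "omfwd":
        return ["not an omfwd action"]
    if p.get("protocol", "udp").lower() != "tcp":  # omfwd defaults to UDP
        return ["protocol is not tcp: every message, source_token included, is sent unencrypted"]
    findings = []
    if p.get("streamdriver") != "gtls":
        findings.append("StreamDriver is not gtls: TLS is not enabled")
    if p.get("streamdrivermode") != "1":
        findings.append("StreamDriverMode is not 1: TLS-only mode is off")
    if p.get("streamdriverauthmode") != "x509/name":
        findings.append("StreamDriverAuthMode is not x509/name: the server certificate name is not checked")
    if not p.get("streamdriverpermittedpeers"):
        findings.append("StreamDriverPermittedPeers is empty: no peer name is pinned")
    return findings

if __name__ == "__main__":
    for name, cfg in [("tcp", TCP_ACTION), ("udp", UDP_ACTION), ("weak", WEAK_ACTION)]:
        print(name, audit_omfwd(cfg) or "ok")
```

To audit a real host, pass the text of the action() block from your RSyslog configuration file to audit_omfwd.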
