Send logs to Better Stack with RSyslog

Start logging in 5 minutes

Send your system logs to Better Stack using RSyslog.

1. Install

Install RSyslog TLS package:

Install RSyslog TLS
apt-get install rsyslog-gnutls

2. Setup

Set up RSyslog using the provided script:

TCP (recommended) UDP
wget -qO- https://logs.betterstack.com/rsyslog/$SOURCE_TOKEN | sh
wget -qO- https://logs.betterstack.com/rsyslog/udp/$SOURCE_TOKEN | sh

Curious about what the script does?

  • Detects whether syslog-ng is installed on your system.
  • Creates configuration for your Better Stack source.

2. Restart

Restart the RSyslog service to reload configuration:

Restart the service
systemctl restart rsyslog

You should see your logs in Better Stack β†’ Live tail.

Need help?

Please let us know at hello@betterstack.com.
We're happy to help! πŸ™

Manual RSyslog setup

Our Syslog server listens for TCP connections on in.logs.betterstack.com:6514, allowing only encrypted traffic. It also listens on in.logs.betterstack.com:6517 for unencrypted UDP connections.

To authenticate the incoming logs, we utilize Syslog's structured data. Every Syslog message must include [logtail@11993 source_token="$SOURCE_TOKEN"].

1. Install

Install RSyslog TLS package:

Install RSyslog TLS
apt install rsyslog-gnutls

Setup

Do you want to log over TCP or UDP?

Log using TCP

Configure RSyslog to log over TCP:

Syslog config
global(DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt")

template(name="LogtailFormat" type="list") {
 constant(value="<")
 property(name="pri")
 constant(value=">")
 constant(value="1")
 constant(value=" ")
 property(name="timestamp" dateFormat="rfc3339")
 constant(value=" ")
 property(name="hostname")
 constant(value=" ")
 property(name="app-name")
 constant(value=" ")
 property(name="procid")
 constant(value=" ")
 property(name="msgid")
 constant(value=" ")
 property(name="structured-data" regex.expression="[^-]" regex.nomatchmode="BLANK" regex.submatch="0")
 constant(value="[logtail@11993 source_token=\"$SOURCE_TOKEN\"]")
 constant(value=" ")
 property(name="msg" droplastlf="on")
}

action(
 type="omfwd"
 protocol="tcp"
 target="in.logs.betterstack.com"
 port="6514"
 template="LogtailFormat"
 TCP_Framing="octet-counted"
 StreamDriver="gtls"
 StreamDriverMode="1"
 StreamDriverAuthMode="x509/name"
 StreamDriverPermittedPeers="*.logs.betterstack.com"
 queue.spoolDirectory="/var/spool/rsyslog"
 queue.filename="logtail"
 queue.maxdiskspace="75m"
 queue.type="LinkedList"
 queue.saveonshutdown="on"
)

Not using Ubuntu or Debian?
You might need to adjust the certificate path in the config based on your operating system. For example, use /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem on CentOS.

Log using UDP

Configure RSyslog to log over UDP:

Syslog config
template(name="LogtailFormat" type="list") {
 constant(value="<")
 property(name="pri")
 constant(value=">")
 constant(value="1")
 constant(value=" ")
 property(name="timestamp" dateFormat="rfc3339")
 constant(value=" ")
 property(name="hostname")
 constant(value=" ")
 property(name="app-name")
 constant(value=" ")
 property(name="procid")
 constant(value=" ")
 property(name="msgid")
 constant(value=" ")
 property(name="structured-data" regex.expression="[^-]" regex.nomatchmode="BLANK" regex.submatch="0")
 constant(value="[logtail@11993 source_token=\"$SOURCE_TOKEN\"]")
 constant(value=" ")
 property(name="msg" droplastlf="on")
}

action(
 type="omfwd"
 protocol="udp"
 target="in.logs.betterstack.com"
 port="6517"
 template="LogtailFormat"
 queue.spoolDirectory="/var/spool/rsyslog"
 queue.filename="logtail"
 queue.maxdiskspace="75m"
 queue.type="LinkedList"
 queue.saveonshutdown="on"
)

3. Restart

Restart the RSyslog service:

Restart the service
systemctl restart rsyslog

4. Start logging πŸŽ‰

Test the logger:

Send test log
logger "Hello from Better Stack!"

You should see your logs in Better Stack β†’ Live tail.

Need help?

Please let us know at hello@betterstack.com.
We're happy to help! πŸ™