Java Logback using syslog

You can send and manage your Java logs using Logback syslog appender. We’ll show you how to setup a syslog appender to forward these to Rsyslog, which will then forward them to Loggly.

We automatically parse out the timestamp, method, fully classified class name, thread, and log level from logback. The syslog protocol does not support multiline events, so rsyslog will combine them into a single line escaped by octal characters. The advantage of using Rsyslog is that it can send TCP events without blocking your application, can optionally encrypt the data, and even queue data to add robustness to network failure. Although the library supports to send logs up to 64K, currently you can only ingest up to 32K logs to Loggly. This guide assumes you use Java Logback, the default log configuration and directories. For alternatives, please see the Advanced Options section.

Java Logback Log Management using Setup using syslog

1. Configure Syslog Daemon

If you haven’t already, run our automatic Configure-Syslog script below to setup rsyslog. Alternatively, you can Manually Configure Rsyslog or Syslog-ng.

curl -O https://www.loggly.com/install/configure-linux.sh
sudo bash configure-linux.sh -a SUBDOMAIN -u USERNAME

Replace:

SUBDOMAIN: your account subdomain that you created when you signed up for Loggly
USERNAME: your Loggly username

2. Configure Syslog Daemon for UDP Input

Open rsyslog’s configuration file

sudo vim /etc/rsyslog.conf

Uncomment these lines to accept UDP messages on the default port 514.

$ModLoad imudp
$UDPServerRun 514

Java Log4j Log

Restart the rsyslog service so the changes take effect

sudo service rsyslog restart

3. Logback Configuration

Open your logback.xml file:

vim logback.xml

Configure SyslogAppender to write these messages as UDP over localhost to the syslog daemon. The daemon will forward them to Loggly. The first field in the suffix pattern is the syslog appname, in this case it’s set to java.

<configuration debug="true">
  <appender name="loggly" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>localhost</syslogHost>
    <facility>SYSLOG</facility>
    <port>514</port>
    <suffixPattern>java %d{ISO8601,UTC} %p %t %c %M - %m%n</suffixPattern>
  </appender>
  <root level="info">
    <appender-ref ref="loggly" />
  </root>
</configuration>

Save the file then restart your Java application so the changes take effect.

4. Verify Events

Search Loggly for events with the java log type over the past hour. It may take a few minutes to index the event. If it doesn’t work, see the troubleshooting section below.

logtype:java

Click on one of the logs to show a list of Java or JSON fields (see screenshot below). If you don’t see them, please check that you are using one of our automatically parsed formats.
Java Logback Using Syslog Example

5. Next Steps

Troubleshooting with Java Logs – Use your logs to find the most common exceptions, trace transactions, debug memory issues, and more.

Advanced Java Logging Options

Java Logback HTTP – For Logback or SLF4J logging via HTTP, especially good for multiline stack traces
Log4j1 – You can send log using Java Log4j1
Log4j2 – You can also send log using Java Log4j2
File Monitoring – You can also configure Log4j with a FileAppender, then monitor that file using Rsyslog. This gives you a local backup but doesn’t work well with multiline stacktraces.
CustomAppname– You can set custom appName in Logback using following suffix pattern
```
<suffixPattern>customAppName %d{ISO8601,UTC} %p %t %c %M - %m%n</suffixPattern> 
```
Syslog4j – The Syslog4j appender can send events up to 64k in size, but it doesn’t seem to follow the layout pattern to enable parsing.
logglylog4j – To send events directly to Loggly over the HTTP/S Event API, supports multiline with proper newline display
Loggly Libraries Catalog – Additional libraries are added here
Search or post your own logback examples, configuration, logback tutorials, or other questions in the community forum.

Java Logback Troubleshooting

If you don’t see any data show up in the verification step, then check for these common problems.

Check Logback:

Wait a few minutes in case indexing needs to catch up
Verify Logback is working, such as by setting up a local file appender with the same format
Run "sudo tcpdump -i lo -A udp and port 514" to verify UDP events are being sent to localhost

Check Your Syslog Daemon:

Please check syslog file in /var/log/syslog if message not send to loggly.
If log is getting truncated please check rsyslog.conf file and add $MaxMessageSize 64k if not exist.
Troubleshooting Rsyslog

Still Not Working?

Search or post your own questions on Java Logback in the community forum.

When the APM Integrated Experience is enabled, Loggly shares a common navigation and enhanced feature set with the other integrated experiences' products. How you navigate Loggly and access its features may vary from these instructions. For more information, go to the APM Integrated Experience documentation.

The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.