Documentation for Loggly

Rsyslog Manual Configuration

Loggly provides the infrastructure to aggregate and normalize log events so they are available to explore interactively, build visualizations, or create threshold-based alerting. In general, any method to send logs from a system or application to an external source can be adapted to send logs to Loggly. The following instructions provide one scenario for sending logs to Loggly.

This basic rsyslog configuration sends your local system logs to Loggly and offers a foundation for adding file and application logs. If you cannot use our automated configure-syslog script, this guide walks you through the manual setup with a quick copy and paste.

It assumes you have sudo access, that you are on a common Linux distribution with rsyslog 1.19 or higher, that rsyslog already receives the local system logs, and that outbound connections to TCP port 514 are allowed. Note that this basic configuration sends logs in clear text over the network; if the logs contain sensitive data, use the Rsyslog TLS configuration instead. If you have different requirements, see the Advanced section or the Rsyslog TLS configuration.

Rsyslog Configuration Manual Setup

1. Configure Rsyslog

Open or create the Loggly configuration file for rsyslog:

sudo vim /etc/rsyslog.d/22-loggly.conf 

Determine the version of rsyslog you are using

rsyslogd -v 

If you are using version 6.x or lower, paste in this configuration:

# Setup disk assisted queues
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1   # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g    # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on   # save messages to disk on shutdown
$ActionQueueType LinkedList    # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down

$template LogglyFormat,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [TOKEN@41058 tag=\"TAG\"] %msg%\n"

# Send messages to Loggly over TCP using the template.
*.* @@logs-01.loggly.com:514;LogglyFormat

If you are using version 7.x or higher, paste in this configuration:

# Setup disk assisted queues
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1   # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g    # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on   # save messages to disk on shutdown
$ActionQueueType LinkedList    # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down

template(name="LogglyFormat" type="string"
 string="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [TOKEN@41058 tag=\"TAG\"] %msg%\n")

# Send messages to Loggly over TCP using the template.
action(type="omfwd" protocol="tcp" target="logs-01.loggly.com" port="514" template="LogglyFormat")

Replace the placeholders in the template:

  • TOKEN: Replace with your customer token. Anyone holding this token can send events into your account, so keep 22-loggly.conf readable only by root (for example mode 0640, owned by root).
  • TAG: Replace with a tag that describes the syslog source. The tag sits inside an RFC 5424 structured-data element, so do not use double quotes, backslashes or closing square brackets in it; those characters would need escaping and otherwise break parsing of every message.

Open /etc/rsyslog.conf and set $MaxMessageSize to

$MaxMessageSize 64k 

If $MaxMessageSize is not present, add it. rsyslog applies this directive only to inputs loaded after it, so put it at the top of the configuration file, before any module is loaded.

2. Restart rsyslogd

$ sudo service rsyslog restart

On systemd-based distributions, sudo systemctl restart rsyslog is equivalent. Running rsyslogd -N1 first checks the configuration for syntax errors without restarting the service.

3. Send A Test Event

Use logger to send a test event. Alternatively, use the automatic verification option in configure-syslog.

$ logger 'Hello World!' 

4. Verify

Verify that the event shows up in Loggly by searching over the past hour. If it does not, see the Rsyslog troubleshooting section below.

Click on one of the logs to show the list of syslog fields. If you do not see them, check that you are using one of our automatically parsed formats.

Screenshot: Rsyslog manual configuration example

5. Next Steps

Advanced Rsyslog Configuration Options

  • Rsyslog TLS config – securely send sensitive data using TLS encryption
  • Switch to UDP logging by using a single "@" instead of "@@" in the *.* @@logs-01.loggly.com:514;LogglyFormat line of 22-loggly.conf (legacy syntax), or protocol="udp" in the action() statement (7.x and higher). UDP delivery is unacknowledged, so the disk-assisted queue cannot detect or retry lost messages; use it only where loss is acceptable.
  • rsyslog's default maximum message size is 8K. Set the $MaxMessageSize parameter in /etc/rsyslog.conf (as in step 1) to handle messages longer than 8K.
  • Streaming syslog to Loggly – accept syslog from the network or localhost, avoid file writes
  • Joyent or SmartOS containers – the config file is stored in /opt/local/etc/rsyslog.conf
  • Search or post your own rsyslog configuration questions in the community forum.
  • Multiple tags: You can send more than one tag with each event by repeating the tag parameter inside the structured-data element of the template. In the 7.x and higher syntax the double quotes must be escaped with backslashes, exactly as in the single-tag template above:
    template(name="LogglyFormat" type="string"
     string="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [TOKEN@41058 tag=\"TAG1\" tag=\"TAG2\"] %msg%\n")

    After changing the template line, restart the rsyslog service so the change takes effect.
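The script below is added here as an example; it is not Loggly's configure-syslog script and not part of the original page. It automates steps 1 to 3 above for the 7.x and higher syntax and also covers the multiple-tags option: it renders 22-loggly.conf for one customer token and any number of tags, rejects tokens or tags containing characters that would need RFC 5424 escaping, installs the file with root-only permissions, prepends $MaxMessageSize 64k to /etc/rsyslog.conf if it is missing, runs rsyslogd -N1 as a syntax check, restarts the service and sends the "Hello World!" test event. The LOGGLY_TOKEN and LOGGLY_TAGS environment variables, the --apply and --render flags and the loggly-test logger tag are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Loggly's configure-syslog script: render, install and
# check the 7.x+ Loggly configuration from this page.  LOGGLY_TOKEN,
# LOGGLY_TAGS, --apply, --render and the loggly-test tag are assumptions.
set -eu

CONF=/etc/rsyslog.d/22-loggly.conf
MAIN_CONF=/etc/rsyslog.conf
SPOOL=/var/spool/rsyslog

# Print the configuration to stdout.  $1 is the customer token, every further
# argument is a tag; each tag becomes its own tag="..." parameter inside the
# [TOKEN@41058 ...] structured-data element, as in the multiple-tags template.
# Tokens and tags are limited to characters that need no RFC 5424 escaping
# (a '"', '\' or ']' would otherwise corrupt the element on every message).
render_loggly_conf() {
    token=$1; shift
    case "$token" in
        ''|*[!A-Za-z0-9-]*) echo "invalid customer token" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "at least one tag is required" >&2; return 1; }
    sd_params=""
    for t in "$@"; do
        case "$t" in
            ''|*[!A-Za-z0-9._-]*) echo "invalid tag: '$t'" >&2; return 1 ;;
        esac
        sd_params="$sd_params tag=\\\"$t\\\""
    done
    cat <<EOF
# Setup disk assisted queues
\$WorkDirectory $SPOOL # where to place spool files
\$ActionQueueFileName fwdRule1   # unique name prefix for spool files
\$ActionQueueMaxDiskSpace 1g    # 1gb space limit (use as much as possible)
\$ActionQueueSaveOnShutdown on   # save messages to disk on shutdown
\$ActionQueueType LinkedList    # run asynchronously
\$ActionResumeRetryCount -1    # infinite retries if host is down

template(name="LogglyFormat" type="string"
 string="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [$token@41058$sd_params] %msg%\n")

# Send messages to Loggly over TCP using the template (clear text; see the TLS page).
action(type="omfwd" protocol="tcp" target="logs-01.loggly.com" port="514" template="LogglyFormat")
EOF
}

# Steps 1-3 of this page, run as root.  LOGGLY_TOKEN is required; LOGGLY_TAGS
# is a whitespace-separated tag list and defaults to the hostname.
apply_loggly_conf() {
    : "${LOGGLY_TOKEN:?set LOGGLY_TOKEN to your customer token}"
    tags=${LOGGLY_TAGS:-$(hostname)}
    tmp=$(mktemp)
    # shellcheck disable=SC2086  # tags are meant to split on whitespace
    render_loggly_conf "$LOGGLY_TOKEN" $tags > "$tmp"
    # The file carries the customer token, which lets anyone holding it write
    # into your account: root-only.  rsyslog reads its config as root at start-up.
    install -o root -g root -m 0640 "$tmp" "$CONF"
    rm -f "$tmp"
    mkdir -p "$SPOOL"
    # $MaxMessageSize must precede any input module, hence the very top.
    if ! grep -q '^\$MaxMessageSize' "$MAIN_CONF"; then
        tmp=$(mktemp)
        { printf '%s\n' '$MaxMessageSize 64k'; cat "$MAIN_CONF"; } > "$tmp"
        cat "$tmp" > "$MAIN_CONF"
        rm -f "$tmp"
    fi
    rsyslogd -N1                     # parse check before touching the service
    systemctl restart rsyslog 2>/dev/null || service rsyslog restart
    logger -t loggly-test 'Hello World!'
    echo "test event sent; search Loggly over the past hour for it"
}

case "${1:-}" in
    --apply)  apply_loggly_conf ;;
    --render) shift; render_loggly_conf "$@" ;;
esac
```

Usage: LOGGLY_TOKEN=your-token LOGGLY_TAGS="web prod" sudo -E sh loggly-rsyslog.sh --apply installs and restarts; sh loggly-rsyslog.sh --render your-token web prod only prints the rendered file for review. Passing the token through the environment rather than as an argument keeps it out of shell history and process listings of other users.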

Troubleshooting Rsyslog Configuration

Troubleshooting Rsyslog offers tips if you do not see data in the verification step.

The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.