Documentation for Loggly

Linux Syslog

Loggly provides the infrastructure to aggregate and normalize log events so they are available to explore interactively, build visualizations, or create threshold-based alerting. In general, any method to send logs from a system or application to an external source can be adapted to send logs to Loggly. The following instructions provide one scenario for sending logs to Loggly.

You can configure Linux to send logs to Loggly through the default syslog daemon installed with your distribution, so there are no proprietary agents needed. This guide will configure your system to send the standard Linux system logs, and offer a foundation to monitor file and application logs.

This Linux logging guide assumes you have sudo access, you’re on a common Linux distribution with rsyslog 5.8 or higher, it receives local system logs, and port 514 is open to outbound connections. If you have different requirements, please see the Advanced Options below.

Linux Logging Setup

1. Configure Syslog Daemon

Run our automatic Configure-Syslog script below to set up rsyslog. Alternatively, you can Manually Configure Rsyslog or Syslog-ng.

curl -O https://www.loggly.com/install/configure-linux.sh
sudo bash configure-linux.sh -a SUBDOMAIN -u USERNAME 

Replace:

  • SUBDOMAIN: your account subdomain that you created when you signed up for Loggly
  • USERNAME: your Loggly username, which is visible at the top right of the Loggly console

You will need to enter your system root password so the script can update your rsyslog configuration. It will then prompt for your Loggly password.

2. Send A Test Event

Use the logger command to send a test event to Loggly.

logger 'Hello World!' 

3. Verify

Search Loggly over the past 30 minutes to find your logs. It may take a few minutes to index them. If you don’t see them, check the troubleshooting section below.

Click on one of the Linux logs to show a list of syslog fields. If you don’t see them, please check that you are using one of our automatically parsed formats.

Linux Syslog Example

4. Next Steps

Advanced Linux Logging Options

  • Rsyslog TLS config – securely send sensitive data using TLS encryption
  • Switch to UDP logging by using a single "@" instead of "@@" in the *.* @@logs-01.loggly.com:514;LogglyFormat line in the 22-loggly.conf file.
  • The default maximum supported message size is 8K. To handle messages larger than 8K, set the $MaxMessageSize parameter in the /etc/rsyslog.conf file.
  • Streaming syslog
  • Joyent or SmartOS Containers – the config file is stored in /opt/local/etc/rsyslog.conf
  • Search or post your own Linux logs questions in the community forum.
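
The following added example (not part of Loggly's documentation or its configure script) reads an rsyslog legacy-format file such as 22-loggly.conf and reports, for each forwarding rule, whether it uses UDP ("@") or TCP ("@@") and whether TLS was enabled before it. The function names, the sample config and the .example hosts are constructed; $ActionSendStreamDriverMode is rsyslog's own legacy directive and does not appear on this page.

```shell
#!/bin/sh
# Added example: report the transport of each rsyslog legacy forwarding rule.
# "@host" forwards over UDP, "@@host" over TCP (the rule quoted above).
# Function names and the sample config are constructed for illustration.

# Print one line per forwarding rule: <transport> <host> <port> <tls|plaintext>
audit_forwarding() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
        $1 ~ /^\$/ {                             # legacy "$Directive value" line
            # rsyslog directive (not from this page): mode 1 turns on TLS
            # for the forwarding actions that follow it
            if (tolower($1) == "$actionsendstreamdrivermode") tls = ($2 == "1")
            next
        }
        {
            for (i = 2; i <= NF; i++) {
                t = $i
                if (t !~ /^@/) continue          # not a forwarding target
                proto = (t ~ /^@@/) ? "tcp" : "udp"
                sub(/^@+/, "", t)                # drop the @ / @@ marker
                sub(/^\([^)]*\)/, "", t)         # drop options such as (z9)
                sub(/;.*$/, "", t)               # drop ";TemplateName"
                n = split(t, hp, ":")
                port = (n > 1) ? hp[2] : "514"   # rsyslog default port
                # TLS only applies to TCP forwarding; UDP is always plaintext
                mode = (proto == "tcp" && tls) ? "tls" : "plaintext"
                print proto, hp[1], port, mode
            }
        }
    ' "$1"
}

# Constructed sample input; the first rule is the one quoted on this page.
sample_conf() {
    cat <<'EOF'
# constructed sample config
*.* @@logs-01.loggly.com:514;LogglyFormat
*.* @logs-01.loggly.com:514;LogglyFormat
# *.* @@disabled.example:514
$ActionSendStreamDriverMode 1
*.* @@tls-collector.example:6514
EOF
}

# Stand-alone use: pass a config path, or run with no argument for the sample.
if [ -n "${1:-}" ]; then audit_forwarding "$1"; else sample_conf | audit_forwarding -; fi
```

Any rule reported as plaintext sends log content unencrypted; the Rsyslog TLS config option listed above is the one to use for sensitive data.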

Troubleshooting Linux Syslog

  • Rsyslog-Gnutls Package

    Sample Error Messages:

    Package rsyslog-gnutls is not available, but is referred to by another package. This may mean that the package is missing, has been obsoleted, or is only available from another source 

    If you see this error, you must first update your package manager’s repository by running the following command:

    sudo apt-get update 
  • SELinux Error Message:

    Sample Error Messages:

    ERROR: selinux status is 'Enforcing'. Please manually restart the rsyslog daemon or turn off selinux by running 'setenforce 0' and then rerun the script. 

    If you see this error, you will need to review your permissions in SELinux to ensure the correct access control is configured for your logging and security needs. For more information, see Using syslog-ng with SELinux in enforcing mode in the Syslog NG Community Blog.

    For more insight into specific permission failures and commands that may address the failure, review the security logs on your host.

  • If you are using RHEL 5 or older, you will need to manually configure rsyslog
  • Try manually configuring rsyslog if the script doesn’t work
  • See our Rsyslog Troubleshooting Guide
  • Check that you are using one of our automatically parsed formats
  • Search or post your own question in the community forum.

The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.