Documentation for SolarWinds Observability

Send logs using syslog

Using a syslog daemon such as rsyslog or NXLog, you can collect application, operating system, and other log files on your device and forward those logs to SolarWinds Observability. Linux devices typically come with rsyslog built in. NXLog can be installed on Windows devices to enable syslog functionality.

From a Linux machine

  1. In SolarWinds Observability, click Add Data in the upper-right corner.
  2. In the Add Data dialog, click Logs.

  3. Create or select an API ingestion token to use when sending your logs by doing either of the following:

    • Select Generate New Token and enter an Ingestion Token Name, and then click Next.
    • Select Use Existing Token and select an ingestion token from the list, and then click Next.
  4. Select Syslog and click Next.

  5. Select your Linux distribution from the Operating System drop-down.

  6. If Certificate Authority (CA) certificates are not already installed on your machine, install them now using the command (the rsyslog-gnutls package supplies the gtls TLS driver used in the configuration below):

    Debian/Ubuntu
    apt-get install ca-certificates rsyslog-gnutls
    RHEL
    yum install ca-certificates rsyslog-gnutls
  7. Create a new file named 99-solarwinds.conf and save it in /etc/rsyslog.d/. To determine the contents of the new file, do either of the following:

    • Press Copy to Clipboard under the Setup Config step and paste the contents into the 99-solarwinds.conf you just created.

    • Put the following configuration text into the 99-solarwinds.conf you just created, replacing YourTokenHere with your API ingestion token (found in the Token field).

      Debian/Ubuntu
      $DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
      $ActionSendStreamDriver gtls
      $ActionSendStreamDriverMode 1
      $ActionSendStreamDriverAuthMode x509/name
      $ActionSendStreamDriverPermittedPeer *.collector.na-01.st-ssp.solarwinds.com
      
      $template SWOFormat,"<%pri%>1 %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [YourTokenHere@41058]%msg:::sp-if-no-1st-sp%%msg%"
        
      *.* @@syslog.collector.xx-yy.cloud.solarwinds.com:6514;SWOFormat
      RHEL
      $DefaultNetstreamDriverCAFile /etc/pki/tls/certs/ca-bundle.crt
      $ActionSendStreamDriver gtls
      $ActionSendStreamDriverMode 1
      $ActionSendStreamDriverAuthMode x509/name
      $ActionSendStreamDriverPermittedPeer *.collector.na-01.st-ssp.solarwinds.com
      
      $template SWOFormat,"<%pri%>1 %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [YourTokenHere@41058]%msg:::sp-if-no-1st-sp%%msg%"
        
      *.* @@syslog.collector.xx-yy.cloud.solarwinds.com:6514;SWOFormat
  8. Restart rsyslog using the command:

    sudo service rsyslog restart
  9. Click View Logs to open the Logs Explorer and view the logs forwarded with syslog.

From a Windows machine

NXLog is required to send logs using syslog on a Windows machine. If it is not already installed, download and install version 2.11.x of NXLog Community Edition with the default options.

  1. In SolarWinds Observability, click Add Data in the upper-right corner.
  2. In the Add Data dialog, click Logs.

  3. Create or select an API ingestion token to use when sending your logs by doing either of the following:

    • Select Generate New Token and enter an Ingestion Token Name, and then click Next.
    • Select Use Existing Token and select an ingestion token from the list, and then click Next.
  4. Select Syslog and click Next.

  5. Select Windows from the Operating System drop-down.

  6. Download the certificate to the cert folder in the NXLog installation directory (typically C:\Program Files (x86)\nxlog\).

  7. Open nxlog.conf in the conf folder in the NXLog installation directory. To determine the contents of the file, do either of the following:

    • Press Copy to Clipboard under the Setup Config step and paste the contents into the nxlog.conf you just opened.

    • Put the following configuration text into the nxlog.conf you just opened, replacing YourApiTokenHere with your API ingestion token (found in the Token field).

      ## Please set the ROOT to your nxlog installation directory
      
      define TOKEN YourApiTokenHere
      define ROOT C:\Program Files (x86)\nxlog
      define CERTDIR %ROOT%\cert
      
      Moduledir %ROOT%\modules
      CacheDir %ROOT%\data
      Pidfile %ROOT%\data\nxlog.pid
      SpoolDir %ROOT%\data
      LogFile %ROOT%\data\nxlog.log
      
      <Extension syslog>
        Module xm_syslog
      </Extension>
      
      # Monitor application log files
      <Input watchfile>
        Module im_file
        # File 'C:\\path\\to\\*.log'
        Exec $Message = $raw_event;
        Exec if file_name() =~ /.*\\(.*)/ $SourceName = $1;
        SavePos TRUE
        Recursive FALSE
      </Input>
      
      # Monitor Windows event logs
      <Input eventlog>
        # Windows Vista/Server 2008 or later
        Module im_msvistalog
      
        # Windows 2000 or later: comment out im_msvistalog above and uncomment this line
        # Module im_mseventlog
      </Input>
      
      <Output syslogout>
        Module om_ssl
        Host logs.collector.na-01.cloud.solarwinds.com
        Port 6514
        Exec $Hostname = hostname(); to_syslog_ietf();
        Exec $raw_event =~ s/^(?:[^ ]* ){6}\K(?:-|\[(?:\\.|[^]\\])*])/[%TOKEN%@41058]/;
        OutputType Syslog_TLS
        CAFile %CERTDIR%\cacert.pem
        AllowUntrusted FALSE
      </Output>
      
      <Route 1>
        Path eventlog, watchfile => syslogout
      </Route>
  8. Restart the nxlog service using the commands:

    net stop nxlog
    net start nxlog
  9. Click View Logs to open the Logs Explorer and view the logs forwarded by syslog.
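As an added example (not SolarWinds' own code), the following Python mirrors what the two configurations above do to each message: the rsyslog SWOFormat template builds an RFC 5424 line with the token in the STRUCTURED-DATA field, and the NXLog Exec regex rewrites that field on lines that already exist. The token, host names and timestamp are constructed placeholders; the NILVALUE and escaped-bracket cases the NXLog regex covers are handled the same way.

```python
# Added example (not SolarWinds' own code): RFC 5424 lines as the rsyslog
# SWOFormat template emits them, plus the token injection that the NXLog
# Exec regex performs on the STRUCTURED-DATA field.
import re
from datetime import datetime, timezone

TOKEN = "YourTokenHere"          # constructed placeholder, not a real token
SD_ELEMENT = f"[{TOKEN}@41058]"  # same SD-ID form as in both configs above
SAMPLE_TS = datetime(2024, 5, 6, 7, 8, 9, 123456, tzinfo=timezone.utc)  # constructed


def swo_format(pri: int, host: str, app: str, procid: str, msgid: str,
               msg: str, ts: datetime) -> str:
    """Mirror of the rsyslog SWOFormat template:
    <PRI>1 TIMESTAMP HOST APP PROCID MSGID [token@41058]MSG
    rsyslog's sp-if-no-1st-sp inserts a space only if MSG does not already
    start with one; the timestamp is RFC 3339 with microseconds and a
    numeric offset, the style rsyslog's date-rfc3339 produces."""
    sep = "" if msg.startswith(" ") else " "
    return (f"<{pri}>1 {ts.isoformat(timespec='microseconds')} "
            f"{host} {app} {procid} {msgid} {SD_ELEMENT}{sep}{msg}")


# Python version of the NXLog Exec regex
#   s/^(?:[^ ]* ){6}\K(?:-|\[(?:\\.|[^]\\])*])/[%TOKEN%@41058]/
# Python's re has no \K, so the six leading fields are captured and re-emitted.
_SD_FIELD = re.compile(r"^((?:[^ ]* ){6})(?:-|\[(?:\\.|[^\]\\])*\])")


def inject_token(line: str, token: str = TOKEN) -> str:
    """Replace the 7th field of an RFC 5424 line (STRUCTURED-DATA: either the
    NILVALUE '-' or one SD element, escaped ']' included) with the SolarWinds
    token element. Lines that do not match (e.g. BSD-style syslog) are
    returned unchanged, which is also what NXLog does when its regex fails."""
    return _SD_FIELD.sub(lambda m: m.group(1) + f"[{token}@41058]", line, count=1)


if __name__ == "__main__":
    print(swo_format(13, "web01", "sshd", "1234", "-", "Accepted publickey", SAMPLE_TS))
    print(inject_token("<14>1 2024-05-06T07:08:09Z host01 nxlog 100 - - started"))
```

Running the script prints one line per function; the second shows the NILVALUE "-" replaced by the token element while the rest of the line is untouched.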

The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.