Syslog
You can send your system logs directly to our servers over an encrypted TCP connection. Our Syslog server is listening for TCP connections on in.logtail.com:6514 and it allows only encrypted traffic.
To authenticate the incoming logs, we utilize Syslog's structured data mechanism. Every Syslog message you send to our server must include [[email protected] source_token="YOUR_LOGTAIL_SOURCE_TOKEN].
1. Install rsyslog-gnutls to enable TLS encryption:
apt install rsyslog-gnutls
2. Create a configuration file with the following content:
/etc/rsyslog.d/70-logtail.confglobal(DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt")template(name="LogtailFormat" type="list") {constant(value="<")property(name="pri")constant(value=">")constant(value="1")constant(value=" ")property(name="timestamp" dateFormat="rfc3339")constant(value=" ")property(name="hostname")constant(value=" ")property(name="app-name")constant(value=" ")property(name="procid")constant(value=" ")property(name="msgid")constant(value=" ")property(name="structured-data" regex.expression="[^-]" regex.nomatchmode="BLANK" regex.submatch="0")constant(value="[[email protected] source_token=\"YOUR_LOGTAIL_SOURCE_TOKEN\"]")constant(value=" ")property(name="msg" droplastlf="on")}action(type="omfwd"protocol="tcp"target="in.logtail.com"port="6514"template="LogtailFormat"TCP_Framing="octet-counted"StreamDriver="gtls"StreamDriverMode="1"StreamDriverAuthMode="x509/name"StreamDriverPermittedPeers="*.logtail.com"queue.spoolDirectory="/var/spool/rsyslog"queue.filename="logtail"queue.maxdiskspace="75m"queue.type="LinkedList"queue.saveonshutdown="on")
Make sure to replace YOUR_LOGTAIL_SOURCE_TOKEN with your own source token from Logtail.com.
This configuration works on Ubuntu or other Debian-based Linux distributions. Other Linux distributions might have the file with the trusted root CA can be in a different location and the file have a different name. If this is the case, please change the file path on the first line to the correct value (e.g., /etc/ssl/certs/ca-bundle.crt).
3. Restart the rsyslog service and you're done:
systemctl restart rsyslog
1. Download CA certificates (Let's Encrypt) to enable TLS:
mkdir -p /etc/syslog-ng/ca.dcd /etc/syslog-ng/ca.d# Let's Encrypt R3 intermediate certificate (cross signed by TrustID X3 Root)wget https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pemln -s lets-encrypt-r3-cross-signed.pem $(openssl x509 -in lets-encrypt-r3-cross-signed.pem -hash -noout).0# TrustID X3 Root from IdenTrustwget https://letsencrypt.org/certs/trustid-x3-root.pemln -s trustid-x3-root.pem $(openssl x509 -in trustid-x3-root.pem -hash -noout).0# ISRG Root X1wget https://letsencrypt.org/certs/isrgrootx1.pemln -s isrgrootx1.pem $(openssl x509 -in isrgrootx1.pem -hash -noout).0
The links to the certificates are taken from the Let's Encrypt website. You can read more about the setup in the syslog-ng documentation.
2. Create a config file with the following content:
/etc/syslog-ng/conf.d/70-logtail.confdestination d_logtail {syslog("in.logtail.com"transport("tls")port(6514)tls(peer-verify(required-trusted)ca-dir("/etc/syslog-ng/ca.d")trusted-dn("CN=*.logtail.com")));};rewrite add_logtail_credentials {set("YOUR_LOGTAIL_SOURCE_TOKEN" value("[email protected]_token"));};log {source(s_src);rewrite(add_logtail_credentials);destination(d_logtail);};
Make sure you replace YOUR_LOGTAIL_SOURCE_TOKEN with your own source token from Logtail.com.
3. Restart the syslog-ng service:
systemctl restart syslog-ng