Logtail
What is Logtail?Get helpBook a demoSystem Status
Search…
Getting started
βš™οΈ Sources
JavaScript
Python
Ruby
PHP
.NET
Java
Heroku
Render
Kubernetes
Docker
Dokku
Cloudflare
HTTP REST API
Nginx
Apache2
Redis
MongoDB
PostgreSQL
MySQL
Ubuntu
πŸ”—
Integrations
Slack
πŸ”€οΈ Log forwarding
Vector (recommended)
Fluent Bit
Logstash
Fluentd
Syslog
πŸ”§
API
Getting Started
Sources API
Query API
πŸŽ“
How-to Guides
Deprecated tables in Logtail
GeoIP map visualization
AWS S3-compatible archive
String + JSON format
Live Tail Query Language
Querying data in Logtail
Tutorials
Powered By GitBook
Syslog
Send your system logs to Logtail with Syslog.
You can send your system logs directly to our servers over an encrypted TCP connection. Our Syslog server is listening for TCP connections on in.logtail.com:6514 and it allows only encrypted traffic.
To authenticate the incoming logs, we utilize Syslog's structured data mechanism. Every Syslog message you send to our server must include [[email protected] source_token="YOUR_LOGTAIL_SOURCE_TOKEN"].

Setup guide

rsyslog setup
syslog-ng setup
rsyslog - manual setup
syslog-ng - manual setup
First, make sure rsyslog-gnutls is installed on your system:
apt install rsyslog-gnutls
We created a simple script that will configure rsyslog for you:
wget -qO- https://logtail.com/rsyslog/YOUR_SOURCE_TOKEN | sh
We suggest you go through the setup script before you run it and make sure it doesn't do anything malicious. You should never run scripts copied from the internet in your terminal.
The script will detect whether rsyslog is installed on your system and if it is is in place, it will create the correct configuration for your Logtail source.
After the script finishes successfully, you might need to restart the rsyslog service so that the new configuration is loaded:
systemctl restart rsyslog
We created a simple script that will configure syslog-ng for you:
wget -qO- https://logtail.com/syslog-ng/YOUR_SOURCE_TOKEN | sh
We suggest you go through the setup script before you run it and make sure it doesn't do anything malicious. You should never run scripts copied from the internet in your terminal.
The script will detect whether syslog-ng is installed on your system and if it is is in place, it will create the correct configuration for your Logtail source. The script will download Let's Encrypt root certificates, but it won't install them globally.
After the script finishes successfully, you might need to restart the syslog-ng service so that the new configuration is loaded:
systemctl restart syslog-ng
1. Install rsyslog-gnutls to enable TLS encryption:
apt install rsyslog-gnutls
2. Create a configuration file with the following content:
/etc/rsyslog.d/70-logtail.conf
global(DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt")
​
template(name="LogtailFormat" type="list") {
constant(value="<")
property(name="pri")
constant(value=">")
constant(value="1")
constant(value=" ")
property(name="timestamp" dateFormat="rfc3339")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="app-name")
constant(value=" ")
property(name="procid")
constant(value=" ")
property(name="msgid")
constant(value=" ")
property(name="structured-data" regex.expression="[^-]" regex.nomatchmode="BLANK" regex.submatch="0")
constant(value="[[email protected] source_token=\"YOUR_LOGTAIL_SOURCE_TOKEN\"]")
constant(value=" ")
property(name="msg" droplastlf="on")
}
​
action(
type="omfwd"
protocol="tcp"
target="in.logtail.com"
port="6514"
template="LogtailFormat"
TCP_Framing="octet-counted"
StreamDriver="gtls"
StreamDriverMode="1"
StreamDriverAuthMode="x509/name"
StreamDriverPermittedPeers="*.logtail.com"
queue.spoolDirectory="/var/spool/rsyslog"
queue.filename="logtail"
queue.maxdiskspace="75m"
queue.type="LinkedList"
queue.saveonshutdown="on"
)
Make sure to replace YOUR_LOGTAIL_SOURCE_TOKEN with your own source token from Logtail.com.
This configuration works on Ubuntu or other Debian-based Linux distributions. Other Linux distributions might have the file with the trusted root CA can be in a different location and the file have a different name. If this is the case, please change the file path on the first line to the correct value (e.g., /etc/ssl/certs/ca-bundle.crt).
3. Restart the rsyslog service and you're done:
systemctl restart rsyslog
1. Download CA certificates (Let's Encrypt) to enable TLS:
mkdir -p /etc/syslog-ng/ca.d
cd /etc/syslog-ng/ca.d
​
# TrustID X3 Root from IdenTrust
wget https://letsencrypt.org/certs/trustid-x3-root.pem
ln -s trustid-x3-root.pem $(openssl x509 -in trustid-x3-root.pem -hash -noout).0
​
# ISRG Root X1
wget https://letsencrypt.org/certs/isrgrootx1.pem
ln -s isrgrootx1.pem $(openssl x509 -in isrgrootx1.pem -hash -noout).0
The links to the certificates are taken from the Let's Encrypt website. You can read more about the setup in the syslog-ng documentation.
2. Create a config file with the following content:
/etc/syslog-ng/conf.d/70-logtail.conf
destination d_logtail {
syslog(
"in.logtail.com"
transport("tls")
port(6514)
tls(
peer-verify(required-trusted)
ca-dir("/etc/syslog-ng/ca.d")
trusted-dn("CN=*.logtail.com")
sni(yes)
)
);
};
​
rewrite add_logtail_credentials {
set("YOUR_LOGTAIL_SOURCE_TOKEN" value("[email protected]_token"));
};
​
log {
source(s_src);
rewrite(add_logtail_credentials);
destination(d_logtail);
};
Make sure you replace YOUR_LOGTAIL_SOURCE_TOKEN with your own source token from Logtail.com.
3. Restart the syslog-ng service:
systemctl restart syslog-ng
​
​
πŸ”€οΈ Log forwarding - Previous
Fluentd
Next - API
Getting Started
Last modified 2mo ago
Copy link