rsyslog

The rsyslog log processor is widely used and ships with most popular Linux distributions, including Ubuntu and CentOS. rsyslog provides a long list of output plugins; the one that matters here is the Elasticsearch output plugin (omelasticsearch), because LogScale accepts the Elasticsearch bulk API.

Self-hosted LogScale installations must enable the Elasticsearch bulk endpoint on port 9200 through the ELASTIC_PORT configuration variable. See ELASTIC_PORT.

Configuration

We recommend the following minimal configuration for forwarding all logs to LogScale. Create a file named /etc/rsyslog.d/33-humio.conf with the contents below, replacing three placeholders:

$YOUR_LOGSCALE_URL is the host name (or URL) of your LogScale instance.

$YOUR_LOGSCALE_INGEST_PORT is the Elasticsearch bulk port, 9200 unless you changed ELASTIC_PORT.

$INGEST_TOKEN is an ingest token for the repository that should receive the logs.

module(load="omelasticsearch")
template(name="humiotemplate" type="list" option.json="on") {
  constant(value="{")
  constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
  constant(value="\",\"message\":\"") property(name="msg")
  constant(value="\",\"host\":\"") property(name="hostname")
  constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
  constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
  constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
  constant(value="\",\"name\":\"") property(name="programname")
  constant(value="\",\"pid\":\"") property(name="procid")
  constant(value="\"}")
}
*.* action(type="omelasticsearch"
        server="$YOUR_LOGSCALE_URL"
        serverport="$YOUR_LOGSCALE_INGEST_PORT"
        template="humiotemplate"
        uid="any-organization"
        pwd="$INGEST_TOKEN"
        bulkmode="on"
        usehttps="on")

The ingest token in pwd is the only credential LogScale checks, which is why uid can be any string. omelasticsearch takes the host in server and the port in serverport (a "host/port" string in server is not a valid form). bulkmode must stay on: LogScale exposes the Elasticsearch bulk API, and that is the mode bulkmode="on" makes rsyslog use. usehttps="on" makes rsyslog connect over TLS and is required whenever LogScale is reached over HTTPS, including when it sits behind a TLS-terminating proxy; with it off, the ingest token travels in clear text, so only do that for a plain-HTTP endpoint on a network you trust. Because the file contains the token, restrict it to root (chmod 600 /etc/rsyslog.d/33-humio.conf); rsyslog reads its configuration as root at startup, so the restriction does not affect it.
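To make concrete what the configuration above produces, here is an added example (not code from the LogScale documentation or the rsyslog project) that renders constructed syslog events the way humiotemplate does, once without and once with the escaping that option.json="on" provides, and then assembles the bulk request body and basic-auth header that the omelasticsearch action sends to the endpoint. The sample events, the default index name "system" (assumed to be omelasticsearch's default searchIndex; LogScale routes by the ingest token anyway) and the assumption that uid/pwd are sent as HTTP basic auth are this example's own.

```python
import base64
import json

# Constructed sample events (not from the page). Keys are the rsyslog property
# names the template reads. The second event carries a double quote, a
# backslash and a newline in its message, the characters that break a
# string-concatenated template without option.json="on".
SAMPLE_EVENTS = [
    {
        "timereported": "2024-03-01T12:00:00+00:00",
        "msg": "Accepted publickey for deploy from 10.0.0.5 port 50022 ssh2",
        "hostname": "web01",
        "syslogseverity-text": "info",
        "syslogfacility-text": "auth",
        "syslogtag": "sshd[1234]:",
        "programname": "sshd",
        "procid": "1234",
    },
    {
        "timereported": "2024-03-01T12:00:01+00:00",
        "msg": 'pam_unix(sudo:auth): user="bob" cmd=C:\\tools\\x.exe\nsecond line',
        "hostname": "web01",
        "syslogseverity-text": "notice",
        "syslogfacility-text": "authpriv",
        "syslogtag": "sudo:",
        "programname": "sudo",
        "procid": "-",
    },
]

# (rsyslog property, JSON field) in the order humiotemplate emits them.
TEMPLATE_FIELDS = [
    ("timereported", "@timestamp"),
    ("msg", "message"),
    ("hostname", "host"),
    ("syslogseverity-text", "severity"),
    ("syslogfacility-text", "facility"),
    ("syslogtag", "syslogtag"),
    ("programname", "name"),
    ("procid", "pid"),
]


def render_naive(event):
    """The template WITHOUT option.json="on": property values are pasted
    between the quotes verbatim, so a quote or newline in the message yields
    a document the receiver cannot parse."""
    parts = ['"%s":"%s"' % (field, event[prop]) for prop, field in TEMPLATE_FIELDS]
    return "{" + ",".join(parts) + "}"


def render_humio_doc(event):
    """The template WITH option.json="on": every value is JSON-escaped before
    insertion. json.dumps applies the equivalent escaping here."""
    return json.dumps({field: event[prop] for prop, field in TEMPLATE_FIELDS},
                      separators=(",", ":"))


def is_valid_json(text):
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def build_bulk_payload(events, index="system"):
    """NDJSON body of one bulk request as sent with bulkmode="on": an action
    line per event followed by the rendered document, newline-terminated."""
    lines = []
    for event in events:
        lines.append(json.dumps({"index": {"_index": index}}, separators=(",", ":")))
        lines.append(render_humio_doc(event))
    return "\n".join(lines) + "\n"


def parse_bulk_payload(payload):
    """Decode a bulk body into (action, document) pairs the way the receiving
    endpoint must; a malformed document surfaces here as a ValueError."""
    lines = payload.splitlines()
    return [(json.loads(lines[i]), json.loads(lines[i + 1]))
            for i in range(0, len(lines), 2)]


def bulk_request_headers(ingest_token, uid="any-organization"):
    """uid/pwd from the action as an HTTP basic-auth header (assumption: that
    is how omelasticsearch passes them). Only the password part, the ingest
    token, is meaningful to LogScale. x-ndjson is the content type
    Elasticsearch documents for the bulk API."""
    credentials = base64.b64encode(f"{uid}:{ingest_token}".encode()).decode()
    return {"Authorization": "Basic " + credentials,
            "Content-Type": "application/x-ndjson"}
```

Running render_naive on the second sample event shows why the escaping option is not cosmetic: the unescaped quote ends the JSON string early and the raw newline is an illegal control character, so every event with such a message would be rejected or mangled by the endpoint, which is precisely the kind of log (shell commands, user-supplied names) an investigation needs intact.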

When you've finished with this configuration file, restart rsyslog from the command-line like so:

systemctl restart rsyslog.service

Your logs should now start arriving in the repository; confirm it with a simple search in LogScale:

syslogtag=*

If no logs arrive, check the status of the rsyslog service (systemctl status rsyslog.service) to see whether the omelasticsearch module failed to load. The module ships in a separate package, so in most cases this is fixed by installing it with apt-get install rsyslog-elasticsearch on Ubuntu or yum install rsyslog-elasticsearch on CentOS/RHEL, and restarting rsyslog again.
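The following is an added deployment helper for the procedure above; it is not part of the LogScale documentation or of rsyslog. It fills the three placeholders in a copy of the configuration from this page, writes the result so that the ingest token is never in a file readable by other users, refuses to continue if a placeholder survived, and then runs rsyslog's own configuration check, the restart and the status check. The template file path and the environment variable names LOGSCALE_HOST, LOGSCALE_PORT and LOGSCALE_INGEST_TOKEN are this example's assumptions.

```sh
#!/bin/sh
# Added example: deploy /etc/rsyslog.d/33-humio.conf from a template that still
# contains the placeholders $YOUR_LOGSCALE_URL, $YOUR_LOGSCALE_INGEST_PORT and
# $INGEST_TOKEN. Assumed inputs: that template file and the environment
# variables LOGSCALE_HOST, LOGSCALE_PORT, LOGSCALE_INGEST_TOKEN.
set -eu

# Escape a value for the right-hand side of a sed s|||g command so that a token
# containing &, | or \ is inserted verbatim.
sed_escape() {
  printf '%s' "$1" | sed 's/[\\&|]/\\&/g'
}

# render_logscale_conf TEMPLATE DEST: substitute the placeholders and write
# DEST as mode 0600. The umask is changed inside a subshell so the caller's
# umask is untouched, and the file is never world-readable, not even briefly.
render_logscale_conf() {
  template=$1
  dest=$2
  : "${LOGSCALE_HOST:?LogScale host name}" \
    "${LOGSCALE_PORT:?Elasticsearch bulk port, 9200 unless ELASTIC_PORT was changed}" \
    "${LOGSCALE_INGEST_TOKEN:?ingest token of the target repository}"
  (
    umask 077
    sed -e "s|[\$]YOUR_LOGSCALE_URL|$(sed_escape "$LOGSCALE_HOST")|g" \
        -e "s|[\$]YOUR_LOGSCALE_INGEST_PORT|$(sed_escape "$LOGSCALE_PORT")|g" \
        -e "s|[\$]INGEST_TOKEN|$(sed_escape "$LOGSCALE_INGEST_TOKEN")|g" \
        "$template" > "$dest"
    chmod 600 "$dest"   # also covers a DEST that already existed with wider permissions
  )
}

# check_logscale_conf FILE: fail if a placeholder was left in or the file is
# readable by anyone other than its owner (it holds the ingest token).
check_logscale_conf() {
  f=$1
  if grep -qE 'YOUR_LOGSCALE_|[$]INGEST_TOKEN' "$f"; then
    echo "$f: placeholder not substituted" >&2
    return 1
  fi
  if [ -z "$(find "$f" -perm 600)" ]; then
    echo "$f: must be mode 0600 because it contains the ingest token" >&2
    return 1
  fi
}

# deploy_logscale_conf TEMPLATE: the procedure from this page with the checks
# above in front of it. rsyslogd -N1 parses the file without starting the
# daemon and reports a module it cannot load, which is the troubleshooting
# case described above.
deploy_logscale_conf() {
  conf=/etc/rsyslog.d/33-humio.conf
  render_logscale_conf "$1" "$conf"
  check_logscale_conf "$conf"
  rsyslogd -N1 -f "$conf"
  systemctl restart rsyslog.service
  systemctl --no-pager status rsyslog.service
}

if [ "${1:-}" = "deploy" ]; then
  deploy_logscale_conf "$2"
fi
```

Run it as root with `LOGSCALE_HOST=... LOGSCALE_PORT=9200 LOGSCALE_INGEST_TOKEN=... ./deploy.sh deploy 33-humio.conf.template`; the token then lives only in the 0600 file and in the environment of that one process, not in shell history or a world-readable snippet.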