rsyslog
=======

The rsyslog log processor is very popular and ships with most popular Linux distributions, including Ubuntu and CentOS. rsyslog provides a long list of plugins, most importantly the Elasticsearch output plugin (``omelasticsearch``), which is supported by Humio.

Self-hosted users will have to enable the Elasticsearch bulk endpoint on port 9200. See ``ELASTIC_PORT``.

Configuration
-------------

We recommend some minimal configuration for forwarding all logs to Humio. You'll need to create a file named ``/etc/rsyslog.d/33-humio.conf`` with the following contents.

Please ensure that ``$YOUR_HUMIO_URL`` is the URL of your Humio instance for on-prem installations; for Humio Cloud it is either ``https://cloud.humio.com`` (EU Cloud) or ``https://cloud.us.humio.com`` (US Cloud). For example, if you are sending data to Humio EU Cloud, your server URL should look like this: ``https://cloud.humio.com:443/``.

Finally, ``$INGEST_TOKEN`` is the ingest token for your repository.

.. code-block:: humio

   # Load the Elasticsearch output module used to reach Humio's bulk endpoint.
   module(load="omelasticsearch")

   # Build one JSON document per message. option.json="on" JSON-escapes every
   # property value, so quotes or newlines inside a log line cannot break the
   # structure of the document.
   template(name="humiotemplate" type="list" option.json="on") {
       constant(value="{")
       constant(value="\"@timestamp\":\"")   property(name="timereported" dateFormat="rfc3339")
       constant(value="\",\"message\":\"")   property(name="msg")
       constant(value="\",\"host\":\"")      property(name="hostname")
       constant(value="\",\"severity\":\"")  property(name="syslogseverity-text")
       constant(value="\",\"facility\":\"")  property(name="syslogfacility-text")
       constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
       constant(value="\",\"name\":\"")      property(name="programname")
       constant(value="\",\"pid\":\"")       property(name="procid")
       constant(value="\"}")
   }

   # Forward every message (selector *.*) to Humio over HTTPS in bulk mode.
   # serverport is omelasticsearch's port parameter; it applies when the URL
   # itself carries no port (the cloud example above already includes :443).
   *.* action(type="omelasticsearch"
              server="$YOUR_HUMIO_URL"
              serverport="$YOUR_HUMIO_INGEST_PORT"
              template="humiotemplate"
              uid="any-organization"
              pwd="$INGEST_TOKEN"
              bulkmode="on"
              usehttps="on")

The ``$INGEST_TOKEN`` in this example should be the ingest token for your repository. The ``bulkmode`` and ``usehttps`` parameters have to be set to ``on`` for Humio Cloud and for self-hosted installations in which Humio sits behind an HTTPS proxy.

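To see what the configuration above actually sends, the following added example (written for this page; it is not Humio's or rsyslog's own code) renders the same JSON document that the ``humiotemplate`` list template produces, then packs records into the newline-delimited body that ``omelasticsearch`` posts to the bulk endpoint when ``bulkmode="on"``. The sample events are constructed here, the index name in the action line is a placeholder, and ``json_escape`` stands in for rsyslog's ``option.json="on"`` escaping; the second sample message carries quotes and a newline to show why that escaping matters: without it, a crafted log line could close the ``message`` field early and forge other fields in the record.

```python
# Added example, not part of the Humio documentation or of rsyslog.
import json

# Field order mirrors the constant()/property() pairs in the rsyslog template:
# (JSON field name, rsyslog property name).
TEMPLATE_FIELDS = [
    ("@timestamp", "timereported"),
    ("message", "msg"),
    ("host", "hostname"),
    ("severity", "syslogseverity-text"),
    ("facility", "syslogfacility-text"),
    ("syslogtag", "syslogtag"),
    ("name", "programname"),
    ("pid", "procid"),
]


def json_escape(value: str) -> str:
    """Escape a property value as option.json="on" does, so it can be spliced
    between the literal quotes of the template without breaking the document."""
    # json.dumps returns a quoted string; drop the surrounding quotes.
    return json.dumps(value, ensure_ascii=False)[1:-1]


def render_humio_template(event: dict) -> str:
    """Concatenate the document exactly as the list template does."""
    parts = ["{"]
    for i, (key, prop) in enumerate(TEMPLATE_FIELDS):
        sep = "" if i == 0 else ","
        parts.append('%s"%s":"%s"' % (sep, key, json_escape(event.get(prop, ""))))
    parts.append("}")
    return "".join(parts)


def bulk_body(events: list, index: str = "PLACEHOLDER_INDEX") -> str:
    """NDJSON body for the bulk endpoint: an action line, then the document,
    for each event; the format requires a trailing newline."""
    lines = []
    for ev in events:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(render_humio_template(ev))
    return "\n".join(lines) + "\n"


def parse_bulk_body(body: str) -> list:
    """Decode a bulk body back into (action, document) pairs. A line that is
    not valid JSON raises, which is exactly how an unescaped template fails."""
    lines = body.split("\n")
    if lines[-1] != "":
        raise ValueError("bulk body must end with a newline")
    lines = lines[:-1]
    if len(lines) % 2:
        raise ValueError("action line without a document")
    return [(json.loads(lines[i]), json.loads(lines[i + 1]))
            for i in range(0, len(lines), 2)]


# Constructed sample events. The second message contains a quote, a backslash
# and a newline that would corrupt the JSON if the template did not escape them.
SAMPLE_EVENTS = [
    {"timereported": "2024-01-01T12:00:00+00:00",
     "msg": "Accepted publickey for alice from 10.0.0.5 port 51234",
     "hostname": "web-01", "syslogseverity-text": "info",
     "syslogfacility-text": "auth", "syslogtag": "sshd[1234]:",
     "programname": "sshd", "procid": "1234"},
    {"timereported": "2024-01-01T12:00:01+00:00",
     "msg": 'Invalid user "bob\\" from 10.0.0.9"}\n{"host":"forged"',
     "hostname": "web-01", "syslogseverity-text": "warning",
     "syslogfacility-text": "auth", "syslogtag": "sshd[1235]:",
     "programname": "sshd", "procid": "1235"},
]

if __name__ == "__main__":
    body = bulk_body(SAMPLE_EVENTS)
    print(body)
    for action, doc in parse_bulk_body(body):
        # The host field survives intact even for the hostile message.
        print(action["index"]["_index"], doc["host"], repr(doc["message"]))
```

Running the script prints the two-record bulk body and shows that the second document still has ``host`` equal to ``web-01``: the escaped message is stored verbatim as data rather than being interpreted as JSON structure. The same body shape is what a proxy in front of a self-hosted Humio must pass through to port 9200 unchanged.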
When you've finished with this configuration file, restart rsyslog from the command line like so:

.. code-block:: shell

   systemctl restart rsyslog.service

By now, your logs should start populating your repository and can be found with a simple search in Humio:

.. code-block:: humio

   syslogtag=*

If logs don't begin loading into your repository, check the status of the rsyslog service (``systemctl status rsyslog.service``) to see whether the Elasticsearch module failed to load. In most cases this can be corrected by installing the module with ``apt-get install rsyslog-elasticsearch`` on Ubuntu or ``yum install rsyslog-elasticsearch`` on CentOS/RHEL.

.. knowledgebase-bykw::
   :keywords: humio-url
   :showtitle: related