Introduction
Rsyslog is a log-processing system that accepts input from a variety of sources, transforms it, and forwards it to a variety of destinations.
To integrate Rsyslog with OpsRamp, use the following configuration:
Default configuration
# supported version for this configuration is RSyslog 8.2001.0
syslog_server:
  type: syslog
  source: syslog_server
  address: "0.0.0.0:514"
  mode: tcp
  protocol: rfc3164
Note
This integration is supported in OpsRamp agent version 13.1 and above.
Configuration for receiving data from network
To configure Rsyslog to receive data from the network, append the following lines to the /etc/rsyslog.conf file:
# for TCP use:
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
# for UDP use:
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
Configuration for pushing data to OpsRamp Agent
- To configure Rsyslog to forward all logs to the OpsRamp agent, append one of the following lines (UDP or TCP) to the /etc/rsyslog.conf file:
*.* @X.X.X.X:514 # X.X.X.X is the hostname or IP address of the OpsRamp agent device. A single @ means UDP; 514 is the destination port.
*.* @@X.X.X.X:514 # X.X.X.X is the hostname or IP address of the OpsRamp agent device. A double @@ means TCP; 514 is the destination port.
Or, using the omfwd action syntax:
*.* action(type="omfwd" target="X.X.X.X" port="514" protocol="udp") # in case of UDP, where X.X.X.X is the hostname or IP address of the OpsRamp agent device and 514 is the destination port
*.* action(type="omfwd" target="X.X.X.X" port="514" protocol="tcp") # in case of TCP, where X.X.X.X is the hostname or IP address of the OpsRamp agent device and 514 is the destination port
- To restart Rsyslog in Linux distributions, you can execute the following command in the terminal:
sudo systemctl restart rsyslog
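The forwarding lines above send each record either as a UDP datagram (single @) or over a TCP stream (double @@), and the agent's default configuration parses what arrives as RFC 3164. The following script is an added example, not OpsRamp or rsyslog code: it builds an RFC 3164 line, pushes it to a loopback listener over both UDP and TCP on ephemeral ports, and parses the result so you can see what the agent's `protocol: rfc3164` setting expects. The hostname, tag, timestamp and message text are constructed values; the newline framing used for TCP is rsyslog's default, and the regex is a minimal parser written for this example.

```python
"""Added example: RFC 3164 syslog over UDP ('@') and TCP ('@@') on loopback."""
import re
import socket
from datetime import datetime

# RFC 3164: PRI = facility * 8 + severity
FACILITY_USER = 1
SEVERITY_INFO = 6

# Minimal RFC 3164 line parser written for this example:
# <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<msg>.*)$"
)


def format_rfc3164(facility, severity, hostname, tag, message, when=None):
    """Return one RFC 3164 line; the day of month is space-padded as the RFC requires."""
    when = when or datetime(2024, 1, 5, 10, 0, 0)  # constructed, fixed timestamp
    ts = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    pri = facility * 8 + severity
    return f"<{pri}>{ts} {hostname} {tag}: {message}"


def parse_rfc3164(line):
    """Split an RFC 3164 line into its fields; raises ValueError on anything else."""
    m = RFC3164_RE.match(line)
    if not m:
        raise ValueError(f"not RFC 3164: {line!r}")
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),
        "tag": m.group("tag"),
        "pid": m.group("pid"),
        "message": m.group("msg"),
    }


def roundtrip(mode, line):
    """Send `line` to a loopback listener as rsyslog would ('udp' or 'tcp') and return what arrived."""
    data = line.encode()
    if mode == "udp":
        srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        srv.bind(("127.0.0.1", 0))        # ephemeral port instead of 514
        srv.settimeout(2)
        cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        cli.sendto(data, srv.getsockname())  # one datagram carries one message
        received, _ = srv.recvfrom(65535)
        cli.close()
        srv.close()
        return received.decode()
    if mode == "tcp":
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        srv.settimeout(2)
        cli = socket.create_connection(srv.getsockname(), timeout=2)
        cli.sendall(data + b"\n")         # default rsyslog TCP framing: newline-terminated
        conn, _ = srv.accept()
        conn.settimeout(2)
        buf = b""
        while not buf.endswith(b"\n"):    # a stream may split one message across reads
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
        cli.close()
        conn.close()
        srv.close()
        return buf.rstrip(b"\n").decode()
    raise ValueError("mode must be 'udp' or 'tcp'")


if __name__ == "__main__":
    line = format_rfc3164(FACILITY_USER, SEVERITY_INFO, "web01", "sshd",
                          "Accepted publickey for alice")
    for mode in ("udp", "tcp"):
        print(mode, parse_rfc3164(roundtrip(mode, line)))
```

The TCP branch shows why the agent needs a delimiter: a stream has no message boundaries of its own, so the receiver reads until the newline, whereas each UDP datagram is already one record (and is silently lost if the agent is down, which is why TCP is the safer choice for audit-relevant logs).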
Note
The configuration example provided for RSyslog is generic. If you need to forward logs only from a specific host, see the RSyslog documentation for detailed instructions.
Custom configuration
- Create the custom configuration file /opt/opsramp/agent/conf/log.d/log-config.yaml with the content copied from the sample config file /opt/opsramp/agent/conf/log.d/log-config.yaml.sample.
- Update (add / edit / remove) the configuration as needed for the syslog_server source, using the guidelines for field definitions provided below:
source_name: # Replace 'source_name' with the application/source name
  type: "" # "syslog" is the type for syslog
  source: "" # specify the name of the application (if empty, the source name is used)
  mode: # The type of socket to use. Valid sockets are ["tcp", "udp", "unix"]
  address: # specify the "ip:port" on which the syslog server must run (only applicable if mode is set to "tcp" or "udp")
  protocol: # The protocol to parse the syslog messages as. Options are rfc3164 and rfc5424
  filters: # (optional) This section filters out logs by attribute_type. Rules are executed in the order in which they are specified.
    - attribute_type: "body" # Possible values for attribute_type: ["body", "attributes", "resource"] (defaults to "body" if the field is omitted).
      key: "" # The tag to which the filtering rule is applied.
      include: "" # keeps the records which match the specified pattern.
    - key: "" # attribute_type defaults to "body" if the field is omitted.
      exclude: "" # removes the records which match the specified pattern.
  masking: # (optional) This section specifies rules to mask sensitive data in the logs.
    - text: "" # The text which needs to be masked.
      placeholder: "" # The string that replaces the masked text.
  labels: # (optional) Up to 5 resource labels. If more than 5 are specified, the first five are used and the others are ignored.
    key: "{{value}}"
  attributes: [ ] # (optional) Parsed fields which need to be set as record attributes.
  resource_attributes: [ ] # (optional) Parsed fields which need to be set as resource attributes.
- Save the updated configuration file /opt/opsramp/agent/conf/log.d/log-config.yaml.
- Restart the agent by executing the following command in the terminal:
systemctl restart opsramp-agent
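The filters, masking and labels fields in the template above are where the security-relevant decisions sit: which records leave the host, which credentials or addresses are scrubbed before they do, and how many labels are kept. The script below is an added example and not the OpsRamp agent's code: it applies those rules to constructed syslog records using the behaviour the template comments describe (filters evaluated in order, include keeps matches, exclude drops matches, attribute_type defaulting to body, the first five labels only). Where the comments are silent, the example assumes that include/exclude patterns are regular expressions and that masking text is a literal substring; the config is written as a Python dict of the same shape as the YAML so no YAML library is needed.

```python
"""Added example: apply log-config.yaml style filters, masking and labels to sample records."""
import re

# Constructed config mirroring the syslog_server block of log-config.yaml (not the real file)
CONFIG = {
    "type": "syslog",
    "source": "linux-auth",
    "mode": "tcp",
    "address": "0.0.0.0:514",
    "protocol": "rfc3164",
    "filters": [
        {"attribute_type": "body", "key": "message", "include": r"^sshd"},
        {"key": "message", "exclude": r"Disconnected"},       # attribute_type defaults to "body"
        {"attribute_type": "attributes", "key": "severity", "exclude": r"^7$"},  # drop debug
    ],
    "masking": [
        {"text": "alice", "placeholder": "[USER]"},
        {"text": "10.0.0.5", "placeholder": "[IP]"},
    ],
    # six labels on purpose: the template says only the first five are kept
    "labels": {"env": "prod", "team": "infra", "a": "1", "b": "2", "c": "3", "d": "4"},
}

# Constructed records with the three sections the filters can address
RECORDS = [
    {"body": {"message": "sshd: Accepted publickey for alice from 10.0.0.5"},
     "attributes": {"severity": "6"}, "resource": {"host": "web01"}},
    {"body": {"message": "sshd: Disconnected from user alice 10.0.0.5"},
     "attributes": {"severity": "6"}, "resource": {"host": "web01"}},
    {"body": {"message": "sshd: debug1: key exchange"},
     "attributes": {"severity": "7"}, "resource": {"host": "web01"}},
    {"body": {"message": "cron: job started"},
     "attributes": {"severity": "6"}, "resource": {"host": "web01"}},
]


def passes_filters(record, filters):
    """Evaluate rules in order; a record survives only if no rule rejects it."""
    for rule in filters:
        section = record.get(rule.get("attribute_type", "body"), {})
        value = str(section.get(rule["key"], ""))
        if "include" in rule and not re.search(rule["include"], value):
            return False
        if "exclude" in rule and re.search(rule["exclude"], value):
            return False
    return True


def mask(text, rules):
    """Replace each literal `text` with its `placeholder` (literal matching is assumed)."""
    for rule in rules:
        text = text.replace(rule["text"], rule["placeholder"])
    return text


def resource_labels(labels):
    """Keep only the first five labels, as the template comment specifies."""
    return dict(list(labels.items())[:5])


def process(records, config):
    """Return surviving records with body fields masked and labels merged into the resource."""
    labels = resource_labels(config.get("labels", {}))
    out = []
    for rec in records:
        if not passes_filters(rec, config.get("filters", [])):
            continue
        body = {k: mask(str(v), config.get("masking", [])) for k, v in rec["body"].items()}
        out.append({**rec, "body": body, "resource": {**rec["resource"], **labels}})
    return out


if __name__ == "__main__":
    for rec in process(RECORDS, CONFIG):
        print(rec)
```

Because filters run in the order written, the cheap include rule on the body goes first so that later rules only see candidate records; masking runs only on records that survive, which is the behaviour to verify after a restart by sending a test line that contains a known username and checking it arrives with the placeholder instead.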