Introduction

Rsyslog is a log-processing system that accepts input from various sources, transforms it, and delivers it to a variety of destinations.

To integrate Rsyslog with OpsRamp, use the following configuration:

Default configuration

# supported version for this configuration is RSyslog 8.2001.0
syslog_server:
  type: syslog
  source: syslog_server
  address: "0.0.0.0:514"
  mode: tcp
  protocol: rfc3164

Configuration for receiving data from network

To configure Rsyslog to receive data from the network, append the following lines to the /etc/rsyslog.conf file:

# for TCP use:
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
# for UDP use:
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

Configuration for pushing data to OpsRamp Agent

  • To configure Rsyslog to forward all logs to the OpsRamp agent, append the following lines to the /etc/rsyslog.conf file:
# X.X.X.X is the hostname or IP address of the OpsRamp agent device. A single @ means UDP and 514 is the destination port.
*.* @X.X.X.X:514
# X.X.X.X is the hostname or IP address of the OpsRamp agent device. A double @@ means TCP and 514 is the destination port.
*.* @@X.X.X.X:514

Or,
# In case of UDP, where X.X.X.X is the hostname or IP address of the OpsRamp agent device and 514 is the destination port
*.* action(type="omfwd" target="X.X.X.X" port="514" protocol="udp")
# In case of TCP, where X.X.X.X is the hostname or IP address of the OpsRamp agent device and 514 is the destination port
*.* action(type="omfwd" target="X.X.X.X" port="514" protocol="tcp")
  • To restart Rsyslog in Linux distributions, you can execute the following command in the terminal:
sudo systemctl restart rsyslog
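
To verify that the forwarding path above delivers what the agent's `protocol: rfc3164` setting expects, the following added example (not part of the OpsRamp or Rsyslog documentation) builds an RFC 3164 line in the same shape rsyslog's default forwarding template emits, decodes its PRI field into facility and severity, and can push a constructed test message to the agent over TCP or UDP. The target address and the sample message content are assumptions.

```python
import re
import socket
from datetime import datetime

# Severity names from RFC 3164 section 4.1.1, indexed by PRI % 8.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Shape of the BSD syslog line rsyslog forwards by default:
# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG  (single-digit day is space padded)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

def format_rfc3164(facility, severity, host, tag, msg, ts=None):
    """Build one RFC 3164 line; PRI = facility * 8 + severity."""
    ts = ts or datetime.now()
    stamp = ts.strftime("%b ") + f"{ts.day:2d}" + ts.strftime(" %H:%M:%S")
    return f"<{facility * 8 + severity}>{stamp} {host} {tag}: {msg}"

def parse_rfc3164(line):
    """Split the header fields and decode PRI; rejects malformed or out-of-range input."""
    m = RFC3164_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % line)
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    return {
        "facility": pri // 8, "severity": SEVERITIES[pri % 8], "timestamp": m["ts"],
        "host": m["host"], "tag": m["tag"], "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
    }

def send_syslog(line, target, port=514, proto="tcp"):
    """Deliver one line as omfwd does: LF-terminated over TCP, a bare datagram over UDP."""
    payload = line.encode()
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(payload, (target, port))
    with socket.create_connection((target, port), timeout=5) as s:
        s.sendall(payload + b"\n")
        return len(payload) + 1

if __name__ == "__main__":
    # Constructed test message: facility 4 (auth), severity 6 (info).
    line = format_rfc3164(4, 6, "web01", "sshd", "Accepted publickey for alice")
    print(parse_rfc3164(line))
    # send_syslog(line, "X.X.X.X")  # assumed agent address from the configuration above
```

The `send_syslog` call only exercises the network path once the agent's syslog_server listener from the default configuration is running; the formatting and parsing functions run offline.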

Custom configuration

  1. Create the custom configuration file /opt/opsramp/agent/conf/log.d/log-config.yaml by copying the content of the sample config file /opt/opsramp/agent/conf/log.d/log-config.yaml.sample.
  2. Update (add, edit, or remove) the configuration of the syslog_server source as needed, using the field definitions below:
source_name: # Replace 'source_name' with the application/source name
  type: "" # "syslog" is the type for syslog
  source: "" # Specify the name of the application (if empty, the source name is used)
  mode: # The type of socket to use. Valid values are ["tcp","udp","unix"]
  address: # Specify the "ip:port" on which the syslog server must listen (only applicable if mode is set to "tcp" or "udp")
  protocol: # The protocol to parse the syslog messages as. Options are rfc3164 and rfc5424
  filters: # (optional) This section filters logs by attribute_type. Filters are executed in the order in which they are specified.
    - attribute_type: "body" # Possible values for attribute_type: [ "body", "attributes", "resource" ] (defaults to "body" if the field is omitted)
      key: "" # The tag to which the respective filtering rule must be applied
      include: "" # Keeps the records which match the specified pattern
    - key: "" # attribute_type defaults to "body" if the field is omitted
      exclude: "" # Removes the records which match the specified pattern
  masking: # (optional) This section specifies rules to mask sensitive data in the logs
    - text: "" # The text which needs to be masked
      placeholder: "" # The string that replaces the masked text
  labels: # (optional) Allows up to 5 resource labels. If more than 5 are specified, only the first five are used and the others are ignored
    key: "{{value}}" # Replace key and {{value}} with the label name and value
  attributes: [ ] # (optional) Specify parsed fields which need to be set as record attributes
  resource_attributes: [ ] # (optional) Specify parsed fields which need to be set as resource attributes
  3. Save the updated configuration file /opt/opsramp/agent/conf/log.d/log-config.yaml.

  4. Restart the agent by executing the following command in the terminal:

systemctl restart opsramp-agent