Skip to main content
Sumo Logic

rsyslog

Sumo Logic supports syslog clients such as rsyslog. This document has instructions on how to configure your server to send syslog data. If syslog data does not appear in Sumo Logic, refer to the Troubleshooting section in the Cloud Syslog Source document.

Set up TLS

Set up Transport Layer Security (TLS).

Download the DigiCert certificate from https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt.

rsyslog

To set up your DigiCert certificate follow these steps:

$ cd /etc/rsyslog.d/keys/ca.d
$ wget -O digicert_ca.der https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt
$ openssl x509 -inform der -in digicert_ca.der -out digicert_ca.crt

Send data to a Cloud Syslog Source with rsyslog

This section shows how to configure a syslog client using rsyslog that will send the syslog message to be received by the Sumo Logic Cloud syslog service. If you are new to rsyslog, follow the rsyslog documentation to install.

After rsyslog is installed, edit the configuration file to start sending logs to Sumo. The configuration file is located at/etc/rsyslog.conf by default. 

For rsyslog v7 and earlier

# Setup disk assisted queues
$WorkDirectory /var/spool/rsyslog         # where to place spool files
$ActionQueueFileName fwdRule1             # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g               # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on             # save messages to disk on shutdown
$ActionQueueType LinkedList               # run asynchronously
$ActionResumeRetryCount -1                # infinite retries if host is down

# RsyslogGnuTLS
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/digicert_ca.crt
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer syslog.collection.YOUR_DEPLOYMENT.sumologic.com

template(name="SumoFormat" type="string" string="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [YOUR_TOKEN] %msg%\n")

*.* action(type="omfwd" protocol="tcp" target="syslog.collection.YOUR_DEPLOYMENT.sumologic.com" port="6514" template="SumoFormat")

In the template statement, be sure to replace YOUR_TOKEN with your actual token, and YOUR_DEPLOYMENT with your deployment. Properties in the string begin and end with '%'. All other texts and white space are treated literally. For more information about rsyslog configuration, see the rsyslog template documentation or the rsyslog omfwd documentation.

For rsyslog v8 and later

# Setup disk assisted queues# Setup disk assisted queues
$WorkDirectory /var/spool/rsyslog     # where to place spool files
$ActionQueueFileName fwdRule1         # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g           # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on         # save messages to disk on shutdown
$ActionQueueType LinkedList           # run asynchronously
$ActionResumeRetryCount -1            # infinite retries if host is down

# RsyslogGnuTLS
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/digicert_ca.crt

template(name="SumoFormat" type="string" string="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [YOUR_TOKEN] %msg%\n")

action(type="omfwd"
    protocol="tcp"
    target="syslog.collection.YOUR_DEPLOYMENT.sumologic.com"
    port="6514"
    template="SumoFormat"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="syslog.collection.*.sumologic.com")

In the template statement, be sure to replace YOUR_TOKEN with your actual token, and YOUR_DEPLOYMENT with your deployment. Properties in the string begin and end with '%'. All other texts and white space are treated literally. For more information about rsyslog configuration, see the rsyslog template documentation or the rsyslog omfwd documentation.