Simple sending using rsyslog
This article describes how to manually configure rsyslog to send system log events to Devo over an unsecured channel. This is the recommended procedure when you want to forward events within your network to a Devo In-House Relay.
The /etc/rsyslog.conf file
It is advisable to have only the
include directive on the
/etc/rsyslog.conf file. Otherwise, it may lead to configuration errors.
# # http://www.rsyslog.com/doc/ # # Include all config files in /etc/rsyslog.d/ include(file="/etc/rsyslog.d/*.conf")
Create the Devo configuration files
To forward a system’s internal logs to a Devo Relay, you need to create two files in the
/etc/rsyslog.d/ directory. The
00-devo.conf file contains general connection settings. The
49-devo.conf file is responsible for forwarding the events to the Devo Relay.
This file contains general connection settings. Create it with the following contents.
module( load="imfile" mode="inotify" ) module( load="immark" interval="60" ) module( load="imuxsock" SysSock.RateLimit.Interval="0" ) global( workDirectory="/var/spool/rsyslog" )
Make sure that the
workDirectory path exists and that the user running rsyslog (often
syslog) has permissions over it. To find out which user runs rsyslog, enter the following command:
ps -ouser= $(pgrep rsyslogd)
If it is not root it is recommended to perform the below command. Please note that in some distributions it runs by default as root and in others, a drop of privileges to syslog user is performed..
mkdir /var/spool/rsyslog chown syslog:syslog /var/spool/rsyslog chmod 770 /var/spool/rsyslog
49-devo.conf file forwards the operating system log events to the Devo Relay. Create the file with the following contents.
template( name = "box-unix" type = "string" string = "<%PRI%>%timegenerated% %HOSTNAME% box.unix.%syslogtag% %msg%" ) action( type="omfwd" template="box-unix" queue.type="LinkedList" queue.filename="boxq1" queue.saveonshutdown="on" action.resumeRetryCount="-1" Target="<your-devo-relay-ip>" Port="<your devo relay port>" Protocol="tcp" )
Portvalues with your relay IP address and port.
action.resumeRetryCountparameters are optional but recommended to prevent data loss in the event of a connectivity problem between the machine and the relay.
In case you have more configuration files in the
/etc/rsyslog.d/ directory, this one should be sequentially one of the last ones. This is because this action has no filter, so it will forward every message. By making this one of the last files to be processed in this directory, you can prevent the duplication of logs.
You may want to list the files in
/etc/rsyslog.d/ to review and confirm the run order:.
ls -1 /etc/rsyslog.d/ -rw-r--r-- 1 root root 241 Oct 24 13:04 00-devo.conf -rw-r--r-- 1 root root 642 Oct 24 13:02 40-iptables.conf -rw-r--r-- 1 root root 1495 Oct 24 13:02 45-apache.conf -rw-r--r-- 1 root root 899 Oct 24 13:02 45-mongodb.conf -rw-r--r-- 1 root root 916 Oct 24 13:02 45-myapplogfile.conf -rw-r--r-- 1 root root 901 Oct 24 13:02 45-tomcat.conf -rw-r--r-- 1 root root 597 Oct 24 13:02 46-lt-monitor.conf -rw-r--r-- 1 root root 664 Oct 24 13:02 49-devo.conf
After creating and saving the new files, restart rsyslog to activate the new configuration:
With the configuration activated, rsyslog should begin to forward events to your Devo Relay.
Test the connection
You can make sure that the events are being forwarded to the Relay by using the logger command to write testing messages to the system log.
logger "Hello from machine01" logger "Hello from machine01" logger "Hello from machine01" logger "Hello from machine01" logger "Hello from machine01"
In the Devo web application, go to Data Search. Open the
box.unix data table to confirm that these logger events were forwarded and received correctly.