
Simple sending using rsyslog (Obsolete legacy format)

This article describes how to manually configure rsyslog to send system log events to Devo over an unsecured channel. This is the recommended procedure when you want to forward events within your network to a Devo In-House Relay.

Create the Devo configuration files

To forward a system’s internal logs to a Devo Relay, you need to create two files in the /etc/rsyslog.d/ directory. The 00-devo.conf file contains general connection settings. The 49-devo.conf file is responsible for forwarding the events to the Devo Relay.

00-devo.conf 

This file contains general connection settings. Create it with the following contents.

/etc/rsyslog.d/00-devo.conf
$ModLoad imfile
$ModLoad immark

$MarkMessagePeriod 60

$WorkDirectory /var/spool/rsyslog

$RepeatedMsgReduction off

#Disable imuxsock rate limit
$IMUXSockRateLimitInterval 0
$SystemLogRateLimitInterval 0

Make sure that the $WorkDirectory path exists and that the user rsyslog runs as (often syslog) has write permission on it. To find out which user runs rsyslog, enter the following command:

ps -o user= -p $(pgrep rsyslogd)

If that user is not root, create the directory and hand it to that user with the commands below. Note that on some distributions rsyslog runs as root by default, while on others it drops privileges to the syslog user.

mkdir /var/spool/rsyslog
chown syslog:syslog /var/spool/rsyslog
chmod 770 /var/spool/rsyslog
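The following is an added check for the work-directory requirement above; it is example code, not part of the Devo documentation. It applies the same rules as the mkdir/chown/chmod commands (directory exists, is owned by the rsyslog user, owner has rwx, not world-writable) and takes the rsyslog user name as a parameter. The demo() scenario uses a constructed temporary directory owned by the current user rather than a real rsyslog spool.

```python
import os
import pwd
import stat
import tempfile


def check_work_dir(path, rsyslog_user):
    """Return a list of problems with the rsyslog $WorkDirectory.

    Mirrors the mkdir/chown/chmod 770 steps: the directory must exist, be
    owned by the user rsyslog runs as (so disk-assisted queue files can be
    written), give its owner rwx, and not be world-writable (anyone could
    otherwise tamper with or fill the queue files).
    """
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist (create it with mkdir first)" % path]
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]
    try:
        expected_uid = pwd.getpwnam(rsyslog_user).pw_uid
    except KeyError:
        return ["user %r does not exist on this system" % rsyslog_user]
    if st.st_uid != expected_uid:
        problems.append("%s is owned by uid %d, not by %s (chown it)"
                        % (path, st.st_uid, rsyslog_user))
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o700 != 0o700:
        problems.append("owner lacks rwx on %s (mode %o; chmod 770)" % (path, mode))
    if mode & stat.S_IWOTH:
        problems.append("%s is world-writable (mode %o); queue files could be tampered with"
                        % (path, mode))
    return problems


def demo():
    """Constructed scenario: a temporary directory owned by the current user,
    checked once with the recommended mode, once world-writable, and once for
    a path that does not exist. Returns the three result lists."""
    me = pwd.getpwuid(os.getuid()).pw_name
    d = tempfile.mkdtemp(prefix="rsyslog-spool-")   # stands in for /var/spool/rsyslog
    results = {}
    os.chmod(d, 0o770)
    results["correct"] = check_work_dir(d, me)
    os.chmod(d, 0o777)
    results["world_writable"] = check_work_dir(d, me)
    results["missing"] = check_work_dir(d + "-missing", me)
    os.rmdir(d)
    return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "OK")
```

On a real host, call check_work_dir("/var/spool/rsyslog", user) with the user reported by the ps command above; an empty list means the spool directory matches the setup described here.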

49-devo.conf

The 49-devo.conf file forwards the operating system log events to the Devo Relay. Create the file with the following contents.

/etc/rsyslog.d/49-devo.conf
$template boxunix,"<%PRI%>%timegenerated% %HOSTNAME% box.unix.%syslogtag%%msg%"

#ActionQueue section
$ActionQueueType                LinkedList
$ActionQueueFileName            ltboxq1
$ActionResumeRetryCount         -1
$ActionQueueSaveOnShutdown      on

*.*    @@DEVO-RELAY_IP:PORT;boxunix
  • Replace DEVO-RELAY_IP:PORT with the IP address and port of your relay (the @@ prefix sends over plain TCP).
  • The Action Queue section is optional but recommended: it prevents data loss if connectivity between the machine and the relay is interrupted.

This file should be one of the last ones processed in the /etc/rsyslog.d/ directory (files are read in lexical order by name), because its forwarding rule uses the *.* wildcard. Making it one of the last files processed prevents duplicated logs.
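An added audit script (example code, not from the Devo page or from rsyslog itself) that reads a rsyslog.d-style directory in the same lexical order rsyslog uses and reports the three things this section cares about: forwarders that send in plaintext (@ for UDP, or @@ for TCP with no $ActionSendStreamDriverMode 1 before the rule), forwarders with no $ActionQueue* directives, and a *.* forward rule that is not in the last file. The demo() function writes constructed sample files to a temporary directory, using documentation-range addresses (192.0.2.x) in place of DEVO-RELAY_IP:PORT.

```python
import os
import re
import tempfile

# Legacy rsyslog forwarding action: "<selector> @host:port" (UDP) or
# "<selector> @@host:port" (TCP), optionally followed by ";template".
FORWARD_RE = re.compile(
    r"^(?P<selector>\S+)\s+(?P<at>@@?)(?P<target>[^;\s]+)(?:;(?P<template>\S+))?$")


def audit_rsyslog_dir(confdir):
    """Walk confdir in lexical order (as $IncludeConfig /etc/rsyslog.d/*.conf
    does) and return a list of finding strings for forwarding rules."""
    findings = []
    files = sorted(f for f in os.listdir(confdir) if f.endswith(".conf"))
    for index, name in enumerate(files):
        queued = False   # $ActionQueueType seen before the next forward rule
        tls = False      # $ActionSendStreamDriverMode 1 seen before the next forward rule
        with open(os.path.join(confdir, name)) as fh:
            for lineno, raw in enumerate(fh, 1):
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue
                if line.startswith("$ActionQueueType"):
                    queued = True
                    continue
                if line.startswith("$ActionSendStreamDriverMode"):
                    tls = line.split()[-1] == "1"
                    continue
                m = FORWARD_RE.match(line)
                if not m:
                    continue
                where = "%s:%d" % (name, lineno)
                target = m.group("target")
                if m.group("at") == "@":
                    findings.append("%s: UDP forward to %s (plaintext, no delivery guarantee)"
                                    % (where, target))
                elif not tls:
                    findings.append("%s: plain TCP forward to %s without TLS; acceptable only "
                                    "to an in-house relay on the local network" % (where, target))
                if not queued:
                    findings.append("%s: forward rule has no $ActionQueue* directives; events "
                                    "are dropped while %s is unreachable" % (where, target))
                if m.group("selector") == "*.*" and index != len(files) - 1:
                    later = ", ".join(files[index + 1:])
                    findings.append("%s: wildcard *.* forward is not in the last file; %s "
                                    "read after it and may duplicate logs" % (where, later))
                # Legacy $Action* directives apply to the next action only, then reset.
                queued = False
                tls = False
    return findings


# Constructed sample directory: the two files from this page plus a neighbour
# file and a badly placed UDP forwarder, so every check has something to report.
SAMPLE_CONFS = {
    "00-devo.conf": "$ModLoad imfile\n$WorkDirectory /var/spool/rsyslog\n",
    "45-apache.conf": "$ModLoad imfile\n$InputFileName /var/log/apache2/access.log\n",
    "49-devo.conf": (
        '$template boxunix,"<%PRI%>%timegenerated% %HOSTNAME% box.unix.%syslogtag%%msg%"\n'
        "$ActionQueueType LinkedList\n"
        "$ActionQueueFileName ltboxq1\n"
        "$ActionResumeRetryCount -1\n"
        "$ActionQueueSaveOnShutdown on\n"
        "*.*    @@192.0.2.10:514;boxunix\n"   # constructed relay address
    ),
    "50-legacy-udp.conf": "*.* @192.0.2.11:514\n",   # constructed: UDP, no queue, after 49-devo
}


def demo():
    """Write SAMPLE_CONFS to a temporary directory, audit it, clean up."""
    d = tempfile.mkdtemp(prefix="rsyslog.d-")
    for name, body in SAMPLE_CONFS.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    try:
        return audit_rsyslog_dir(d)
    finally:
        for name in SAMPLE_CONFS:
            os.remove(os.path.join(d, name))
        os.rmdir(d)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

On a real host run audit_rsyslog_dir("/etc/rsyslog.d"); the plain-TCP finding for 49-devo.conf is expected with this legacy setup and is the reason the page restricts it to an In-House Relay inside your network.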

You may want to list the files in /etc/rsyslog.d/ to review and confirm the run order (the long listing below is what ls -l produces):

ls -l /etc/rsyslog.d/

-rw-r--r-- 1 root root  241 Oct 24 13:04 00-devo.conf
-rw-r--r-- 1 root root  642 Oct 24 13:02 40-iptables.conf
-rw-r--r-- 1 root root 1495 Oct 24 13:02 45-apache.conf
-rw-r--r-- 1 root root  899 Oct 24 13:02 45-mongodb.conf
-rw-r--r-- 1 root root  916 Oct 24 13:02 45-myapplogfile.conf
-rw-r--r-- 1 root root  901 Oct 24 13:02 45-tomcat.conf
-rw-r--r-- 1 root root  597 Oct 24 13:02 46-lt-monitor.conf
-rw-r--r-- 1 root root  664 Oct 24 13:02 49-devo.conf

Restart rsyslog 

After creating and saving the new files, restart rsyslog to activate the new configuration:

/etc/init.d/rsyslog restart

With the configuration activated, rsyslog should begin to forward events to your Devo Relay.

Test the connection

You can make sure that the events are being forwarded to the Relay by using the logger command to write test messages to the system log. 

logger "Hello from machine01"
logger "Hello from machine01"
logger "Hello from machine01"
logger "Hello from machine01"
logger "Hello from machine01"

In the Devo web application, go to Data Search. Open the box.unix data table to confirm that these logger events were forwarded and received correctly.