This topic describes the required steps.
Limits
- The Syslog protocol must be the standard RFC 5424. If you use other Syslog protocols, we recommend that you see Collect Syslog from Linux systems.
- The maximum size of a log entry is 64 KB.
- To ensure data transmission security, you must transmit data over TCP using Transport Layer Security (TLS) 1.2.
Configuration
Most on-premises devices, such as VPNs and routers, do not support the TLS protocol or the RFC 5424 format. To collect data from these devices, we recommend that you use the Syslog plug-in for Logtail. For more information, see Collect Syslog from Linux systems.
To upload logs using the Syslog protocol, you must configure a log upload address in the ProjectName.Endpoint:SyslogPort format. Example: test-project-1.cn-hangzhou-intranet.log.aliyuncs.com:10009. Select an endpoint based on the region where your project is located. For more information, see Endpoints. The Syslog port is 10009. You must also configure parameters in the STRUCTURED-DATA field, such as the Simple Log Service project and LogStore, and your Alibaba Cloud account's AccessKey pair.
| Parameter | Description | Example |
| --- | --- | --- |
| STRUCTURED-DATA | The value is fixed to logservice. | logservice |
| project | The name of the Simple Log Service project. You must create a project in advance. For more information, see Manage Projects. | test-project-1 |
| logstore | The name of the LogStore. You must create a LogStore in advance. For more information, see Create a LogStore. | test-LogStore-1 |
| access-key-id | The AccessKey ID. We recommend that you use the AccessKey pair of a RAM user. For more information, see Authorization. | LTAI**************** |
| access-key-secret | The AccessKey Secret. We recommend that you use the AccessKey pair of a RAM user. For more information, see Authorization. | yourAccessKeySecret |
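The message layout and limits described above, as an added Python example (not Alibaba Cloud code): it builds an RFC 5424 entry with the logservice STRUCTURED-DATA element, enforces the 64 KB limit, and sends it over TLS 1.2 or later with certificate-chain and host-name verification. The function names and the SLS_* environment variable names are hypothetical, and newline framing of entries is an assumption based on the trailing \n in the page's syslog-ng template.

```python
import os
import socket
import ssl
from datetime import datetime, timezone

MAX_ENTRY_BYTES = 64 * 1024  # limit from the page: one log entry is at most 64 KB
SYSLOG_PORT = 10009          # Syslog port from the page

def sd_escape(value):
    """Escape backslash, double quote and ']' in an SD-PARAM value (RFC 5424)."""
    for ch in ("\\", '"', "]"):
        value = value.replace(ch, "\\" + ch)
    return value

def build_entry(project, logstore, key_id, key_secret, msg, *, facility=1, severity=6,
                host="-", app="-", procid="-", msgid="-", when=None):
    """Return one newline-terminated RFC 5424 entry carrying the logservice element."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    when = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
    stamp = when.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    params = {"project": project, "logstore": logstore,
              "access-key-id": key_id, "access-key-secret": key_secret}
    sd = " ".join(f'{name}="{sd_escape(val)}"' for name, val in params.items())
    # Assumption: entries are newline-framed, so line breaks in msg are flattened.
    msg = msg.replace("\r", " ").replace("\n", " ")
    pri = facility * 8 + severity  # PRI value, e.g. facility 4, severity 2 -> 34
    data = f"<{pri}>1 {stamp} {host} {app} {procid} {msgid} [logservice {sd}] {msg}\n".encode()
    if len(data) > MAX_ENTRY_BYTES:
        raise ValueError("entry exceeds the 64 KB limit")
    return data

def tls_context():
    """Client context that verifies the certificate chain and host name."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything below TLS 1.2
    return ctx

def send_entry(endpoint, entry, timeout=10.0):
    """Send one entry to ProjectName.Endpoint on the Syslog port over TLS."""
    with socket.create_connection((endpoint, SYSLOG_PORT), timeout=timeout) as raw:
        with tls_context().wrap_socket(raw, server_hostname=endpoint) as tls:
            tls.sendall(entry)

if __name__ == "__main__":
    env = os.environ  # SLS_* names are hypothetical; keeps the AccessKey pair out of the script
    entry = build_entry(env["SLS_PROJECT"], env["SLS_LOGSTORE"], env["SLS_ACCESS_KEY_ID"],
                        env["SLS_ACCESS_KEY_SECRET"], "this is a test message")
    send_entry(env["SLS_ENDPOINT"], entry)
```

Unlike the peer-verify(required-untrusted) setting in the syslog-ng example, which requires a server certificate but does not check that it chains to a trusted CA, this sender rejects a server whose certificate fails validation. Because every entry carries the AccessKey secret, that check is what keeps the key from being handed to an impostor endpoint.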
Example: Collect logs by using syslog-ng
syslog-ng is an open-source implementation of the Syslog protocol for UNIX and UNIX-like systems. You can run the sudo yum install syslog-ng or sudo apt-get install syslog-ng command to install syslog-ng.
Rsyslog is installed on Linux servers by default. Rsyslog and syslog-ng cannot run at the same time. If you want to use syslog-ng, you must uninstall Rsyslog first.
- Open the syslog-ng configuration file.
  The configuration file is typically located at /etc/syslog-ng/syslog-ng.conf.
- Add the following configuration block to the end of the syslog-ng configuration file, and then configure the parameters within it based on your business requirements.

  ```
  ### Syslog-ng Logging Config for LogService ###
  template LogServiceFormat {
      template("<${PRI}>1 ${ISODATE} ${HOST:--} ${PROGRAM:--} ${PID:--} ${MSGID:--} [logservice project=\"test-project-1\" logstore=\"test-logstore-1\" access-key-id=\"<yourAccessKeyId>\" access-key-secret=\"<yourAccessKeySecret>\"] $MSG\n");
      template_escape(no);
  };
  destination d_logservice{
      tcp("test-project-1.cn-hangzhou.log.aliyuncs.com" port(10009) tls(peer-verify(required-untrusted)) template(LogServiceFormat));
  };
  log {
      source(s_sys); # default use s_sys
      destination(d_logservice);
  };
  ### END Syslog-ng Logging Config for LogService ###
  ```
- Restart syslog-ng.
  Run the sudo /etc/init.d/syslog-ng restart, sudo service syslog-ng restart, or sudo systemctl restart syslog-ng command to restart syslog-ng.
- Run the logger command to generate a test log.
  Example: Run the logger hello world! command to generate a log.
Sample log
After you upload logs, you must configure indexes before you can view the logs in the Simple Log Service console. For more information, see Create an index.
For more information about the log fields, see RFC 5424.
To prevent AccessKey pair leaks, Simple Log Service deletes the logservice field by default.
03-28 11:01:01 __source__: xxx
__topic__: syslog-forwarder
_facility_: 3
_hostname_: xxx
_priority_: 30
_program_: systemd
_severity_: 6
_unixtimestamp_: 1553742061117098000
content: Started Session 59532 of user root.
03-28 11:00:15 __source__: mymachine.example.com
__topic__: syslog-forwarder
_facility_: 4
_hostname_: mymachine.example.com
_message_id_: ID47
_priority_: 34
_program_: su
_severity_: 2
_unixtimestamp_: 1553742015003000000
content: this is a test message
| Field | Description |
| --- | --- |
| __source__ | The value of the hostname field in the raw log. |
| __topic__ | The value is fixed to syslog-forwarder. |
| __facility__ | The facility information, which indicates the device or module that generates the log. |
| __program__ | The process name. |
| __severity__ | The severity of the log. |
| __priority__ | The priority of the log. |
| __unixtimestamp__ | The timestamp from the raw log, in nanoseconds. |
| content | The value of the msg field in the raw log. |
FAQ
- Test log uploads
  You can use Netcat to test log uploads to verify network connectivity and ensure that the AccessKey has upload permissions.
  - Log on to the server on which you want to test log uploads.
  - Run the following command to install Netcat:

    ```
    sudo yum install nmap-ncat
    ```
  - Run the following command to connect to Simple Log Service:

    ```
    ncat --ssl <yourProject>.<yourEndpoint> 10009
    ```

    Sample command:

    ```
    ncat --ssl test-project-1.cn-hangzhou.log.aliyuncs.com 10009
    ```
  - Netcat does not automatically detect network disconnections. Within 30 seconds of running the ncat command, enter the log message and press Enter.

    ```
    <34>1 2019-03-28T03:00:15.003Z mymachine.example.com su - ID47 [logservice project="<yourProject>" logstore="<yourLogstore>" access-key-id="<yourAccessKeyID>" access-key-secret="<yourAccessKeySecret>"] this is a test message
    ```

    Sample command:

    ```
    <34>1 2019-03-28T03:00:15.003Z mymachine.example.com su - ID47 [logservice project="trace-doc-test" logstore="doc-test-001-logs" access-key-id="<yourAccessKeyID>" access-key-secret="<yourAccessKeySecret>"] this is a test message
    ```
  - Preview logs in the Simple Log Service console to check whether the logs are uploaded.
    For more information, see Preview logs.
    A log entry with a timestamp of 2019-03-28 11:00:15 and a source of mymachine.example.com appears in the preview results. The Syslog fields in the content column, including _hostname_, _severity_, _facility_, _message_id_, _unixtimestamp_, _program_, and _priority_, are parsed. This indicates that the log was uploaded and parsed successfully.
- Diagnose collection errors
  If a manual log upload fails, you can view specific error messages by diagnosing collection errors. For more information, see How to view Logtail collection error information.