
Collecting logs using rsyslog

rsyslog is a high-performance, open-source, modular syslog daemon commonly installed on Linux systems, designed to collect, parse, and ship system and application logs. It's a cornerstone of reliable log pipelines because it supports modern protocols and formats, strong transport security (TLS), and robust buffering with disk-assisted queues that prevent data loss during network interruptions. With its flexible rules engine, rsyslog can enrich events, drop noise, tag sources, and fan out to multiple destinations, making it well suited to forwarding logs to TeskaLabs LogMan.io at scale.

Installation

Linux Ubuntu

# sudo apt install rsyslog rsyslog-gnutls

Configuration

The following section presents a production-ready rsyslog configuration for forwarding logs to TeskaLabs LogMan.io over TLS.

/etc/rsyslog.d/to-logman.conf:

*.* action(
    type="omfwd"
    protocol="tcp"
    target="<IP address of the collector>"
    port="514"
    KeepAlive="on"
    queue.type="LinkedList"
    queue.size="10000"

    # The following lines enable TLS/SSL encryption.
    # The default smart syslog port at TeskaLabs LogMan.io auto-detects an incoming TLS/SSL connection.
    # Auth mode "anon" encrypts the traffic but does not verify the collector's certificate.
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="anon"
)

Apply the changes by restarting rsyslog:

# sudo systemctl restart rsyslog.service

Test the configuration by sending a test message:

# logger -t rsyslog-test "Hello from $(hostname)"
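
A variant of /etc/rsyslog.d/to-logman.conf that verifies the collector's certificate (x509/name instead of anon) and makes the queue disk-assisted, so buffered events survive an outage or a restart. This is an added example, not part of the original TeskaLabs documentation; it assumes the collector presents a certificate issued by a CA whose certificate you can copy to the sender, and the CA file path, peer name placeholder, queue file name and disk limit are assumptions.

```rsyslog
# Added example (not from the LogMan.io documentation).
# Assumed: CA file location, spool directory, queue file name, disk limit.
global(
    # CA certificate used to validate the collector's TLS certificate (assumed path)
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/collector-ca.pem"
    # Directory where disk-assisted queue files are written
    workDirectory="/var/spool/rsyslog"
)

*.* action(
    type="omfwd"
    protocol="tcp"
    target="<IP address of the collector>"
    port="514"
    KeepAlive="on"

    # TLS with server authentication:
    # "x509/name" checks the certificate chain against the CA file above
    # and the certificate name against StreamDriverPermittedPeers.
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="<name in the collector's certificate>"

    # Disk-assisted queue: setting queue.filename lets the in-memory
    # LinkedList queue spill to disk when the collector is unreachable.
    queue.type="LinkedList"
    queue.size="10000"
    queue.filename="to-logman"        # assumed name, must be unique per action
    queue.maxDiskSpace="1g"           # assumed limit, size to the expected outage
    queue.saveOnShutdown="on"         # persist queued events across restarts

    # Retry forever instead of suspending the action and discarding events
    action.resumeRetryCount="-1"
)
```

Running `rsyslogd -N1` checks the configuration syntax before the service is restarted.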

Tip

Enable the MARK module in /etc/rsyslog.conf to emit periodic -- MARK -- messages, which makes it easy to spot silent or disconnected senders.

module(load="immark")